modiloader | hxxps://www[.]dropbox[.]com/scl/fo/qy2qk79x2gtuwswxjxcla/h?rlkey=9ophpx1zlqaopl8j3d53sf3wi&dl=0

Resubmissions

29-03-2024 12:16

240329-pfrh3sgd9x 8

29-03-2024 12:11

240329-pcrdxagd5v 8

27-03-2024 19:52

240327-ylpfcaaf83 10

27-03-2024 19:06

240327-xsc58add5x 10

Analysis

max time kernel
861s
max time network
1058s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2024 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.dropbox.com/scl/fo/qy2qk79x2gtuwswxjxcla/h?rlkey=9ophpx1zlqaopl8j3d53sf3wi&dl=0

Score

10^/10

modiloader njrat remcos warzonerat geforce host evasion infostealer persistence rat rezer0 trojan upx

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

nickman12-46565.portmap.io:46565

nickman12-46565.portmap.io:1735

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
Userdata.exe
copy_folder
Userdata
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%WinDir%\System32
mouse_option
false
mutex
remcos_vcexssuhap
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

njrat

Version

0.7d

Botnet

Geforce

startitit2-23969.portmap.host:1604

Mutex

b9584a316aeb9ca9b31edd4db18381f5

Attributes

reg_key
b9584a316aeb9ca9b31edd4db18381f5
splitter
Y262SUCZ4UJJ

Extracted

Family

warzonerat

168.61.222.215:5400

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

ModiLoader First Stage 4 IoCs

resource	yara_rule
behavioral1/files/0x000200000001e5a4-92.dat	modiloader_stage1
behavioral1/files/0x000200000001e5a4-124.dat	modiloader_stage1
behavioral1/memory/2180-156-0x0000000000400000-0x000000000053A000-memory.dmp	modiloader_stage1
behavioral1/memory/332-307-0x0000000000400000-0x000000000053A000-memory.dmp	modiloader_stage1

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

resource	yara_rule
behavioral1/memory/4020-374-0x0000000005EA0000-0x0000000005EC8000-memory.dmp	rezer0

Warzone RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/5896-915-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
6372	netsh.exe
6604	netsh.exe
5124	netsh.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00070000000233ea-256.dat	acprotect
behavioral1/files/0x000700000002344e-677.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Remcos.exe

Executes dropped EXE 7 IoCs

pid	Process
2180	NetWire.exe
1532	Remcos.exe
4308	PDFSuite20.exe
468	Nadlote.exe
3080	OneLaunch - Easy PDF_bfmsa.exe
1588	PDFSuite20 (1).exe
4480	OneLaunch - Easy PDF_bfmsa.tmp

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000233ea-256.dat	upx
behavioral1/files/0x000700000002344e-677.dat	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\""	Remcos.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
60	dropbox.com
61	dropbox.com
66	dropbox.com
345	api.keen.io
408	api.keen.io
409	api.keen.io
421	api.keen.io
64	dropbox.com
346	api.keen.io

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Userdata\Userdata.exe	Remcos.exe
File opened for modification	C:\Windows\SysWOW64\Userdata	Remcos.exe
File created	C:\Windows\SysWOW64\Userdata\Userdata.exe	Remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6752	6168	WerFault.exe	392

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral1/files/0x0009000000022f1f-147.dat	nsis_installer_1
behavioral1/files/0x0009000000022f1f-147.dat	nsis_installer_2
behavioral1/files/0x000a000000023078-180.dat	nsis_installer_1
behavioral1/files/0x000a000000023078-180.dat	nsis_installer_2
behavioral1/files/0x0009000000022f1f-347.dat	nsis_installer_1
behavioral1/files/0x0009000000022f1f-347.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5732	schtasks.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4320	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4940	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{DFFBB93A-BA01-4953-B2D9-C841A9268B27}	msedge.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
5304	reg.exe
7036	reg.exe
5040	reg.exe
5884	reg.exe
3752	reg.exe
3148	reg.exe
6312	reg.exe
6708	reg.exe
5356	reg.exe
892	reg.exe
1520	reg.exe
5092	reg.exe
1068	reg.exe
1340	reg.exe
6372	reg.exe
6316	reg.exe
7012	reg.exe
2072	reg.exe
5736	reg.exe
5140	reg.exe
1492	reg.exe
1120	reg.exe
5992	reg.exe
7024	reg.exe
7024	reg.exe
5548	reg.exe
4476	reg.exe
6076	reg.exe
528	reg.exe
400	reg.exe
5040	reg.exe
5368	reg.exe
5484	reg.exe
4516	reg.exe
408	reg.exe
1236	reg.exe
5140	reg.exe
412	reg.exe
5700	reg.exe
1340	reg.exe
5992	reg.exe
4208	reg.exe
2516	reg.exe
3224	reg.exe
436	reg.exe
6132	reg.exe
7128	reg.exe
6652	reg.exe
5676	reg.exe
5368	reg.exe
1476	reg.exe
5360	reg.exe
3568	reg.exe
4632	reg.exe
3948	reg.exe
3344	reg.exe
5916	reg.exe
4308	reg.exe
5700	reg.exe
5184	reg.exe
5172	reg.exe
6268	reg.exe
6196	reg.exe
3224	reg.exe

Runs net.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
6804	PING.EXE
6196	PING.EXE
5688	PING.EXE
5368	PING.EXE
6116	PING.EXE
6352	PING.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	5056	7zG.exe
Token: 35	5056	7zG.exe
Token: SeSecurityPrivilege	5056	7zG.exe
Token: SeSecurityPrivilege	5056	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5056	7zG.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4308	PDFSuite20.exe
468	Nadlote.exe
1588	PDFSuite20 (1).exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 5096	1532	Remcos.exe	142
PID 1532 wrote to memory of 5096	1532	Remcos.exe	142
PID 1532 wrote to memory of 5096	1532	Remcos.exe	142
PID 5096 wrote to memory of 408	5096	cmd.exe	144
PID 5096 wrote to memory of 408	5096	cmd.exe	144
PID 5096 wrote to memory of 408	5096	cmd.exe	144
PID 3080 wrote to memory of 4480	3080	OneLaunch - Easy PDF_bfmsa.exe	149
PID 3080 wrote to memory of 4480	3080	OneLaunch - Easy PDF_bfmsa.exe	149
PID 3080 wrote to memory of 4480	3080	OneLaunch - Easy PDF_bfmsa.exe	149

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.dropbox.com/scl/fo/qy2qk79x2gtuwswxjxcla/h?rlkey=9ophpx1zlqaopl8j3d53sf3wi&dl=0
1⤵
PID:4908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4280 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:1
1⤵
PID:3560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3732 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:1
1⤵
PID:3628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5308 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:3356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5480 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:1
1⤵
PID:4104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5792 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:4628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5904 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:1624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6204 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:4528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5076 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:5076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=5584 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:4056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5888 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
- Modifies registry class
PID:984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --mojo-platform-channel-handle=6412 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:1
1⤵
PID:4664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --mojo-platform-channel-handle=6480 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:1
1⤵
PID:436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5480 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:4984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4692 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:5008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5476 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --mojo-platform-channel-handle=6404 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:1
1⤵
PID:2400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=4508 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:1084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --mojo-platform-channel-handle=6536 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:1
1⤵
PID:464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6780 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:2788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5548 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:2452

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4632

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap12781:68:7zEvent8884
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5056

C:\Users\Admin\Desktop\NetWire.exe
"C:\Users\Admin\Desktop\NetWire.exe"
1⤵
- Executes dropped EXE
PID:2180
- C:\Users\Admin\Desktop\NetWire.exe
  "C:\Users\Admin\Desktop\NetWire.exe"
  2⤵
  PID:332

C:\Users\Admin\Desktop\Remcos.exe
"C:\Users\Admin\Desktop\Remcos.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\SysWOW64\cmd.exe
  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
  2⤵
  PID:4624
- - C:\Windows\SysWOW64\PING.EXE
    PING 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:5688
- - C:\Windows\SysWOW64\Userdata\Userdata.exe
    "C:\Windows\SysWOW64\Userdata\Userdata.exe"
    3⤵
    PID:5700
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:2764
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:1236
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      PID:5788

C:\Users\Admin\Desktop\PDFSuite20.exe
"C:\Users\Admin\Desktop\PDFSuite20.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4308

C:\Users\Admin\Desktop\OneLaunch - Easy PDF_bfmsa.exe
"C:\Users\Admin\Desktop\OneLaunch - Easy PDF_bfmsa.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Users\Admin\AppData\Local\Temp\is-3O1AS.tmp\OneLaunch - Easy PDF_bfmsa.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-3O1AS.tmp\OneLaunch - Easy PDF_bfmsa.tmp" /SL5="$10300,2484380,893952,C:\Users\Admin\Desktop\OneLaunch - Easy PDF_bfmsa.exe"
  2⤵
  - Executes dropped EXE
  PID:4480
- - C:\Users\Admin\Desktop\OneLaunch - Easy PDF_bfmsa.exe
    "C:\Users\Admin\Desktop\OneLaunch - Easy PDF_bfmsa.exe" /PDATA=eyJ1dG1fY2FtcGFpZ24iOiIxNzQyODAxMDA4NiIsImxvd2VyIjoiaGVhZGxpbmUzIiwidXRtX21lZGl1bSI6IjE1OTM3NjQ0MzUyNyIsInByb2ZpbGUiOiJwZGYiLCJtYWluIjoiaGVhZGxpbmUzIiwidWEiOiJlZGdlIiwidXRtX3Rlcm0iOiJ3d3cubWVtdXBsYXkuY29tIiwiZ2NsaWQiOiJFQUlhSVFvYkNoTUlvOVRkdHBTVmhRTVZOMlFWQ0IyWjNRb3pFQUVZQVNBQUVnSXVBUERfQndFIiwiZGlzdGluY3RfaWQiOiI5NWU3MGNiYS00NDFjLTQ4MGItOWRjOS02Y2NiYWI0MGYzZDUiLCJscF91cmwiOiJodHRwczovL2dldGVhc3lwZGYuY29tL3BkZi9scDUiLCJ3aGl0ZWxhYmVsIjoiZWFzeXBkZiIsImxwYyI6MCwidXRtX3NvdXJjZSI6Im9oLWdkbiIsInV0bV9jb250ZW50IjoiNjg4ODk4NjE4ODE4IiwiaW5zdGFsbF90aW1lIjoxNzExNTcwMDQ5LCJkZWZhdWx0X2Jyb3dzZXIiOiJNU0VkZ2VIVE0iLCJpbml0aW5hbF92ZXJzaW9uIjoiNS4yOS4yLjAiLCJwYWNrYWdlZF9icm93c2VyIjoiTm9uZSIsInNwbGl0IjoiYSIsIm5vX3NwbGl0IjpmYWxzZSwic3BsaXQyIjoiYSIsInNlcnZlcl9zaWRlX3NwbGl0XzI0XzAzX2ZvY3VzX2N1cnNvcl9udHAiOiJ2YXJpYXRpb24iLCJzZXJ2ZXJfc2lkZV9zcGxpdF8yOF8xMV9udHBfZGlzdHJpYnV0aW9uIjoidmFyaWF0aW9uIiwic2VydmVyX3NpZGVfc3BsaXRfMjRfMDNfZGVza3RvcF9zaG9ydGN1dF9uYW1lIjoidmFyaWF0aW9uIiwiZW5jb2RlZF9zcGxpdHMiOiIwMDAifQ== /LAUNCHER /VERYSILENT
    3⤵
    PID:6836
  - - C:\Users\Admin\AppData\Local\Temp\is-DO33P.tmp\OneLaunch - Easy PDF_bfmsa.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-DO33P.tmp\OneLaunch - Easy PDF_bfmsa.tmp" /SL5="$20284,2484380,893952,C:\Users\Admin\Desktop\OneLaunch - Easy PDF_bfmsa.exe" /PDATA=eyJ1dG1fY2FtcGFpZ24iOiIxNzQyODAxMDA4NiIsImxvd2VyIjoiaGVhZGxpbmUzIiwidXRtX21lZGl1bSI6IjE1OTM3NjQ0MzUyNyIsInByb2ZpbGUiOiJwZGYiLCJtYWluIjoiaGVhZGxpbmUzIiwidWEiOiJlZGdlIiwidXRtX3Rlcm0iOiJ3d3cubWVtdXBsYXkuY29tIiwiZ2NsaWQiOiJFQUlhSVFvYkNoTUlvOVRkdHBTVmhRTVZOMlFWQ0IyWjNRb3pFQUVZQVNBQUVnSXVBUERfQndFIiwiZGlzdGluY3RfaWQiOiI5NWU3MGNiYS00NDFjLTQ4MGItOWRjOS02Y2NiYWI0MGYzZDUiLCJscF91cmwiOiJodHRwczovL2dldGVhc3lwZGYuY29tL3BkZi9scDUiLCJ3aGl0ZWxhYmVsIjoiZWFzeXBkZiIsImxwYyI6MCwidXRtX3NvdXJjZSI6Im9oLWdkbiIsInV0bV9jb250ZW50IjoiNjg4ODk4NjE4ODE4IiwiaW5zdGFsbF90aW1lIjoxNzExNTcwMDQ5LCJkZWZhdWx0X2Jyb3dzZXIiOiJNU0VkZ2VIVE0iLCJpbml0aW5hbF92ZXJzaW9uIjoiNS4yOS4yLjAiLCJwYWNrYWdlZF9icm93c2VyIjoiTm9uZSIsInNwbGl0IjoiYSIsIm5vX3NwbGl0IjpmYWxzZSwic3BsaXQyIjoiYSIsInNlcnZlcl9zaWRlX3NwbGl0XzI0XzAzX2ZvY3VzX2N1cnNvcl9udHAiOiJ2YXJpYXRpb24iLCJzZXJ2ZXJfc2lkZV9zcGxpdF8yOF8xMV9udHBfZGlzdHJpYnV0aW9uIjoidmFyaWF0aW9uIiwic2VydmVyX3NpZGVfc3BsaXRfMjRfMDNfZGVza3RvcF9zaG9ydGN1dF9uYW1lIjoidmFyaWF0aW9uIiwiZW5jb2RlZF9zcGxpdHMiOiIwMDAifQ== /LAUNCHER /VERYSILENT
      4⤵
      PID:6892
    - - C:\Users\Admin\AppData\Local\Temp\OneLaunch Setup_bfmsa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OneLaunch Setup_bfmsa.exe" /PDATA=eyJ1dG1fY2FtcGFpZ24iOiIxNzQyODAxMDA4NiIsImxvd2VyIjoiaGVhZGxpbmUzIiwidXRtX21lZGl1bSI6IjE1OTM3NjQ0MzUyNyIsInByb2ZpbGUiOiJwZGYiLCJtYWluIjoiaGVhZGxpbmUzIiwidWEiOiJlZGdlIiwidXRtX3Rlcm0iOiJ3d3cubWVtdXBsYXkuY29tIiwiZ2NsaWQiOiJFQUlhSVFvYkNoTUlvOVRkdHBTVmhRTVZOMlFWQ0IyWjNRb3pFQUVZQVNBQUVnSXVBUERfQndFIiwiZGlzdGluY3RfaWQiOiI5NWU3MGNiYS00NDFjLTQ4MGItOWRjOS02Y2NiYWI0MGYzZDUiLCJscF91cmwiOiJodHRwczovL2dldGVhc3lwZGYuY29tL3BkZi9scDUiLCJ3aGl0ZWxhYmVsIjoiZWFzeXBkZiIsImxwYyI6MCwidXRtX3NvdXJjZSI6Im9oLWdkbiIsInV0bV9jb250ZW50IjoiNjg4ODk4NjE4ODE4IiwiaW5zdGFsbF90aW1lIjoxNzExNTcwMDQ5LCJkZWZhdWx0X2Jyb3dzZXIiOiJNU0VkZ2VIVE0iLCJpbml0aW5hbF92ZXJzaW9uIjoiNS4yOS4yLjAiLCJwYWNrYWdlZF9icm93c2VyIjoiTm9uZSIsInNwbGl0IjoiYSIsIm5vX3NwbGl0IjpmYWxzZSwic3BsaXQyIjoiYSIsInNlcnZlcl9zaWRlX3NwbGl0XzI0XzAzX2ZvY3VzX2N1cnNvcl9udHAiOiJ2YXJpYXRpb24iLCJzZXJ2ZXJfc2lkZV9zcGxpdF8yOF8xMV9udHBfZGlzdHJpYnV0aW9uIjoidmFyaWF0aW9uIiwic2VydmVyX3NpZGVfc3BsaXRfMjRfMDNfZGVza3RvcF9zaG9ydGN1dF9uYW1lIjoidmFyaWF0aW9uIiwiZW5jb2RlZF9zcGxpdHMiOiIwMDAifQ==
        5⤵
        
        PID:6236
      - C:\Users\Admin\AppData\Local\Temp\is-HBATB.tmp\OneLaunch Setup_bfmsa.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-HBATB.tmp\OneLaunch Setup_bfmsa.tmp" /SL5="$402AE,105360929,893952,C:\Users\Admin\AppData\Local\Temp\OneLaunch Setup_bfmsa.exe" /PDATA=eyJ1dG1fY2FtcGFpZ24iOiIxNzQyODAxMDA4NiIsImxvd2VyIjoiaGVhZGxpbmUzIiwidXRtX21lZGl1bSI6IjE1OTM3NjQ0MzUyNyIsInByb2ZpbGUiOiJwZGYiLCJtYWluIjoiaGVhZGxpbmUzIiwidWEiOiJlZGdlIiwidXRtX3Rlcm0iOiJ3d3cubWVtdXBsYXkuY29tIiwiZ2NsaWQiOiJFQUlhSVFvYkNoTUlvOVRkdHBTVmhRTVZOMlFWQ0IyWjNRb3pFQUVZQVNBQUVnSXVBUERfQndFIiwiZGlzdGluY3RfaWQiOiI5NWU3MGNiYS00NDFjLTQ4MGItOWRjOS02Y2NiYWI0MGYzZDUiLCJscF91cmwiOiJodHRwczovL2dldGVhc3lwZGYuY29tL3BkZi9scDUiLCJ3aGl0ZWxhYmVsIjoiZWFzeXBkZiIsImxwYyI6MCwidXRtX3NvdXJjZSI6Im9oLWdkbiIsInV0bV9jb250ZW50IjoiNjg4ODk4NjE4ODE4IiwiaW5zdGFsbF90aW1lIjoxNzExNTcwMDQ5LCJkZWZhdWx0X2Jyb3dzZXIiOiJNU0VkZ2VIVE0iLCJpbml0aW5hbF92ZXJzaW9uIjoiNS4yOS4yLjAiLCJwYWNrYWdlZF9icm93c2VyIjoiTm9uZSIsInNwbGl0IjoiYSIsIm5vX3NwbGl0IjpmYWxzZSwic3BsaXQyIjoiYSIsInNlcnZlcl9zaWRlX3NwbGl0XzI0XzAzX2ZvY3VzX2N1cnNvcl9udHAiOiJ2YXJpYXRpb24iLCJzZXJ2ZXJfc2lkZV9zcGxpdF8yOF8xMV9udHBfZGlzdHJpYnV0aW9uIjoidmFyaWF0aW9uIiwic2VydmVyX3NpZGVfc3BsaXRfMjRfMDNfZGVza3RvcF9zaG9ydGN1dF9uYW1lIjoidmFyaWF0aW9uIiwiZW5jb2RlZF9zcGxpdHMiOiIwMDAifQ==
        6⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6168 -s 1968
        7⤵
        Program crash
        
        PID:6752

C:\Users\Admin\Desktop\Nadlote.exe
"C:\Users\Admin\Desktop\Nadlote.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  PID:4752
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Modifies registry key
    PID:5356
- C:\Windows\SysWOW64\CMD.exe
  CMD /C "c:\RECYCLER\smss.exe"
  2⤵
  PID:3544
- - \??\c:\RECYCLER\smss.exe
    c:\RECYCLER\smss.exe
    3⤵
    PID:5328
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:5612
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:4476
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:5280
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:892
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:2256
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:5368
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ipconfig > c:\RECYCLER\IP.dlx
      4⤵
      PID:5248
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig
        5⤵
        Gathers network information
        
        PID:4320
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:2984
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:4308
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:4460
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:1492
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c net share Love2="c:\Documents and Settings" /unlimited | net share Love1=C:\Windows /unlimited | net share Love3=d:\ /unlimited
      4⤵
      PID:2408
    - - C:\Windows\SysWOW64\net.exe
        
        net share Love2="c:\Documents and Settings" /unlimited
        5⤵
        
        PID:5608
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 share Love2="c:\Documents and Settings" /unlimited
        6⤵
        
        PID:6052
    - - C:\Windows\SysWOW64\net.exe
        
        net share Love1=C:\Windows /unlimited
        5⤵
        
        PID:3084
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 share Love1=C:\Windows /unlimited
        6⤵
        
        PID:5300
    - - C:\Windows\SysWOW64\net.exe
        
        net share Love3=d:\ /unlimited
        5⤵
        
        PID:2172
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 share Love3=d:\ /unlimited
        6⤵
        
        PID:4040
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "smss\smss.exe " /f
      4⤵
      PID:6108
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "smss\smss.exe " /f
        5⤵
        
        PID:224
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ping 0 -n 2 -w 3 > "c:\RECYCLER\check_4_online.dlx"
      4⤵
      PID:5720
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 0 -n 2 -w 3
        5⤵
        Runs ping.exe
        
        PID:5368
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:5780
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:5040
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:3616
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:5700
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:5316
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:3224
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:5924
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:5184
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:4344
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:5360
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:5504
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:2072
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:5864
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:3568
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:3616
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:5316
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:5864
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        
        PID:5268
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:3800
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:5368
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:5856
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:5140
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:4000
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:6076
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:4128
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:5368
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:2428
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:5172
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:2940
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:528
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ping 1 -n 2 -w 3 > "c:\RECYCLER\check_4_online.dlx"
      4⤵
      PID:2696
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1 -n 2 -w 3
        5⤵
        Runs ping.exe
        
        PID:6116
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:5068
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:5884
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:5300
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:5736
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:5368
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:5992
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:5252
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:3948
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:1476
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:1340
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:4540
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:5140
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:5168
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:6312
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ping 2 -n 2 -w 3 > "c:\RECYCLER\check_4_online.dlx"
      4⤵
      PID:5072
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 2 -n 2 -w 3
        5⤵
        Runs ping.exe
        
        PID:6352
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:6684
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:7012
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:7140
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:1476
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:6392
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:7128
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:4696
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:7024
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:6612
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:6652
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ping 3 -n 2 -w 3 > "c:\RECYCLER\check_4_online.dlx"
      4⤵
      PID:6696
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 3 -n 2 -w 3
        5⤵
        Runs ping.exe
        
        PID:6804
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:2208
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:6196
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:7152
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:3752
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:5420
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:5304
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:396
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:7036
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:4168
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:3344
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ping 4 -n 2 -w 3 > "c:\RECYCLER\check_4_online.dlx"
      4⤵
      PID:2448
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 4 -n 2 -w 3
        5⤵
        Runs ping.exe
        
        PID:6196
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:5860
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:1068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  PID:3220
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Modifies registry key
    PID:5916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  PID:4944
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Modifies registry key
    PID:5548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  PID:5140
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Modifies registry key
    PID:400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  PID:5260
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Modifies registry key
    PID:5992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  PID:1676
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Modifies registry key
    PID:412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  PID:5876
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Modifies registry key
    PID:5092
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  PID:4208
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Modifies registry key
    PID:436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  PID:5832
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Modifies registry key
    PID:1520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  PID:5140
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Modifies registry key
    PID:5700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  PID:3592
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    PID:5732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  PID:5220
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Modifies registry key
    PID:4208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  PID:4464
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Modifies registry key
    PID:1340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  PID:2756
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Modifies registry key
    PID:5040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  PID:5416
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Modifies registry key
    PID:6132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  PID:4476
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    PID:4144
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  PID:1236
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Modifies registry key
    PID:5484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  PID:5880
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Modifies registry key
    PID:1120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  PID:5856
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Modifies registry key
    PID:4632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  PID:564
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Modifies registry key
    PID:3148
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  PID:4872
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Modifies registry key
    PID:6372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  PID:6648
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Modifies registry key
    PID:7024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  PID:7084
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Modifies registry key
    PID:6268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  PID:6196
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    PID:6204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  PID:5672
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Modifies registry key
    PID:6708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  PID:7136
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Modifies registry key
    PID:2516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  PID:6444
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Modifies registry key
    PID:4516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  PID:6824
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Modifies registry key
    PID:6316

C:\Users\Admin\Desktop\PDFSuite20 (1).exe
"C:\Users\Admin\Desktop\PDFSuite20 (1).exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1588

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\Smallpdf.msi"
1⤵
PID:2824

C:\Users\Admin\Desktop\PDFSuite20.exe
"C:\Users\Admin\Desktop\PDFSuite20.exe"
1⤵
PID:2400

C:\Users\Admin\Desktop\PDFSuite20.exe
"C:\Users\Admin\Desktop\PDFSuite20.exe"
1⤵
PID:5084

C:\Users\Admin\Desktop\EternalRocks.exe
"C:\Users\Admin\Desktop\EternalRocks.exe"
1⤵
PID:2572

C:\Users\Admin\Desktop\DriverUpdate.exe
"C:\Users\Admin\Desktop\DriverUpdate.exe"
1⤵
PID:560
- C:\Users\Admin\AppData\Local\Temp\vc_redist.exe
  "C:\Users\Admin\AppData\Local\Temp\vc_redist.exe" /install /quiet /norestart
  2⤵
  PID:5816
- - C:\Windows\Temp\{4E42AB24-2E5E-45EA-A235-87A3645D5ED0}\.cr\vc_redist.exe
    "C:\Windows\Temp\{4E42AB24-2E5E-45EA-A235-87A3645D5ED0}\.cr\vc_redist.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\vc_redist.exe" -burn.filehandle.attached=552 -burn.filehandle.self=576 /install /quiet /norestart
    3⤵
    PID:5356
  - - C:\Windows\Temp\{2E499590-8778-4192-8C4D-48818EA93A9B}\.be\VC_redist.x64.exe
      "C:\Windows\Temp\{2E499590-8778-4192-8C4D-48818EA93A9B}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{CE90A9FB-7502-424E-A51C-DF5631B55F69} {7EA233E1-B6D7-4A58-902A-6C5FAD2C3413} 5356
      4⤵
      PID:2788

C:\Users\Admin\Desktop\Install-GooglePlayGames-Beta.exe
"C:\Users\Admin\Desktop\Install-GooglePlayGames-Beta.exe"
1⤵
PID:4644
- C:\Users\Admin\AppData\Local\Temp\abwqaqlg.che\crashpad_handler.exe
  C:\Users\Admin\AppData\Local\Temp\abwqaqlg.che\crashpad_handler.exe --no-rate-limit "--database=C:\Users\Admin\AppData\Local\Google\Play Games\CrashReporting\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Battlestar --annotation=ver=24.1.1687.0 --initial-client-data=0x66c,0x670,0x674,0x5e0,0x678,0x7ffed11752c8,0x7ffed11752d8,0x7ffed11752e8
  2⤵
  PID:6084

C:\Users\Admin\Desktop\NJRat.exe
"C:\Users\Admin\Desktop\NJRat.exe"
1⤵
PID:4256
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\Desktop\NJRat.exe" "NJRat.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:5124

C:\Users\Admin\Desktop\WarzoneRAT.exe
"C:\Users\Admin\Desktop\WarzoneRAT.exe"
1⤵
PID:4020
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6369.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:5732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:5896

C:\Users\Admin\Desktop\Wave Browser.exe
"C:\Users\Admin\Desktop\Wave Browser.exe"
1⤵
PID:2116

C:\Users\Admin\Desktop\PDFSuite20 (1).exe
"C:\Users\Admin\Desktop\PDFSuite20 (1).exe"
1⤵
PID:4848

C:\Users\Admin\Desktop\NuancePDFReader_English.exe
"C:\Users\Admin\Desktop\NuancePDFReader_English.exe"
1⤵
PID:4536

C:\Users\Admin\Desktop\MEmu-setup-abroad-360-20240322.exe
"C:\Users\Admin\Desktop\MEmu-setup-abroad-360-20240322.exe"
1⤵
PID:408

C:\Users\Admin\Desktop\Nadlote.exe
"C:\Users\Admin\Desktop\Nadlote.exe"
1⤵
PID:5116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
  2⤵
  PID:3292
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
    3⤵
    - Modifies registry key
    PID:3224
- C:\Windows\SysWOW64\CMD.exe
  CMD /C "c:\RECYCLER\smss.exe"
  2⤵
  PID:3436
- - \??\c:\RECYCLER\smss.exe
    c:\RECYCLER\smss.exe
    3⤵
    PID:4580
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
      4⤵
      PID:5888
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f
        5⤵
        Modifies registry key
        
        PID:5676

C:\Users\Admin\Desktop\KLauncher-Installer.exe
"C:\Users\Admin\Desktop\KLauncher-Installer.exe"
1⤵
PID:3200

C:\Users\Admin\Desktop\Install-GooglePlayGames-Beta.exe
"C:\Users\Admin\Desktop\Install-GooglePlayGames-Beta.exe"
1⤵
PID:4912
- C:\Users\Admin\AppData\Local\Temp\sokyswm0.qlq\crashpad_handler.exe
  C:\Users\Admin\AppData\Local\Temp\sokyswm0.qlq\crashpad_handler.exe --no-rate-limit "--database=C:\Users\Admin\AppData\Local\Google\Play Games\CrashReporting\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Battlestar --annotation=ver=24.1.1687.0 --initial-client-data=0x644,0x648,0x64c,0x620,0x650,0x7ffed14652c8,0x7ffed14652d8,0x7ffed14652e8
  2⤵
  PID:6028

C:\Users\Admin\Desktop\DriverUpdate.exe
"C:\Users\Admin\Desktop\DriverUpdate.exe"
1⤵
PID:3112

C:\Users\Admin\Desktop\EternalRocks.exe
"C:\Users\Admin\Desktop\EternalRocks.exe"
1⤵
PID:564

C:\Users\Admin\Desktop\winrar-x64-700.exe
"C:\Users\Admin\Desktop\winrar-x64-700.exe"
1⤵
PID:5200

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:5784

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5792

C:\Users\Admin\AppData\Local\Temp\Temp1_stuff.zip\Birele.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_stuff.zip\Birele.exe"
1⤵
PID:6740
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM explorer.exe
  2⤵
  - Kills process with taskkill
  PID:4940

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_stuff.zip\BobuxGenerator.exe.vbs"
1⤵
PID:6716

C:\Users\Admin\AppData\Local\Temp\Temp1_stuff.zip\Cerber5.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_stuff.zip\Cerber5.exe"
1⤵
PID:3580
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  PID:6372
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall reset
  2⤵
  - Modifies Windows Firewall
  PID:6604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6168 -ip 6168
1⤵
PID:4516

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:6888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\RECYCLER\autorun.INF

Filesize
379B

MD5
cba289891ec7b2f21bda3435f229537b

SHA1
791eb6ade5b072480020f649151d3309d7ef8714

SHA256
34e37c589c9cdfea750288f65d019afee10644722cc520f1e95febc5758fd4f0

SHA512
626b0ccb36d6dbe9c0fd18b3c7a3f0636fc840a7f02b81c7c1883a638044202d979d330efefbe8d891d7ec043c64ddd536beb25994dfbdc66244822a6cc6736f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61

Filesize
299B

MD5
5ae8478af8dd6eec7ad4edf162dd3df1

SHA1
55670b9fd39da59a9d7d0bb0aecb52324cbacc5a

SHA256
fe42ac92eae3b2850370b73c3691ccf394c23ab6133de39f1697a6ebac4bedca

SHA512
a5ed33ecec5eecf5437c14eba7c65c84b6f8b08a42df7f18c8123ee37f6743b0cf8116f4359efa82338b244b28938a6e0c8895fcd7f7563bf5777b7d8ee86296

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
7c230c3b5ad34dff83cec72b02d5ca8d

SHA1
362c6af49c5544c800f76816b77004f7f99c45ad

SHA256
1b1b7f15563cf06dbffa85cd1d4e0c275e338388c1b2ff5bfbcfe9e4136810a5

SHA512
b6fb9125ffde51301c2ff4a0edf327533eb4555132238c1c90790abee2ecf23cced0c6be61044da95ee655abf0fddadec7d0d01206f21217d9f7f144267ef8a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneLaunch Setup.exe

Filesize
4.5MB

MD5
256802b89fd5c1ceeba6175c11422349

SHA1
1c3714c11df07538fc9973bc7da0cc9f8793b0cc

SHA256
85c848cbc02867f7436fd01108e7c8a6ecd292ace8c2bb7b3c081f7f5a0a8a2c

SHA512
fed02e1034bf3d5462ffe25597a19295b342c8c006fdc2c2773b6f560355a75bc041f0d3da59d3f01db82df29f3892f1b1babbf2506089036e49a875c4771cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\abwqaqlg.che\CrashReporting.dll

Filesize
256KB

MD5
a73c670353a840aa4c4904c3dab266f3

SHA1
46d141f56fcffc49409b77c7d56204bfe320036c

SHA256
347421b0d368f29178f7d0d71128731d3d32dd1b15cd2f5706973d34f30b43b1

SHA512
41edb01511211226b3c5096f75aae2f5a93ea8711f9032be49c14185d7fbb00e01934e1ba9bbd716025198e4d3d4f31e684de3f5fbc90f5c3f7259b6966a5691

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
133B

MD5
10ca4bba76803018a30c280fcc1f907e

SHA1
df6af0b7d414774a323ab5cfc1e4af5bcd7c7a7f

SHA256
da27e7f6ec839e25aef165cc13a000284a039c5ffbf7e5574c89f709b172f078

SHA512
9837f60c3318dfc3db12b7b207123d690768e970c4ac542a30c0f82202811281a7f3176640657ef734f8e8739184fab7591a1e3f17a2a0cea78d5ac48effad9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0GBOB.tmp\checkmark-10-light.png

Filesize
363B

MD5
a4d4dc66a41d9c3b54a2ed3ee8d4b3df

SHA1
e91a5e7a6690c14c6f799e2433beb2f6388c4df6

SHA256
46e9c171e2115cd43e5d05f6a5f6015b27bda065fbab939916fee2fd5c06d5a4

SHA512
99d5425aa653b93d0b6065020f88c095c39d982fb20a0ed0078418e8e862a104b4f0392791c79d2df86410a0ba5ba60e644852943a9fc602f7eaf82fecaaefd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0GBOB.tmp\exit-rest.bmp

Filesize
24KB

MD5
b8ad3b36ae539bbb3d8c41faa57fe4f6

SHA1
16e75aa762df3edd1ddcb69b7a0aee196c553e7c

SHA256
33bd571330e590730a52c6880ea744a63b8d5342a0c8bf2df871c41d190d57f0

SHA512
158341605ce52fa2e7ee1bbdfe8a5d4a42115bb1063f4826a560156e0634f1a35a39a65b9a949f2c7ade96b9b592c936309f99e75a9fff4630c40df530322e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0GBOB.tmp\min-10-light.png

Filesize
5KB

MD5
2257b1d0d33a41f509e7c3e117819f8b

SHA1
87583bfbc655aec4e8cc4465b341c3f7889a6317

SHA256
d43e4b285b5b54313b53e87d2a56ca9ba0c85f8f55c9c5fdcdb4fac815ff4d02

SHA512
702d1a126a0a7a64af5cee9450daeed74364aa9e9f123e1bc398ecd4215c082e7f55e43dd292a4119749e84999b015109bff8b11732df11143d202b385411cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3O1AS.tmp\OneLaunch - Easy PDF_bfmsa.tmp

Filesize
1024KB

MD5
7306366232ef692f8cd0588f6ff0f528

SHA1
fc15d7943006ebc4b3f6a5b7b2c0049fa6fa5c2a

SHA256
1202436133f8b105d8650c74069af014477300d052c6f7e5cc5c38db54aa524d

SHA512
1d3631752f7ae6614ba9026896e037529a5d531d6298455cc122d4125b29a72d8061f626382e1cb34abe3da024afcdd917e6366a58b47e95aca917e7e0b4c0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3O1AS.tmp\OneLaunch - Easy PDF_bfmsa.tmp

Filesize
1.1MB

MD5
083756028e06c48d0bc9b7e405bd5d48

SHA1
91c95b6ca4ba375c90b3e72a988512f4d76cbe29

SHA256
e521576ed111da823482ce0a10d1cdbddadec1982d1de2a78a7669fa90ddac68

SHA512
52897fd4670054360af8b8198ffe76103aca89e5aa375dc7ae57a522f35423a959da4465e4990670f6bb079921e1ced6e9cbad12f7cf4f6ab4801013e55774b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FES3D.tmp\Win32Library.dll

Filesize
47KB

MD5
2bc86843519fb3ff164531f172a86c8a

SHA1
06c3375f00d73a387c4c9d1443e68af2e625159c

SHA256
e1673868c355fac124a2ede086d14e91baae9c32e3a3a62f8c9840ac1be3c99a

SHA512
2f8a9aeb329bb13bfe9906df3e4365f36c890c11de4ca05ce6fa0af09ad25ef6253a4ac98bc853aeb88b561b7fe5fe3c0fb6ee439715c6de849c8a403b3c43f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FES3D.tmp\onelaunch.png

Filesize
70KB

MD5
d3110fb775ee7fd24426503d67840c25

SHA1
54f649c8bf3af2ad3a4d92cd8b1397bad1a49a75

SHA256
f8392390dc81756e79ec5f359dbdcac3b4bd219b5188a429b814fc51aabb6e36

SHA512
f6b79f728be17c9060edb2df2dac2b0f59a4dffd8c416e7e957bc3fa4696f4237e5969647309f5425a6297f189e351e20c99c642f90d1476050285929657c32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FES3D.tmp\pdf.png

Filesize
19KB

MD5
485cd5451b6a5e12380aa2e181abf046

SHA1
e1fe4637b2568aa8b26057ba6e653c0d37c8abc8

SHA256
1d227c280d121311a0c7ec32acf8da0ffb34090da2c4c1e47cca701cd8b32c47

SHA512
3dd90236103a52b112bfe4b90ba1bf985fec0d23f70f21ee7b2d677a0f29e929266fb1f2abb37e06a0029448f08e0feb5d4f8612115a7e81b05de0a5875a85f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb3AA4.tmp\inetc.dll

Filesize
44KB

MD5
01e912f4dcc1962e4caf95cf06824bd6

SHA1
ca38906b61417a495ab4a99f87fefd1fcea27b68

SHA256
7de65937b8b6dcebe11e373630b32979dd51dd642f5024c398e235fc603683da

SHA512
156b3efc5656164c06e60a7657829216ce17c607a3ac82858c82ba8c886919b3e36d54df101b5387e5eca967672d30aa0bd081ba9ed322f407e7df45cfa6511b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb3AA4.tmp\nsResize.dll

Filesize
13KB

MD5
826b388ae77158fb430eef40d09e20a4

SHA1
8e121819c77c950cb13767a0eeb76cf19e48eccb

SHA256
0a2387d1acb456406dd83fba1f69cb48532f96a7aedf2e9e128229c66dbaa075

SHA512
5c44c30861b8f2045d0ad3bef298f84a9404ce6b3fbaef8139cf603bff9cdc878b0f87d6184d52bcef7ce7d162148fd77d213c1f8fabefa49d5eed0d88222027

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq2AF6.tmp\LangDLL.dll

Filesize
5KB

MD5
ea60c7bd5edd6048601729bd31362c16

SHA1
6e6919d969eb61a141595014395b6c3f44139073

SHA256
4e72c8b4d36f128b25281440e59e39af7ec2080d02e024f35ac413d769d91f39

SHA512
f9dc35220697153bb06e3a06caf645079881cb75aed008dbe5381ecaf3442d5be03500b36bbca8b3d114845fac3d667ddf4063c16bc35d29bbea862930939993

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq2AF6.tmp\NScurl.dll

Filesize
256KB

MD5
ef8a887af1318bfcb1fd736fe11a8f69

SHA1
7635647ece967f7c19c45dfb9d50d80b2e63a828

SHA256
c92f9f9d328e37babdd5c24608d3b6533d16e1816fdddd3ab6be3815c04530c8

SHA512
af3d1b4c2bb85d8f69fa3eeb54fcfc5c058c85c2985f2d2b3800d6713e83995cb1407a31184a3810323db4fd4985e5f5cc7b30eed747ccc9339bb69a9105bea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq2AF6.tmp\System.dll

Filesize
11KB

MD5
55a26d7800446f1373056064c64c3ce8

SHA1
80256857e9a0a9c8897923b717f3435295a76002

SHA256
904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8

SHA512
04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq2AF6.tmp\UserInfo.dll

Filesize
4KB

MD5
c051c86f6fa84ac87efb0cf3961950a1

SHA1
f18f4bb803099b80a3a013ecb03fea11cff0ac01

SHA256
d0949b4c0640ee6a80db5a7f6d93fc631ed194de197d79bf080ec1752c6f1166

SHA512
6e9de5d07aaed2ac297faa5049d567884d817ed94dece055d96913ac8e497ade6f0ff5c28bae7cc7d3ac41f8795efb9939e6d12061a3c446d5d2a3e2287d49d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq2AF6.tmp\nsDialogs.dll

Filesize
9KB

MD5
ee449b0adce56fbfa433b0239f3f81be

SHA1
ec1e4f9815ea592a3f19b1fe473329b8ddfa201c

SHA256
c1cc3aa4326e83a73a778dee0cf9afcc03a6bafb0a32cea791a27eb9c2288985

SHA512
22fb25bc7628946213e6e970a865d3fbd50d12ce559c37d6848a82c28fa6be09fedffc3b87d5aea8dcfe8dfc4e0f129d9f02e32dae764b8e6a08332b42386686

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq2AF6.tmp\nsResize.dll

Filesize
4KB

MD5
aa849e7407cf349021812f62c001e097

SHA1
4cbb55b1d1dd95dcb7a36b5a44121ad4934539af

SHA256
29b0e5792679756a79d501e3a9b317971b08e876fac1c2476180d0ae83b77ba5

SHA512
4556baa49e8182d72e29e8d809635312142eb127039f5803ca0bf011b4359f0b584a670a3bd26a9969165a332cfa14a39abeaeae0b4d90519f91fdea755c54de

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq2AF6.tmp\nsisdl.dll

Filesize
14KB

MD5
90f7c0f400fdc219ae149ede95c06cfd

SHA1
a39c3bc64c9dc68fbc44d729511b03ed4573e6aa

SHA256
5f9d4b41a10578f98e469466e55feb0141644842a4e246b2cbae6666cebd69a3

SHA512
f9e0476a4078c5435274cf2d8bf00e115e75b37ff3355388c040b1386b604090b85ef3170114d50958ec2f8bc8fab5d3b3ebda30d4c84a0e5d49138e60817272

Download Submit
C:\Users\Admin\AppData\Local\Temp\sokyswm0.qlq\crashpad_handler.exe

Filesize
448KB

MD5
7d005b398093edefe3bb14426935d927

SHA1
6e0c4ba646d81b7b3f70c481890bfc5b9614c93a

SHA256
3d6fece70b73d54d755d7f4c89c1e591cc996226945ecd5bc3ee509abee1870a

SHA512
9311cfea5a72b9a5f1d21992e6804a0788251a5020bb3fc25e3381da325d0a8402c9a9c5a617d49c72441c0a024e8712efbd53c11f972676c91e4ecb2c08fc7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8FD23AA1-4CBD-491C-A8C3-ED30DE4C1095}\0x0409.ini

Filesize
20KB

MD5
36affbd6ff77d1515cfc1c5e998fbaf9

SHA1
950d00ecc2e7fd2c48897814029e8eedf6397838

SHA256
fccc7f79d29318d8ae78850c262bac762c28858709a6e6cf3b62bcd2729a61e3

SHA512
2f29de86d486db783872581a43a834e5064d1488bc3f085ddc5a3287eb9ee8a4ce93d66f7b4965cafb3c4f06b38d4b0fcfdc0fcb1f99d61331a808e5d6011808

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8FD23AA1-4CBD-491C-A8C3-ED30DE4C1095}\_ISMSIDEL.INI

Filesize
1KB

MD5
b12be1fe592d6750b55c02c66dfc9ad8

SHA1
da7af2d450ca630c853b55d72f75c4aebfabb576

SHA256
6ab7a29ca02ec5579c8e922110b745f214c5358b1cbe770c04dbf280fc7f7fd4

SHA512
d74bef56f679b0958729ffce1eb543061fa79774dc7f88b23e0bce821b5e8e783cc199a0a4fd1cb433328af498470ac9f71edc30cf60d252b2c1df2813513913

Download Submit
C:\Users\Admin\AppData\Roaming\jFvfxe.exe

Filesize
321KB

MD5
600e0dbaefc03f7bf50abb0def3fb465

SHA1
1b5f0ac48e06edc4ed8243be61d71077f770f2b4

SHA256
61e6a93f43049712b5f2d949fd233fa8015fe4bef01b9e1285d3d87b12f894f2

SHA512
151eebac8f8f6e72d130114f030f048dff5bce0f99ff8d3a22e8fed7616155b3e87d29acf79f488d6b53ed2c5c9b05b57f76f1f91a568c21fe9bca228efb23d9

Download Submit
C:\Users\Admin\Desktop\DriverUpdate.exe

Filesize
512KB

MD5
9ec68520db69a1bab4f62b4c84ca9a4d

SHA1
60bb138b00d3b8666060f9e9e11e35af0645f5f2

SHA256
4d4a2f042d32e76b2e979730fdfd71c910de92c2373a4a88be3ea62dc957ef1d

SHA512
579beb88c737df98efc392b3c40d5174df0b1a1341d0606033f619388fe84cd8c69efe2b77a64e0c9ac611f8209f4d4fa84e3639772e59899139c1ed2aa6c869

Download Submit
C:\Users\Admin\Desktop\DriverUpdate.exe

Filesize
1.5MB

MD5
57f352259e6a51faf1b09a1cc384526b

SHA1
b2fc8e78846f894a046b2d453199a4a3d132d084

SHA256
9c9993f49f60ee77b2f584c5b003718c517424e6b78b39d592c7317a710bfaa6

SHA512
6aa9f6f6c19c156421f0fed924a8636f1fae256760029d08533d90f3c3ecd588cd6cc3abbd7c0d485688089477dac3abf584352581f5188a7a3fedf590619f6e

Download Submit
C:\Users\Admin\Desktop\EternalRocks.exe

Filesize
512KB

MD5
10c6799fe7e9a0b2e605017468956829

SHA1
c1d3b4f328c9a75d4bea975adcf4224e90605ff1

SHA256
197f366a75317819da44893151b8e0d6b268bc84e936e06f5de08131c2eeba99

SHA512
201985becc926860c09f2113011b63cf430cd15d19713ddd5088a685b14646deb87c8764830dc4596d0d57b5553a4154eb90ad8ab8515abf834caea23c12dc62

Download Submit
C:\Users\Admin\Desktop\EternalRocks.exe

Filesize
2.5MB

MD5
0ab8082704a13958062a0a4b0a41a65d

SHA1
4ff5b34a3e02a148606eaf70ae40790c010d44c0

SHA256
5b199633fec221f6f85cf6cba701d83631f1ea0677c66869ba1037b10a301bf2

SHA512
3f6b8026f86a128a6f9d97a8e33742a1eca30658e50962fde9d6aac370bba77fc1c32196a93802140cf313ace8ddd3d0edc4e2dd87a635f77862d023c3a98d9c

Download Submit
C:\Users\Admin\Desktop\Install-GooglePlayGames-Beta.exe

Filesize
1024KB

MD5
0bc4b9bc62fd2236fcc2a89314deba0a

SHA1
8c395f981a856aa7c570b09a007815ab8d8469cc

SHA256
338f9b9f2ba2db99478bb99d4881c068720ca84ca3d38e90e9f7d33b41100283

SHA512
4b30d297bb7ca35b96aa581b37982ad21a0c0ba0294ade5c13e94f7cf0cbade4d3ac937ce69101a725fe32ae051a549853ee686c86da893f44952d335162f0bc

Download Submit
C:\Users\Admin\Desktop\Install-GooglePlayGames-Beta.exe

Filesize
320KB

MD5
34ff759d2c25775b6de46940d72d09d9

SHA1
536702f93e0aa21173dfa2e0c8d4e11806c5a805

SHA256
39946acab86b6d8cfd7960442d0150bb063d598a607b4c4ef8c222c94d229b28

SHA512
0fe9f340c9fb2c44770be95a7d9ac925462f7fd4a72e40c25a63057e6ca4c6077f1939a78e05661c9ecc8632a4b69ce715e39564654e83d2a903edf0a2b3d16e

Download Submit
C:\Users\Admin\Desktop\Install-GooglePlayGames-Beta.exe

Filesize
2.7MB

MD5
d4d00a02cad10faa8d106b4ed226909a

SHA1
caafefe0a444f9ce60cfcf03162d7ebaa8bcf4cf

SHA256
ac97f80217851fe1ac66990a22a4033e9009d9222b8d6ae961d1a7893fb9d068

SHA512
8c6ac8552eeac47ef8e11805b5de4f0ab346388c32a2e70cb985d5f447ebf4b51436dd6211f5782d87d9dd70c1bee7ac106ec290a5afa6ba379e5781bde87396

Download Submit
C:\Users\Admin\Desktop\KLauncher-Installer.exe

Filesize
5.2MB

MD5
a62557ebcf54067c8dd374530a557e9c

SHA1
028e8d5d3d3d2c9365dce8e43893475c741a87d2

SHA256
3c4bb574dbfa6f89b2297fb5ac462d0119b5916864a9735f808541b3d0d92f5d

SHA512
eebed23761cafb6f51e13de9fd50182fb6cbd47c4d314924e84c8cbe7f7272c2912284fd7828fcbf8f30097ba419b9457a058bb6419c97b7098461a2f0cfb985

Download Submit
C:\Users\Admin\Desktop\MEmu-setup-abroad-360-20240322.exe

Filesize
4.2MB

MD5
b592b53ea7b904563660a552784c4f62

SHA1
7873fccb5d1ee15b6b2c157805ebf7519a8c3abd

SHA256
907160127553761c35f869e932061883ad00594dfb4ab185c8a60d2e8a1707fb

SHA512
c00e7c8f4696b8c551112e8d165456212248840382e4b0673f19604cb48676b094a29c0674213856f50b6ee668084fd573601b379b86355210c5e9037e30474c

Download Submit
C:\Users\Admin\Desktop\MEmu-setup-abroad-360-20240322.exe

Filesize
256KB

MD5
51ecb01c2b62646277fa40fca1773cd1

SHA1
84b2389568cfaf773960e25052b004123b999270

SHA256
8fda75be5dccceba8cc5407942b57eb4da64853a7d45d6ae1322632e215f0052

SHA512
d23471f82d605ad8283e4cc65b0fde1146fd785d2f6f8f130654f9504100a4500ac72a72d6a25179beb2dab23932491df97934cfe50bf6d9272c266e52cb218f

Download Submit
C:\Users\Admin\Desktop\NJRat.exe

Filesize
31KB

MD5
29a37b6532a7acefa7580b826f23f6dd

SHA1
a0f4f3a1c5e159b6e2dadaa6615c5e4eb762479f

SHA256
7a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69

SHA512
a54e2b097ffdaa51d49339bd7d15d6e8770b02603e3c864a13e5945322e28eb2eebc32680c6ddddbad1d9a3001aa02e944b6cef86d4a260db7e4b50f67ac9818

Download Submit
C:\Users\Admin\Desktop\Nadlote.exe

Filesize
240KB

MD5
57aecbcdcb3a5ad31ac07c5a62b56085

SHA1
a443c574f039828d237030bc18895027ca780337

SHA256
ab020413dce53c9d57cf22d75eaf1339d72252d5316617a935149e02fee42fd3

SHA512
7921f184411f898a78c7094176fa47368b1c6ba7d6a3f58df4332e6865325287f25622f1d13765fd08d499d34974461b2ee81319adc24ce3901cc72d132b3027

Download Submit
C:\Users\Admin\Desktop\NetWire.exe

Filesize
576KB

MD5
6606f195220dba28b5187b45522bb21c

SHA1
2f15dba9ecc2c69a2920dc192f0ac6c974f398f5

SHA256
d6f5e333aa4ded6d21381c83c6aec7a1fb857ac31e182aaad32aa821fd671494

SHA512
498407c2b58bac5e6c16665fcaab3b6ae801f5743e5b791e5cd45fa18dc6e66a097162ae9cc9127a0b9bc6003e0e73fc11ba48c63b1733566ad133183b238129

Download Submit
C:\Users\Admin\Desktop\NetWire.exe

Filesize
1.2MB

MD5
7621f79a7f66c25ad6c636d5248abeb9

SHA1
98304e41f82c3aee82213a286abdee9abf79bcce

SHA256
086d35f26bd2fd886e99744960b394d94e74133c40145a3e2bc6b3877b91ec5d

SHA512
59ffcf6eeac00c089e9c77192663d0dc97b2e62cedb6d64fe7dc2e67499abc34e33977e05113c9d39ca6d3e37e8b5c3e6aa926c8526215808b147c0152f7dbfd

Download Submit
C:\Users\Admin\Desktop\NuancePDFReader_English.exe

Filesize
4.3MB

MD5
66a970b048976e57dee0a77bfa117c88

SHA1
b1ab898d4658e4a92c4c9c07ba21bb89d0efba57

SHA256
ea1227a7f51c476c5a9e47de554f652ea0c7f41d323deefe704d622e96ba3e73

SHA512
7eede9801b4a6368b194b32174121826839f372f75e04c2517fdd1084b2939cc3a2642a6fdc8987fb65e88c1d25fa80ef627b2fbcfc140b2b3f973b8b576c555

Download Submit
C:\Users\Admin\Desktop\NuancePDFReader_English.exe

Filesize
4.4MB

MD5
3bc8490dc26152d19d19cdd94eeb5f7f

SHA1
139634d48a96fcec15adf260e4505e78b8b0e899

SHA256
87b28703fc635c492fe962f70c397f5fac145af266c2b61859d08840bb25e1be

SHA512
b2c90d8e95865bb0907a31c54a54fe5f24dbb7bbc72c33af9496db10623ae2c5cead3597b5f1b0672b4249769d2bb3b44072328ce6c1e39a9f0a9ebd8bf8b824

Download Submit
C:\Users\Admin\Desktop\OneLaunch - Easy PDF_bfmsa.exe

Filesize
3.0MB

MD5
3c90ce6679d9f5050f89748628c40827

SHA1
9eec812e52f507375bcaf1da72fef425bb2e0dc6

SHA256
bc58fa3021325200837b14b0a696abd43c7a93237aaddcb3053b0049a9db3c9b

SHA512
a93b9ce236664f837c70ddbeb24478df3cb295adac766537936cec5ed7d947ae7f3d6b88262848946d4fbebed77b910b8e5b7d58edc48381bbbb892a79dacac5

Download Submit
C:\Users\Admin\Desktop\OneLaunch - Easy PDF_bfmsa.exe

Filesize
2.6MB

MD5
3ede7a1837ed44b0f9f6754436dbe9be

SHA1
f5a824d30fd1f45a4cb9c3ab430ee961454b7283

SHA256
674811ea068508a4858f9efcf0d0955692b0a82ac12f87b1064f2552036fe9ae

SHA512
601fbeff1b5b7ef5eca6183a3856c917440b1f843644880941be832ca607210834739b0ebe9cf17828322ee7d0b42507ac96a49b18ca332428fe750103d87e0a

Download Submit
C:\Users\Admin\Desktop\PDFSuite20 (1).exe

Filesize
832KB

MD5
85a2d32e32a9d181c277a29f671789e5

SHA1
5a18e42857ae3e28e298c170c1d71c3edeed89f2

SHA256
d6c11421eec88ce0f9df553479c3313d74af0f636218675e5080b4562d3b67ad

SHA512
9d26ae0c30ba378ce4cbb0955e9da121248b9d0d7e0f756c4df3ce8e9c5bf12e239aac8d76ebc80a226a44ee2cfc30b7f1153c4ab6b4b87c7eec4925a52983b5

Download Submit
C:\Users\Admin\Desktop\PDFSuite20 (1).exe

Filesize
395KB

MD5
c31a09bbf2eed54b31555fae2668f7e9

SHA1
0fbb2e3539b973a6bbd0b7c4045c449c89d41aee

SHA256
542466551cd2d637715d340ee1c555c685977db8699e802245aaf16edda6cd79

SHA512
30741a4ecd43f89bcde7e0614127469b82c19ed4967da5979846cf94c4c1d32fda625679c85c25fcc9f37cf1c34b7f3270995424d428a96670c32adeec65faf0

Download Submit
C:\Users\Admin\Desktop\PDFSuite20 (1).exe

Filesize
5.2MB

MD5
ee71266b00ab40d9e530a11e7a93d5b5

SHA1
17ac24f8a6cc953f95f6bab93bdc14378862f0a3

SHA256
2f1f11d27f3ffc8b951208057b8cb0a43fc0ac0e7e721384bec13fca06b8c140

SHA512
af3438d77dbf31c0c6e0828d0f5cfc31cd63c49e7d4613386973332a20b62601d3155d2ad686f0fa21c1cd6e1014ce4b087e6c8ecddc029ce4a323bd0a3852d2

Download Submit
C:\Users\Admin\Desktop\PDFSuite20.exe

Filesize
896KB

MD5
84363000b7649e2e07e88f16f208c15d

SHA1
9aa78e6886374629ada8ae93573ffa6cde2e82c9

SHA256
dae20f5bf0146b65d0ff766b25b332c2e17c497ccf2d147b775f620c56340e70

SHA512
4c1c9e63ce16eedb192ae25a1a35a9e30387c8cfbed9ce9467da4d8e936d2a9dff6d48a1db0eb1c7b5f4d2582a63986a6e46d899b4c6a28db9f9893a391f46bf

Download Submit
C:\Users\Admin\Desktop\PDFSuite20.exe

Filesize
512KB

MD5
d98fc562b0155d13daf0e3318f974ec0

SHA1
d5f6a9a7785d1a281c113d51307a268ac50befb8

SHA256
ca6fc5893769ff5e92eb2bc699dca049deba2c4fb0e5978c71ffe32748387283

SHA512
849e94e8b006d5bd72b4869ab4d34dfd7c72e30995021453639692cc3e0a0a74fa2759a1ef9e538bea13ce303f1fcfde61d5764b7a37057e43e4f696ddd3c815

Download Submit
C:\Users\Admin\Desktop\PDFSuite20.exe

Filesize
1.4MB

MD5
bb29c1770b461f2e1ea717624647f126

SHA1
764661b4f26a245c04550cb46e4b2d0bdd535755

SHA256
8520816a89e96a2adf03139d0888b774815390b5bc69c7a73b4a0d9d188dff3f

SHA512
a625607a999be67963f8f196c9d235e67e0894b367285809555153e71d00eb4947a341112e174c1d5f4cc18d21f7196130435c7d85b14557158f3c35f0895ff9

Download Submit
C:\Users\Admin\Desktop\PDFSuite20.exe

Filesize
1.6MB

MD5
8443c1b6c1f2a8a81649bdeccb3ba8ac

SHA1
d3be2606fb24e1e23c695736108a5eb3a15a3579

SHA256
9feaaf08f94fc74ad6b187e7d3ba32706f9158ced925b1627c2e9d2ab9253924

SHA512
339aaaa06b8bcaec03a1353678e6f4446e5945ecc8fdc11cf70115b79910e635ec150ff7f7e86945309b906280444adc07f785d9081a68d02b7207bc454948f3

Download Submit
C:\Users\Admin\Desktop\Remcos.exe

Filesize
92KB

MD5
fb598b93c04baafe98683dc210e779c9

SHA1
c7ccd43a721a508b807c9bf6d774344df58e752f

SHA256
c851749fd6c9fa19293d8ee2c5b45b3dc8561115ddfe7166fbaefcb9b353b7c4

SHA512
1185ffe7e296eaaae50b7bd63baa6ffb8f5e76d4a897cb3800cead507a67c4e5075e677abdbf9831f3f81d01bdf1c06675a7c21985ef20a4bae5a256fd41cc0f

Download Submit
C:\Users\Admin\Desktop\Smallpdf.msi

Filesize
704KB

MD5
744de052403ccce52e3f672c4ae6e80d

SHA1
b20bb7f3318ace9fe0d3e48419301a7d7d688bf6

SHA256
08bbea547d378fde7d28dc7a870d5eba49b8b1101ca669836f63dabf9f063b47

SHA512
27e01d2a609734e8efafca91d875815eb6e6c5db3f14594c37eecf02dae1035eefb6d755f22286a55e86a9325abe647e8568fb0e1ec99b05242cca83052a1141

Download Submit
C:\Users\Admin\Desktop\WarzoneRAT.exe

Filesize
313KB

MD5
5aa7b008167e2e553f073cbbd75ee98c

SHA1
fc0cdcc02914c0efe6509bb259a1f1984346e67d

SHA256
528bc2ffb03e28d839c27393d886957971be00ab3ee7c45af0caa14da8474043

SHA512
41b5a3d9d907bdf255b2d3db2228a67520a2fc5b1cc9bb3322d54c06f11395856d8e4535ec9cae26213bd8f21a4ec90bc17d21d9d72c259443c85a58cf1ae99e

Download Submit
C:\Users\Admin\Desktop\WarzoneRAT.exe

Filesize
64KB

MD5
e6321792a20fe1948ef42faff6e4807e

SHA1
a67fb7bd027bc2fd6b41029c8d37a334c0db7b04

SHA256
23f93ae15c449a310e9df1fb06b89e513268181af05cc63c1fc609cd6da9065b

SHA512
7062c495f9bff5757e052533eaf4dbd0c271cfec778bf7de2d247c77c2b820b6015450a26e9a31fc269590cbefc85fcd1fb8bc74ffe0d4f3b46e90c144ebf6ee

Download Submit
C:\Users\Admin\Desktop\Wave Browser.exe

Filesize
256KB

MD5
cc3e37ba0be915bc8b7fcd6de3502f57

SHA1
70f95c1e493e83370328fe469285d47f1b6ff255

SHA256
15d8e9795f032361b73a0362c39aacc3458e294b55e0eb5a611767705751fcc3

SHA512
d2f3d9ac91e0eab821ca8468bdc2e9f2acfd42a6740660368b085c460f5393ee6f9555fe143ad478666cf83ac3f6b0dce57015297d6142dd27f4ba3430d74e77

Download Submit
C:\Windows\Temp\{2E499590-8778-4192-8C4D-48818EA93A9B}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{2E499590-8778-4192-8C4D-48818EA93A9B}\.be\VC_redist.x64.exe

Filesize
128KB

MD5
032cbdca6bc6a3cd6f3c45d7a4ebcb11

SHA1
aae70bd1e3326b82a886dc6f844fbe76e93b44e7

SHA256
5ef6feff56d1bb747cabe553c481ac2661a7763b0e1938d0107d82d9c614ac1d

SHA512
56e0b200d6da1769bdeda39ba0332366196196c0a538434df1c818c152c57791b7c90c8c2f8717ff094d8d7bee75abac49aee44a15fd8e6586041efe84084a77

Download Submit
memory/332-307-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/332-123-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/332-121-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/468-105-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/560-320-0x000000006D5D0000-0x000000006D5D9000-memory.dmp

Filesize
36KB

Download
memory/560-342-0x000000006EAC0000-0x000000006EE5A000-memory.dmp

Filesize
3.6MB

Download
memory/564-381-0x0000000001450000-0x0000000001460000-memory.dmp

Filesize
64KB

Download
memory/564-394-0x00007FFED6220000-0x00007FFED6BC1000-memory.dmp

Filesize
9.6MB

Download
memory/564-583-0x00007FFED6220000-0x00007FFED6BC1000-memory.dmp

Filesize
9.6MB

Download
memory/564-380-0x00007FFED6220000-0x00007FFED6BC1000-memory.dmp

Filesize
9.6MB

Download
memory/2116-927-0x000000006D8F0000-0x000000006D8F9000-memory.dmp

Filesize
36KB

Download
memory/2116-913-0x000000006D8C0000-0x000000006D8C9000-memory.dmp

Filesize
36KB

Download
memory/2180-156-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2180-101-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/2572-167-0x00007FFED6220000-0x00007FFED6BC1000-memory.dmp

Filesize
9.6MB

Download
memory/2572-505-0x000000001C6C0000-0x000000001CB8E000-memory.dmp

Filesize
4.8MB

Download
memory/2572-919-0x000000001DE90000-0x000000001DF2C000-memory.dmp

Filesize
624KB

Download
memory/2572-171-0x00000000013D0000-0x00000000013E0000-memory.dmp

Filesize
64KB

Download
memory/2572-486-0x000000001BB00000-0x000000001BF2E000-memory.dmp

Filesize
4.2MB

Download
memory/2572-916-0x000000001D8E0000-0x000000001DDEE000-memory.dmp

Filesize
5.1MB

Download
memory/2572-178-0x00007FFED6220000-0x00007FFED6BC1000-memory.dmp

Filesize
9.6MB

Download
memory/3080-220-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3080-109-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3200-322-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/3200-409-0x0000000000470000-0x0000000000CB5000-memory.dmp

Filesize
8.3MB

Download
memory/4020-559-0x0000000070EF0000-0x00000000716A0000-memory.dmp

Filesize
7.7MB

Download
memory/4020-323-0x0000000005B50000-0x0000000005BE2000-memory.dmp

Filesize
584KB

Download
memory/4020-369-0x0000000005A40000-0x0000000005A50000-memory.dmp

Filesize
64KB

Download
memory/4020-205-0x0000000000E40000-0x0000000000E96000-memory.dmp

Filesize
344KB

Download
memory/4020-374-0x0000000005EA0000-0x0000000005EC8000-memory.dmp

Filesize
160KB

Download
memory/4020-372-0x0000000005F40000-0x0000000005FDC000-memory.dmp

Filesize
624KB

Download
memory/4020-215-0x0000000070EF0000-0x00000000716A0000-memory.dmp

Filesize
7.7MB

Download
memory/4020-280-0x0000000006100000-0x00000000066A4000-memory.dmp

Filesize
5.6MB

Download
memory/4020-344-0x0000000005840000-0x0000000005848000-memory.dmp

Filesize
32KB

Download
memory/4256-437-0x0000000071740000-0x0000000071CF1000-memory.dmp

Filesize
5.7MB

Download
memory/4256-184-0x0000000071740000-0x0000000071CF1000-memory.dmp

Filesize
5.7MB

Download
memory/4256-181-0x0000000000A10000-0x0000000000A20000-memory.dmp

Filesize
64KB

Download
memory/4480-574-0x00000000063A0000-0x00000000063B4000-memory.dmp

Filesize
80KB

Download
memory/4480-126-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/4480-276-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/4480-892-0x0000000070EF0000-0x00000000716A0000-memory.dmp

Filesize
7.7MB

Download
memory/4480-883-0x00000000039B0000-0x00000000039C0000-memory.dmp

Filesize
64KB

Download
memory/4480-576-0x0000000073930000-0x0000000073944000-memory.dmp

Filesize
80KB

Download
memory/4480-428-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/4580-769-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4644-370-0x000001A81F7C0000-0x000001A81F7C8000-memory.dmp

Filesize
32KB

Download
memory/4644-905-0x000001A838120000-0x000001A838130000-memory.dmp

Filesize
64KB

Download
memory/4644-225-0x000001A81DEF0000-0x000001A81DF12000-memory.dmp

Filesize
136KB

Download
memory/4644-177-0x000001A81D800000-0x000001A81DAB0000-memory.dmp

Filesize
2.7MB

Download
memory/4644-213-0x000001A81DE50000-0x000001A81DE5A000-memory.dmp

Filesize
40KB

Download
memory/4644-343-0x000001A8382B0000-0x000001A838328000-memory.dmp

Filesize
480KB

Download
memory/4644-221-0x000001A81DE60000-0x000001A81DE6A000-memory.dmp

Filesize
40KB

Download
memory/4644-407-0x00007FFED4510000-0x00007FFED4FD1000-memory.dmp

Filesize
10.8MB

Download
memory/4644-740-0x000001A838DB0000-0x000001A838DE8000-memory.dmp

Filesize
224KB

Download
memory/4644-274-0x000001A81DF10000-0x000001A81DF1E000-memory.dmp

Filesize
56KB

Download
memory/4644-904-0x000001A838120000-0x000001A838130000-memory.dmp

Filesize
64KB

Download
memory/4644-238-0x000001A8381A0000-0x000001A8382AE000-memory.dmp

Filesize
1.1MB

Download
memory/4644-186-0x000001A81F6D0000-0x000001A81F786000-memory.dmp

Filesize
728KB

Download
memory/4644-450-0x000001A838120000-0x000001A838130000-memory.dmp

Filesize
64KB

Download
memory/4644-341-0x000001A81F790000-0x000001A81F7B4000-memory.dmp

Filesize
144KB

Download
memory/4644-348-0x000001A838330000-0x000001A8383B8000-memory.dmp

Filesize
544KB

Download
memory/4644-521-0x000001A838560000-0x000001A838568000-memory.dmp

Filesize
32KB

Download
memory/4912-371-0x0000024359D10000-0x0000024359D20000-memory.dmp

Filesize
64KB

Download
memory/4912-912-0x0000024359D10000-0x0000024359D20000-memory.dmp

Filesize
64KB

Download
memory/4912-926-0x0000024359D10000-0x0000024359D20000-memory.dmp

Filesize
64KB

Download
memory/4912-745-0x000002435DFF0000-0x000002435DFFE000-memory.dmp

Filesize
56KB

Download
memory/4912-426-0x000002435A080000-0x000002435A13A000-memory.dmp

Filesize
744KB

Download
memory/4912-636-0x000002435DFA0000-0x000002435DFA8000-memory.dmp

Filesize
32KB

Download
memory/4912-462-0x00007FFED4510000-0x00007FFED4FD1000-memory.dmp

Filesize
10.8MB

Download
memory/5116-240-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5116-423-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5328-466-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5896-915-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads