faed8c71e4afe13edae93ca29791241ab2e7e0b3b87233d768e0dd4ae842d63d

Analysis

max time kernel
440s
max time network
442s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16/07/2024, 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dad.bat
Size

228B
MD5

2f0aebea21c04a35e6f56ddcae78734e
SHA1

98652f25db92e6a482365fe46101a1e50703ea41
SHA256

faed8c71e4afe13edae93ca29791241ab2e7e0b3b87233d768e0dd4ae842d63d
SHA512

ccbd783ec131bf48685ae110c99b2e90a0b708ae5e245bf2abf12b6158ad3ae1631613e2401676ef9f25068e391ed02a0c2aea3ff4127f79d36ddf3bdbf5ea58

Score

1^/10

Malware Config

Signatures

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
13272	taskkill.exe
10608	taskkill.exe
8896	taskkill.exe
11864	taskkill.exe
12960	taskkill.exe
12492	taskkill.exe
12264	taskkill.exe
11736	taskkill.exe
12596	taskkill.exe
9812	taskkill.exe
4796	taskkill.exe
9752	taskkill.exe
10968	taskkill.exe
13220	taskkill.exe
6860	taskkill.exe
8532	taskkill.exe
4440	taskkill.exe
11656	taskkill.exe
4236	taskkill.exe
532	taskkill.exe
6372	taskkill.exe
10968	taskkill.exe
10972	taskkill.exe
4760	taskkill.exe
7200	taskkill.exe
12392	taskkill.exe
11856	taskkill.exe
10608	taskkill.exe
11284	taskkill.exe
12492	taskkill.exe
5964	taskkill.exe
7692	taskkill.exe
1124	taskkill.exe
10736	taskkill.exe
4580	taskkill.exe
10780	taskkill.exe
10508	taskkill.exe
10468	taskkill.exe
12944	taskkill.exe
7572	taskkill.exe
11496	taskkill.exe
11568	taskkill.exe
12284	taskkill.exe
5584	taskkill.exe
6248	taskkill.exe
12744	taskkill.exe
11736	taskkill.exe
3028	taskkill.exe
3416	taskkill.exe
8644	taskkill.exe
9060	taskkill.exe
12960	taskkill.exe
7044	taskkill.exe
6236	taskkill.exe
7456	taskkill.exe
11684	taskkill.exe
12324	taskkill.exe
10468	taskkill.exe
13080	taskkill.exe
9472	taskkill.exe
3484	taskkill.exe
10360	taskkill.exe
11088	taskkill.exe
11692	taskkill.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1196	powershell.exe
1196	powershell.exe
4420	powershell.exe
4420	powershell.exe
1196	powershell.exe
1820	powershell.exe
1820	powershell.exe
4420	powershell.exe
1820	powershell.exe
1820	powershell.exe
1784	powershell.exe
1784	powershell.exe
1784	powershell.exe
1784	powershell.exe
4932	powershell.exe
4932	powershell.exe
5500	powershell.exe
5500	powershell.exe
5576	powershell.exe
5576	powershell.exe
6104	powershell.exe
6104	powershell.exe
4932	powershell.exe
4932	powershell.exe
5500	powershell.exe
5500	powershell.exe
5576	powershell.exe
5576	powershell.exe
6104	powershell.exe
6104	powershell.exe
2208	powershell.exe
2208	powershell.exe
4828	powershell.exe
1296	powershell.exe
1296	powershell.exe
4828	powershell.exe
1588	powershell.exe
1588	powershell.exe
5824	powershell.exe
5824	powershell.exe
2448	powershell.exe
2448	powershell.exe
6440	powershell.exe
6440	powershell.exe
6700	powershell.exe
6700	powershell.exe
5764	powershell.exe
5764	powershell.exe
6616	powershell.exe
6616	powershell.exe
5396	powershell.exe
5396	powershell.exe
1296	powershell.exe
1296	powershell.exe
7516	powershell.exe
7516	powershell.exe
7608	powershell.exe
7608	powershell.exe
6860	powershell.exe
6860	powershell.exe
8096	powershell.exe
8096	powershell.exe
8104	powershell.exe
8104	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	532	taskkill.exe
Token: SeDebugPrivilege	4760	taskkill.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	4420	powershell.exe
Token: SeDebugPrivilege	3028	taskkill.exe
Token: SeDebugPrivilege	1836	taskkill.exe
Token: SeDebugPrivilege	3640	taskkill.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	4908	taskkill.exe
Token: SeDebugPrivilege	4580	taskkill.exe
Token: SeDebugPrivilege	3428	taskkill.exe
Token: SeDebugPrivilege	2136	taskkill.exe
Token: SeDebugPrivilege	3484	taskkill.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	2344	taskkill.exe
Token: SeDebugPrivilege	4796	taskkill.exe
Token: SeDebugPrivilege	736	taskkill.exe
Token: SeDebugPrivilege	5352	taskkill.exe
Token: SeDebugPrivilege	5428	taskkill.exe
Token: SeDebugPrivilege	5584	taskkill.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeDebugPrivilege	5964	taskkill.exe
Token: SeDebugPrivilege	6372	taskkill.exe
Token: SeDebugPrivilege	5500	powershell.exe
Token: SeDebugPrivilege	6500	taskkill.exe
Token: SeDebugPrivilege	6388	taskkill.exe
Token: SeDebugPrivilege	5576	powershell.exe
Token: SeDebugPrivilege	6632	taskkill.exe
Token: SeDebugPrivilege	6688	taskkill.exe
Token: SeDebugPrivilege	6104	powershell.exe
Token: SeDebugPrivilege	6860	taskkill.exe
Token: SeDebugPrivilege	7044	taskkill.exe
Token: SeDebugPrivilege	6948	taskkill.exe
Token: SeDebugPrivilege	5964	taskkill.exe
Token: SeDebugPrivilege	6236	taskkill.exe
Token: SeDebugPrivilege	7200	taskkill.exe
Token: SeDebugPrivilege	7456	taskkill.exe
Token: SeDebugPrivilege	7660	taskkill.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	6616	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	5824	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	5396	powershell.exe
Token: SeDebugPrivilege	7572	taskkill.exe
Token: SeDebugPrivilege	7624	taskkill.exe
Token: SeDebugPrivilege	6440	powershell.exe
Token: SeDebugPrivilege	7692	taskkill.exe
Token: SeDebugPrivilege	6700	powershell.exe
Token: SeDebugPrivilege	5764	powershell.exe
Token: SeDebugPrivilege	3888	taskkill.exe
Token: SeDebugPrivilege	7516	powershell.exe
Token: SeDebugPrivilege	3416	taskkill.exe
Token: SeDebugPrivilege	8644	taskkill.exe
Token: SeDebugPrivilege	7608	powershell.exe
Token: SeDebugPrivilege	8964	taskkill.exe
Token: SeDebugPrivilege	9060	taskkill.exe
Token: SeDebugPrivilege	6860	powershell.exe
Token: SeDebugPrivilege	8096	powershell.exe
Token: SeDebugPrivilege	9204	taskkill.exe
Token: SeDebugPrivilege	8480	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 544	224	cmd.exe	85
PID 224 wrote to memory of 544	224	cmd.exe	85
PID 224 wrote to memory of 3232	224	cmd.exe	86
PID 224 wrote to memory of 3232	224	cmd.exe	86
PID 224 wrote to memory of 1196	224	cmd.exe	88
PID 224 wrote to memory of 1196	224	cmd.exe	88
PID 224 wrote to memory of 5084	224	cmd.exe	90
PID 224 wrote to memory of 5084	224	cmd.exe	90
PID 224 wrote to memory of 532	224	cmd.exe	92
PID 224 wrote to memory of 532	224	cmd.exe	92
PID 3232 wrote to memory of 2096	3232	cmd.exe	93
PID 3232 wrote to memory of 2096	3232	cmd.exe	93
PID 3232 wrote to memory of 4512	3232	cmd.exe	94
PID 3232 wrote to memory of 4512	3232	cmd.exe	94
PID 3232 wrote to memory of 4420	3232	cmd.exe	95
PID 3232 wrote to memory of 4420	3232	cmd.exe	95
PID 3232 wrote to memory of 2964	3232	cmd.exe	96
PID 3232 wrote to memory of 2964	3232	cmd.exe	96
PID 3232 wrote to memory of 4760	3232	cmd.exe	97
PID 3232 wrote to memory of 4760	3232	cmd.exe	97
PID 4512 wrote to memory of 3088	4512	cmd.exe	102
PID 4512 wrote to memory of 3088	4512	cmd.exe	102
PID 4512 wrote to memory of 5024	4512	cmd.exe	103
PID 4512 wrote to memory of 5024	4512	cmd.exe	103
PID 4512 wrote to memory of 1820	4512	cmd.exe	105
PID 4512 wrote to memory of 1820	4512	cmd.exe	105
PID 4512 wrote to memory of 1632	4512	cmd.exe	106
PID 4512 wrote to memory of 1632	4512	cmd.exe	106
PID 4512 wrote to memory of 3028	4512	cmd.exe	138
PID 4512 wrote to memory of 3028	4512	cmd.exe	138
PID 5024 wrote to memory of 4100	5024	cmd.exe	110
PID 5024 wrote to memory of 4100	5024	cmd.exe	110
PID 5024 wrote to memory of 2736	5024	cmd.exe	111
PID 5024 wrote to memory of 2736	5024	cmd.exe	111
PID 5024 wrote to memory of 2448	5024	cmd.exe	112
PID 5024 wrote to memory of 2448	5024	cmd.exe	112
PID 5024 wrote to memory of 740	5024	cmd.exe	113
PID 5024 wrote to memory of 740	5024	cmd.exe	113
PID 5024 wrote to memory of 1836	5024	cmd.exe	114
PID 5024 wrote to memory of 1836	5024	cmd.exe	114
PID 224 wrote to memory of 3640	224	cmd.exe	118
PID 224 wrote to memory of 3640	224	cmd.exe	118
PID 3232 wrote to memory of 4908	3232	cmd.exe	119
PID 3232 wrote to memory of 4908	3232	cmd.exe	119
PID 2736 wrote to memory of 4372	2736	cmd.exe	120
PID 2736 wrote to memory of 4372	2736	cmd.exe	120
PID 2736 wrote to memory of 2356	2736	cmd.exe	121
PID 2736 wrote to memory of 2356	2736	cmd.exe	121
PID 2736 wrote to memory of 1784	2736	cmd.exe	122
PID 2736 wrote to memory of 1784	2736	cmd.exe	122
PID 2736 wrote to memory of 1036	2736	cmd.exe	123
PID 2736 wrote to memory of 1036	2736	cmd.exe	123
PID 2736 wrote to memory of 4580	2736	cmd.exe	124
PID 2736 wrote to memory of 4580	2736	cmd.exe	124
PID 4512 wrote to memory of 3428	4512	cmd.exe	125
PID 4512 wrote to memory of 3428	4512	cmd.exe	125
PID 224 wrote to memory of 548	224	cmd.exe	129
PID 224 wrote to memory of 548	224	cmd.exe	129
PID 224 wrote to memory of 1972	224	cmd.exe	130
PID 224 wrote to memory of 1972	224	cmd.exe	130
PID 224 wrote to memory of 2208	224	cmd.exe	131
PID 224 wrote to memory of 2208	224	cmd.exe	131
PID 224 wrote to memory of 4644	224	cmd.exe	132
PID 224 wrote to memory of 4644	224	cmd.exe	132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dad.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:224
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K dad.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3232
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:2096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K dad.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4512
  - - C:\Windows\system32\notepad.exe
      notepad.exe
      4⤵
      PID:3088
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K dad.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5024
    - - C:\Windows\system32\notepad.exe
        
        notepad.exe
        5⤵
        
        PID:4100
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Windows\system32\notepad.exe
        
        notepad.exe
        6⤵
        
        PID:4372
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        6⤵
        
        PID:2356
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        7⤵
        
        PID:2612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        7⤵
        
        PID:3820
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:5800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        8⤵
        
        PID:5616
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        9⤵
        
        PID:7492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        9⤵
        
        PID:8124
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        10⤵
        
        PID:9928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        10⤵
        
        PID:10124
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        11⤵
        
        PID:9436
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        11⤵
        Kills process with taskkill
        
        PID:13220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        10⤵
        
        PID:10772
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        10⤵
        
        PID:11108
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        10⤵
        
        PID:12452
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        10⤵
        Kills process with taskkill
        
        PID:12324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        10⤵
        
        PID:13288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:9752
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        10⤵
        
        PID:10972
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        10⤵
        Kills process with taskkill
        
        PID:4440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        9⤵
        
        PID:2044
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        9⤵
        
        PID:8936
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        9⤵
        
        PID:3848
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        9⤵
        
        PID:11552
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        9⤵
        
        PID:12388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        9⤵
        
        PID:12512
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        9⤵
        
        PID:12452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6440
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:6880
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:7200
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        8⤵
        Kills process with taskkill
        
        PID:8532
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:11940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        8⤵
        
        PID:12820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        8⤵
        
        PID:12004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:13164
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:12940
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        8⤵
        
        PID:11556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        8⤵
        
        PID:4288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:11936
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 11936 -s 288
        10⤵
        
        PID:10296
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:2188
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        8⤵
        Kills process with taskkill
        
        PID:12492
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        8⤵
        Kills process with taskkill
        
        PID:13272
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5372
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5428
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6948
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        7⤵
        
        PID:9176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        7⤵
        
        PID:3704
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:11720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        8⤵
        
        PID:12492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        8⤵
        
        PID:13268
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:11868
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        8⤵
        Kills process with taskkill
        
        PID:10468
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        8⤵
        
        PID:8904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        7⤵
        
        PID:9524
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8884
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        7⤵
        Kills process with taskkill
        
        PID:10780
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:11088
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:9812
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:1036
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4580
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4796
      - C:\Windows\system32\notepad.exe
        
        notepad.exe
        6⤵
        
        PID:6132
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        6⤵
        
        PID:5420
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        7⤵
        
        PID:7592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        7⤵
        
        PID:7600
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:9648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        8⤵
        
        PID:9572
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        9⤵
        
        PID:11728
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        9⤵
        
        PID:11132
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        9⤵
        Kills process with taskkill
        
        PID:11656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        8⤵
        
        PID:10596
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:10492
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        8⤵
        Kills process with taskkill
        
        PID:11568
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        8⤵
        
        PID:12724
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:9668
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        8⤵
        
        PID:1252
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:7608
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7652
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7660
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:8896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        7⤵
        
        PID:12372
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:12264
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        7⤵
        
        PID:11736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        7⤵
        
        PID:11548
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        7⤵
        
        PID:9284
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        7⤵
        Kills process with taskkill
        
        PID:6248
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5396
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:6420
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:7044
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3416
      - C:\Windows\system32\notepad.exe
        
        notepad.exe
        6⤵
        
        PID:9784
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        6⤵
        
        PID:11832
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        7⤵
        
        PID:12776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        7⤵
        
        PID:10296
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:12492
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        6⤵
        
        PID:12588
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        6⤵
        
        PID:11712
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        6⤵
        
        PID:9640
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:12632
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        6⤵
        Kills process with taskkill
        
        PID:4236
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        6⤵
        Kills process with taskkill
        
        PID:12960
      - C:\Windows\system32\notepad.exe
        
        notepad.exe
        6⤵
        
        PID:13008
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        6⤵
        
        PID:9284
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        6⤵
        
        PID:11132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:11612
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:9404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:12644
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        6⤵
        
        PID:12584
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 12584 -s 656
        7⤵
        
        PID:12860
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        6⤵
        
        PID:10092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:740
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3484
    - - C:\Windows\system32\notepad.exe
        
        notepad.exe
        5⤵
        
        PID:5236
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        5⤵
        
        PID:5276
      - C:\Windows\system32\notepad.exe
        
        notepad.exe
        6⤵
        
        PID:6596
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        6⤵
        
        PID:6604
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        7⤵
        
        PID:7824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        7⤵
        
        PID:6688
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:10036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        8⤵
        
        PID:9304
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        9⤵
        
        PID:11636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        8⤵
        
        PID:10952
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:11408
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        8⤵
        
        PID:12680
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        8⤵
        
        PID:13300
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        8⤵
        
        PID:11736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        7⤵
        
        PID:8548
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7424
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        7⤵
        
        PID:9240
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        7⤵
        
        PID:11676
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        7⤵
        
        PID:12292
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        7⤵
        
        PID:11088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        8⤵
        
        PID:12520
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:11672
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:10376
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        7⤵
        Kills process with taskkill
        
        PID:10968
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:11692
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6616
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:6624
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5964
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:8644
      - C:\Windows\system32\notepad.exe
        
        notepad.exe
        6⤵
        
        PID:10700
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        6⤵
        
        PID:11896
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        6⤵
        
        PID:12716
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:10900
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        6⤵
        
        PID:12724
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:12376
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        6⤵
        
        PID:4716
      - C:\Windows\system32\notepad.exe
        
        notepad.exe
        6⤵
        
        PID:12104
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        6⤵
        
        PID:4772
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        6⤵
        
        PID:4440
      - C:\Windows\system32\notepad.exe
        
        notepad.exe
        6⤵
        
        PID:12740
      - C:\Windows\system32\notepad.exe
        
        notepad.exe
        6⤵
        
        PID:10556
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        6⤵
        
        PID:4236
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        6⤵
        
        PID:13272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:9440
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:13168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:13220
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        6⤵
        Kills process with taskkill
        
        PID:13080
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        6⤵
        
        PID:10636
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        6⤵
        
        PID:12520
      - C:\Windows\system32\notepad.exe
        
        notepad.exe
        6⤵
        
        PID:11848
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        6⤵
        
        PID:13296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:12944
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        6⤵
        
        PID:10608
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        6⤵
        
        PID:11556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5500
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:5892
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6388
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:7572
    - - C:\Windows\system32\notepad.exe
        
        notepad.exe
        5⤵
        
        PID:9372
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        5⤵
        
        PID:10548
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        6⤵
        
        PID:1128
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        6⤵
        
        PID:11344
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:13168
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        6⤵
        
        PID:11692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        5⤵
        
        PID:10256
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:11808
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        5⤵
        
        PID:13192
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        5⤵
        
        PID:13160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        5⤵
        
        PID:13220
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1820
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:1632
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /IM discord.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3028
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /IM explorer.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3428
  - - C:\Windows\system32\notepad.exe
      notepad.exe
      4⤵
      PID:2860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K dad.bat
      4⤵
      PID:4216
    - - C:\Windows\system32\notepad.exe
        
        notepad.exe
        5⤵
        
        PID:6088
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        5⤵
        
        PID:6096
      - C:\Windows\system32\notepad.exe
        
        notepad.exe
        6⤵
        
        PID:7468
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        6⤵
        
        PID:7476
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        7⤵
        
        PID:9744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        7⤵
        
        PID:8156
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:12684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        8⤵
        
        PID:11348
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        8⤵
        
        PID:13072
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        8⤵
        Kills process with taskkill
        
        PID:10508
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        8⤵
        Kills process with taskkill
        
        PID:11736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        7⤵
        
        PID:10620
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9808
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        7⤵
        
        PID:12028
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        7⤵
        
        PID:10624
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        7⤵
        
        PID:12860
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        7⤵
        
        PID:9644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        7⤵
        
        PID:13084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        7⤵
        
        PID:12584
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        7⤵
        
        PID:12860
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:8096
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:3264
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:9204
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        6⤵
        Kills process with taskkill
        
        PID:10968
      - C:\Windows\system32\notepad.exe
        
        notepad.exe
        6⤵
        
        PID:11932
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        6⤵
        
        PID:11236
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        6⤵
        
        PID:9668
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        6⤵
        Kills process with taskkill
        
        PID:12744
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        6⤵
        Kills process with taskkill
        
        PID:10736
      - C:\Windows\system32\notepad.exe
        
        notepad.exe
        6⤵
        
        PID:12628
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        6⤵
        
        PID:6248
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        6⤵
        Kills process with taskkill
        
        PID:12596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6104
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:6112
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6500
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7624
    - - C:\Windows\system32\notepad.exe
        
        notepad.exe
        5⤵
        
        PID:10152
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        5⤵
        
        PID:10280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        5⤵
        
        PID:11024
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:11524
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        5⤵
        
        PID:12852
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        5⤵
        
        PID:12524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        5⤵
        
        PID:12596
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        5⤵
        
        PID:13076
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1296
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:5316
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /IM discord.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5352
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /IM explorer.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6688
  - - C:\Windows\system32\notepad.exe
      notepad.exe
      4⤵
      PID:9168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K dad.bat
      4⤵
      PID:7992
    - - C:\Windows\system32\notepad.exe
        
        notepad.exe
        5⤵
        
        PID:11448
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        5⤵
        
        PID:10688
      - C:\Windows\system32\notepad.exe
        
        notepad.exe
        6⤵
        
        PID:11348
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        6⤵
        
        PID:8992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:9384
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        5⤵
        Kills process with taskkill
        
        PID:12284
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:12944
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 12944 -s 660
        6⤵
        
        PID:11684
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        5⤵
        
        PID:13084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        5⤵
        
        PID:13168
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:12940
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        5⤵
        
        PID:12744
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe
      4⤵
      PID:9504
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:9144
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /IM discord.exe
      4⤵
      PID:10764
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /IM explorer.exe
      4⤵
      Kills process with taskkill
      PID:11864
  - - C:\Windows\system32\notepad.exe
      notepad.exe
      4⤵
      PID:12640
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe
      4⤵
      PID:12080
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /IM discord.exe
      4⤵
      PID:12104
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /IM explorer.exe
      4⤵
      Kills process with taskkill
      PID:11736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4420
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:2964
- - C:\Windows\system32\taskkill.exe
    taskkill /f /IM discord.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4760
- - C:\Windows\system32\taskkill.exe
    taskkill /f /IM explorer.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4908
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:4636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K dad.bat
    3⤵
    PID:1448
  - - C:\Windows\system32\notepad.exe
      notepad.exe
      4⤵
      PID:6464
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K dad.bat
      4⤵
      PID:6900
    - - C:\Windows\system32\notepad.exe
        
        notepad.exe
        5⤵
        
        PID:7876
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        5⤵
        
        PID:7884
      - C:\Windows\system32\notepad.exe
        
        notepad.exe
        6⤵
        
        PID:9532
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        6⤵
        
        PID:8216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        7⤵
        
        PID:11424
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        7⤵
        
        PID:11024
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:9472
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        6⤵
        
        PID:10444
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:4404
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        6⤵
        
        PID:12236
      - C:\Windows\system32\notepad.exe
        
        notepad.exe
        6⤵
        
        PID:10696
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        6⤵
        
        PID:2780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6860
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:8600
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        5⤵
        
        PID:8684
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:10360
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6700
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:7412
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /IM discord.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:7456
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /IM explorer.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8964
  - - C:\Windows\system32\notepad.exe
      notepad.exe
      4⤵
      PID:9828
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K dad.bat
      4⤵
      PID:9836
    - - C:\Windows\system32\notepad.exe
        
        notepad.exe
        5⤵
        
        PID:13164
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        5⤵
        
        PID:12100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        5⤵
        
        PID:13120
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:13212
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        5⤵
        Kills process with taskkill
        
        PID:12392
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        5⤵
        
        PID:12444
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe
      4⤵
      PID:9772
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:10644
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /IM discord.exe
      4⤵
      Kills process with taskkill
      PID:11496
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /IM explorer.exe
      4⤵
      PID:12348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4932
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:1096
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2344
- - C:\Windows\system32\taskkill.exe
    taskkill /f /IM discord.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:736
- - C:\Windows\system32\taskkill.exe
    taskkill /f /IM explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6372
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:4480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K dad.bat
    3⤵
    PID:8944
  - - C:\Windows\system32\notepad.exe
      notepad.exe
      4⤵
      PID:10740
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K dad.bat
      4⤵
      PID:10576
    - - C:\Windows\system32\notepad.exe
        
        notepad.exe
        5⤵
        
        PID:9564
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        5⤵
        
        PID:10668
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:12820
      - C:\Windows\system32\notepad.exe
        
        notepad.exe
        6⤵
        
        PID:13160
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        6⤵
        
        PID:11388
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        6⤵
        
        PID:11612
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        6⤵
        Kills process with taskkill
        
        PID:11284
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:12236
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        5⤵
        
        PID:13100
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        5⤵
        
        PID:13296
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe
      4⤵
      PID:12284
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:13092
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /IM discord.exe
      4⤵
      PID:13204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    PID:8676
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:9256
- - C:\Windows\system32\taskkill.exe
    taskkill /f /IM discord.exe
    3⤵
    PID:9368
- - C:\Windows\system32\taskkill.exe
    taskkill /f /IM explorer.exe
    3⤵
    PID:13072
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:12116
- - C:\Windows\system32\taskkill.exe
    taskkill /f /IM discord.exe
    3⤵
    PID:10636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1196
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5084
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM discord.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:532
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3640
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K dad.bat
  2⤵
  PID:1972
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:3028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K dad.bat
    3⤵
    PID:3208
  - - C:\Windows\system32\notepad.exe
      notepad.exe
      4⤵
      PID:5736
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K dad.bat
      4⤵
      PID:5788
    - - C:\Windows\system32\notepad.exe
        
        notepad.exe
        5⤵
        
        PID:7356
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        5⤵
        
        PID:7500
      - C:\Windows\system32\notepad.exe
        
        notepad.exe
        6⤵
        
        PID:9264
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        6⤵
        
        PID:9996
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        7⤵
        
        PID:13180
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        7⤵
        
        PID:12948
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:13120
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        7⤵
        Kills process with taskkill
        
        PID:1124
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        6⤵
        
        PID:4032
      - C:\Windows\system32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:10860
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        6⤵
        
        PID:11868
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        6⤵
        
        PID:12864
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        6⤵
        
        PID:12284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:7516
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:7556
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:7692
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        5⤵
        
        PID:9440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5824
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:5264
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /IM discord.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6632
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /IM explorer.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3888
  - - C:\Windows\system32\notepad.exe
      notepad.exe
      4⤵
      PID:10328
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K dad.bat
      4⤵
      PID:11120
    - - C:\Windows\system32\notepad.exe
        
        notepad.exe
        5⤵
        
        PID:10360
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        5⤵
        
        PID:9848
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        5⤵
        Kills process with taskkill
        
        PID:10468
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM explorer.exe
        5⤵
        
        PID:13076
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe
      4⤵
      PID:11572
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:12312
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /IM discord.exe
      4⤵
      Kills process with taskkill
      PID:10972
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /IM explorer.exe
      4⤵
      Kills process with taskkill
      PID:11684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe
      4⤵
      PID:12644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4828
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:4396
- - C:\Windows\system32\taskkill.exe
    taskkill /f /IM discord.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1588
- - C:\Windows\system32\taskkill.exe
    taskkill /f /IM explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5584
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:7312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K dad.bat
    3⤵
    PID:7484
  - - C:\Windows\system32\notepad.exe
      notepad.exe
      4⤵
      PID:9276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K dad.bat
      4⤵
      PID:10020
    - - C:\Windows\system32\notepad.exe
        
        notepad.exe
        5⤵
        
        PID:13112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        5⤵
        
        PID:11388
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:12832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe
      4⤵
      PID:9384
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:10884
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /IM discord.exe
      4⤵
      Kills process with taskkill
      PID:11856
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /IM explorer.exe
      4⤵
      PID:10388
  - - C:\Windows\system32\notepad.exe
      notepad.exe
      4⤵
      PID:13140
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:8104
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:7256
- - C:\Windows\system32\taskkill.exe
    taskkill /f /IM discord.exe
    3⤵
    PID:8472
- - C:\Windows\system32\taskkill.exe
    taskkill /f /IM explorer.exe
    3⤵
    PID:7692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4644
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM discord.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2136
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K dad.bat
  2⤵
  PID:5568
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:6784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K dad.bat
    3⤵
    PID:5432
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5428
  - - C:\Windows\system32\notepad.exe
      notepad.exe
      4⤵
      PID:8256
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K dad.bat
      4⤵
      PID:9108
    - - C:\Windows\system32\notepad.exe
        
        notepad.exe
        5⤵
        
        PID:10828
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        5⤵
        
        PID:10804
      - C:\Windows\system32\notepad.exe
        
        notepad.exe
        6⤵
        
        PID:12616
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K dad.bat
        6⤵
        
        PID:11252
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        6⤵
        Kills process with taskkill
        
        PID:9752
      - C:\Windows\system32\notepad.exe
        
        notepad.exe
        6⤵
        
        PID:3004
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        6⤵
        
        PID:12740
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        6⤵
        Kills process with taskkill
        
        PID:10608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        5⤵
        
        PID:10376
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:13144
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /IM discord.exe
        5⤵
        
        PID:10636
    - - C:\Windows\system32\notepad.exe
        
        notepad.exe
        5⤵
        
        PID:11404
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe
        5⤵
        
        PID:13168
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe
      4⤵
      PID:8840
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:9392
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /IM discord.exe
      4⤵
      PID:9956
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /IM explorer.exe
      4⤵
      PID:13172
  - - C:\Windows\system32\notepad.exe
      notepad.exe
      4⤵
      PID:9000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K dad.bat
      4⤵
      PID:12968
    - - C:\Windows\system32\notepad.exe
        
        notepad.exe
        5⤵
        
        PID:12808
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe
      4⤵
      PID:12332
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:12004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5764
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5952
- - C:\Windows\system32\taskkill.exe
    taskkill /f /IM discord.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6236
- - C:\Windows\system32\taskkill.exe
    taskkill /f /IM explorer.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8480
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:11816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K dad.bat
    3⤵
    PID:12568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    PID:13156
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:12936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    PID:13112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5576
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5656
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM discord.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5964
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM explorer.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6860
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:3220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K dad.bat
  2⤵
  PID:8164
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:1112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K dad.bat
    3⤵
    PID:10756
  - - C:\Windows\system32\notepad.exe
      notepad.exe
      4⤵
      PID:11192
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe
      4⤵
      PID:9660
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:11936
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /IM explorer.exe
      4⤵
      PID:12492
  - - C:\Windows\system32\notepad.exe
      notepad.exe
      4⤵
      PID:12452
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /IM explorer.exe
      4⤵
      PID:11848
  - - C:\Windows\system32\notepad.exe
      notepad.exe
      4⤵
      PID:12104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K dad.bat
      4⤵
      PID:13248
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe
      4⤵
      PID:12840
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:13296
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /IM discord.exe
      4⤵
      PID:1124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    PID:9284
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:12276
- - C:\Windows\system32\taskkill.exe
    taskkill /f /IM discord.exe
    3⤵
    - Kills process with taskkill
    PID:10608
- - C:\Windows\system32\taskkill.exe
    taskkill /f /IM explorer.exe
    3⤵
    - Kills process with taskkill
    PID:12960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K dad.bat
    3⤵
    PID:10624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    PID:9640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe
  2⤵
  PID:8140
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8608
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM discord.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:9060
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM explorer.exe
  2⤵
  PID:8504
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:12148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K dad.bat
  2⤵
  PID:12156
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:9956
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:9752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K dad.bat
    3⤵
    PID:11252
  - - C:\Windows\system32\notepad.exe
      notepad.exe
      4⤵
      PID:12244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K dad.bat
    3⤵
    PID:11336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    PID:10972
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:11856
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:12548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe
  2⤵
  PID:12348
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12360
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM discord.exe
  2⤵
  PID:12960

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 12844 -s 392
1⤵
PID:8684

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 13140 -s 596
1⤵
PID:12680

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:552

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:12748

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 4716 -ip 4716
1⤵
PID:13268

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 9812 -ip 9812
1⤵
PID:12840

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv j3KQ9bBaiketJ6mm6u+Q+g.0.1
1⤵
PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
25d7ac29d798600ddc5fd880b162958b

SHA1
a2ba91e14155cfa5c26670e17ac606f3f28b0be2

SHA256
3c6d5ecae46dd9f6756e444bc51635cdd9696f3ed9fe0601cf41059a04085f88

SHA512
d91a9028c0fdf3761edbccddaa460573281b7d390efc7dfe3ebef46ce5ede53d36a7148c523e312b5daedc91c11cdb2cc8d0f8b475339cd35dba044595778d45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nowbhljy.lu2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
a574dfa23694f995aa08d6e95cbbeeab

SHA1
f04946fc3b2b434838ab055706a34994477e7246

SHA256
472738442c07440fd217eaa14e5f2657462dcdc0a3279a7ff00eb666ed9a5fce

SHA512
81054542eaa066d7ea06cfa01b9887d7bf929e9e0005004cd4464fd23d560ec9017ee3c1ef41377fb0a88d5e3997199bc9546112f69fe9e1e0906fb8ffd4901e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
f46a38db4f1700fed533ec23528f0544

SHA1
664e634d7ecbec0072146e6365a88bab6b63809c

SHA256
bf49da4c905453698530210d2b575d843b1e061951147897bd60d5037c72d9e6

SHA512
336d66fc84c777bf6012818bca4e19b8895c296ec578eb99e2e530b911b5983e2464eb49aac5d25954d276fffab3aa765fdf1e20ef728cc2b320aec8c604b66d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
c9ae8630c5efb72a4bfe9d9c5b4651a7

SHA1
07b52b321070e4d5758c462c094c7bcd1737651d

SHA256
a2318b1e19436c8face912b22512e56a246e368b7707b071fb8c4120d3ea3596

SHA512
11297572d3cd0bf30257691215717edbbc0b5e0e0b8674ffba13a24072ed4ec97cfecdce33de1a283ebaf830d1b1d2fde09872b66c807520978a5fa04434043f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
c04cffd687e438f76c2ee8aec42780bb

SHA1
1c39f53bc6814fabfe3be17d56d1a6e907c94f53

SHA256
937c8ce7058d6a89734e080e01601355ee1c58070aa285922114fed036833d3e

SHA512
5e063e8db10c190ae95e37826c996349dc89d449c70f306557060749849db3d5f4a08dcd88aedd47b025b295b1f8de001776a8001c5d2525e095c52e609ea0db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
2b8c09e90058dcf2dfaa77dfbed50417

SHA1
d688285b0a5b9d2fd09eb0407c06bde6efd7f7d5

SHA256
24bd311333ccefbaba6db3a8a4ecc2cffc9fa0b8e22e6569ba4e2cf070a36a35

SHA512
6ec3422f9535049b01214e06fc761c7353668f42437d6fe74c612ac7236ae2b4ddef4575560aaafde0b22c7c732cc858dad2ab05c557727d47bdf46d21d892eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
5b8249bb50605984625d1452d0558ea0

SHA1
8fd4a395f862b70d70825ab673dbefbec14a8dfa

SHA256
25b66f0b1b78a8160bec0ddc510a434f3994bf699ed46c7a76b6d525813ca442

SHA512
8c9de5f4d9c3a5b6ad570c6656c4de8bca6d95922cae06b85b1d4593f1ff25ef827a10a93558a04ade7ddbc3322fa5ee125e51405a1b241181896ce550b98827

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
5292b908b054a0dd2f78bcf5d3117b03

SHA1
5483cad5441e43d961309b44d8484b5e144512c8

SHA256
43aa1bbfc759e4ac30c485137b2d1ad92b16d914645e812c029869bb178ae4ca

SHA512
d3411f43e2e4f26511857de1490f65d09c823a4276fcbb4300d3d784d2c1877eb3fcf68b0431a7ce6c49035a71c68803358e153e34863c1f5ea84de5d6853673

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
1971f5e734bc5f4cb80e7c95bf8945a8

SHA1
cde95f93fbd093332cc5afe3a9e512881f54fb51

SHA256
fd2894e349964c8ac0ad3dc74af5c97f6cd795e07aad28a07e40f44f86964528

SHA512
0857f26ec50df5efd416961f542353445cffb25107dc1060e87f165f5a93858388b0076eaa28cd7d0bfdf17d8dd8fa9505dfa23750f44566445d68018d7b704f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
8c99caa4f1179d5f4bb2ee12c5ae1125

SHA1
141666f5122fc296182198d28c9aaebd93bc6722

SHA256
2c57a7c75ff5fb501db38d26c06bc5e231d6a5985bdc902ca0b1a4982a77e1f5

SHA512
9a3d74eeda1b831df8db59dbc4183cd6db66459d51ca3bced543b4587753fe604152f482eb947482df0bed5b88a770564a73530d2951b3667d10c573b80ab4e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
115137b2a400acd451427ab7930d4a14

SHA1
3c16fad04558c38558f1f3193d86e60fa85e9ef5

SHA256
495aa9c54b7a6067ceadceb168cbc41cff779d5d16775aa91dc804d3ebbf92f4

SHA512
72b5f78a0b506600b66856da49995aa964d9628206b0c94c56caf6429693ce08baab59da5f5071f5a775a41aa395d6b0de80a11e455c4de994ae4869b413b9b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
d4468be8a5c89fa024723150ce1acd62

SHA1
1b9336f88c8c250fb428ea16185515a05ebc60bd

SHA256
a72691052ff2fe01a079ce94f251efd0ae592f677ecfd0d809d5a6c495914ba5

SHA512
27d3a1037a32921f5f23e5e466c1e65d8651d92b84bca6422eace2dc0e58d3157eecc4dff0aefd4612ff547e8718f0477d70854f820fb0c26cbb1a0c56801361

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
c7bf44b2662f7c57facb49449136c8bc

SHA1
46ad7b2d212333b13c03f1ca222d078c65a28e2a

SHA256
e6c505c90140c6aae4d3c6e833aed5cea451602bf33b82b084aa778f17e85832

SHA512
5df824eb02db5040b2981accc53c858582d4de0c3d11f12d2b513c475e0b35b45bf9de1012b88ab25d8013954255cedd3ca79d6c05d3fe3694e86dd8416336b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
21bdb0f522082f422d0942079e479f05

SHA1
287c76d5416142db26c7a265fa4552fe7862a7ba

SHA256
13ba18c7f4eeeb0bf811e3be6c0aee1d0e57e8982c9fbd76f598167bb9036353

SHA512
62eb7674de773c0786dd504499016fabd641585adce16c045edc2b2d4a98a4d24082b2eae0dd06bca5df747dd687480ad250f3b83c9237e531b17a8f91b13338

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
7a25eef5088f70e100d2ddb978d80654

SHA1
78acaf4bb75184de2beee350136d849014eb8c93

SHA256
3c8cf99f615d337169fd619d6db9f97bad0cbe45db76c5de045dcfc20b2d99c7

SHA512
5b5c66d79b8ddbcadd948bbff1c53292577f7e4272e2388b7160b9ca0d474600c062dc994e07ae4dd9135d3dfca0a76862a91a1c858422949a3ab0e05de549fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
e78559a3b8f50b9e9fce63b0fef59310

SHA1
50bc221cf6cf2376b63858d97b6bd866f839e7cd

SHA256
b1047db56fedba348c0fbf1f9880c95c8e8434027a0936e72c970975ce8c70c2

SHA512
5fe843159d99d3c14b967da0e6cc2d3608ff116d23a700180b5513d92be849cb6f59da9582e511848a498d081090e72925f92ccf85bd9e817a44d325c8c00921

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
e9504c386dd65075ad027607ff9260ca

SHA1
6ae369800aa90f9d8c89669964560954e0997377

SHA256
76f66d696477f47501857bb110583496d306168836c38ed1b4e7c97d59fdb877

SHA512
d279bdc9aabece08327df3e6eb44c2e9aec9e5262c668b8403958ebde4b7d8570672bf247a89e6cecf06381d3975d3b4ce1ee90de87065b65259dc86cbb39558

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
95b4ae8329af457cf77ea991bb8a23a8

SHA1
afb77b7e9068a04681e493fec653ee71e0670059

SHA256
800610d20abaac612b8dc43721ff4e9b888ac2bc38aefcceceea3fae1e50e375

SHA512
aaadecf1be285389b79f1acbaf470228e02aff9e06f6a172b824b02f11a5d0a4048662f301b140363ffd87c367a57302bf3d50b9c7770e8764abbb2b0c066818

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
5af685f2e7813eed7c4aaa95a93bd1cd

SHA1
42a0a680cbc0b83054d75b76e408d0b977e0793b

SHA256
3966a0208fba6fc22b15750f72d861e6208961d0eb86731c6cf1b5aa90d78d38

SHA512
39321e491fb22f6fc55b87f1b62b98f54126c557f98ec137baa7138ab43b09eb8e68b40651632bfc905f57a2601a7dfb999fb102b2fc99ffa19680998ec20ac0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
5a4b32f4910bb0844872105eadd4fb32

SHA1
0c7aad8b9f40245862b4a0facf6177dd1496f821

SHA256
00dbb9036beaeb8aef846bd5658722444a914aa16d437b7d3ff188f717346ca5

SHA512
1ccf9f3c365966aa246b177b9e7bddfee9497839073afd81a57f2828fafbd6d8a50579b7ff6fcfb8bf6e0dd16b19187ccd91da90249bbeff77570172e17a87f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
9d585049a3931e02b46769ae8d3ae518

SHA1
a675450ac717d79c8e55c0f55a89f0d78cfcbb6a

SHA256
0d47905807adc51517bc701cd900c639f9de7bbc4d674f875a06ed75909d9905

SHA512
f6ec00f4de61fde5e716361d2f10c2642c7ba92763abf7a3b790d7404111b3ff746b9990cca281da4e20408fa306cc4591c1516c3b0a2df7fa3d15d17fde40eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
cffa05a62bfc6932cafbdb49e9702b69

SHA1
2490c49b0c3d1ccc030d20227470640aa4c39ea4

SHA256
0fc960e16de525b322d179134bbdbe8ef92f8953a55e8abaeb2838aa7f2ccdfa

SHA512
d4a07af2b107ca6f47e5a1380f1e3be1f2210c71c1a6a89072953e06c32f3c1fff40e6cca668231c298ed66a8b5bcbadd66635965132d34d583fd718f99e6fa4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
2a5b5894e5da4aaa210373c852449bd8

SHA1
cb299caa2c16786925aaa7636d0d73cb3af87e0d

SHA256
c91ec4684bab8080641d4a39eb4f83a9788b1593d561e1ad7f03c3b56f91e6ca

SHA512
dcd18df669d6d158419a6298342ecab114b6a160e02c2d0d93fdc364347e32357b534951d3082d198c5f3412ce8cd19c06626aaf435afb5f719adaebe11cc353

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
296fe1753951201be457cd30a6d60f08

SHA1
a72af1eb501bceb657dc74e467ec85096627ea81

SHA256
f87d335967ab70902a5c9b70a50b70f7d654a32603fda08bf35c5817025963b6

SHA512
31051d492b0db64dfd5fe461d637de8df7fa05665e170b97565da3f46614647c4f5ea99efa25ab65ca532500228d4a21b2303b8ef835f01b0666c3543200c858

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
fad09b272874928b06c537717831b2b8

SHA1
4b6045ebd064cbfb7a1fa6cd4e2ead6bba99bc3b

SHA256
c2b5372196e4bd25ac40de959b4cb0b0bc1080a51fa61000ab8eb9b7fd7632ff

SHA512
d690844f430ab5fcc4f51a91f7101607e91b434decbfd25cb518be84ac96db59fca97025b74d586c90bcb70eff0619734b4e457b05c80e55f09bab1df78ff2a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
d22e6fdc38d2f830dbd799e8b8384c01

SHA1
6485dfbd437c98c9751e69134664beb6112090ff

SHA256
0559004a000488013e5562980c13be83a8f88a8815e0cd3bc38f5afd3867bcf2

SHA512
921c48292d91801bb898e9f1adfee7b405e7b3f8a76b3e1766cd56b2cb36af29e0e975a3af0e2a35451ba1e8b17c942d778be794f591bffed426051dfcfb18a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
2bca9326dcf2a886456f386c01bf6b5b

SHA1
54c6c75f12272afafacb8e82caa0775ff9ef573d

SHA256
cf7a141fa245f6542e6ab320c5c870dcf055dad2db1e5bea22a1699a0ee02d7e

SHA512
af974aca706c996b2024cbea8f3a20f300036d8395a45f90220398c726cc8e78e9b16c8ae9d681820ee014a82c8cee06b55cca5f0d83206ca206d6cd639125e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
5b81a0ec6e56388a21fc51e2109e79f4

SHA1
d953669e1eed66c664f4bb68aa6b0e1b92105a02

SHA256
8e4044cade2664d301ec7eff0b1d9fe4610358ee9686e5e375459d44f3fed558

SHA512
019ea4684d5b9b6f70ab7c72214271cf21374c43e5e13a632eb8a70d5b6040ad870752c5689e116d72ef49a5ec978f0f06acd327d8aeff69400dd898add96b53

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
5daebe56b870c3ffa8fb79332ae36bc1

SHA1
fa7fc2f17574da34ee63de6fbe51a7a5881a0d88

SHA256
4a1e6b3eaa745adbf5ea908abcc4799e072d34b21114215d80ddf7f3078f7e07

SHA512
6c0db0c150acef440eeaaecb73b5b937982df9f2642dcd27d3cdc358ea1504562bd1659990b6e12f82c4ab65a61323faf78354b4a69f42b2dcb17ac19714f004

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
3d9be3bf81181e1bc89862d1283015af

SHA1
451060ed2aabf6ea1924c050a722fe9ac449d5e9

SHA256
5f625a72dae5a518c419331e92045ea5bbea6b6c5097f9258224dc0d8e6586ec

SHA512
b844dedd80685d847dff9c3881580b0cd15fe1185f38c398fd32c50c9f751f3bdef6f1ff77ac9c269b9c59a75dbe44685a498e2284dcdf0ab7400eda2cb69a6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z3YIVLPNTP3R8K7A4YVF.temp

Filesize
6KB

MD5
9e7c2808279aff59db51e7f7804951bd

SHA1
d57848737871f8ce368fba511f20807c5723ca50

SHA256
f4fecd9a4ae69429f3cdf19f92372fd55ffb398c671d8a25663a945d096e4ce7

SHA512
572da8491506f54a0b2186e9a4ca83584e70dbe1cb786fd0d8fbf76cfdb3918cac3dd3ea7d2e24e1fe496ce2a091ac68eb613fe86d58fe3ae16975de761a4aee

Download Submit
memory/1124-566-0x00007FF705040000-0x00007FF70505D000-memory.dmp

Filesize
116KB

Download
memory/1196-43-0x0000022E3E560000-0x0000022E3E5D6000-memory.dmp

Filesize
472KB

Download
memory/1196-33-0x0000022E3E490000-0x0000022E3E4D4000-memory.dmp

Filesize
272KB

Download
memory/1196-13-0x0000022E3D6F0000-0x0000022E3D712000-memory.dmp

Filesize
136KB

Download
memory/9284-588-0x00007FFB599B0000-0x00007FFB59B94000-memory.dmp

Filesize
1.9MB

Download
memory/9752-568-0x00007FFB66590000-0x00007FFB66859000-memory.dmp

Filesize
2.8MB

Download
memory/9752-554-0x00007FFB68810000-0x00007FFB68A05000-memory.dmp

Filesize
2.0MB

Download
memory/10596-467-0x00007FFB68810000-0x00007FFB68A05000-memory.dmp

Filesize
2.0MB

Download
memory/10608-602-0x00007FFB68810000-0x00007FFB68A05000-memory.dmp

Filesize
2.0MB

Download
memory/10624-580-0x00007FF6A0530000-0x00007FF6A0597000-memory.dmp

Filesize
412KB

Download
memory/11024-573-0x00007FFB599B0000-0x00007FFB59B94000-memory.dmp

Filesize
1.9MB

Download
memory/11088-516-0x00007FFB599B0000-0x00007FFB59B94000-memory.dmp

Filesize
1.9MB

Download
memory/11132-601-0x00007FFB65DF0000-0x00007FFB65E1E000-memory.dmp

Filesize
184KB

Download
memory/11424-571-0x00007FFB65020000-0x00007FFB650AA000-memory.dmp

Filesize
552KB

Download
memory/11556-563-0x00007FFB599B0000-0x00007FFB59B94000-memory.dmp

Filesize
1.9MB

Download
memory/11572-539-0x00007FFB4A880000-0x00007FFB4B341000-memory.dmp

Filesize
10.8MB

Download
memory/11656-567-0x00007FFB66320000-0x00007FFB66420000-memory.dmp

Filesize
1024KB

Download
memory/11684-562-0x00007FFB599B0000-0x00007FFB59B94000-memory.dmp

Filesize
1.9MB

Download
memory/12568-517-0x00007FF6A0530000-0x00007FF6A0597000-memory.dmp

Filesize
412KB

Download
memory/12744-572-0x00007FFB68810000-0x00007FFB68A05000-memory.dmp

Filesize
2.0MB

Download
memory/12852-452-0x00007FFB680B0000-0x00007FFB6816E000-memory.dmp

Filesize
760KB

Download
memory/13092-451-0x00007FF6A0530000-0x00007FF6A0597000-memory.dmp

Filesize
412KB

Download
memory/13204-535-0x00007FF705040000-0x00007FF70505D000-memory.dmp

Filesize
116KB

Download