4ba6275d48693d9245f39b5d9860a29886376d9b7389139339a12c99f17e154d

Analysis

max time kernel
116s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

audacityrecorder.exe
Size

68.4MB
MD5

d6e063934b15d3c075b5a9b969c6a9ef
SHA1

ea8c65893462c2da5ff769bc661d8da6fa5906bd
SHA256

4ba6275d48693d9245f39b5d9860a29886376d9b7389139339a12c99f17e154d
SHA512

31ed8be351c78e74cee89834f7bc025b615963d14fdd6970bf35c92de8e1ce4c5d3496d3ab69c82cbb8cabd9e34a156d0ef5129b182b82ac0203aef6f716e5a2
SSDEEP

393216:PyT3YGojrsBEnP4XrqSFM+FcrONRtgZJ93AEMQu58EISEhoIaE2FShMzTVA+BDEB:PWeBZ6QxhUDE5jO26rsxcwT/Wy12bHVE

Score

9^/10

credential_access discovery execution spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	audacityrecorder.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audacityrecorder.exe	audacityrecorder.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audacityrecorder.exe	audacityrecorder.exe

Executes dropped EXE 1 IoCs

pid	Process
1316	screenCapture_1.3.2.exe

Loads dropped DLL 2 IoCs

pid	Process
2776	audacityrecorder.exe
2776	audacityrecorder.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2392	powershell.exe
1112	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
3448	taskkill.exe
4188	taskkill.exe
2476	taskkill.exe
4412	taskkill.exe
376	taskkill.exe
4876	taskkill.exe
4604	taskkill.exe
1896	taskkill.exe
2112	taskkill.exe
3652	taskkill.exe
3860	taskkill.exe
1236	taskkill.exe
1792	taskkill.exe
3684	taskkill.exe
2876	taskkill.exe
2452	taskkill.exe
212	taskkill.exe
668	taskkill.exe
4624	taskkill.exe
4952	taskkill.exe
4540	taskkill.exe
1748	taskkill.exe
4644	taskkill.exe
2320	taskkill.exe
400	taskkill.exe
1520	taskkill.exe
1244	taskkill.exe
4368	taskkill.exe
2516	taskkill.exe
3364	taskkill.exe
3196	taskkill.exe
2524	taskkill.exe
3160	taskkill.exe
3536	taskkill.exe
3988	taskkill.exe
3104	taskkill.exe
1316	taskkill.exe
3428	taskkill.exe
4244	taskkill.exe
632	taskkill.exe
2612	taskkill.exe
1828	taskkill.exe
816	taskkill.exe
4336	taskkill.exe
3776	taskkill.exe
4084	taskkill.exe
4416	taskkill.exe
4996	taskkill.exe
4328	taskkill.exe
4080	taskkill.exe
3280	taskkill.exe
5016	taskkill.exe
3012	taskkill.exe
3364	taskkill.exe
896	taskkill.exe
396	taskkill.exe
3068	taskkill.exe
3196	taskkill.exe
4044	taskkill.exe
2352	taskkill.exe
1236	taskkill.exe
3708	taskkill.exe
5040	taskkill.exe
5024	taskkill.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2392	powershell.exe
2392	powershell.exe
2392	powershell.exe
2392	powershell.exe
2392	powershell.exe
2392	powershell.exe
2392	powershell.exe
1112	powershell.exe
1112	powershell.exe
1112	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3144	taskkill.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	3448	taskkill.exe
Token: SeDebugPrivilege	3100	taskkill.exe
Token: SeDebugPrivilege	3832	taskkill.exe
Token: SeDebugPrivilege	4084	taskkill.exe
Token: SeDebugPrivilege	3536	taskkill.exe
Token: SeDebugPrivilege	3440	taskkill.exe
Token: SeDebugPrivilege	5016	taskkill.exe
Token: SeDebugPrivilege	816	taskkill.exe
Token: SeDebugPrivilege	4412	taskkill.exe
Token: SeDebugPrivilege	4344	taskkill.exe
Token: SeDebugPrivilege	668	taskkill.exe
Token: SeDebugPrivilege	3416	taskkill.exe
Token: SeDebugPrivilege	1036	taskkill.exe
Token: SeDebugPrivilege	1244	taskkill.exe
Token: SeDebugPrivilege	3364	taskkill.exe
Token: SeDebugPrivilege	692	taskkill.exe
Token: SeDebugPrivilege	4624	taskkill.exe
Token: SeDebugPrivilege	1448	taskkill.exe
Token: SeDebugPrivilege	2544	taskkill.exe
Token: SeDebugPrivilege	4996	taskkill.exe
Token: SeDebugPrivilege	4024	taskkill.exe
Token: SeDebugPrivilege	392	taskkill.exe
Token: SeDebugPrivilege	1968	taskkill.exe
Token: SeDebugPrivilege	2860	taskkill.exe
Token: SeDebugPrivilege	1164	taskkill.exe
Token: SeDebugPrivilege	2836	taskkill.exe
Token: SeDebugPrivilege	1628	taskkill.exe
Token: SeDebugPrivilege	3592	taskkill.exe
Token: SeDebugPrivilege	3860	taskkill.exe
Token: SeDebugPrivilege	2568	taskkill.exe
Token: SeDebugPrivilege	3128	taskkill.exe
Token: SeDebugPrivilege	3312	taskkill.exe
Token: SeDebugPrivilege	3076	taskkill.exe
Token: SeDebugPrivilege	3160	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	2208	taskkill.exe
Token: SeDebugPrivilege	4336	taskkill.exe
Token: SeDebugPrivilege	4972	taskkill.exe
Token: SeDebugPrivilege	4252	taskkill.exe
Token: SeDebugPrivilege	4952	taskkill.exe
Token: SeDebugPrivilege	2936	taskkill.exe
Token: SeDebugPrivilege	4616	taskkill.exe
Token: SeDebugPrivilege	3988	taskkill.exe
Token: SeDebugPrivilege	400	taskkill.exe
Token: SeDebugPrivilege	1236	taskkill.exe
Token: SeDebugPrivilege	3548	taskkill.exe
Token: SeDebugPrivilege	4084	taskkill.exe
Token: SeDebugPrivilege	3100	taskkill.exe
Token: SeDebugPrivilege	1880	taskkill.exe
Token: SeDebugPrivilege	3124	taskkill.exe
Token: SeDebugPrivilege	2012	taskkill.exe
Token: SeDebugPrivilege	2488	taskkill.exe
Token: SeDebugPrivilege	2284	taskkill.exe
Token: SeDebugPrivilege	4444	taskkill.exe
Token: SeDebugPrivilege	692	taskkill.exe
Token: SeDebugPrivilege	4188	taskkill.exe
Token: SeDebugPrivilege	5040	taskkill.exe
Token: SeDebugPrivilege	1792	taskkill.exe
Token: SeDebugPrivilege	2612	taskkill.exe
Token: SeDebugPrivilege	4148	taskkill.exe
Token: SeDebugPrivilege	392	taskkill.exe
Token: SeDebugPrivilege	4872	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 3808	2776	audacityrecorder.exe	96
PID 2776 wrote to memory of 3808	2776	audacityrecorder.exe	96
PID 2776 wrote to memory of 1900	2776	audacityrecorder.exe	97
PID 2776 wrote to memory of 1900	2776	audacityrecorder.exe	97
PID 1900 wrote to memory of 1444	1900	cmd.exe	98
PID 1900 wrote to memory of 1444	1900	cmd.exe	98
PID 1900 wrote to memory of 2392	1900	cmd.exe	99
PID 1900 wrote to memory of 2392	1900	cmd.exe	99
PID 3808 wrote to memory of 3144	3808	cmd.exe	100
PID 3808 wrote to memory of 3144	3808	cmd.exe	100
PID 3808 wrote to memory of 3448	3808	cmd.exe	102
PID 3808 wrote to memory of 3448	3808	cmd.exe	102
PID 3808 wrote to memory of 3100	3808	cmd.exe	158
PID 3808 wrote to memory of 3100	3808	cmd.exe	158
PID 3808 wrote to memory of 3832	3808	cmd.exe	104
PID 3808 wrote to memory of 3832	3808	cmd.exe	104
PID 3808 wrote to memory of 4084	3808	cmd.exe	157
PID 3808 wrote to memory of 4084	3808	cmd.exe	157
PID 3808 wrote to memory of 3536	3808	cmd.exe	106
PID 3808 wrote to memory of 3536	3808	cmd.exe	106
PID 3808 wrote to memory of 3440	3808	cmd.exe	107
PID 3808 wrote to memory of 3440	3808	cmd.exe	107
PID 2392 wrote to memory of 2208	2392	powershell.exe	277
PID 2392 wrote to memory of 2208	2392	powershell.exe	277
PID 3808 wrote to memory of 5016	3808	cmd.exe	109
PID 3808 wrote to memory of 5016	3808	cmd.exe	109
PID 3808 wrote to memory of 816	3808	cmd.exe	110
PID 3808 wrote to memory of 816	3808	cmd.exe	110
PID 2208 wrote to memory of 3104	2208	csc.exe	231
PID 2208 wrote to memory of 3104	2208	csc.exe	231
PID 3808 wrote to memory of 4412	3808	cmd.exe	199
PID 3808 wrote to memory of 4412	3808	cmd.exe	199
PID 3808 wrote to memory of 4344	3808	cmd.exe	322
PID 3808 wrote to memory of 4344	3808	cmd.exe	322
PID 3808 wrote to memory of 668	3808	cmd.exe	114
PID 3808 wrote to memory of 668	3808	cmd.exe	114
PID 3808 wrote to memory of 3416	3808	cmd.exe	115
PID 3808 wrote to memory of 3416	3808	cmd.exe	115
PID 2776 wrote to memory of 1348	2776	audacityrecorder.exe	421
PID 2776 wrote to memory of 1348	2776	audacityrecorder.exe	421
PID 1348 wrote to memory of 1036	1348	cmd.exe	205
PID 1348 wrote to memory of 1036	1348	cmd.exe	205
PID 2776 wrote to memory of 4436	2776	audacityrecorder.exe	118
PID 2776 wrote to memory of 4436	2776	audacityrecorder.exe	118
PID 3808 wrote to memory of 1244	3808	cmd.exe	247
PID 3808 wrote to memory of 1244	3808	cmd.exe	247
PID 1348 wrote to memory of 3364	1348	cmd.exe	296
PID 1348 wrote to memory of 3364	1348	cmd.exe	296
PID 3808 wrote to memory of 692	3808	cmd.exe	420
PID 3808 wrote to memory of 692	3808	cmd.exe	420
PID 1348 wrote to memory of 4624	1348	cmd.exe	293
PID 1348 wrote to memory of 4624	1348	cmd.exe	293
PID 4436 wrote to memory of 3432	4436	cmd.exe	124
PID 4436 wrote to memory of 3432	4436	cmd.exe	124
PID 4436 wrote to memory of 3432	4436	cmd.exe	124
PID 3808 wrote to memory of 1448	3808	cmd.exe	125
PID 3808 wrote to memory of 1448	3808	cmd.exe	125
PID 1348 wrote to memory of 2544	1348	cmd.exe	126
PID 1348 wrote to memory of 2544	1348	cmd.exe	126
PID 1348 wrote to memory of 4024	1348	cmd.exe	127
PID 1348 wrote to memory of 4024	1348	cmd.exe	127
PID 3808 wrote to memory of 4996	3808	cmd.exe	128
PID 3808 wrote to memory of 4996	3808	cmd.exe	128
PID 3808 wrote to memory of 1968	3808	cmd.exe	297

C:\Users\Admin\AppData\Local\Temp\audacityrecorder.exe
"C:\Users\Admin\AppData\Local\Temp\audacityrecorder.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM "chrome.exe" & taskkill /F /IM "msedge.exe" & taskkill /F /IM "firefox.exe" & taskkill /F /IM "librewolf.exe" & taskkill /F /IM "floorp.exe" & taskkill /F /IM "midori.exe" & taskkill /F /IM "waterfox.exe" & taskkill /F /IM "pulse-browser.exe" & taskkill /F /IM "mullvadbrowser.exe" & taskkill /F /IM "brave.exe" & taskkill /F /IM "thorium.exe" & taskkill /F /IM "browser.exe" & taskkill /F /IM "opera.exe" & taskkill /F /IM "vivaldi.exe" & taskkill /F /IM "exodus.exe" & taskkill /F /IM "telegram.exe" & taskkill /F /IM "atomic wallet.exe" & taskkill /F /IM "bytecoin-gui.exe" & taskkill /F /IM "armoryqt.exe" & taskkill /F /IM "epicgames.exe" & taskkill /F /IM "processhacker.exe" & taskkill /F /IM "apimonitor-x64.exe" & taskkill /F /IM "apimonitor-x86.exe" & taskkill /F /IM "apimonitor.exe" & taskkill /F /IM "fiddler.exe" & taskkill /F /IM "disassembly.exe" & taskkill /F /IM "x64dbg.exe" & taskkill /F /IM "HTTP Toolkit.exe" & taskkill /F /IM "wireshark.exe" & taskkill /F /IM "Procmon.exe" & taskkill /F /IM "Procmon64a.exe" & taskkill /F /IM "Procmon64.exe" & taskkill /F /IM "SystemInformer.exe" & taskkill /F /IM "Arc.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3808
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "chrome.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3144
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "msedge.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3448
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "firefox.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3100
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "librewolf.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3832
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "floorp.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4084
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "midori.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3536
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "waterfox.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3440
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "pulse-browser.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5016
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "mullvadbrowser.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:816
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "brave.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4412
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "thorium.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4344
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "browser.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:668
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "opera.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3416
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "vivaldi.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1244
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "exodus.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:692
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "telegram.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1448
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "atomic wallet.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4996
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "bytecoin-gui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1968
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "armoryqt.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1164
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "epicgames.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1628
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "processhacker.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3592
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "apimonitor-x64.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3128
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "apimonitor-x86.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3160
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "apimonitor.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4336
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "fiddler.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4952
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "disassembly.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4616
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "x64dbg.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:400
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "HTTP Toolkit.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4084
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "wireshark.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3124
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "Procmon.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2284
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "Procmon64a.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4188
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "Procmon64.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2612
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "SystemInformer.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4872
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "Arc.exe"
    3⤵
    PID:3020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "type C:\Users\Admin\AppData\Local\Temp\console.ps1 | powershell.exe -noprofile -"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\console.ps1 "
    3⤵
    PID:1444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -noprofile -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\udp222bc\udp222bc.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2208
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES602C.tmp" "c:\Users\Admin\AppData\Local\Temp\udp222bc\CSCC221490D892548448BA3318F5A6E4B22.TMP"
        5⤵
        
        PID:3104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM "chrome.exe" & taskkill /F /IM "msedge.exe" & taskkill /F /IM "firefox.exe" & taskkill /F /IM "librewolf.exe" & taskkill /F /IM "floorp.exe" & taskkill /F /IM "midori.exe" & taskkill /F /IM "waterfox.exe" & taskkill /F /IM "pulse-browser.exe" & taskkill /F /IM "mullvadbrowser.exe" & taskkill /F /IM "brave.exe" & taskkill /F /IM "thorium.exe" & taskkill /F /IM "browser.exe" & taskkill /F /IM "opera.exe" & taskkill /F /IM "vivaldi.exe" & taskkill /F /IM "exodus.exe" & taskkill /F /IM "telegram.exe" & taskkill /F /IM "atomic wallet.exe" & taskkill /F /IM "bytecoin-gui.exe" & taskkill /F /IM "armoryqt.exe" & taskkill /F /IM "epicgames.exe" & taskkill /F /IM "processhacker.exe" & taskkill /F /IM "apimonitor-x64.exe" & taskkill /F /IM "apimonitor-x86.exe" & taskkill /F /IM "apimonitor.exe" & taskkill /F /IM "fiddler.exe" & taskkill /F /IM "disassembly.exe" & taskkill /F /IM "x64dbg.exe" & taskkill /F /IM "HTTP Toolkit.exe" & taskkill /F /IM "wireshark.exe" & taskkill /F /IM "Procmon.exe" & taskkill /F /IM "Procmon64a.exe" & taskkill /F /IM "Procmon64.exe" & taskkill /F /IM "SystemInformer.exe" & taskkill /F /IM "Arc.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "chrome.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1036
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "msedge.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3364
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "firefox.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4624
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "librewolf.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2544
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "floorp.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4024
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "midori.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:392
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "waterfox.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "pulse-browser.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2836
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "mullvadbrowser.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3860
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "brave.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2568
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "thorium.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3312
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "browser.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "opera.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4972
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "vivaldi.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3988
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "exodus.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3548
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "telegram.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1880
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "atomic wallet.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2488
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "bytecoin-gui.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:692
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "armoryqt.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1792
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "epicgames.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:392
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "processhacker.exe"
    3⤵
    PID:4404
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "apimonitor-x64.exe"
    3⤵
    PID:2056
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "apimonitor-x86.exe"
    3⤵
    - Kills process with taskkill
    PID:4540
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "apimonitor.exe"
    3⤵
    PID:2004
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "fiddler.exe"
    3⤵
    PID:3704
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "disassembly.exe"
    3⤵
    PID:4384
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "x64dbg.exe"
    3⤵
    PID:1728
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "HTTP Toolkit.exe"
    3⤵
    - Kills process with taskkill
    PID:3012
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "wireshark.exe"
    3⤵
    PID:3804
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "Procmon.exe"
    3⤵
    PID:1176
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "Procmon64a.exe"
    3⤵
    PID:3736
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "Procmon64.exe"
    3⤵
    - Kills process with taskkill
    PID:3364
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "SystemInformer.exe"
    3⤵
    PID:4820
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "Arc.exe"
    3⤵
    PID:1164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024720-2776-xkpk7k.lvx8j.jpg" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3432
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES64DF.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC21F8D1E41D8B458B9D651655892031F3.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4404
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024720-2776-xkpk7k.lvx8j.jpg"
    3⤵
    - Executes dropped EXE
    PID:1316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM "chrome.exe" & taskkill /F /IM "msedge.exe" & taskkill /F /IM "firefox.exe" & taskkill /F /IM "librewolf.exe" & taskkill /F /IM "floorp.exe" & taskkill /F /IM "midori.exe" & taskkill /F /IM "waterfox.exe" & taskkill /F /IM "pulse-browser.exe" & taskkill /F /IM "mullvadbrowser.exe" & taskkill /F /IM "brave.exe" & taskkill /F /IM "thorium.exe" & taskkill /F /IM "browser.exe" & taskkill /F /IM "opera.exe" & taskkill /F /IM "vivaldi.exe" & taskkill /F /IM "exodus.exe" & taskkill /F /IM "telegram.exe" & taskkill /F /IM "atomic wallet.exe" & taskkill /F /IM "bytecoin-gui.exe" & taskkill /F /IM "armoryqt.exe" & taskkill /F /IM "epicgames.exe" & taskkill /F /IM "processhacker.exe" & taskkill /F /IM "apimonitor-x64.exe" & taskkill /F /IM "apimonitor-x86.exe" & taskkill /F /IM "apimonitor.exe" & taskkill /F /IM "fiddler.exe" & taskkill /F /IM "disassembly.exe" & taskkill /F /IM "x64dbg.exe" & taskkill /F /IM "HTTP Toolkit.exe" & taskkill /F /IM "wireshark.exe" & taskkill /F /IM "Procmon.exe" & taskkill /F /IM "Procmon64a.exe" & taskkill /F /IM "Procmon64.exe" & taskkill /F /IM "SystemInformer.exe" & taskkill /F /IM "Arc.exe""
  2⤵
  PID:2724
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "chrome.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3076
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "msedge.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2208
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "firefox.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4252
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "librewolf.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2936
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "floorp.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1236
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "midori.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3100
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "waterfox.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2012
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "pulse-browser.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4444
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "mullvadbrowser.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5040
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "brave.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4148
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "thorium.exe"
    3⤵
    PID:2112
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "browser.exe"
    3⤵
    PID:1204
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "opera.exe"
    3⤵
    PID:4160
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "vivaldi.exe"
    3⤵
    PID:3756
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "exodus.exe"
    3⤵
    PID:2364
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "telegram.exe"
    3⤵
    PID:1716
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "atomic wallet.exe"
    3⤵
    - Kills process with taskkill
    PID:2476
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "bytecoin-gui.exe"
    3⤵
    PID:532
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "armoryqt.exe"
    3⤵
    - Kills process with taskkill
    PID:4644
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "epicgames.exe"
    3⤵
    PID:4812
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "processhacker.exe"
    3⤵
    PID:3064
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "apimonitor-x64.exe"
    3⤵
    PID:4416
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "apimonitor-x86.exe"
    3⤵
    PID:3708
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "apimonitor.exe"
    3⤵
    - Kills process with taskkill
    PID:2112
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "fiddler.exe"
    3⤵
    PID:4836
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "disassembly.exe"
    3⤵
    PID:2460
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "x64dbg.exe"
    3⤵
    PID:748
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "HTTP Toolkit.exe"
    3⤵
    - Kills process with taskkill
    PID:3684
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "wireshark.exe"
    3⤵
    PID:3792
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "Procmon.exe"
    3⤵
    PID:4060
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "Procmon64a.exe"
    3⤵
    PID:4620
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "Procmon64.exe"
    3⤵
    PID:3236
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "SystemInformer.exe"
    3⤵
    PID:3360
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "Arc.exe"
    3⤵
    PID:2284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM "chrome.exe" & taskkill /F /IM "msedge.exe" & taskkill /F /IM "firefox.exe" & taskkill /F /IM "librewolf.exe" & taskkill /F /IM "floorp.exe" & taskkill /F /IM "midori.exe" & taskkill /F /IM "waterfox.exe" & taskkill /F /IM "pulse-browser.exe" & taskkill /F /IM "mullvadbrowser.exe" & taskkill /F /IM "brave.exe" & taskkill /F /IM "thorium.exe" & taskkill /F /IM "browser.exe" & taskkill /F /IM "opera.exe" & taskkill /F /IM "vivaldi.exe" & taskkill /F /IM "exodus.exe" & taskkill /F /IM "telegram.exe" & taskkill /F /IM "atomic wallet.exe" & taskkill /F /IM "bytecoin-gui.exe" & taskkill /F /IM "armoryqt.exe" & taskkill /F /IM "epicgames.exe" & taskkill /F /IM "processhacker.exe" & taskkill /F /IM "apimonitor-x64.exe" & taskkill /F /IM "apimonitor-x86.exe" & taskkill /F /IM "apimonitor.exe" & taskkill /F /IM "fiddler.exe" & taskkill /F /IM "disassembly.exe" & taskkill /F /IM "x64dbg.exe" & taskkill /F /IM "HTTP Toolkit.exe" & taskkill /F /IM "wireshark.exe" & taskkill /F /IM "Procmon.exe" & taskkill /F /IM "Procmon64a.exe" & taskkill /F /IM "Procmon64.exe" & taskkill /F /IM "SystemInformer.exe" & taskkill /F /IM "Arc.exe""
  2⤵
  PID:1212
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "chrome.exe"
    3⤵
    PID:1756
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "msedge.exe"
    3⤵
    PID:4852
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "firefox.exe"
    3⤵
    PID:3252
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "librewolf.exe"
    3⤵
    - Kills process with taskkill
    PID:1748
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "floorp.exe"
    3⤵
    PID:3312
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "midori.exe"
    3⤵
    PID:4900
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "waterfox.exe"
    3⤵
    PID:368
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "pulse-browser.exe"
    3⤵
    - Kills process with taskkill
    PID:4412
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "mullvadbrowser.exe"
    3⤵
    PID:3080
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "brave.exe"
    3⤵
    PID:1036
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "thorium.exe"
    3⤵
    PID:3772
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "browser.exe"
    3⤵
    PID:2316
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "opera.exe"
    3⤵
    PID:4148
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "vivaldi.exe"
    3⤵
    - Kills process with taskkill
    PID:376
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "exodus.exe"
    3⤵
    PID:3552
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "telegram.exe"
    3⤵
    PID:4540
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "atomic wallet.exe"
    3⤵
    - Kills process with taskkill
    PID:3104
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "bytecoin-gui.exe"
    3⤵
    - Kills process with taskkill
    PID:4328
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "armoryqt.exe"
    3⤵
    - Kills process with taskkill
    PID:2320
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "epicgames.exe"
    3⤵
    PID:368
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "processhacker.exe"
    3⤵
    PID:2268
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "apimonitor-x64.exe"
    3⤵
    - Kills process with taskkill
    PID:2876
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "apimonitor-x86.exe"
    3⤵
    - Kills process with taskkill
    PID:3776
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "apimonitor.exe"
    3⤵
    PID:2612
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "fiddler.exe"
    3⤵
    PID:4904
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "disassembly.exe"
    3⤵
    - Kills process with taskkill
    PID:3708
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "x64dbg.exe"
    3⤵
    PID:3444
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "HTTP Toolkit.exe"
    3⤵
    PID:4836
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "wireshark.exe"
    3⤵
    PID:2460
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "Procmon.exe"
    3⤵
    PID:4524
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "Procmon64a.exe"
    3⤵
    PID:2208
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "Procmon64.exe"
    3⤵
    PID:3012
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "SystemInformer.exe"
    3⤵
    PID:3536
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "Arc.exe"
    3⤵
    PID:3236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM "chrome.exe" & taskkill /F /IM "msedge.exe" & taskkill /F /IM "firefox.exe" & taskkill /F /IM "librewolf.exe" & taskkill /F /IM "floorp.exe" & taskkill /F /IM "midori.exe" & taskkill /F /IM "waterfox.exe" & taskkill /F /IM "pulse-browser.exe" & taskkill /F /IM "mullvadbrowser.exe" & taskkill /F /IM "brave.exe" & taskkill /F /IM "thorium.exe" & taskkill /F /IM "browser.exe" & taskkill /F /IM "opera.exe" & taskkill /F /IM "vivaldi.exe" & taskkill /F /IM "exodus.exe" & taskkill /F /IM "telegram.exe" & taskkill /F /IM "atomic wallet.exe" & taskkill /F /IM "bytecoin-gui.exe" & taskkill /F /IM "armoryqt.exe" & taskkill /F /IM "epicgames.exe" & taskkill /F /IM "processhacker.exe" & taskkill /F /IM "apimonitor-x64.exe" & taskkill /F /IM "apimonitor-x86.exe" & taskkill /F /IM "apimonitor.exe" & taskkill /F /IM "fiddler.exe" & taskkill /F /IM "disassembly.exe" & taskkill /F /IM "x64dbg.exe" & taskkill /F /IM "HTTP Toolkit.exe" & taskkill /F /IM "wireshark.exe" & taskkill /F /IM "Procmon.exe" & taskkill /F /IM "Procmon64a.exe" & taskkill /F /IM "Procmon64.exe" & taskkill /F /IM "SystemInformer.exe" & taskkill /F /IM "Arc.exe""
  2⤵
  PID:1512
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "chrome.exe"
    3⤵
    PID:3332
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "msedge.exe"
    3⤵
    PID:968
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "firefox.exe"
    3⤵
    PID:768
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "librewolf.exe"
    3⤵
    - Kills process with taskkill
    PID:4368
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "floorp.exe"
    3⤵
    PID:4396
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "midori.exe"
    3⤵
    PID:5048
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "waterfox.exe"
    3⤵
    PID:3128
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "pulse-browser.exe"
    3⤵
    PID:1468
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "mullvadbrowser.exe"
    3⤵
    - Kills process with taskkill
    PID:1316
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "brave.exe"
    3⤵
    PID:4952
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "thorium.exe"
    3⤵
    PID:3300
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "browser.exe"
    3⤵
    - Kills process with taskkill
    PID:3536
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "opera.exe"
    3⤵
    PID:1244
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "vivaldi.exe"
    3⤵
    PID:1168
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "exodus.exe"
    3⤵
    PID:2380
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "telegram.exe"
    3⤵
    PID:4604
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "atomic wallet.exe"
    3⤵
    PID:3752
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "bytecoin-gui.exe"
    3⤵
    PID:2384
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "armoryqt.exe"
    3⤵
    PID:3824
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "epicgames.exe"
    3⤵
    PID:4428
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "processhacker.exe"
    3⤵
    PID:2972
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "apimonitor-x64.exe"
    3⤵
    PID:3312
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "apimonitor-x86.exe"
    3⤵
    PID:4108
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "apimonitor.exe"
    3⤵
    PID:4568
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "fiddler.exe"
    3⤵
    PID:3124
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "disassembly.exe"
    3⤵
    PID:692
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "x64dbg.exe"
    3⤵
    - Kills process with taskkill
    PID:4080
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "HTTP Toolkit.exe"
    3⤵
    PID:2724
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "wireshark.exe"
    3⤵
    PID:4404
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "Procmon.exe"
    3⤵
    PID:628
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "Procmon64a.exe"
    3⤵
    PID:3808
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "Procmon64.exe"
    3⤵
    PID:3252
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "SystemInformer.exe"
    3⤵
    PID:3200
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "Arc.exe"
    3⤵
    PID:1316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM "chrome.exe" & taskkill /F /IM "msedge.exe" & taskkill /F /IM "firefox.exe" & taskkill /F /IM "librewolf.exe" & taskkill /F /IM "floorp.exe" & taskkill /F /IM "midori.exe" & taskkill /F /IM "waterfox.exe" & taskkill /F /IM "pulse-browser.exe" & taskkill /F /IM "mullvadbrowser.exe" & taskkill /F /IM "brave.exe" & taskkill /F /IM "thorium.exe" & taskkill /F /IM "browser.exe" & taskkill /F /IM "opera.exe" & taskkill /F /IM "vivaldi.exe" & taskkill /F /IM "exodus.exe" & taskkill /F /IM "telegram.exe" & taskkill /F /IM "atomic wallet.exe" & taskkill /F /IM "bytecoin-gui.exe" & taskkill /F /IM "armoryqt.exe" & taskkill /F /IM "epicgames.exe" & taskkill /F /IM "processhacker.exe" & taskkill /F /IM "apimonitor-x64.exe" & taskkill /F /IM "apimonitor-x86.exe" & taskkill /F /IM "apimonitor.exe" & taskkill /F /IM "fiddler.exe" & taskkill /F /IM "disassembly.exe" & taskkill /F /IM "x64dbg.exe" & taskkill /F /IM "HTTP Toolkit.exe" & taskkill /F /IM "wireshark.exe" & taskkill /F /IM "Procmon.exe" & taskkill /F /IM "Procmon64a.exe" & taskkill /F /IM "Procmon64.exe" & taskkill /F /IM "SystemInformer.exe" & taskkill /F /IM "Arc.exe""
  2⤵
  PID:3100
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "chrome.exe"
    3⤵
    - Kills process with taskkill
    PID:5024
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "msedge.exe"
    3⤵
    PID:1112
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "firefox.exe"
    3⤵
    PID:3120
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "librewolf.exe"
    3⤵
    - Kills process with taskkill
    PID:2516
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "floorp.exe"
    3⤵
    PID:4416
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "midori.exe"
    3⤵
    PID:2212
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "waterfox.exe"
    3⤵
    PID:2112
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "pulse-browser.exe"
    3⤵
    PID:4896
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "mullvadbrowser.exe"
    3⤵
    PID:4064
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "brave.exe"
    3⤵
    PID:2940
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "thorium.exe"
    3⤵
    PID:1716
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "browser.exe"
    3⤵
    PID:4900
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "opera.exe"
    3⤵
    - Kills process with taskkill
    PID:400
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "vivaldi.exe"
    3⤵
    - Kills process with taskkill
    PID:4044
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "exodus.exe"
    3⤵
    - Kills process with taskkill
    PID:4876
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "telegram.exe"
    3⤵
    - Kills process with taskkill
    PID:3364
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "atomic wallet.exe"
    3⤵
    PID:968
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "bytecoin-gui.exe"
    3⤵
    PID:4632
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "armoryqt.exe"
    3⤵
    PID:4904
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "epicgames.exe"
    3⤵
    PID:3708
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "processhacker.exe"
    3⤵
    - Kills process with taskkill
    PID:2452
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "apimonitor-x64.exe"
    3⤵
    PID:2168
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "apimonitor-x86.exe"
    3⤵
    - Kills process with taskkill
    PID:3196
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "apimonitor.exe"
    3⤵
    PID:3440
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "fiddler.exe"
    3⤵
    PID:4212
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "disassembly.exe"
    3⤵
    PID:532
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "x64dbg.exe"
    3⤵
    PID:3372
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "HTTP Toolkit.exe"
    3⤵
    PID:556
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "wireshark.exe"
    3⤵
    PID:2488
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "Procmon.exe"
    3⤵
    PID:2860
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "Procmon64a.exe"
    3⤵
    PID:4604
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "Procmon64.exe"
    3⤵
    PID:2212
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "SystemInformer.exe"
    3⤵
    PID:4172
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "Arc.exe"
    3⤵
    PID:964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM "chrome.exe" & taskkill /F /IM "msedge.exe" & taskkill /F /IM "firefox.exe" & taskkill /F /IM "librewolf.exe" & taskkill /F /IM "floorp.exe" & taskkill /F /IM "midori.exe" & taskkill /F /IM "waterfox.exe" & taskkill /F /IM "pulse-browser.exe" & taskkill /F /IM "mullvadbrowser.exe" & taskkill /F /IM "brave.exe" & taskkill /F /IM "thorium.exe" & taskkill /F /IM "browser.exe" & taskkill /F /IM "opera.exe" & taskkill /F /IM "vivaldi.exe" & taskkill /F /IM "exodus.exe" & taskkill /F /IM "telegram.exe" & taskkill /F /IM "atomic wallet.exe" & taskkill /F /IM "bytecoin-gui.exe" & taskkill /F /IM "armoryqt.exe" & taskkill /F /IM "epicgames.exe" & taskkill /F /IM "processhacker.exe" & taskkill /F /IM "apimonitor-x64.exe" & taskkill /F /IM "apimonitor-x86.exe" & taskkill /F /IM "apimonitor.exe" & taskkill /F /IM "fiddler.exe" & taskkill /F /IM "disassembly.exe" & taskkill /F /IM "x64dbg.exe" & taskkill /F /IM "HTTP Toolkit.exe" & taskkill /F /IM "wireshark.exe" & taskkill /F /IM "Procmon.exe" & taskkill /F /IM "Procmon64a.exe" & taskkill /F /IM "Procmon64.exe" & taskkill /F /IM "SystemInformer.exe" & taskkill /F /IM "Arc.exe""
  2⤵
  PID:4680
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "chrome.exe"
    3⤵
    PID:4972
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "msedge.exe"
    3⤵
    PID:532
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "firefox.exe"
    3⤵
    PID:2012
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "librewolf.exe"
    3⤵
    PID:4624
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "floorp.exe"
    3⤵
    PID:1968
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "midori.exe"
    3⤵
    - Kills process with taskkill
    PID:3428
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "waterfox.exe"
    3⤵
    PID:2516
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "pulse-browser.exe"
    3⤵
    PID:1520
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "mullvadbrowser.exe"
    3⤵
    - Kills process with taskkill
    PID:2352
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "brave.exe"
    3⤵
    PID:2112
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "thorium.exe"
    3⤵
    PID:1748
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "browser.exe"
    3⤵
    PID:4916
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "opera.exe"
    3⤵
    PID:4344
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "vivaldi.exe"
    3⤵
    PID:4084
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "exodus.exe"
    3⤵
    - Kills process with taskkill
    PID:3652
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "telegram.exe"
    3⤵
    PID:1264
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "atomic wallet.exe"
    3⤵
    PID:4056
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "bytecoin-gui.exe"
    3⤵
    PID:2248
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "armoryqt.exe"
    3⤵
    - Kills process with taskkill
    PID:4244
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "epicgames.exe"
    3⤵
    PID:2712
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "processhacker.exe"
    3⤵
    PID:3004
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "apimonitor-x64.exe"
    3⤵
    PID:1392
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "apimonitor-x86.exe"
    3⤵
    PID:5004
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "apimonitor.exe"
    3⤵
    PID:1716
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "fiddler.exe"
    3⤵
    PID:5016
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "disassembly.exe"
    3⤵
    PID:2340
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "x64dbg.exe"
    3⤵
    - Kills process with taskkill
    PID:396
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "HTTP Toolkit.exe"
    3⤵
    PID:2012
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "wireshark.exe"
    3⤵
    - Kills process with taskkill
    PID:3068
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "Procmon.exe"
    3⤵
    PID:5068
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "Procmon64a.exe"
    3⤵
    PID:4736
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "Procmon64.exe"
    3⤵
    PID:2056
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "SystemInformer.exe"
    3⤵
    PID:3708
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "Arc.exe"
    3⤵
    PID:3612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM "chrome.exe" & taskkill /F /IM "msedge.exe" & taskkill /F /IM "firefox.exe" & taskkill /F /IM "librewolf.exe" & taskkill /F /IM "floorp.exe" & taskkill /F /IM "midori.exe" & taskkill /F /IM "waterfox.exe" & taskkill /F /IM "pulse-browser.exe" & taskkill /F /IM "mullvadbrowser.exe" & taskkill /F /IM "brave.exe" & taskkill /F /IM "thorium.exe" & taskkill /F /IM "browser.exe" & taskkill /F /IM "opera.exe" & taskkill /F /IM "vivaldi.exe" & taskkill /F /IM "exodus.exe" & taskkill /F /IM "telegram.exe" & taskkill /F /IM "atomic wallet.exe" & taskkill /F /IM "bytecoin-gui.exe" & taskkill /F /IM "armoryqt.exe" & taskkill /F /IM "epicgames.exe" & taskkill /F /IM "processhacker.exe" & taskkill /F /IM "apimonitor-x64.exe" & taskkill /F /IM "apimonitor-x86.exe" & taskkill /F /IM "apimonitor.exe" & taskkill /F /IM "fiddler.exe" & taskkill /F /IM "disassembly.exe" & taskkill /F /IM "x64dbg.exe" & taskkill /F /IM "HTTP Toolkit.exe" & taskkill /F /IM "wireshark.exe" & taskkill /F /IM "Procmon.exe" & taskkill /F /IM "Procmon64a.exe" & taskkill /F /IM "Procmon64.exe" & taskkill /F /IM "SystemInformer.exe" & taskkill /F /IM "Arc.exe""
  2⤵
  PID:4184
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "chrome.exe"
    3⤵
    PID:2040
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "msedge.exe"
    3⤵
    PID:4608
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "firefox.exe"
    3⤵
    PID:4616
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "librewolf.exe"
    3⤵
    PID:3012
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "floorp.exe"
    3⤵
    PID:1956
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "midori.exe"
    3⤵
    PID:540
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "waterfox.exe"
    3⤵
    PID:3772
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "pulse-browser.exe"
    3⤵
    PID:3064
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "mullvadbrowser.exe"
    3⤵
    PID:4820
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "brave.exe"
    3⤵
    PID:3712
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "thorium.exe"
    3⤵
    - Kills process with taskkill
    PID:896
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "browser.exe"
    3⤵
    PID:3232
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "opera.exe"
    3⤵
    PID:4540
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "vivaldi.exe"
    3⤵
    PID:4384
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "exodus.exe"
    3⤵
    PID:1512
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "telegram.exe"
    3⤵
    PID:3988
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "atomic wallet.exe"
    3⤵
    PID:4644
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "bytecoin-gui.exe"
    3⤵
    PID:4812
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "armoryqt.exe"
    3⤵
    - Kills process with taskkill
    PID:632
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "epicgames.exe"
    3⤵
    PID:4080
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "processhacker.exe"
    3⤵
    PID:1896
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "apimonitor-x64.exe"
    3⤵
    PID:1444
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "apimonitor-x86.exe"
    3⤵
    PID:2972
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "apimonitor.exe"
    3⤵
    PID:1480
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "fiddler.exe"
    3⤵
    PID:4060
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "disassembly.exe"
    3⤵
    PID:2936
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "x64dbg.exe"
    3⤵
    - Kills process with taskkill
    PID:3988
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "HTTP Toolkit.exe"
    3⤵
    PID:400
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "wireshark.exe"
    3⤵
    PID:4936
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "Procmon.exe"
    3⤵
    PID:3380
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "Procmon64a.exe"
    3⤵
    PID:1520
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "Procmon64.exe"
    3⤵
    PID:2148
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "SystemInformer.exe"
    3⤵
    PID:4428
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "Arc.exe"
    3⤵
    PID:5004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM "chrome.exe" & taskkill /F /IM "msedge.exe" & taskkill /F /IM "firefox.exe" & taskkill /F /IM "librewolf.exe" & taskkill /F /IM "floorp.exe" & taskkill /F /IM "midori.exe" & taskkill /F /IM "waterfox.exe" & taskkill /F /IM "pulse-browser.exe" & taskkill /F /IM "mullvadbrowser.exe" & taskkill /F /IM "brave.exe" & taskkill /F /IM "thorium.exe" & taskkill /F /IM "browser.exe" & taskkill /F /IM "opera.exe" & taskkill /F /IM "vivaldi.exe" & taskkill /F /IM "exodus.exe" & taskkill /F /IM "telegram.exe" & taskkill /F /IM "atomic wallet.exe" & taskkill /F /IM "bytecoin-gui.exe" & taskkill /F /IM "armoryqt.exe" & taskkill /F /IM "epicgames.exe" & taskkill /F /IM "processhacker.exe" & taskkill /F /IM "apimonitor-x64.exe" & taskkill /F /IM "apimonitor-x86.exe" & taskkill /F /IM "apimonitor.exe" & taskkill /F /IM "fiddler.exe" & taskkill /F /IM "disassembly.exe" & taskkill /F /IM "x64dbg.exe" & taskkill /F /IM "HTTP Toolkit.exe" & taskkill /F /IM "wireshark.exe" & taskkill /F /IM "Procmon.exe" & taskkill /F /IM "Procmon64a.exe" & taskkill /F /IM "Procmon64.exe" & taskkill /F /IM "SystemInformer.exe" & taskkill /F /IM "Arc.exe""
  2⤵
  PID:2224
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "chrome.exe"
    3⤵
    - Kills process with taskkill
    PID:212
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "msedge.exe"
    3⤵
    PID:4852
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "firefox.exe"
    3⤵
    PID:4332
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "librewolf.exe"
    3⤵
    PID:1972
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "floorp.exe"
    3⤵
    PID:4060
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "midori.exe"
    3⤵
    PID:1728
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "waterfox.exe"
    3⤵
    PID:704
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "pulse-browser.exe"
    3⤵
    PID:3144
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "mullvadbrowser.exe"
    3⤵
    PID:3784
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "brave.exe"
    3⤵
    PID:836
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "thorium.exe"
    3⤵
    - Kills process with taskkill
    PID:5040
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "browser.exe"
    3⤵
    PID:4872
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "opera.exe"
    3⤵
    PID:768
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "vivaldi.exe"
    3⤵
    - Kills process with taskkill
    PID:1520
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "exodus.exe"
    3⤵
    PID:2352
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "telegram.exe"
    3⤵
    PID:748
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "atomic wallet.exe"
    3⤵
    PID:3704
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "bytecoin-gui.exe"
    3⤵
    PID:4524
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "armoryqt.exe"
    3⤵
    - Kills process with taskkill
    PID:2524
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "epicgames.exe"
    3⤵
    PID:3440
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "processhacker.exe"
    3⤵
    - Kills process with taskkill
    PID:4084
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "apimonitor-x64.exe"
    3⤵
    PID:692
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "apimonitor-x86.exe"
    3⤵
    - Kills process with taskkill
    PID:4416
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "apimonitor.exe"
    3⤵
    PID:376
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "fiddler.exe"
    3⤵
    PID:1564
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "disassembly.exe"
    3⤵
    PID:3004
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "x64dbg.exe"
    3⤵
    PID:3200
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "HTTP Toolkit.exe"
    3⤵
    - Kills process with taskkill
    PID:3196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM "chrome.exe" & taskkill /F /IM "msedge.exe" & taskkill /F /IM "firefox.exe" & taskkill /F /IM "librewolf.exe" & taskkill /F /IM "floorp.exe" & taskkill /F /IM "midori.exe" & taskkill /F /IM "waterfox.exe" & taskkill /F /IM "pulse-browser.exe" & taskkill /F /IM "mullvadbrowser.exe" & taskkill /F /IM "brave.exe" & taskkill /F /IM "thorium.exe" & taskkill /F /IM "browser.exe" & taskkill /F /IM "opera.exe" & taskkill /F /IM "vivaldi.exe" & taskkill /F /IM "exodus.exe" & taskkill /F /IM "telegram.exe" & taskkill /F /IM "atomic wallet.exe" & taskkill /F /IM "bytecoin-gui.exe" & taskkill /F /IM "armoryqt.exe" & taskkill /F /IM "epicgames.exe" & taskkill /F /IM "processhacker.exe" & taskkill /F /IM "apimonitor-x64.exe" & taskkill /F /IM "apimonitor-x86.exe" & taskkill /F /IM "apimonitor.exe" & taskkill /F /IM "fiddler.exe" & taskkill /F /IM "disassembly.exe" & taskkill /F /IM "x64dbg.exe" & taskkill /F /IM "HTTP Toolkit.exe" & taskkill /F /IM "wireshark.exe" & taskkill /F /IM "Procmon.exe" & taskkill /F /IM "Procmon64a.exe" & taskkill /F /IM "Procmon64.exe" & taskkill /F /IM "SystemInformer.exe" & taskkill /F /IM "Arc.exe""
  2⤵
  PID:2528
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "chrome.exe"
    3⤵
    PID:3944
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "msedge.exe"
    3⤵
    - Kills process with taskkill
    PID:2612
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "firefox.exe"
    3⤵
    PID:3020
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "librewolf.exe"
    3⤵
    - Kills process with taskkill
    PID:4604
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "floorp.exe"
    3⤵
    PID:2212
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "midori.exe"
    3⤵
    PID:3824
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "waterfox.exe"
    3⤵
    PID:3160
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "pulse-browser.exe"
    3⤵
    PID:3880
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "mullvadbrowser.exe"
    3⤵
    PID:4328
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "brave.exe"
    3⤵
    - Kills process with taskkill
    PID:1236
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "thorium.exe"
    3⤵
    PID:2292
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "browser.exe"
    3⤵
    PID:1348
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "opera.exe"
    3⤵
    PID:5060
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "vivaldi.exe"
    3⤵
    PID:212
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "exodus.exe"
    3⤵
    PID:3552
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "telegram.exe"
    3⤵
    PID:3756
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "atomic wallet.exe"
    3⤵
    - Kills process with taskkill
    PID:3160
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "bytecoin-gui.exe"
    3⤵
    PID:4616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM "chrome.exe" & taskkill /F /IM "msedge.exe" & taskkill /F /IM "firefox.exe" & taskkill /F /IM "librewolf.exe" & taskkill /F /IM "floorp.exe" & taskkill /F /IM "midori.exe" & taskkill /F /IM "waterfox.exe" & taskkill /F /IM "pulse-browser.exe" & taskkill /F /IM "mullvadbrowser.exe" & taskkill /F /IM "brave.exe" & taskkill /F /IM "thorium.exe" & taskkill /F /IM "browser.exe" & taskkill /F /IM "opera.exe" & taskkill /F /IM "vivaldi.exe" & taskkill /F /IM "exodus.exe" & taskkill /F /IM "telegram.exe" & taskkill /F /IM "atomic wallet.exe" & taskkill /F /IM "bytecoin-gui.exe" & taskkill /F /IM "armoryqt.exe" & taskkill /F /IM "epicgames.exe" & taskkill /F /IM "processhacker.exe" & taskkill /F /IM "apimonitor-x64.exe" & taskkill /F /IM "apimonitor-x86.exe" & taskkill /F /IM "apimonitor.exe" & taskkill /F /IM "fiddler.exe" & taskkill /F /IM "disassembly.exe" & taskkill /F /IM "x64dbg.exe" & taskkill /F /IM "HTTP Toolkit.exe" & taskkill /F /IM "wireshark.exe" & taskkill /F /IM "Procmon.exe" & taskkill /F /IM "Procmon64a.exe" & taskkill /F /IM "Procmon64.exe" & taskkill /F /IM "SystemInformer.exe" & taskkill /F /IM "Arc.exe""
  2⤵
  PID:3832
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "chrome.exe"
    3⤵
    PID:4212
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "msedge.exe"
    3⤵
    - Kills process with taskkill
    PID:1828
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "firefox.exe"
    3⤵
    PID:2708
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "librewolf.exe"
    3⤵
    PID:628
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "floorp.exe"
    3⤵
    - Kills process with taskkill
    PID:1896
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "midori.exe"
    3⤵
    PID:3876
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "waterfox.exe"
    3⤵
    PID:4456
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "pulse-browser.exe"
    3⤵
    PID:2208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('The application was unable to start correctly (0xc000007b). Click OK to close the application.', 'Application Error', [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Error)}""
  2⤵
  PID:916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('The application was unable to start correctly (0xc000007b). Click OK to close the application.', 'Application Error', [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Error)}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM "chrome.exe" & taskkill /F /IM "msedge.exe" & taskkill /F /IM "firefox.exe" & taskkill /F /IM "librewolf.exe" & taskkill /F /IM "floorp.exe" & taskkill /F /IM "midori.exe" & taskkill /F /IM "waterfox.exe" & taskkill /F /IM "pulse-browser.exe" & taskkill /F /IM "mullvadbrowser.exe" & taskkill /F /IM "brave.exe" & taskkill /F /IM "thorium.exe" & taskkill /F /IM "browser.exe" & taskkill /F /IM "opera.exe" & taskkill /F /IM "vivaldi.exe" & taskkill /F /IM "exodus.exe" & taskkill /F /IM "telegram.exe" & taskkill /F /IM "atomic wallet.exe" & taskkill /F /IM "bytecoin-gui.exe" & taskkill /F /IM "armoryqt.exe" & taskkill /F /IM "epicgames.exe" & taskkill /F /IM "processhacker.exe" & taskkill /F /IM "apimonitor-x64.exe" & taskkill /F /IM "apimonitor-x86.exe" & taskkill /F /IM "apimonitor.exe" & taskkill /F /IM "fiddler.exe" & taskkill /F /IM "disassembly.exe" & taskkill /F /IM "x64dbg.exe" & taskkill /F /IM "HTTP Toolkit.exe" & taskkill /F /IM "wireshark.exe" & taskkill /F /IM "Procmon.exe" & taskkill /F /IM "Procmon64a.exe" & taskkill /F /IM "Procmon64.exe" & taskkill /F /IM "SystemInformer.exe" & taskkill /F /IM "Arc.exe""
  2⤵
  PID:4496
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "chrome.exe"
    3⤵
    PID:2040
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "msedge.exe"
    3⤵
    - Kills process with taskkill
    PID:3280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:3784

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1204

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv ZfHsNgqd806JDcZWetlW3A.0.2
1⤵
PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.cache\pkg\da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd\@primno\dpapi\prebuilds\win32-x64\node.napi.node

Filesize
137KB

MD5
04bfbfec8db966420fe4c7b85ebb506a

SHA1
939bb742a354a92e1dcd3661a62d69e48030a335

SHA256
da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd

SHA512
4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

Download Submit
C:\Users\Admin\.cache\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
06d16fea6ab505097d16fcaa32949d47

SHA1
0c1c719831fa41cd102d0d72d61c0f46ec5b8de8

SHA256
54e15de2bef9f651d7717e2a336ac6b2ea2b723e6f29d2b153d8fbbc89aef723

SHA512
03c00f1eebb51cec11703141ae9d9c3ac589f5495bc04d8a4b043714089a9d50bd3a520e4d72b4a4c99f5b9bf5f689bf2585fa5c7d4ddbe6f71cbba0172f593a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024720-2776-xkpk7k.lvx8j.jpg

Filesize
75KB

MD5
9f9d642c17faa2eadd1e69c63e29c459

SHA1
5236b1e88bce33c59d7116cfd0032bcfb7753093

SHA256
e08021a64848871944c0c7b48f832742f42eae344a304bf7a3afa4ba2d123384

SHA512
5cc9b9524c1bd16beabb2d51d56dd547ccdf22c73a88008097ff5a7902c7c899a7a49f72c1f5628fa8472732801f60a07a87b3acaf742ed638d82ea64ec5c3ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\815692d0-4c5c-4f29-b5e9-0f59a1c4ac20.zip

Filesize
62KB

MD5
3e967cdd3c2175814ea8f6f09ef33844

SHA1
25e0ac6cfe0a630e09f255801e19c10b055ac36f

SHA256
72b062229e74a0aee57094afe3250027ad1c498ae39ed690c4ecf17e406f1ff8

SHA512
dcfe17b1af54d1045e6c3e2bab4c836bd54a034449f1c8a0674604885b0e16ac75070c26a1a8c6ebec8369b82f9c362e75dd56ac57ccb8fd1ece989fdbcc82f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\815692d0-4c5c-4f29-b5e9-0f59a1c4ac20\Cookies\Microsoft_Edge_Default.txt

Filesize
88B

MD5
b5c0ac2190eba6d5702873258c7ede2c

SHA1
9559dda57a3baa4a8ed866e395a2d253ee280fb2

SHA256
1c74fbcf02a135abce2f252bc12dce2904de6995ab895b5517f12ea41e361e57

SHA512
b42fe76f6a0cdfb5be6a773bf05cd4d6d743e2de36d9c5a7dc7189ad0a50dcb58c861beebaad7b5fbfb2522009994a769af04e4f4e04f603eb5dc1ad0fe9d8c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES602C.tmp

Filesize
1KB

MD5
7fef7d5d406af7655c72296f7eef7782

SHA1
e09887ef2fd0ee9de43101ce0f7b6ae01578bfb7

SHA256
3e72b96d5db5960b772e3e25d1dbd15de4a21fd37ebcfa2f3037dc4cd28bd09d

SHA512
ae66f568e917c2c4a20c62363294cd6107dcebbd2435115354895e0be1c6692ea167a366835c43ce129d468a85d8af5279d8a4e805f473599a589a79e956fc04

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES64DF.tmp

Filesize
1KB

MD5
7404a325eaf87a32a0aac76dd7831b06

SHA1
14325a56e15287a0bb4732d45707ab668565791e

SHA256
7625c0b56da028d84608b2216081c0bd2e472fde1f1794be763f44aee6309387

SHA512
be8aa089b76dd7179fa8dee0b65a7014a7aa207e5eef8ea861251c7186bfdebd4c58712b10cbda0bea0424b4b85c451dd22a43119364cfd505f108d162fae7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zazn0z20.q2u.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\console.ps1

Filesize
929B

MD5
f06b643b339b5dd831b1fc7fdff8d6da

SHA1
97947a56365e852593f0ce3107b3a3d541645a48

SHA256
65f6cb5327762e4c44bd36512a4795a07465e7976cbc05c20f452ea00b7fcb60

SHA512
e679f5b64371a1697238d3e2a1413f921bb96b005813f17acccb50be71142a2cf65d653487b3f5446ab41c42ff0bad13ef4d4fe8ffd96a184d4808ed0a9910af

Download Submit
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat

Filesize
13KB

MD5
da0f40d84d72ae3e9324ad9a040a2e58

SHA1
4ca7f6f90fb67dce8470b67010aa19aa0fd6253f

SHA256
818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b

SHA512
30b7d4921f39c2601d94a3e3bb0e3be79b4b7b505e52523d2562f2e2f32154d555a593df87a71cddb61b98403265f42e0d6705950b37a155dc1d64113c719fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe

Filesize
12KB

MD5
98bc05a877f33072b4a20f8563007ef6

SHA1
631b09208d59e369fb06a1ca432aa26b39993eb4

SHA256
91bae7b6ac11e7639ff53667ee08da087170b2b00f8d851e873541b440b77e3b

SHA512
51571f874a5617a209c2efe351ed7fa93194f9e8a8007671a37fb42ee4ec4d8d72c14366b3ff58b4a7813712c95c640953e935e94f438e072298139eacd654aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\udp222bc\udp222bc.dll

Filesize
3KB

MD5
a22cf92231584bf4ce172324e69203a4

SHA1
cb74ed486ea1158c2af444a5a77c1a6a62d2a2e8

SHA256
85428fe59c4635d220be614d8b872b2886ca54d227cdb2d000e8524a04fb34a1

SHA512
ec3fd0bddf4cdfc1473d15469fb739cca410b87a77e83e00876484c07686613899ba2b53d538da8af51786cb324f75f91791e59657c354168d514ff174b869ac

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC21F8D1E41D8B458B9D651655892031F3.TMP

Filesize
1KB

MD5
a6f2d21624678f54a2abed46e9f3ab17

SHA1
a2a6f07684c79719007d434cbd1cd2164565734a

SHA256
ab96911d094b6070cbfb48e07407371ddb41b86e36628b6a10cdb11478192344

SHA512
0b286df41c3887eecff5c38cbd6818078313b555ef001151b41ac11b80466b2f4f39da518ab9c51eeff35295cb39d52824de13e026c35270917d7274f764c676

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\app.manifest

Filesize
350B

MD5
8951565428aa6644f1505edb592ab38f

SHA1
9c4bee78e7338f4f8b2c8b6c0e187f43cfe88bf2

SHA256
8814db9e125d0c2b7489f8c7c3e95adf41f992d4397ed718bda8573cb8fb0e83

SHA512
7577bad37b67bf13a0d7f9b8b7d6c077ecdfb81a5bee94e06dc99e84cb20db2d568f74d1bb2cef906470b4f6859e00214beacca7d82e2b99126d27820bf3b8f5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\udp222bc\CSCC221490D892548448BA3318F5A6E4B22.TMP

Filesize
652B

MD5
5315364ea728e21079e9677427405938

SHA1
0ec67a8bfa679309d4e6f62d16021f8f117e17a5

SHA256
cb69668125f91f2427ddb1248cbf6e784b0dcad15500205c0e70695376fd8389

SHA512
8ffaba86465aace6a2d5ce0a307e8cde909de79143faa78c11f64a0b056562854a32ed0825116e49e9821a51fd9ef99c5077132e4144af33b9dbd7790467a8de

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\udp222bc\udp222bc.0.cs

Filesize
245B

MD5
8154bf94671d26f431a16a22e1c06fff

SHA1
2c5429f7b636aa07edcb2e2c0e76efb1ffca00a2

SHA256
50d82ccab66261a75c93386eed6506550ddaf2bf8501b5fa3a1fe1eb2c1c179c

SHA512
c646398f22ea0a72d7f7b47cbbe470884c1c91dde5526fe9266572d2ba6167ac4d062d1fa47d9b14ea825282c877c733339b93496a9a92714cd5cd79e6f9dde7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\udp222bc\udp222bc.cmdline

Filesize
369B

MD5
9b462a1636203d892466985a40090e65

SHA1
59399e2b3258f2a55dc06a8209069540f19764cd

SHA256
332a730f7fb1f9094778fd68980d1b52aaa0085a2e6fda3fddefc7e0e265bd00

SHA512
dbfcc0d5c85ff2714ab70462add5e4b4ca47c9626c15984526725e78cd540a44a26b9d5608eb046032d0b5cac815a2136477dcc82320263bd94184768d1f92b2

Download Submit
memory/1316-89-0x0000000000A10000-0x0000000000A1A000-memory.dmp

Filesize
40KB

Download
memory/2392-70-0x0000012AFB4C0000-0x0000012AFB4C8000-memory.dmp

Filesize
32KB

Download
memory/2392-57-0x0000012AFB7E0000-0x0000012AFB856000-memory.dmp

Filesize
472KB

Download
memory/2392-56-0x0000012AFB4F0000-0x0000012AFB534000-memory.dmp

Filesize
272KB

Download
memory/2392-46-0x0000012AFB230000-0x0000012AFB252000-memory.dmp

Filesize
136KB

Download