asyncrat | 0613d9d0dda0d03efe4dd9876834c8234b54b7d2f406fe8dcc66e799eeb5a640

Analysis

max time kernel
2s
max time network
89s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03/01/2025, 15:06

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Hackus.exe
Size

3.1MB
MD5

70787feaf9b8720abbd483c657d7a1b0
SHA1

9ce52f7b5ff2b4dadbe12694391b76d3a82d121c
SHA256

0613d9d0dda0d03efe4dd9876834c8234b54b7d2f406fe8dcc66e799eeb5a640
SHA512

9c105e63b5c12f94b80d0668fec63736fad97a13cc49fed6c7715715d4519f38d558fbde431b73153ef226aeb6e211ad1a8e9cc5c69b8fdec31214005c612d36
SSDEEP

49152:kGlP3G5KT6W0/KJQdqsF5JcJ+l2VbvbUGH8wb6i:kb4T6LEsBlM+lQ3B

Score

10^/10

asyncrat stormkitty default discovery rat stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot8038687818:AAF7yfWLNIj0GslX51tOIFXZ_75cuFnZ9oc/sendMessage?chat_id=6378570062

https://api.telegram.org/bot7289188591:AAFXBqcWy9p_LgUKTwd-Pcl7lvzedUGWL1E/sendMessage?chat_id=8079461533

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 4 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b89-4.dat	family_stormkitty
behavioral2/files/0x000a000000023b8d-21.dat	family_stormkitty
behavioral2/memory/2408-23-0x00000000006E0000-0x0000000000720000-memory.dmp	family_stormkitty
behavioral2/memory/1192-24-0x0000000000220000-0x0000000000260000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/files/0x000b000000023b89-4.dat	family_asyncrat
behavioral2/files/0x000a000000023b8d-21.dat	family_asyncrat

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	HACKUS.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	HACKUS.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	HACKUS.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	HACKUS.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Hackus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	HACKUS.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	HACKUS.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	HACKUS.EXE

Executes dropped EXE 14 IoCs

pid	Process
1192	LOADER.EXE
2408	SVCHOST.EXE
4560	LOADER.EXE
2328	SVCHOST.EXE
4284	LOADER.EXE
3376	SVCHOST.EXE
4856	LOADER.EXE
5052	SVCHOST.EXE
1824	LOADER.EXE
648	SVCHOST.EXE
4140	LOADER.EXE
512	SVCHOST.EXE
3868	LOADER.EXE
4552	SVCHOST.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
13720	9772	WerFault.exe	339
13792	8652	WerFault.exe	221
13848	4396	WerFault.exe	108
14244	7772	WerFault.exe	187
14200	5688	WerFault.exe	190
7988	3076	WerFault.exe	115

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HACKUS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LOADER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HACKUS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HACKUS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hackus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LOADER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LOADER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LOADER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LOADER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HACKUS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LOADER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HACKUS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LOADER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HACKUS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HACKUS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HACKUS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 9 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
9196	netsh.exe
1136	cmd.exe
9784	cmd.exe
11640	cmd.exe
7652	cmd.exe
3608	netsh.exe
12184	cmd.exe
11828	cmd.exe
10248	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
13488	schtasks.exe
13696	schtasks.exe
8360	schtasks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 3464	5076	Hackus.exe	82
PID 5076 wrote to memory of 3464	5076	Hackus.exe	82
PID 5076 wrote to memory of 3464	5076	Hackus.exe	82
PID 5076 wrote to memory of 1192	5076	Hackus.exe	83
PID 5076 wrote to memory of 1192	5076	Hackus.exe	83
PID 5076 wrote to memory of 1192	5076	Hackus.exe	83
PID 5076 wrote to memory of 2408	5076	Hackus.exe	84
PID 5076 wrote to memory of 2408	5076	Hackus.exe	84
PID 5076 wrote to memory of 2408	5076	Hackus.exe	84
PID 3464 wrote to memory of 3548	3464	HACKUS.EXE	85
PID 3464 wrote to memory of 3548	3464	HACKUS.EXE	85
PID 3464 wrote to memory of 3548	3464	HACKUS.EXE	85
PID 3464 wrote to memory of 4560	3464	HACKUS.EXE	86
PID 3464 wrote to memory of 4560	3464	HACKUS.EXE	86
PID 3464 wrote to memory of 4560	3464	HACKUS.EXE	86
PID 3464 wrote to memory of 2328	3464	HACKUS.EXE	87
PID 3464 wrote to memory of 2328	3464	HACKUS.EXE	87
PID 3464 wrote to memory of 2328	3464	HACKUS.EXE	87
PID 3548 wrote to memory of 1252	3548	HACKUS.EXE	88
PID 3548 wrote to memory of 1252	3548	HACKUS.EXE	88
PID 3548 wrote to memory of 1252	3548	HACKUS.EXE	88
PID 3548 wrote to memory of 4284	3548	HACKUS.EXE	89
PID 3548 wrote to memory of 4284	3548	HACKUS.EXE	89
PID 3548 wrote to memory of 4284	3548	HACKUS.EXE	89
PID 3548 wrote to memory of 3376	3548	HACKUS.EXE	90
PID 3548 wrote to memory of 3376	3548	HACKUS.EXE	90
PID 3548 wrote to memory of 3376	3548	HACKUS.EXE	90
PID 1252 wrote to memory of 2676	1252	HACKUS.EXE	91
PID 1252 wrote to memory of 2676	1252	HACKUS.EXE	91
PID 1252 wrote to memory of 2676	1252	HACKUS.EXE	91
PID 1252 wrote to memory of 4856	1252	HACKUS.EXE	93
PID 1252 wrote to memory of 4856	1252	HACKUS.EXE	93
PID 1252 wrote to memory of 4856	1252	HACKUS.EXE	93
PID 1252 wrote to memory of 5052	1252	HACKUS.EXE	94
PID 1252 wrote to memory of 5052	1252	HACKUS.EXE	94
PID 1252 wrote to memory of 5052	1252	HACKUS.EXE	94
PID 2676 wrote to memory of 1380	2676	HACKUS.EXE	95
PID 2676 wrote to memory of 1380	2676	HACKUS.EXE	95
PID 2676 wrote to memory of 1380	2676	HACKUS.EXE	95
PID 2676 wrote to memory of 1824	2676	HACKUS.EXE	96
PID 2676 wrote to memory of 1824	2676	HACKUS.EXE	96
PID 2676 wrote to memory of 1824	2676	HACKUS.EXE	96
PID 2676 wrote to memory of 648	2676	HACKUS.EXE	97
PID 2676 wrote to memory of 648	2676	HACKUS.EXE	97
PID 2676 wrote to memory of 648	2676	HACKUS.EXE	97
PID 1380 wrote to memory of 3736	1380	HACKUS.EXE	98
PID 1380 wrote to memory of 3736	1380	HACKUS.EXE	98
PID 1380 wrote to memory of 3736	1380	HACKUS.EXE	98
PID 1380 wrote to memory of 4140	1380	HACKUS.EXE	99
PID 1380 wrote to memory of 4140	1380	HACKUS.EXE	99
PID 1380 wrote to memory of 4140	1380	HACKUS.EXE	99
PID 1380 wrote to memory of 512	1380	HACKUS.EXE	100
PID 1380 wrote to memory of 512	1380	HACKUS.EXE	100
PID 1380 wrote to memory of 512	1380	HACKUS.EXE	100
PID 3736 wrote to memory of 344	3736	HACKUS.EXE	101
PID 3736 wrote to memory of 344	3736	HACKUS.EXE	101
PID 3736 wrote to memory of 344	3736	HACKUS.EXE	101
PID 3736 wrote to memory of 3868	3736	HACKUS.EXE	102
PID 3736 wrote to memory of 3868	3736	HACKUS.EXE	102
PID 3736 wrote to memory of 3868	3736	HACKUS.EXE	102
PID 3736 wrote to memory of 4552	3736	HACKUS.EXE	103
PID 3736 wrote to memory of 4552	3736	HACKUS.EXE	103
PID 3736 wrote to memory of 4552	3736	HACKUS.EXE	103
PID 344 wrote to memory of 5100	344	HACKUS.EXE	104

C:\Users\Admin\AppData\Local\Temp\Hackus.exe
"C:\Users\Admin\AppData\Local\Temp\Hackus.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3464
- - C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
    "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3548
  - - C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
      "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1252
    - - C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        8⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        10⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        11⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        12⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        13⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        14⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        15⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        16⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        17⤵
        
        PID:5296
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        18⤵
        
        PID:5512
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        19⤵
        
        PID:5736
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        20⤵
        
        PID:5904
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        21⤵
        
        PID:6056
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        22⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        23⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        24⤵
        
        PID:6540
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        25⤵
        
        PID:7052
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        26⤵
        
        PID:6896
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        27⤵
        
        PID:6660
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        28⤵
        
        PID:5408
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        29⤵
        
        PID:6488
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        30⤵
        
        PID:7600
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        31⤵
        
        PID:7372
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        32⤵
        
        PID:7516
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        33⤵
        
        PID:6840
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        34⤵
        
        PID:6060
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        35⤵
        
        PID:5900
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        36⤵
        
        PID:7900
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        37⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        38⤵
        
        PID:7908
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        39⤵
        
        PID:6536
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        40⤵
        
        PID:7888
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        41⤵
        
        PID:7900
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        42⤵
        
        PID:7644
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        43⤵
        
        PID:8608
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        44⤵
        
        PID:8964
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        45⤵
        
        PID:8376
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        46⤵
        
        PID:8508
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        47⤵
        
        PID:7076
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        48⤵
        
        PID:8792
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        49⤵
        
        PID:9032
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        50⤵
        
        PID:5656
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        51⤵
        
        PID:9256
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        52⤵
        
        PID:10076
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        53⤵
        
        PID:9324
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        54⤵
        
        PID:9932
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        55⤵
        
        PID:9620
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        56⤵
        
        PID:10076
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        57⤵
        
        PID:10072
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        58⤵
        
        PID:9160
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        59⤵
        
        PID:8528
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        60⤵
        
        PID:10472
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        61⤵
        
        PID:10652
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        62⤵
        
        PID:11048
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        63⤵
        
        PID:10400
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        64⤵
        
        PID:11016
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        65⤵
        
        PID:9164
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        66⤵
        
        PID:10408
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        67⤵
        
        PID:10976
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        68⤵
        
        PID:11120
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        69⤵
        
        PID:10976
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        70⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        71⤵
        
        PID:11428
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        72⤵
        
        PID:11708
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        73⤵
        
        PID:12088
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        74⤵
        
        PID:10860
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        75⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        76⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        77⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        78⤵
        
        PID:8504
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        79⤵
        
        PID:12184
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        80⤵
        
        PID:12216
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        81⤵
        
        PID:11824
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        82⤵
        
        PID:12648
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        83⤵
        
        PID:13140
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        84⤵
        
        PID:8836
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        85⤵
        
        PID:12880
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        86⤵
        
        PID:13076
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        87⤵
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        88⤵
        
        PID:13504
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        89⤵
        
        PID:13708
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        90⤵
        
        PID:14116
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        91⤵
        
        PID:14300
        
        C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"
        92⤵
        
        PID:10984
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        92⤵
        
        PID:12196
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        92⤵
        
        PID:9940
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        91⤵
        
        PID:14308
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        91⤵
        
        PID:14316
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        90⤵
        
        PID:14124
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        90⤵
        
        PID:14140
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        89⤵
        
        PID:13740
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        89⤵
        
        PID:13912
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        88⤵
        
        PID:13516
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        88⤵
        
        PID:13540
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        87⤵
        
        PID:10348
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        87⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        86⤵
        
        PID:13012
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        86⤵
        
        PID:13192
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        85⤵
        
        PID:12896
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        85⤵
        
        PID:12936
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        84⤵
        
        PID:5804
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        84⤵
        
        PID:12740
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        83⤵
        
        PID:13148
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        83⤵
        
        PID:13160
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        82⤵
        
        PID:12712
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        82⤵
        
        PID:12728
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        81⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        81⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        80⤵
        
        PID:8360
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        80⤵
        
        PID:9772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9772 -s 928
        81⤵
        Program crash
        
        PID:13720
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        79⤵
        
        PID:12276
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        79⤵
        
        PID:7792
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        78⤵
        
        PID:9512
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        78⤵
        
        PID:6832
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        77⤵
        
        PID:8660
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        77⤵
        
        PID:11988
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        76⤵
        
        PID:8520
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        76⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        75⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        75⤵
        
        PID:12208
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        74⤵
        
        PID:10928
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        74⤵
        
        PID:11768
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        73⤵
        
        PID:12100
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        73⤵
        
        PID:12128
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        72⤵
        
        PID:11884
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        72⤵
        
        PID:11980
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        71⤵
        
        PID:11440
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        71⤵
        
        PID:11460
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        70⤵
        
        PID:11272
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        70⤵
        
        PID:11280
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        69⤵
        
        PID:9836
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        69⤵
        
        PID:8756
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        68⤵
        
        PID:10992
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        68⤵
        
        PID:8492
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        67⤵
        
        PID:10856
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        67⤵
        
        PID:10872
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        66⤵
        
        PID:11152
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        66⤵
        
        PID:11052
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        65⤵
        
        PID:10252
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        65⤵
        
        PID:9528
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        64⤵
        
        PID:11032
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        64⤵
        
        PID:10788
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        63⤵
        
        PID:10444
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        63⤵
        
        PID:10452
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        62⤵
        
        PID:11084
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        62⤵
        
        PID:11092
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        61⤵
        
        PID:10660
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        61⤵
        
        PID:10672
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        60⤵
        
        PID:10480
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        60⤵
        
        PID:10516
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        59⤵
        
        PID:7604
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        59⤵
        
        PID:10072
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        58⤵
        
        PID:9696
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        58⤵
        
        PID:8432
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        57⤵
        
        PID:9728
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        57⤵
        
        PID:10004
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        56⤵
        
        PID:9780
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        56⤵
        
        PID:6844
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        55⤵
        
        PID:9856
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        55⤵
        
        PID:10188
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        54⤵
        
        PID:9952
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        54⤵
        
        PID:9960
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        53⤵
        
        PID:9448
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        53⤵
        
        PID:9468
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        52⤵
        
        PID:10172
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        52⤵
        
        PID:10180
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        51⤵
        
        PID:9268
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        51⤵
        
        PID:9284
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        50⤵
        
        PID:8736
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        50⤵
        
        PID:8692
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        49⤵
        
        PID:6724
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        49⤵
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        48⤵
        
        PID:9008
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        48⤵
        
        PID:7384
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        47⤵
        
        PID:7048
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        47⤵
        
        PID:7736
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        46⤵
        
        PID:8568
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        46⤵
        
        PID:8652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8652 -s 1324
        47⤵
        Program crash
        
        PID:13792
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        45⤵
        
        PID:8276
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        45⤵
        
        PID:8300
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        44⤵
        
        PID:9000
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        44⤵
        
        PID:9100
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        43⤵
        
        PID:8748
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        43⤵
        
        PID:8852
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        42⤵
        
        PID:6580
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        42⤵
        
        PID:6708
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        41⤵
        
        PID:5684
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        41⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        40⤵
        
        PID:7928
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        40⤵
        
        PID:7940
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        39⤵
        
        PID:7532
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        39⤵
        
        PID:6864
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        38⤵
        
        PID:8060
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        38⤵
        
        PID:7764
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        37⤵
        
        PID:7700
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        37⤵
        
        PID:7956
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        36⤵
        
        PID:7856
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        36⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 1340
        37⤵
        Program crash
        
        PID:14200
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        35⤵
        
        PID:6764
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        35⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7772 -s 1344
        36⤵
        Program crash
        
        PID:14244
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        34⤵
        
        PID:7284
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        34⤵
        
        PID:6532
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        33⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        34⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8360
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        33⤵
        
        PID:5848
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        32⤵
        
        PID:7536
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        32⤵
        
        PID:7872
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        31⤵
        
        PID:6568
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        31⤵
        
        PID:6860
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        30⤵
        
        PID:7744
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        30⤵
        
        PID:8040
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        29⤵
        
        PID:6796
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        29⤵
        
        PID:7056
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        28⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        29⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1136
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        
        PID:7916
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        28⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        29⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7652
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        27⤵
        
        PID:6444
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        27⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        28⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:11828
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        29⤵
        
        PID:14064
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        26⤵
        
        PID:6772
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        26⤵
        
        PID:6948
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        25⤵
        
        PID:7060
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        25⤵
        
        PID:7132
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        24⤵
        
        PID:6572
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        24⤵
        
        PID:6752
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        23⤵
        
        PID:5160
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        23⤵
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        22⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        22⤵
        
        PID:5196
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        21⤵
        
        PID:6064
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        21⤵
        
        PID:6092
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        20⤵
        
        PID:5912
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        20⤵
        
        PID:5924
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        19⤵
        
        PID:5748
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        19⤵
        
        PID:5768
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        18⤵
        
        PID:5536
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        18⤵
        
        PID:5544
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        17⤵
        
        PID:5304
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        17⤵
        
        PID:5312
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        16⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        16⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        15⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        15⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        14⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        14⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        13⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        13⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        12⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        12⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:13488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 1920
        13⤵
        Program crash
        
        PID:7988
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        11⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        11⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        10⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1044
        11⤵
        Program crash
        
        PID:13848
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        10⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        9⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        9⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:512
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:13696
      - C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:9784
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:13996
      - C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:648
    - - C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4856
    - - C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5052
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:10248
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:11420
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3608
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        7⤵
        
        PID:5064
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        6⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:12188
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        7⤵
        
        PID:7960
  - - C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
      "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4284
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:12184
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:11160
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:9196
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        
        PID:12212
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        5⤵
        
        PID:12196
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:8472
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        
        PID:12584
  - - C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
      "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3376
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:11640
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:12292
- - C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
    "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4560
- - C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
    "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2328
- C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
  "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1192
- C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
  "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2408

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:4304

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:7788

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:13820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7856 -ip 7856
1⤵
PID:13840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 8852 -ip 8852
1⤵
PID:13876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2200 -ip 2200
1⤵
PID:13608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5688 -ip 5688
1⤵
PID:13940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 6532 -ip 6532
1⤵
PID:13932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 12196 -ip 12196
1⤵
PID:13636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 11884 -ip 11884
1⤵
PID:6236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 828 -p 8360 -ip 8360
1⤵
PID:14120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 6764 -ip 6764
1⤵
PID:14132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 816 -p 11768 -ip 11768
1⤵
PID:11448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 832 -p 6844 -ip 6844
1⤵
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 7764 -ip 7764
1⤵
PID:13016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 2196 -ip 2196
1⤵
PID:10860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 8748 -ip 8748
1⤵
PID:11456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 7700 -ip 7700
1⤵
PID:12512

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:12964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3076 -ip 3076
1⤵
PID:7584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3589422cacb93716c94c00349007e19e\Admin@HGNBWBGW_en-US\System\Process.txt

Filesize
142B

MD5
e739cffa81393cd7b91fb30f3b8781a6

SHA1
72fef18590480cbbd98cf2901ba113fdd8519203

SHA256
c49da9c53d3005ef69a1f48c77d1d0f6638ed3dc1303b7dc7c8624f74ead6571

SHA512
2957e8b71171dc6dfc38df11ea120301e8148e5ba79e01247dcd9ed739abfbc1c3673156eafff67e7b092402b3979dd2dda1874e344f858125370da88fbe8582

Download Submit
C:\Users\Admin\AppData\Local\606d0e5e778be20f338f785186f974b7\Admin@HGNBWBGW_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\8648dd9006ccc12c10d4ef0a8c8cd3b5\Admin@HGNBWBGW_en-US\Directories\Temp.txt

Filesize
8KB

MD5
33e48bf07d8605d198010b9765b7f216

SHA1
b120407cdf45b824c377daecfb96856f38760f94

SHA256
f75619e987c364d8c429aea0cdf6523256077565617c470615f2a139e924a226

SHA512
0606541f04affc7691ac58a480abfe7ffdc364cc795182475ff8b948a8f1de3081e0a4827ddf1d8c1ec464e7807a7c1483921166bc892ecd619fc55f72544c77

Download Submit
C:\Users\Admin\AppData\Local\8648dd9006ccc12c10d4ef0a8c8cd3b5\Admin@HGNBWBGW_en-US\Directories\Temp.txt

Filesize
5KB

MD5
d0255632210663155d040a620da027a7

SHA1
02246b71ea24108b993675483673a8b77021fee8

SHA256
daad12b4098e23a6b82308414466c3b43f798dfd32ac75509102fa1659767ca0

SHA512
3d353ef3df9d912886b9abca55c4a4aa1c29b1256f4edef66bdd54cf9e98125ff61868af4a7ff6156127681319565e604bb534aac21a86b15805080127852e66

Download Submit
C:\Users\Admin\AppData\Local\8648dd9006ccc12c10d4ef0a8c8cd3b5\Admin@HGNBWBGW_en-US\System\Process.txt

Filesize
437B

MD5
15f0d26500b56ce9fc7f6c36df212464

SHA1
177a2946094e7a50eb5b4594407503f2d61d272b

SHA256
55803fc0bae2fc961c3d9904d67530dce9d8fb69c572d487a4cdf138435a1f7b

SHA512
d883694e3abfe7b43def24aa98c81291aa0aae3931e5fae8a878444aacd014f35e925effce3f18a231f703eed77a7d24ff12508baf995f44caa377cae4321455

Download Submit
C:\Users\Admin\AppData\Local\8648dd9006ccc12c10d4ef0a8c8cd3b5\Admin@HGNBWBGW_en-US\System\Process.txt

Filesize
874B

MD5
0ccd1b3049c330bf3dc9429f6ac46941

SHA1
b5317f69858d3866862b5ab79483b956e765bfc6

SHA256
1e497e8f2fbb44dd7b2e7536688ac5bc759a69f4cf43a70c793929a003f5efa7

SHA512
249c13481092a1a9cb1adfd90c613a1a1c71ada2bd4cf2f658bfdffd139a44641181501b6ad81b589a52773ab428ccc5f7696148c300da9dd4633f5c88bb686d

Download Submit
C:\Users\Admin\AppData\Local\8648dd9006ccc12c10d4ef0a8c8cd3b5\Admin@HGNBWBGW_en-US\System\Process.txt

Filesize
1KB

MD5
11c9e56f1ce50acabc9ff1de27df8f35

SHA1
973f92be75c30951e99cd220487d8a10053264fa

SHA256
0afa679267046f0bf8af66176031fd5f66db7dfbbee7b1ffa5b5682191bd8b4c

SHA512
82629d1d7f41287386c039496d6ceb41856a517d61641f638167e42afa6546b75624ed3ead9e086602b54dba3cbac88126bd0344783a16a902c431c4271f8137

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOADER.EXE

Filesize
232KB

MD5
905d8f8b1d16ce5c63f6a806e1efeb98

SHA1
75c8c39c0bb5e48f53f1585a9cefa03a997dc680

SHA256
78dcc1bbf29a5d6e5cb57506f273d41e8629232bc733bb4126955f40f60f63f4

SHA512
f0c00f773909bc0b04e638196f902f314d75000e04ed7bc72b3d9b35c4278de3f18d7e02aaf85e70207860aa3d920d167c62e14bbdf9289481bcf516ebf87a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE

Filesize
232KB

MD5
ea10b6fdbb466c9e2bc1602efa14e4be

SHA1
f9144cda448d4cf8ff47ac9cdb56ed262c5f9de3

SHA256
e574a3494f4b760d028ccb7c8c73d6997aa7fd422104fa9b56c9ab3ddb695b2b

SHA512
81e076141d108f914008b29e2f7b350e832c1e1edb44d778a8150b8011c78452d29c1c563faf3da201cc8a91e61ac2b5bad7298be3ba36659a24298df4149fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
19b8ad57bdab8ad0e83915a3b20183c1

SHA1
62bdf09a73fa09296118d77ef366642233f9db6f

SHA256
8a3f119a5dac3b2cc21b6d635e750a526620f284aec290a74e1712a579a3d614

SHA512
d55a389f359504ecd8d0b4cd1772ea89ab26433ba23e1c399dc4ecc55dd67d033f90d27314e02e9f6b5a441c6a3e7edf9b3b481e8d101536ac0c2fa90f99a267

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD532.tmp.dat

Filesize
114KB

MD5
0163d73ac6c04817a0bed83c3564b99f

SHA1
784001e8d0e7ab6a09202c2a1094f371f7d017cb

SHA256
5114af822abc2b0f2aabb7565919164c9babf884e34c21095213dbe6a71511ea

SHA512
47051ee935be9e9d4457447c7fe5df06a5b0c5ef55d2c757d3dfa179b6049ae79732b1552e812febe5ae41a076cb29d8a809ae9b168afc7eb4c9eadfadcf5d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD5E0.tmp.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD5E3.tmp.dat

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDAD0.tmp.dat

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDAE6.tmp.dat

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDAE7.tmp.dat

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDAE8.tmp.dat

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDAE9.tmp.dat

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\d48703d101a4f363cb81112891ead2e1\Admin@HGNBWBGW_en-US\System\Process.txt

Filesize
64B

MD5
c32b024e109a672073a7c8e88414161a

SHA1
60e3c82690288663d38d40a933ad2d06c79344b8

SHA256
119d88f1da00d8da6f88d744d8096c4ff381281894efcf1dbdbd1e43d961ac84

SHA512
b6e7f9a76495f0acd3d112818db834045a851c5e6d7faacdf4b3cd4ac38997c168162b32bbb696276c33fa54b523e92d699d8393799ff8fdfc6c3658a0a8dbc9

Download Submit
C:\Users\Admin\AppData\Local\dfb609e2a7ae0b0fab490ff79f15c6f7\Admin@HGNBWBGW_en-US\Directories\Desktop.txt

Filesize
534B

MD5
101998abef51d4e0a07f5108080f9a16

SHA1
076eb182637ca707099044c553a55c0aabbd1293

SHA256
3cb182947731d36fedad184816267bb68771a5234dc5a0bc7714ddc0550ab54b

SHA512
16c4cbd55847c802dcbfa666c697ada012594be6dba97bb8a917716b06d77d97bcf919baaff631dc302b0cb0ea19ddc36fe50e7ccf0e3436efc4b32dce704896

Download Submit
C:\Users\Admin\AppData\Local\dfb609e2a7ae0b0fab490ff79f15c6f7\Admin@HGNBWBGW_en-US\Directories\Documents.txt

Filesize
830B

MD5
acc657f95bded22a724194efd48db507

SHA1
cd856d30252d93602468c4854c537b29c7cfd1bb

SHA256
f8f234c826833541e661a6cd3a5f8fb081e56714913e4d73be03506f9902d5aa

SHA512
7ca594bb6aaa34fd18dc45671439b3ab015d7537dfabb80068fe8b2d2adce273c577b062ab2366f38a51f1cc82ce7baab626954e5f9d3c3e34d546fe0c233fc6

Download Submit
C:\Users\Admin\AppData\Local\dfb609e2a7ae0b0fab490ff79f15c6f7\Admin@HGNBWBGW_en-US\Directories\Downloads.txt

Filesize
705B

MD5
d0c0068c716945670832a6ed5d9d30c7

SHA1
dafaa6ee659898429978cff1ce139b475c52fd5a

SHA256
8064bf32768a9b06289135dd294ee4cd355825d1cbae2e0d253727da78402f14

SHA512
cc28c1851900656161067721c9b2372fff8e173a7f37098e5952ac2ee6e6944191042e4d7aee316cb229a8666a633275b50aff2cdab05f877fe5ac727f4bbd8c

Download Submit
C:\Users\Admin\AppData\Local\dfb609e2a7ae0b0fab490ff79f15c6f7\Admin@HGNBWBGW_en-US\Directories\OneDrive.txt

Filesize
25B

MD5
966247eb3ee749e21597d73c4176bd52

SHA1
1e9e63c2872cef8f015d4b888eb9f81b00a35c79

SHA256
8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e

SHA512
bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

Download Submit
C:\Users\Admin\AppData\Local\dfb609e2a7ae0b0fab490ff79f15c6f7\Admin@HGNBWBGW_en-US\Directories\Pictures.txt

Filesize
362B

MD5
af52f11bb75605414af0457867809964

SHA1
e66573d5f9b96a7bc3920f11b31fecbf4b4a4aff

SHA256
25fe2832f10a26527590fee54d5fc540994f69d250f3bfb8623846d8d6de02d9

SHA512
70f8d673665c9c91d1afeed47156e50cfe194f533cc1558c472c4eff3b9473404cbb16bafad7efb522a4553c45b12322eb32a28b2a52ebc8f04e35bf8f9dea10

Download Submit
C:\Users\Admin\AppData\Local\dfb609e2a7ae0b0fab490ff79f15c6f7\Admin@HGNBWBGW_en-US\Directories\Startup.txt

Filesize
24B

MD5
68c93da4981d591704cea7b71cebfb97

SHA1
fd0f8d97463cd33892cc828b4ad04e03fc014fa6

SHA256
889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

SHA512
63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

Download Submit
C:\Users\Admin\AppData\Local\dfb609e2a7ae0b0fab490ff79f15c6f7\Admin@HGNBWBGW_en-US\Directories\Temp.txt

Filesize
2KB

MD5
d03f243b11326f5e229baa4e593aae7c

SHA1
c181b6b99837e2fe6f309bd90eff84835239688f

SHA256
17cc259f2983e692fef9715b216a5eeb4e9c33e2443c426302c0ca8bdd6565bd

SHA512
826aa895950d6c0092e88b2a3a7d081c6519d5314141079e0e53a9a5ee7bdf9f1a928675606d7dd1b178a2b7e2eb4038bfd1e34eef37ca9ee199b9d871acb135

Download Submit
C:\Users\Admin\AppData\Local\dfb609e2a7ae0b0fab490ff79f15c6f7\Admin@HGNBWBGW_en-US\Directories\Videos.txt

Filesize
23B

MD5
1fddbf1169b6c75898b86e7e24bc7c1f

SHA1
d2091060cb5191ff70eb99c0088c182e80c20f8c

SHA256
a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

SHA512
20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

Download Submit
C:\Users\Admin\AppData\Local\dfb609e2a7ae0b0fab490ff79f15c6f7\Admin@HGNBWBGW_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\Users\Admin\AppData\Local\dfb609e2a7ae0b0fab490ff79f15c6f7\Admin@HGNBWBGW_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\Users\Admin\AppData\Local\dfb609e2a7ae0b0fab490ff79f15c6f7\Admin@HGNBWBGW_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\Users\Admin\AppData\Local\dfb609e2a7ae0b0fab490ff79f15c6f7\Admin@HGNBWBGW_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini

Filesize
190B

MD5
d48fce44e0f298e5db52fd5894502727

SHA1
fce1e65756138a3ca4eaaf8f7642867205b44897

SHA256
231a08caba1f9ba9f14bd3e46834288f3c351079fcedda15e391b724ac0c7ea8

SHA512
a1c0378db4e6dac9a8638586f6797bad877769d76334b976779cd90324029d755fb466260ef27bd1e7f9fdf97696cd8cd1318377970a1b5bf340efb12a4feb4a

Download Submit
C:\Users\Admin\AppData\Local\dfb609e2a7ae0b0fab490ff79f15c6f7\Admin@HGNBWBGW_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini

Filesize
190B

MD5
87a524a2f34307c674dba10708585a5e

SHA1
e0508c3f1496073b9f6f9ecb2fb01cb91f9e8201

SHA256
d01a7ef6233ef4ab3ea7210c0f2837931d334a20ae4d2a05ed03291e59e576c9

SHA512
7cfa6d47190075e1209fb081e36ed7e50e735c9682bfb482dbf5a36746abdad0dccfdb8803ef5042e155e8c1f326770f3c8f7aa32ce66cf3b47cd13781884c38

Download Submit
C:\Users\Admin\AppData\Local\dfb609e2a7ae0b0fab490ff79f15c6f7\Admin@HGNBWBGW_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini

Filesize
504B

MD5
29eae335b77f438e05594d86a6ca22ff

SHA1
d62ccc830c249de6b6532381b4c16a5f17f95d89

SHA256
88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4

SHA512
5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

Download Submit
C:\Users\Admin\AppData\Local\eed2bd628da1c2f6ff9a0b2cbae35763\Admin@HGNBWBGW_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
210B

MD5
1267f4be35fbe5510886cf08ddee9fdd

SHA1
04e714a1c8a9d76e860c7cbbe7ebf62c71dea6b9

SHA256
ab038447adbfd1faf46f0d3bf6dc387621dc8435ab552696ec8d9bbe7a6a9ab3

SHA512
6f1bc0ad9eb850f37cddc2422e738f0cbbfe8a7a7e064c0c989cafbf0f7d5ae5bdfced4b3f93952688de3bfa338ff5a8c7258aff8397cdaccb36b23b5d16686b

Download Submit
C:\Users\Admin\AppData\Local\eed2bd628da1c2f6ff9a0b2cbae35763\Admin@HGNBWBGW_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
315B

MD5
71227f862899452aa270d580a8b090c8

SHA1
13a6dc9506be2066777ec34acbe5ab62684c4929

SHA256
22e5316f3216208507c8ae67cbb2a90cfcf4389dae87f8f71c3388593eca57c1

SHA512
126c549e82d679bb9d3e229b09c3dded86b72aa5a98cb956a0d2a740ca43a4da14049134c3836c49ef50e76bb0a69fe158bb776a4c86a7e7b04893ced8ba5b5a

Download Submit
C:\Users\Admin\AppData\Local\eed2bd628da1c2f6ff9a0b2cbae35763\Admin@HGNBWBGW_en-US\System\Desktop.jpg

Filesize
14KB

MD5
9fda60ecca37b7fabec8226df10e22d5

SHA1
fc293e789cff1461b6caa37ef50986c50db2fd54

SHA256
c044ed4d7d134d4f32daa126c8a3205b1763fd028ad8250a164ed768814f7f10

SHA512
db5836615531070dcaa4ab26b8e9a5a8d68d6dfb0983965099cbd0fd3deefe1995dad255a861a5a6149f2086b94ac6af2b5e887605fbf55687556735efb09503

Download Submit
C:\Users\Admin\AppData\Local\eed2bd628da1c2f6ff9a0b2cbae35763\Admin@HGNBWBGW_en-US\System\Process.txt

Filesize
206B

MD5
5ca08fa32e4176ad8705f46a16e950e5

SHA1
21a52e991fc81aa858c62ca411f0fd757f74a213

SHA256
804ac77575f87a14b3e7d97acad11d703b9b8583e51ed5bce17b3260e8c85e99

SHA512
0feb3c2296d3b6a915a2f67b61f7b9006b103cb45c7ccc252a62b090ffc54b90b55758bd2021e96f4e768043b82675e4d3df0e5f18af8bce36d4e1c7b7cf8549

Download Submit
C:\Users\Admin\AppData\Local\eed2bd628da1c2f6ff9a0b2cbae35763\Admin@HGNBWBGW_en-US\System\Process.txt

Filesize
361B

MD5
fd4dddc8d5fd68ab4a8050d1517024a4

SHA1
90e3a489936e7bbdae058ac96e56de770978b461

SHA256
b2191ede0905cbe38ef29248cca9a4ccb2a7922c1e1d60fb9b3a5a356df34e93

SHA512
5f10041894c3ef8f41ac49725b7ae7abbce2246977222f613e35a7f0fab7702373128857f5936f486ae4ccf7a5e8e63a933c3f1a0697aedae79dff519960d120

Download Submit
C:\Users\Admin\AppData\Local\eed2bd628da1c2f6ff9a0b2cbae35763\Admin@HGNBWBGW_en-US\System\Process.txt

Filesize
722B

MD5
5a5e480813096b0761e86c0ffd4e680a

SHA1
d9c0d5187879b5a0e1fae720c116015f9a035aa3

SHA256
406bc6753bbc3c5f5540bf81933d364927a17df5fd5410cf0d0981d9757910f5

SHA512
8a0074f51377530bc2a3405506710647ce32e6b96a74718a625c9de5da0dcdeaffcda413cc3df768ea8fb4f93f71aab4133c48685ff47b7880d04fe4854e1c1f

Download Submit
C:\Users\Admin\AppData\Local\eed2bd628da1c2f6ff9a0b2cbae35763\Admin@HGNBWBGW_en-US\System\Process.txt

Filesize
1KB

MD5
6c961e77f80779db09072baaf24275bc

SHA1
f6352945ddbce6b8e032b5e9377aac173bf408c5

SHA256
13037b75059427558203958b67194fecba0338d203ac2449c622d179951429a9

SHA512
b1c318b613808d5e78f5c55c040690eaebd98c231e6616645777b8d8e31d80289c65cc75bdf7c761a828cfc1b6df3b09a76bcbbebabff1eb03da476856fd5668

Download Submit
C:\Users\Admin\AppData\Local\eed2bd628da1c2f6ff9a0b2cbae35763\Admin@HGNBWBGW_en-US\System\Process.txt

Filesize
1KB

MD5
5b1dbfae8cef4c0ca62901b324871bb9

SHA1
5bc49b4f5780739c30e77baa470b732c900fa7c2

SHA256
ac888307909d28d16753374f099f314b3dd149e3ec808af0af5f206ffb8718b8

SHA512
b4676121a4864d8156632e466b8c60831b9701628694c51268dcf97aa9e8488ac91385672140a02c63ae71007edb7ee6d7af171c70535a44b9d30e7bc905a081

Download Submit
C:\Users\Admin\AppData\Local\eed2bd628da1c2f6ff9a0b2cbae35763\Admin@HGNBWBGW_en-US\System\Process.txt

Filesize
2KB

MD5
dc034921159aa58214197c66e5f069ee

SHA1
0af784a1416efbc0d90b5c2eb3c7d6ba8dc6a5a4

SHA256
fb0ece27c52222c598a42ba781c2455f201c58b3a344496a885161bfe3e7da81

SHA512
5595bb2234c191304a1292c181b3077bf776e84237a9d80dbc7e57fec05565eebc6d0a76f6d3c64b040f15f9316ce8bc513a2abd47ee62d2ae2f233c233ffdbf

Download Submit
C:\Users\Admin\AppData\Local\eed2bd628da1c2f6ff9a0b2cbae35763\Admin@HGNBWBGW_en-US\System\Process.txt

Filesize
2KB

MD5
8c88a5224528191f7653baedba853df4

SHA1
a5353da609d79f5884b2d3a136588ff9400104c8

SHA256
a3738cbb4aa1c9d6c5386d1553fdd34020df8ee8d82fe9a11fad0da21fc83993

SHA512
06a41508d59565b30111ccd9b81d528b92c8f22569aa9dfbb4f5ff82bf587734eaefdd2d031b16e5edafe32fd288ac089ef9540011d0ffabdc56bdd00583c83b

Download Submit
C:\Users\Admin\AppData\Local\eed2bd628da1c2f6ff9a0b2cbae35763\Admin@HGNBWBGW_en-US\System\Process.txt

Filesize
3KB

MD5
896ff9a658a9e38662d12ee54375d8fc

SHA1
cdd5289e103380237bffc5c6c8517c02b7dbf774

SHA256
c37078587f5fcc2dc7e83fed38835a0e54a71706dbd3609d2d55ca0f11c9e79d

SHA512
a454789b0af5a4816e0b615597ac70d1fe5f537dc8a263b5a87df31216573e0184941277290c9155f820a86802eeb1c006c4a6fc4e9f78af1cc2e4ba61a17a0c

Download Submit
C:\Users\Admin\AppData\Local\eed2bd628da1c2f6ff9a0b2cbae35763\Admin@HGNBWBGW_en-US\System\ProductKey.txt

Filesize
29B

MD5
71eb5479298c7afc6d126fa04d2a9bde

SHA1
a9b3d5505cf9f84bb6c2be2acece53cb40075113

SHA256
f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3

SHA512
7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

Download Submit
memory/1192-24-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1192-60-0x0000000073B1E000-0x0000000073B1F000-memory.dmp

Filesize
4KB

Download
memory/1192-22-0x0000000073B1E000-0x0000000073B1F000-memory.dmp

Filesize
4KB

Download
memory/1192-29-0x0000000073B10000-0x00000000742C0000-memory.dmp

Filesize
7.7MB

Download
memory/1192-72-0x0000000073B10000-0x00000000742C0000-memory.dmp

Filesize
7.7MB

Download
memory/1192-27-0x0000000004B40000-0x0000000004BA6000-memory.dmp

Filesize
408KB

Download
memory/2408-23-0x00000000006E0000-0x0000000000720000-memory.dmp

Filesize
256KB

Download
memory/2408-63-0x0000000073B10000-0x00000000742C0000-memory.dmp

Filesize
7.7MB

Download
memory/2408-25-0x0000000073B10000-0x00000000742C0000-memory.dmp

Filesize
7.7MB

Download
memory/3076-3934-0x00000000061A0000-0x00000000061AA000-memory.dmp

Filesize
40KB

Download
memory/4304-556-0x0000024B4AB20000-0x0000024B4AB21000-memory.dmp

Filesize
4KB

Download
memory/4304-552-0x0000024B4AB20000-0x0000024B4AB21000-memory.dmp

Filesize
4KB

Download
memory/4304-557-0x0000024B4AB20000-0x0000024B4AB21000-memory.dmp

Filesize
4KB

Download
memory/4304-558-0x0000024B4AB20000-0x0000024B4AB21000-memory.dmp

Filesize
4KB

Download
memory/4304-544-0x0000024B4AB20000-0x0000024B4AB21000-memory.dmp

Filesize
4KB

Download
memory/4304-554-0x0000024B4AB20000-0x0000024B4AB21000-memory.dmp

Filesize
4KB

Download
memory/4304-543-0x0000024B4AB20000-0x0000024B4AB21000-memory.dmp

Filesize
4KB

Download
memory/4304-553-0x0000024B4AB20000-0x0000024B4AB21000-memory.dmp

Filesize
4KB

Download
memory/4304-542-0x0000024B4AB20000-0x0000024B4AB21000-memory.dmp

Filesize
4KB

Download
memory/4304-555-0x0000024B4AB20000-0x0000024B4AB21000-memory.dmp

Filesize
4KB

Download
memory/4856-67-0x0000000005E50000-0x0000000005EE2000-memory.dmp

Filesize
584KB

Download
memory/4856-66-0x0000000006320000-0x00000000068C4000-memory.dmp

Filesize
5.6MB

Download
memory/5052-3428-0x0000000001220000-0x000000000122A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads