hxxps://urlscan[.]io/domain/www[.]pchack[.]tech

Resubmissions

18/09/2023, 07:45

230918-jllxwsfh5v 6

18/09/2023, 07:05

230918-hwq4xsab43 10

18/09/2023, 07:02

230918-ht48rsab36 1

18/09/2023, 06:52

230918-hnkl6sab28 10

Analysis

max time kernel
100s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
18/09/2023, 07:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://urlscan.io/domain/www.pchack.tech

Score

10^/10

evasion

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

description	pid	Process	procid_target
PID 2040 created 3084	2040	mens.exe	56
PID 2040 created 3084	2040	mens.exe	56
PID 2040 created 3084	2040	mens.exe	56
PID 2040 created 3084	2040	mens.exe	56
PID 2040 created 3084	2040	mens.exe	56
PID 2040 created 3084	2040	mens.exe	56

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	driver.exe

Executes dropped EXE 4 IoCs

pid	Process
2104	driver.exe
3388	loader.exe
2040	mens.exe
4928	met.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 5752	2040	mens.exe	150

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5652	sc.exe
5672	sc.exe
5704	sc.exe
5568	sc.exe
5624	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5884	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	driver.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
3840	msedge.exe
3840	msedge.exe
4884	msedge.exe
4884	msedge.exe
5056	identity_helper.exe
5056	identity_helper.exe
4876	msedge.exe
4876	msedge.exe
1992	Auto-Teleport.exe
3820	Auto-Teleport.exe
1992	Auto-Teleport.exe
3820	Auto-Teleport.exe
4624	Auto-Teleport.exe
4624	Auto-Teleport.exe
3276	Auto-Teleport.exe
3276	Auto-Teleport.exe
4724	Auto-Teleport.exe
4724	Auto-Teleport.exe
5076	Auto-Teleport.exe
5076	Auto-Teleport.exe
432	Auto-Teleport.exe
432	Auto-Teleport.exe
4804	Auto-Teleport.exe
4804	Auto-Teleport.exe
2108	Auto-Teleport.exe
2108	Auto-Teleport.exe
1648	Auto-Teleport.exe
1648	Auto-Teleport.exe
5044	Auto-Teleport.exe
5044	Auto-Teleport.exe
2324	Auto-Teleport.exe
2324	Auto-Teleport.exe
996	Auto-Teleport.exe
996	Auto-Teleport.exe
2740	Auto-Teleport.exe
2740	Auto-Teleport.exe
2440	Auto-Teleport.exe
2440	Auto-Teleport.exe
1264	Auto-Teleport.exe
1264	Auto-Teleport.exe
1712	Auto-Teleport.exe
1712	Auto-Teleport.exe
1580	Auto-Teleport.exe
1580	Auto-Teleport.exe
2040	mens.exe
2040	mens.exe
4540	powershell.exe
4540	powershell.exe
4540	powershell.exe
2040	mens.exe
2040	mens.exe
2040	mens.exe
2040	mens.exe
2040	mens.exe
2040	mens.exe
2040	mens.exe
2040	mens.exe
5752	dialer.exe
5752	dialer.exe
2040	mens.exe
2040	mens.exe
5752	dialer.exe
5752	dialer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeDebugPrivilege	5752	dialer.exe
Token: SeShutdownPrivilege	5864	powercfg.exe
Token: SeCreatePagefilePrivilege	5864	powercfg.exe
Token: SeShutdownPrivilege	5912	powercfg.exe
Token: SeCreatePagefilePrivilege	5912	powercfg.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1992	Auto-Teleport.exe
3820	Auto-Teleport.exe
1992	Auto-Teleport.exe
1992	Auto-Teleport.exe
1992	Auto-Teleport.exe
3820	Auto-Teleport.exe
3820	Auto-Teleport.exe
1992	Auto-Teleport.exe
3820	Auto-Teleport.exe
3820	Auto-Teleport.exe
1992	Auto-Teleport.exe
3820	Auto-Teleport.exe
1992	Auto-Teleport.exe
3820	Auto-Teleport.exe
1992	Auto-Teleport.exe
1992	Auto-Teleport.exe
3820	Auto-Teleport.exe
3820	Auto-Teleport.exe
1992	Auto-Teleport.exe
1992	Auto-Teleport.exe
3820	Auto-Teleport.exe
1992	Auto-Teleport.exe
3820	Auto-Teleport.exe
3820	Auto-Teleport.exe
3820	Auto-Teleport.exe
1992	Auto-Teleport.exe
1992	Auto-Teleport.exe
1992	Auto-Teleport.exe
1992	Auto-Teleport.exe
1992	Auto-Teleport.exe
1992	Auto-Teleport.exe
1992	Auto-Teleport.exe
1992	Auto-Teleport.exe
1992	Auto-Teleport.exe
3820	Auto-Teleport.exe
3820	Auto-Teleport.exe
3820	Auto-Teleport.exe
3820	Auto-Teleport.exe
3820	Auto-Teleport.exe
3820	Auto-Teleport.exe
3820	Auto-Teleport.exe
3820	Auto-Teleport.exe
3820	Auto-Teleport.exe
3820	Auto-Teleport.exe
3820	Auto-Teleport.exe
3820	Auto-Teleport.exe
3820	Auto-Teleport.exe
3820	Auto-Teleport.exe
3820	Auto-Teleport.exe
3820	Auto-Teleport.exe
1992	Auto-Teleport.exe
1992	Auto-Teleport.exe
1992	Auto-Teleport.exe
1992	Auto-Teleport.exe
1992	Auto-Teleport.exe
1992	Auto-Teleport.exe
1992	Auto-Teleport.exe
4624	Auto-Teleport.exe
4624	Auto-Teleport.exe
4624	Auto-Teleport.exe
4624	Auto-Teleport.exe
4624	Auto-Teleport.exe
1992	Auto-Teleport.exe
4624	Auto-Teleport.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 3800	4884	msedge.exe	55
PID 4884 wrote to memory of 3800	4884	msedge.exe	55
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 4520	4884	msedge.exe	87
PID 4884 wrote to memory of 3840	4884	msedge.exe	86
PID 4884 wrote to memory of 3840	4884	msedge.exe	86
PID 4884 wrote to memory of 4224	4884	msedge.exe	88
PID 4884 wrote to memory of 4224	4884	msedge.exe	88
PID 4884 wrote to memory of 4224	4884	msedge.exe	88
PID 4884 wrote to memory of 4224	4884	msedge.exe	88
PID 4884 wrote to memory of 4224	4884	msedge.exe	88
PID 4884 wrote to memory of 4224	4884	msedge.exe	88
PID 4884 wrote to memory of 4224	4884	msedge.exe	88
PID 4884 wrote to memory of 4224	4884	msedge.exe	88
PID 4884 wrote to memory of 4224	4884	msedge.exe	88
PID 4884 wrote to memory of 4224	4884	msedge.exe	88
PID 4884 wrote to memory of 4224	4884	msedge.exe	88
PID 4884 wrote to memory of 4224	4884	msedge.exe	88
PID 4884 wrote to memory of 4224	4884	msedge.exe	88
PID 4884 wrote to memory of 4224	4884	msedge.exe	88
PID 4884 wrote to memory of 4224	4884	msedge.exe	88
PID 4884 wrote to memory of 4224	4884	msedge.exe	88
PID 4884 wrote to memory of 4224	4884	msedge.exe	88
PID 4884 wrote to memory of 4224	4884	msedge.exe	88
PID 4884 wrote to memory of 4224	4884	msedge.exe	88
PID 4884 wrote to memory of 4224	4884	msedge.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:684

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:608
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://urlscan.io/domain/www.pchack.tech
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8cd0846f8,0x7ff8cd084708,0x7ff8cd084718
  2⤵
  PID:3800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,2636389273230951151,14059614035638264967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,2636389273230951151,14059614035638264967,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,2636389273230951151,14059614035638264967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2636389273230951151,14059614035638264967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2636389273230951151,14059614035638264967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,2636389273230951151,14059614035638264967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,2636389273230951151,14059614035638264967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2212,2636389273230951151,14059614035638264967,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3912 /prefetch:8
  2⤵
  PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2636389273230951151,14059614035638264967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2636389273230951151,14059614035638264967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2636389273230951151,14059614035638264967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2636389273230951151,14059614035638264967,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2636389273230951151,14059614035638264967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2636389273230951151,14059614035638264967,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2636389273230951151,14059614035638264967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2636389273230951151,14059614035638264967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2636389273230951151,14059614035638264967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2636389273230951151,14059614035638264967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
  2⤵
  PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2212,2636389273230951151,14059614035638264967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6040 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4876

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3084
- C:\Users\Admin\Desktop\Auto-Teleport.exe
  "C:\Users\Admin\Desktop\Auto-Teleport.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3820
- C:\Users\Admin\Desktop\Auto-Teleport.exe
  "C:\Users\Admin\Desktop\Auto-Teleport.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1992
- C:\Users\Admin\Desktop\Auto-Teleport.exe
  "C:\Users\Admin\Desktop\Auto-Teleport.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4624
- C:\Users\Admin\Desktop\Auto-Teleport.exe
  "C:\Users\Admin\Desktop\Auto-Teleport.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3276
- - C:\Users\Admin\AppData\Local\Temp\driver.exe
    C:\Users\Admin\AppData\Local\Temp\driver.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    PID:2104
  - - C:\Users\Admin\AppData\Roaming\loader.exe
      "C:\Users\Admin\AppData\Roaming\loader.exe"
      4⤵
      Executes dropped EXE
      PID:3388
  - - C:\Users\Admin\AppData\Roaming\mens.exe
      "C:\Users\Admin\AppData\Roaming\mens.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:2040
  - - C:\Users\Admin\AppData\Roaming\met.exe
      "C:\Users\Admin\AppData\Roaming\met.exe"
      4⤵
      Executes dropped EXE
      PID:4928
- C:\Users\Admin\Desktop\Auto-Teleport.exe
  "C:\Users\Admin\Desktop\Auto-Teleport.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4724
- C:\Users\Admin\Desktop\Auto-Teleport.exe
  "C:\Users\Admin\Desktop\Auto-Teleport.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5076
- C:\Users\Admin\Desktop\Auto-Teleport.exe
  "C:\Users\Admin\Desktop\Auto-Teleport.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:432
- C:\Users\Admin\Desktop\Auto-Teleport.exe
  "C:\Users\Admin\Desktop\Auto-Teleport.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4804
- C:\Users\Admin\Desktop\Auto-Teleport.exe
  "C:\Users\Admin\Desktop\Auto-Teleport.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2108
- C:\Users\Admin\Desktop\Auto-Teleport.exe
  "C:\Users\Admin\Desktop\Auto-Teleport.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1648
- C:\Users\Admin\Desktop\Auto-Teleport.exe
  "C:\Users\Admin\Desktop\Auto-Teleport.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5044
- C:\Users\Admin\Desktop\Auto-Teleport.exe
  "C:\Users\Admin\Desktop\Auto-Teleport.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1264
- C:\Users\Admin\Desktop\Auto-Teleport.exe
  "C:\Users\Admin\Desktop\Auto-Teleport.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1580
- C:\Users\Admin\Desktop\Auto-Teleport.exe
  "C:\Users\Admin\Desktop\Auto-Teleport.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1712
- C:\Users\Admin\Desktop\Auto-Teleport.exe
  "C:\Users\Admin\Desktop\Auto-Teleport.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2440
- C:\Users\Admin\Desktop\Auto-Teleport.exe
  "C:\Users\Admin\Desktop\Auto-Teleport.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2740
- C:\Users\Admin\Desktop\Auto-Teleport.exe
  "C:\Users\Admin\Desktop\Auto-Teleport.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:996
- C:\Users\Admin\Desktop\Auto-Teleport.exe
  "C:\Users\Admin\Desktop\Auto-Teleport.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4540
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:5304
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5568
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:5624
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:5652
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:5672
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:5704
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:5736
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5864
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5912
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:5932
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:5504
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5752
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:5764
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\ytmzevksixaq.xml"
  2⤵
  - Creates scheduled task(s)
  PID:5884

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2840

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
16c2a9f4b2e1386aab0e353614a63f0d

SHA1
6edd3be593b653857e579cbd3db7aa7e1df3e30f

SHA256
0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81

SHA512
aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

Filesize
798KB

MD5
6288b60ee964ed78b919b3c86a1dfc0e

SHA1
10a781dbc9e395589aa75c488dc9363e322c6632

SHA256
baffbf375111f4d4fcdec04e4a0e6041d7c694041c4a91cbe17018f1dc5299bf

SHA512
5e85f4fa8662e635b85b368bb94c819473a5349ba487f648bad467fadb08a8ec7c0e1d86bc66b3e8535695328ac0389b04573c0888e600e072326a9db30a66d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
b2c6c667c37bd5c9ccb227884adcf5eb

SHA1
e28d93c80d1e7c12789d4028ffe4dbb4583ccff7

SHA256
1135d9484546ab0ad824f858fb1b1eae0e211cd643c937976ccb5b6cb90088a4

SHA512
a4dca23cc2977b03d6773d6aaf726b8943c8ee10169258fcf6bc7348e971615439574057a39b48e9323f7a0b1d847e38c624f05ab7484a8b376e365eb0cf0cc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
fc7aa0dcee027d71207a16308962c058

SHA1
d908e341e40abb19076a2bd00678bc324ae97585

SHA256
1bbb61df1e3d8cc968102e32d36773a506bc747c65a9b64730ef4e4f9e3faee5

SHA512
bbf605acacbd30659e70903029e510898b5620b528f95cb01a84a5f54cb2dce15e2178bf4f0a8b356892c3ed3bd7339080f57f68c9c91917a4db2136218de259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7659c927efd11909cf0d8dfd9defbf4b

SHA1
e764a25d39124f3df324b6fabe9fe52e0e5dc22c

SHA256
3165f8182594ebf7ec15925e7e75a85edd6175d3bcceb131672cbcbad49fda8a

SHA512
b194037ee4d36f07fe1c6f7de62d74da9d8709c4273f52a5edd588e6242faa46e83f528484da7a4d40eabd1f3594880078d96f4620b0dc0d16f9f2c6c6fbc74a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a9f1a664fe8b6b7654ff4c6c559350fe

SHA1
def94d744902751691b3addde3814c3f5fd374ac

SHA256
263ac68a8dc302afffd561397929b50061735a2a71e82cb76e3c1fd3fac84591

SHA512
38e70f44872faef6ef19e536511fbfdb9237ab7eee76ae1d855cf9c15fd34d94fd7838290c3c6dcc10b0596bfacc6ab5a3e3e1d41700dbe35bc8bf3f20c1e160

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
197d64975045a9f2af2e561e2e36daf2

SHA1
0770bcc27fde37450ebd70d663507123ab5125b0

SHA256
50f2dfd89b3797289e96da92ae216c64a10776a7fcc3659093c833c49e91848a

SHA512
ad6ae72c42a2a47525005c503b06d4b703fddee3f0e4ad133d79e763134d72aa6673ae482d0b8c7765c5213182b6eac551629afd747d8150da990c298baf37b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ae2b2d5ce10374b5e3aa96a08d39bfe8

SHA1
31209e420571298a94cb6d83300671d435d26fde

SHA256
9972837e69407aa2ff9e325b0ac86417803677f2fbb0843df3480e8ead9abfce

SHA512
867b8347508460a0564600cf6bd47d254b29a4d2510757cd68bc5969e1d31fbb72094d4fbdc3cc1194858ae51cd3ae674ffc3d1fd6232a7cfb5c0eddcca4d50d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
699e3636ed7444d9b47772e4446ccfc1

SHA1
db0459ca6ceeea2e87e0023a6b7ee06aeed6fded

SHA256
9205233792628ecf0d174de470b2986abf3adfed702330dc54c4a76c9477949a

SHA512
d5d4c08b6aec0f3e3506e725decc1bdf0b2e2fb50703c36d568c1ea3c3ab70720f5aec9d49ad824505731eb64db399768037c9f1be655779ed77331a7bab1d51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
699B

MD5
492ab16d3001668b55d5164646cc3963

SHA1
8997a69b09794c62b3f407b9441080a37bb228bb

SHA256
fdd194aea61978cfaa60ae70ec35643e111a782262a364f60ecd85d141ce7342

SHA512
7e43d13f1193f40f4117d6f4293ebb4b0a4f37f1bcdf05bfa0fe410900a546eeff177c8f9bedf4994bc1e5065e1c23dfcbd8b5c991aa17f15d58cd8c1379f71b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a7ade999a84cf51c92b5e2175aff67a7

SHA1
ce270fa9dfe92cadf12888a46e9a319320914d27

SHA256
1053cccaa9ab10b42c15ddbd8030585642ab37c5e61854dce401cab9a96fa46e

SHA512
3e12cf81d78032b4b1b3d270dfd42a17c906579aee08f67563f155a057d16955d0fc68c2de40ecdb30573c24abf3935d00db1e95428cc9b72695d130365c0dc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582e7d.TMP

Filesize
367B

MD5
36550a16fba158c7b0fd46ace209d094

SHA1
8901ec64c13680af40884bb9cdefb86876a7fb21

SHA256
aaafe92d45fa8e74ff80d292fbddbd19d40ea06cbc69eeed2d8621049d3f3ae1

SHA512
4d88b965f2811c6e5114c87c7cb3121ba34e30bd0d673683ff447147e0bb011fd7c40aea7846c9cb5e0b8e58cb8690e4060d2e2b010d6e47d7bb15244cfb7211

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1b3f1861644a57d063c20dd8efd34d6c

SHA1
011af86dff46aba3e786e62ecc87bc3e549f470d

SHA256
e7c6c92094628ef4aa9558b617084349967ef7dcb12fa3dcdb6f5d4b5b2d4b89

SHA512
21bf5e67b309348ef8f70bcb8ecc67baff705a86003fab9e49b8282dd297cbc23709fc81294b99253d2a5c3f10f33fedd96ff1b49b8c791ba271f27abda68269

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d1fd8d9d07b0f5c600aec29e04667a16

SHA1
cdcc6293d3570344eff2588e15537ed2f6e9e821

SHA256
c3ac1ac662e979e007e355b08f84fc92f628d2280f55b39a25135d3802c3a358

SHA512
4e970ae2f9cd231125e6b89f1be5ab1afe0ff6be8aef2e5e0dcc02311c821b31912b0cac983792c756cf10f1e7f4fca3f1108c1997732964216115e3f1afd07d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e2vbdugl.fmn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\driver.exe

Filesize
1.8MB

MD5
d847ac6eab5cfd567e5ca985d37c936a

SHA1
7b31683955b96f8fcb19a6962f0a01a11b8c1a92

SHA256
5a90782961578cd5678900d015f665556b4c038f4264f20ec4ddf8e139aae313

SHA512
10353f1c2ecb292f37168ee2607cf9cdfa11ca19c7f3074838fa18ac6b6d084200f94146385e7695fc227a2b478e484df43ac29ce3c7d633e8bf78791c68a4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\driver.exe

Filesize
1.8MB

MD5
8ad14ae0b4e7a2cff0c07c34fdc8de2a

SHA1
d6eba72f0d7fd62455cc956264a376140b5a9599

SHA256
112230d5f9a085d917314ebdf97bae54e6bdf3f9baf3bc9bdf548649d3a915e3

SHA512
370f4da78d090efc7e360f94adf04485d5707c40a2e45b6a9bb4e96890c78c8de8350a2220e15b85775b0ee06187fa876553014453bc98153893028e83aa5ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\driver.exe

Filesize
448KB

MD5
866d76e1a59cc48d7c4988d60783618c

SHA1
1bbca93e8c4cc10b1ed810086d9e72ff8b442e30

SHA256
98a9a22e5cb8e44807c4f8d9ad01dfa28380ed37fdabec4a5c2b8292d813de65

SHA512
c8047fe06510804f9a9eea691ba117984b21a0714efa3bd96f6f7910744045f0530e239b776539ce6e190ac3afd371d3ced5a3300e4f41c01b76c8d8d454adbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\driver.exe

Filesize
3.8MB

MD5
5af1d17c107af084cfe0d3c4b8674b8a

SHA1
c6bf598bb4fd9183c33c4420f289952dbececf70

SHA256
0cb6f6d02791982d11b2d8ac7a634cf7533011b8ac0f3f9cade4c2d04345085a

SHA512
9df4c4de39950baaeb2e7c630ddebfce6f77647daca6d1698fdafdfac0908b00f0741170e1e6b8ae2d310f609b4b7682c9636b049b5f0e3f0913c4688f8552f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\driver.exe

Filesize
3.8MB

MD5
5af1d17c107af084cfe0d3c4b8674b8a

SHA1
c6bf598bb4fd9183c33c4420f289952dbececf70

SHA256
0cb6f6d02791982d11b2d8ac7a634cf7533011b8ac0f3f9cade4c2d04345085a

SHA512
9df4c4de39950baaeb2e7c630ddebfce6f77647daca6d1698fdafdfac0908b00f0741170e1e6b8ae2d310f609b4b7682c9636b049b5f0e3f0913c4688f8552f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\driver.exe

Filesize
3.8MB

MD5
5af1d17c107af084cfe0d3c4b8674b8a

SHA1
c6bf598bb4fd9183c33c4420f289952dbececf70

SHA256
0cb6f6d02791982d11b2d8ac7a634cf7533011b8ac0f3f9cade4c2d04345085a

SHA512
9df4c4de39950baaeb2e7c630ddebfce6f77647daca6d1698fdafdfac0908b00f0741170e1e6b8ae2d310f609b4b7682c9636b049b5f0e3f0913c4688f8552f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytmzevksixaq.xml

Filesize
1KB

MD5
546d67a48ff2bf7682cea9fac07b942e

SHA1
a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90

SHA256
eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a

SHA512
10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

Download Submit
C:\Users\Admin\AppData\Roaming\loader.exe

Filesize
2.7MB

MD5
ea9c6ff0b33d8ffa4c28472860260f07

SHA1
b76dd92af8fbcf57291b30decab4a094e368b8cb

SHA256
e03f6c32cd676c1e4b463acdbf62e3b4bd435fe0698f752feac744e4855b5eda

SHA512
34affa39a29c8ec372eec70b1634e7dfcede6a74c4ac089e6357e841862a5bd862cd3fb2b4bb20e251b057f5501645a1f3580499553bbfa1c3ea76b53f9744df

Download Submit
C:\Users\Admin\AppData\Roaming\loader.exe

Filesize
2.7MB

MD5
ea9c6ff0b33d8ffa4c28472860260f07

SHA1
b76dd92af8fbcf57291b30decab4a094e368b8cb

SHA256
e03f6c32cd676c1e4b463acdbf62e3b4bd435fe0698f752feac744e4855b5eda

SHA512
34affa39a29c8ec372eec70b1634e7dfcede6a74c4ac089e6357e841862a5bd862cd3fb2b4bb20e251b057f5501645a1f3580499553bbfa1c3ea76b53f9744df

Download Submit
C:\Users\Admin\AppData\Roaming\mens.exe

Filesize
5.4MB

MD5
01f66ee2a8ecd24538d146a504f42cb5

SHA1
7b42432d23765722ed876ae725341b2d70121a2f

SHA256
ed58046044e126ab8b740bd4d37aa52dd8eebbfd539b607bda4425e6cd3e8c66

SHA512
386d6f12704e89d0e0d8201448d9733f4e835b3c2f8de74d867288a5cd6aa1afe3fc7631e474097adf77a6b5841c0c23d2e2e8e5b55f716f48681e098c746d6d

Download Submit
C:\Users\Admin\AppData\Roaming\mens.exe

Filesize
5.4MB

MD5
01f66ee2a8ecd24538d146a504f42cb5

SHA1
7b42432d23765722ed876ae725341b2d70121a2f

SHA256
ed58046044e126ab8b740bd4d37aa52dd8eebbfd539b607bda4425e6cd3e8c66

SHA512
386d6f12704e89d0e0d8201448d9733f4e835b3c2f8de74d867288a5cd6aa1afe3fc7631e474097adf77a6b5841c0c23d2e2e8e5b55f716f48681e098c746d6d

Download Submit
C:\Users\Admin\AppData\Roaming\mens.exe

Filesize
3.5MB

MD5
f80a56776a020f8800caa6bd8be35795

SHA1
7494fa314764766a63b7237908a7a24c3f51c8ea

SHA256
cb5102d92c3dcfd732351153f1c2b4af057b1aff221166178636af55f90ebfc8

SHA512
466c843c7451fa6bf553f4d2b0a09ddea42cc1f81bfdbbe8f4087b627487a82e701586b7614f64fe572bbba75d49ec67241ffc6e82a6de8e06dfa219aabaea94

Download Submit
C:\Users\Admin\AppData\Roaming\met.exe

Filesize
549KB

MD5
a739be28c4cee49fa6bf5907b04126ec

SHA1
220569e07ac8614298065fca3ac596ed117fb21f

SHA256
4e88dc4d5b694927bbf3eae3484cf65b42033920247192f90704696759f7409b

SHA512
4b9386091fe94a000437295c4fced3944ecb201448582d51a7b3cfeb22da505e1a020676155e73de97a9083c1a0821720507a2c80d973149f07e88aa9b24b7ce

Download Submit
C:\Users\Admin\AppData\Roaming\met.exe

Filesize
549KB

MD5
a739be28c4cee49fa6bf5907b04126ec

SHA1
220569e07ac8614298065fca3ac596ed117fb21f

SHA256
4e88dc4d5b694927bbf3eae3484cf65b42033920247192f90704696759f7409b

SHA512
4b9386091fe94a000437295c4fced3944ecb201448582d51a7b3cfeb22da505e1a020676155e73de97a9083c1a0821720507a2c80d973149f07e88aa9b24b7ce

Download Submit
C:\Users\Admin\Downloads\Auto-Teleport.zip

Filesize
30.3MB

MD5
5b7c27129bffe90114d352db297925d5

SHA1
9a6ff5a55ce60e1853d79a797148cceaca00ddc8

SHA256
9baa22ad0de95508f6a83604cdff60004ffd57aa2c157ceb1c534ae75af71c16

SHA512
84c06b438297da799b830ead4427b9ea10fcd0cb8764862fad919949e42c83aee1bb228cdd8684d9976f3529b02ba5629c121ddb212b6acc958ccb7d238b451c

Download Submit
memory/608-787-0x000001AE7BD20000-0x000001AE7BD4B000-memory.dmp

Filesize
172KB

Download
memory/608-790-0x00007FF8DBC4D000-0x00007FF8DBC4E000-memory.dmp

Filesize
4KB

Download
memory/608-784-0x000001AE7BCF0000-0x000001AE7BD14000-memory.dmp

Filesize
144KB

Download
memory/684-826-0x0000020529030000-0x000002052905B000-memory.dmp

Filesize
172KB

Download
memory/1992-434-0x0000022B25C30000-0x0000022B25C40000-memory.dmp

Filesize
64KB

Download
memory/1992-436-0x0000022B25C40000-0x0000022B25C50000-memory.dmp

Filesize
64KB

Download
memory/1992-428-0x0000022B25C00000-0x0000022B25C10000-memory.dmp

Filesize
64KB

Download
memory/1992-423-0x0000022B25BA0000-0x0000022B25BB0000-memory.dmp

Filesize
64KB

Download
memory/1992-433-0x0000022B25BC0000-0x0000022B25BC1000-memory.dmp

Filesize
4KB

Download
memory/1992-491-0x00000000004F0000-0x00000000022F5000-memory.dmp

Filesize
30.0MB

Download
memory/1992-421-0x0000022B25B90000-0x0000022B25BA0000-memory.dmp

Filesize
64KB

Download
memory/1992-419-0x0000022B25B80000-0x0000022B25B90000-memory.dmp

Filesize
64KB

Download
memory/1992-431-0x0000022B25C20000-0x0000022B25C30000-memory.dmp

Filesize
64KB

Download
memory/3276-458-0x000001B575CC0000-0x000001B575CD0000-memory.dmp

Filesize
64KB

Download
memory/3276-456-0x000001B575CA0000-0x000001B575CB0000-memory.dmp

Filesize
64KB

Download
memory/3276-450-0x000001B575C00000-0x000001B575C10000-memory.dmp

Filesize
64KB

Download
memory/3276-452-0x000001B575C20000-0x000001B575C30000-memory.dmp

Filesize
64KB

Download
memory/3276-454-0x000001B575C80000-0x000001B575C90000-memory.dmp

Filesize
64KB

Download
memory/3820-420-0x000002B5C3B10000-0x000002B5C3B20000-memory.dmp

Filesize
64KB

Download
memory/3820-424-0x000002B5C3B30000-0x000002B5C3B40000-memory.dmp

Filesize
64KB

Download
memory/3820-425-0x000002B5C3B40000-0x000002B5C3B50000-memory.dmp

Filesize
64KB

Download
memory/3820-429-0x000002B5C3BA0000-0x000002B5C3BB0000-memory.dmp

Filesize
64KB

Download
memory/3820-427-0x000002B5C3B90000-0x000002B5C3BA0000-memory.dmp

Filesize
64KB

Download
memory/3820-432-0x000002B5C3BB0000-0x000002B5C3BC0000-memory.dmp

Filesize
64KB

Download
memory/3820-437-0x000002B5C3BD0000-0x000002B5C3BE0000-memory.dmp

Filesize
64KB

Download
memory/3820-488-0x00000000004F0000-0x00000000022F5000-memory.dmp

Filesize
30.0MB

Download
memory/4540-693-0x000001C5758C0000-0x000001C5758D0000-memory.dmp

Filesize
64KB

Download
memory/4540-694-0x000001C5758C0000-0x000001C5758D0000-memory.dmp

Filesize
64KB

Download
memory/4540-697-0x00007FF8BE240000-0x00007FF8BED01000-memory.dmp

Filesize
10.8MB

Download
memory/4540-682-0x000001C575360000-0x000001C575382000-memory.dmp

Filesize
136KB

Download
memory/4540-676-0x000001C5758C0000-0x000001C5758D0000-memory.dmp

Filesize
64KB

Download
memory/4540-674-0x000001C5758C0000-0x000001C5758D0000-memory.dmp

Filesize
64KB

Download
memory/4540-672-0x00007FF8BE240000-0x00007FF8BED01000-memory.dmp

Filesize
10.8MB

Download
memory/4624-442-0x000002C12F540000-0x000002C12F550000-memory.dmp

Filesize
64KB

Download
memory/4624-440-0x000002C12F520000-0x000002C12F530000-memory.dmp

Filesize
64KB

Download
memory/4624-446-0x000002C12F5C0000-0x000002C12F5D0000-memory.dmp

Filesize
64KB

Download
memory/4624-448-0x000002C12F5E0000-0x000002C12F5F0000-memory.dmp

Filesize
64KB

Download
memory/4624-485-0x00000000004F0000-0x00000000022F5000-memory.dmp

Filesize
30.0MB

Download
memory/4624-444-0x000002C12F5A0000-0x000002C12F5B0000-memory.dmp

Filesize
64KB

Download
memory/4724-468-0x0000020FFFFE0000-0x0000020FFFFF0000-memory.dmp

Filesize
64KB

Download
memory/4724-466-0x0000020FFFFC0000-0x0000020FFFFD0000-memory.dmp

Filesize
64KB

Download
memory/4724-464-0x0000020FFFFA0000-0x0000020FFFFB0000-memory.dmp

Filesize
64KB

Download
memory/4724-460-0x0000020FFFF20000-0x0000020FFFF30000-memory.dmp

Filesize
64KB

Download
memory/4724-462-0x0000020FFFF40000-0x0000020FFFF50000-memory.dmp

Filesize
64KB

Download
memory/5076-472-0x000002857C7F0000-0x000002857C800000-memory.dmp

Filesize
64KB

Download
memory/5076-482-0x00000000004F0000-0x00000000022F5000-memory.dmp

Filesize
30.0MB

Download
memory/5076-470-0x000002857C7D0000-0x000002857C7E0000-memory.dmp

Filesize
64KB

Download
memory/5076-478-0x000002857C890000-0x000002857C8A0000-memory.dmp

Filesize
64KB

Download
memory/5076-476-0x000002857C870000-0x000002857C880000-memory.dmp

Filesize
64KB

Download
memory/5076-474-0x000002857C850000-0x000002857C860000-memory.dmp

Filesize
64KB

Download