redline | fd0af456f169a261cf2caa06bef5b9e92e49fb7d5230c7591459ee4a68419e42

Resubmissions

06-02-2024 15:48

240206-s8rakaccbp 7

21-12-2023 17:24

231221-vy135abcek 10

Analysis

max time kernel
5s
max time network
91s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2023 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0829cd6ebf13b1aa2b01403d19b392ce396d4405e9386fe208ea9b542a625c1f.exe
Size

11.8MB
MD5

d7fd6731e4db6fdac15d7ce4844254f0
SHA1

32286ffae51a5bc0f14bcf6f7cc10d5040abd8c4
SHA256

0829cd6ebf13b1aa2b01403d19b392ce396d4405e9386fe208ea9b542a625c1f
SHA512

5bb7f1731c892300d67aec81eaa48788690b6abcd9fca5f81dd8830d481d9e6aaf1fa766153b94ad450b6a346b1f48fe8ce4b449062ac476b5ac2cc244315d73
SSDEEP

196608:I1rT3Lk6XhNQSKwAk2V80t5AtgNtKpXeBHsepB7/nqlKBlIgj:irbLPXhN1Kpk6t5AtutKpOBppRln

Score

10^/10

redline smokeloader stealc zgrat work28.7 backdoor infostealer rat spyware stealer themida trojan vmprotect

Malware Config

Extracted

Family

stealc

http://5.42.64.41

rc4.plain

Extracted

Family

redline

Botnet

work28.7

194.33.191.102:21751

Extracted

Family

smokeloader

Version

2022

http://onualituyrs.org/

http://sumagulituyo.org/

http://snukerukeutit.org/

http://lightseinsteniki.org/

http://liuliuoumumy.org/

http://stualialuyastrelia.net/

http://kumbuyartyty.net/

http://criogetikfenbut.org/

http://tonimiuyaytre.org/

http://tyiuiunuewqy.org/

rc4.i32

Signatures

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Documents\Minor Policy\FhDYgWvjtyn0ZxOwFxwOvi6R.exe	family_zgrat_v1
behavioral2/memory/4968-152-0x0000000000100000-0x0000000000188000-memory.dmp	family_zgrat_v1
C:\Users\Admin\Documents\Minor Policy\FhDYgWvjtyn0ZxOwFxwOvi6R.exe	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4136-176-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

WW13_64.exekKBrItM5DXxPH321Uuv8xoH7.exezWSniIaojgThJ0w4BGinORYA.exe

pid process

4148 WW13_64.exe
3604 kKBrItM5DXxPH321Uuv8xoH7.exe
1144 zWSniIaojgThJ0w4BGinORYA.exe

Loads dropped DLL 20 IoCs

Processes:

WW13_64.exe

pid	process
4148	WW13_64.exe
4148	WW13_64.exe
4148	WW13_64.exe
4148	WW13_64.exe
4148	WW13_64.exe
4148	WW13_64.exe
4148	WW13_64.exe
4148	WW13_64.exe
4148	WW13_64.exe
4148	WW13_64.exe
4148	WW13_64.exe
4148	WW13_64.exe
4148	WW13_64.exe
4148	WW13_64.exe
4148	WW13_64.exe
4148	WW13_64.exe
4148	WW13_64.exe
4148	WW13_64.exe
4148	WW13_64.exe
4148	WW13_64.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/3212-490-0x0000000000B30000-0x00000000013D4000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\tmp8EA4.exe	themida

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Documents\Minor Policy\EOjnytPKPZ3zfl5JKG6Qpg6v.exe	vmprotect
behavioral2/memory/4456-382-0x0000000000400000-0x0000000000F67000-memory.dmp	vmprotect
behavioral2/memory/4456-399-0x0000000000400000-0x0000000000F67000-memory.dmp	vmprotect
behavioral2/memory/4456-415-0x0000000000400000-0x0000000000F67000-memory.dmp	vmprotect
behavioral2/memory/4456-504-0x0000000000400000-0x0000000000F67000-memory.dmp	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 api.myip.com
25 api.myip.com
30 ipinfo.io
31 ipinfo.io

flow	ioc
23	api.myip.com
25	api.myip.com
30	ipinfo.io
31	ipinfo.io

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\Documents\Minor Policy\ho9mhSQ8g2PdGJhCIlqM0409.exe	autoit_exe
behavioral2/memory/2868-427-0x00000000002D0000-0x0000000000774000-memory.dmp	autoit_exe
C:\Users\Admin\AppData\Local\Temp\tmp87CD.exe	autoit_exe

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process
4508	4968	WerFault.exe
3932	2900	WerFault.exe	rbuttontray.exe
3844	2900	WerFault.exe	rbuttontray.exe
1640	1800	WerFault.exe	UaYZRV34vUrnRfKsicnRb9dw.exe
1108	6824	WerFault.exe	rundll32.exe
4024	5428	WerFault.exe	suSl6Q_BLgLh866Q8SMHxq8l.exe
1384	6504	WerFault.exe	rundll32.exe
6296	3604	WerFault.exe	kKBrItM5DXxPH321Uuv8xoH7.exe
6884	5416	WerFault.exe	rundll32.exe
5288	5544	WerFault.exe	rundll32.exe
6324	2420	WerFault.exe	rundll32.exe
6216	3152	WerFault.exe	rundll32.exe
6200	1936	WerFault.exe	rundll32.exe
2468	7148	WerFault.exe	rundll32.exe
4320	3956	WerFault.exe	rundll32.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5164 schtasks.exe
5952 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

6288 timeout.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5304 PING.EXE

pid	process
5164	schtasks.exe
5952	schtasks.exe

pid	process
6288	timeout.exe

pid	process
5304	PING.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

0829cd6ebf13b1aa2b01403d19b392ce396d4405e9386fe208ea9b542a625c1f.exeWW13_64.execmd.execmd.exe

description	pid	process	target process
PID 1176 wrote to memory of 4148	1176	0829cd6ebf13b1aa2b01403d19b392ce396d4405e9386fe208ea9b542a625c1f.exe	WW13_64.exe
PID 1176 wrote to memory of 4148	1176	0829cd6ebf13b1aa2b01403d19b392ce396d4405e9386fe208ea9b542a625c1f.exe	WW13_64.exe
PID 4148 wrote to memory of 3600	4148	WW13_64.exe	cmd.exe
PID 4148 wrote to memory of 3600	4148	WW13_64.exe	cmd.exe
PID 3600 wrote to memory of 3604	3600	cmd.exe	kKBrItM5DXxPH321Uuv8xoH7.exe
PID 3600 wrote to memory of 3604	3600	cmd.exe	kKBrItM5DXxPH321Uuv8xoH7.exe
PID 3600 wrote to memory of 3604	3600	cmd.exe	kKBrItM5DXxPH321Uuv8xoH7.exe
PID 4148 wrote to memory of 2792	4148	WW13_64.exe	cmd.exe
PID 4148 wrote to memory of 2792	4148	WW13_64.exe	cmd.exe
PID 4148 wrote to memory of 4264	4148	WW13_64.exe	cmd.exe
PID 4148 wrote to memory of 4264	4148	WW13_64.exe	cmd.exe
PID 4264 wrote to memory of 1144	4264	cmd.exe	zWSniIaojgThJ0w4BGinORYA.exe
PID 4264 wrote to memory of 1144	4264	cmd.exe	zWSniIaojgThJ0w4BGinORYA.exe
PID 4264 wrote to memory of 1144	4264	cmd.exe	zWSniIaojgThJ0w4BGinORYA.exe

C:\Users\Admin\AppData\Local\Temp\0829cd6ebf13b1aa2b01403d19b392ce396d4405e9386fe208ea9b542a625c1f.exe
"C:\Users\Admin\AppData\Local\Temp\0829cd6ebf13b1aa2b01403d19b392ce396d4405e9386fe208ea9b542a625c1f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Users\Admin\AppData\Local\Temp\onefile_1176_133476531035743675\WW13_64.exe
  "C:\Users\Admin\AppData\Local\Temp\0829cd6ebf13b1aa2b01403d19b392ce396d4405e9386fe208ea9b542a625c1f.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin/Documents\Minor Policy\kKBrItM5DXxPH321Uuv8xoH7.exe" """
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3600
  - - C:\Users\Admin\Documents\Minor Policy\kKBrItM5DXxPH321Uuv8xoH7.exe
      "C:\Users\Admin/Documents\Minor Policy\kKBrItM5DXxPH321Uuv8xoH7.exe" ""
      4⤵
      Executes dropped EXE
      PID:3604
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 1992
        5⤵
        Program crash
        
        PID:6296
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Documents\Minor Policy\kKBrItM5DXxPH321Uuv8xoH7.exe" & del "C:\ProgramData\*.dll"" & exit
        5⤵
        
        PID:6200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin/Documents\Minor Policy\NapOV7JCO4teEDOTmKZD6vGm.exe" """
    3⤵
    PID:2792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin/Documents\Minor Policy\zWSniIaojgThJ0w4BGinORYA.exe" """
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4264
  - - C:\Users\Admin\Documents\Minor Policy\zWSniIaojgThJ0w4BGinORYA.exe
      "C:\Users\Admin/Documents\Minor Policy\zWSniIaojgThJ0w4BGinORYA.exe" ""
      4⤵
      Executes dropped EXE
      PID:1144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin/Documents\Minor Policy\NHtBKFrgPt1Qczfh4VqEVSaU.exe" """
    3⤵
    PID:440
  - - C:\Users\Admin\Documents\Minor Policy\NHtBKFrgPt1Qczfh4VqEVSaU.exe
      "C:\Users\Admin/Documents\Minor Policy\NHtBKFrgPt1Qczfh4VqEVSaU.exe" ""
      4⤵
      PID:2784
    - - C:\Windows\SysWOW64\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\7zS0EA71B27\4TpI22VC.Cpl",""
        5⤵
        
        PID:3896
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7zS0EA71B27\4TpI22VC.Cpl",""
        6⤵
        
        PID:2388
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7zS0EA71B27\4TpI22VC.Cpl",""
        7⤵
        
        PID:2916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin/Documents\Minor Policy\OKv8JfZoUO5bPbOiCCP6YppY.exe" """
    3⤵
    PID:4460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin/Documents\Minor Policy\xpbgFmcuJ8rBD_GC7em_Snub.exe" """
    3⤵
    PID:4912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin/Documents\Minor Policy\6vwg8rOQKf9YDbqdXKv8kXY0.exe" """
    3⤵
    PID:556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin/Documents\Minor Policy\9uQoi5FiRR4_G6BepF185Bb9.exe" """
    3⤵
    PID:8
  - - C:\Users\Admin\Documents\Minor Policy\9uQoi5FiRR4_G6BepF185Bb9.exe
      "C:\Users\Admin/Documents\Minor Policy\9uQoi5FiRR4_G6BepF185Bb9.exe" ""
      4⤵
      PID:4888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin/Documents\Minor Policy\KbMlKNx74f8fK5AJ0zu7AEm7.exe" """
    3⤵
    PID:4616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin/Documents\Minor Policy\EOjnytPKPZ3zfl5JKG6Qpg6v.exe" """
    3⤵
    PID:2560
  - - C:\Users\Admin\Documents\Minor Policy\EOjnytPKPZ3zfl5JKG6Qpg6v.exe
      "C:\Users\Admin/Documents\Minor Policy\EOjnytPKPZ3zfl5JKG6Qpg6v.exe" ""
      4⤵
      PID:4456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin/Documents\Minor Policy\7C1M66fCZs8W6KRY2xZVgOj0.exe" """
    3⤵
    PID:4112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin/Documents\Minor Policy\UaYZRV34vUrnRfKsicnRb9dw.exe" """
    3⤵
    PID:3808
  - - C:\Users\Admin\Documents\Minor Policy\UaYZRV34vUrnRfKsicnRb9dw.exe
      "C:\Users\Admin/Documents\Minor Policy\UaYZRV34vUrnRfKsicnRb9dw.exe" ""
      4⤵
      PID:1800
    - - C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe
        
        C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe
        5⤵
        
        PID:4536
      - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe
        6⤵
        
        PID:3952
      - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe
        6⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 1724
        7⤵
        Program crash
        
        PID:1108
      - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe
        6⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6504 -s 1724
        7⤵
        Program crash
        
        PID:1384
      - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe
        6⤵
        
        PID:5680
      - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe
        6⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 1712
        7⤵
        Program crash
        
        PID:6884
      - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe
        6⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5544 -s 1720
        7⤵
        Program crash
        
        PID:5288
      - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe
        6⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 1624
        7⤵
        Program crash
        
        PID:6324
      - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe
        6⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 1620
        7⤵
        Program crash
        
        PID:6216
      - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe
        6⤵
        
        PID:5616
      - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe
        6⤵
        
        PID:1364
      - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe
        6⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 1640
        7⤵
        Program crash
        
        PID:6200
      - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe
        6⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 1620
        7⤵
        Program crash
        
        PID:2468
      - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe
        6⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 1640
        7⤵
        Program crash
        
        PID:4320
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\Documents\Minor Policy\UaYZRV34vUrnRfKsicnRb9dw.exe"
        5⤵
        
        PID:1628
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        6⤵
        Runs ping.exe
        
        PID:5304
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1236
        5⤵
        Program crash
        
        PID:1640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin/Documents\Minor Policy\ho9mhSQ8g2PdGJhCIlqM0409.exe" """
    3⤵
    PID:4604
  - - C:\Users\Admin\Documents\Minor Policy\ho9mhSQ8g2PdGJhCIlqM0409.exe
      "C:\Users\Admin/Documents\Minor Policy\ho9mhSQ8g2PdGJhCIlqM0409.exe" ""
      4⤵
      PID:2868
    - - C:\Users\Admin\AppData\Local\Temp\tmp87CD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87CD.exe"
        5⤵
        
        PID:1532
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        6⤵
        
        PID:5152
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff935146f8,0x7fff93514708,0x7fff93514718
        7⤵
        
        PID:5184
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,9435176196574530535,12299607616981014759,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
        7⤵
        
        PID:6004
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9435176196574530535,12299607616981014759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
        7⤵
        
        PID:2356
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9435176196574530535,12299607616981014759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
        7⤵
        
        PID:6140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,9435176196574530535,12299607616981014759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
        7⤵
        
        PID:5996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,9435176196574530535,12299607616981014759,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
        7⤵
        
        PID:5984
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9435176196574530535,12299607616981014759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
        7⤵
        
        PID:5356
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9435176196574530535,12299607616981014759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
        7⤵
        
        PID:5816
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9435176196574530535,12299607616981014759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
        7⤵
        
        PID:6252
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9435176196574530535,12299607616981014759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
        7⤵
        
        PID:6464
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9435176196574530535,12299607616981014759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
        7⤵
        
        PID:6644
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9435176196574530535,12299607616981014759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
        7⤵
        
        PID:6804
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9435176196574530535,12299607616981014759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
        7⤵
        
        PID:6948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9435176196574530535,12299607616981014759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
        7⤵
        
        PID:7112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9435176196574530535,12299607616981014759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
        7⤵
        
        PID:3596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9435176196574530535,12299607616981014759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
        7⤵
        
        PID:6844
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9435176196574530535,12299607616981014759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
        7⤵
        
        PID:5496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9435176196574530535,12299607616981014759,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
        7⤵
        
        PID:5420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9435176196574530535,12299607616981014759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
        7⤵
        
        PID:3628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,9435176196574530535,12299607616981014759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 /prefetch:8
        7⤵
        
        PID:6248
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,9435176196574530535,12299607616981014759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 /prefetch:8
        7⤵
        
        PID:6828
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9435176196574530535,12299607616981014759,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
        7⤵
        
        PID:6204
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
        6⤵
        
        PID:5432
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff935146f8,0x7fff93514708,0x7fff93514718
        7⤵
        
        PID:5452
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,9878732684744996226,12446009087653290015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:3
        7⤵
        
        PID:6260
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login
        6⤵
        
        PID:5668
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
        6⤵
        
        PID:3436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff935146f8,0x7fff93514708,0x7fff93514718
        7⤵
        
        PID:5380
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform
        6⤵
        
        PID:5976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf4,0xf8,0xfc,0xd4,0x100,0x7fff935146f8,0x7fff93514708,0x7fff93514718
        7⤵
        
        PID:5644
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
        6⤵
        
        PID:6484
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
        6⤵
        
        PID:6664
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff935146f8,0x7fff93514708,0x7fff93514718
        7⤵
        
        PID:6728
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
        6⤵
        
        PID:6960
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff935146f8,0x7fff93514708,0x7fff93514718
        7⤵
        
        PID:6984
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.linkedin.com/login
        6⤵
        
        PID:7104
    - - C:\Users\Admin\AppData\Local\Temp\tmp8EA4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8EA4.exe"
        5⤵
        
        PID:3212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin/Documents\Minor Policy\6Jei4dIi_GFRUC4u45OSX6P6.exe" """
    3⤵
    PID:5248
  - - C:\Users\Admin\Documents\Minor Policy\6Jei4dIi_GFRUC4u45OSX6P6.exe
      "C:\Users\Admin/Documents\Minor Policy\6Jei4dIi_GFRUC4u45OSX6P6.exe" ""
      4⤵
      PID:5544
    - - C:\Users\Admin\AppData\Local\Temp\onefile_5544_133476531256721724\LG.exe
        
        "C:\Users\Admin/Documents\Minor Policy\6Jei4dIi_GFRUC4u45OSX6P6.exe" ""
        5⤵
        
        PID:5752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin/Documents\Minor Policy\ukb9CGlgOZ9Qn42Y1VT8rfJz.exe" """
    3⤵
    PID:5464
  - - C:\Users\Admin\Documents\Minor Policy\ukb9CGlgOZ9Qn42Y1VT8rfJz.exe
      "C:\Users\Admin/Documents\Minor Policy\ukb9CGlgOZ9Qn42Y1VT8rfJz.exe" ""
      4⤵
      PID:5244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin/Documents\Minor Policy\suSl6Q_BLgLh866Q8SMHxq8l.exe" """
    3⤵
    PID:4880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin/Documents\Minor Policy\YR7DkcDaU4LyjxPtRFPvx0nJ.exe" """
    3⤵
    PID:5104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin/Documents\Minor Policy\_H7wCgXGVReozGCB0pHs3SRv.exe" """
    3⤵
    PID:1208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin/Documents\Minor Policy\9VStNbXMDfBdpe9jdbPA3maY.exe" """
    3⤵
    PID:4520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin/Documents\Minor Policy\FhDYgWvjtyn0ZxOwFxwOvi6R.exe" """
    3⤵
    PID:232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
1⤵
PID:4136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
1⤵
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 880
1⤵
- Program crash
PID:4508

C:\Users\Admin\AppData\Local\Temp\is-4FKJO.tmp\9VStNbXMDfBdpe9jdbPA3maY.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4FKJO.tmp\9VStNbXMDfBdpe9jdbPA3maY.tmp" /SL5="$7016E,6799835,54272,C:\Users\Admin\Documents\Minor Policy\9VStNbXMDfBdpe9jdbPA3maY.exe" ""
1⤵
PID:4944
- C:\Program Files (x86)\RButtonTRAY\rbuttontray.exe
  "C:\Program Files (x86)\RButtonTRAY\rbuttontray.exe" -i
  2⤵
  PID:2900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 620
    3⤵
    - Program crash
    PID:3932
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 616
    3⤵
    - Program crash
    PID:3844
- C:\Program Files (x86)\RButtonTRAY\rbuttontray.exe
  "C:\Program Files (x86)\RButtonTRAY\rbuttontray.exe" -s
  2⤵
  PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2900 -ip 2900
1⤵
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2900 -ip 2900
1⤵
PID:1528

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
1⤵
PID:3700

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
1⤵
PID:4204
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:5164

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
1⤵
PID:5316
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:5952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff935146f8,0x7fff93514708,0x7fff93514718
1⤵
PID:5696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff935146f8,0x7fff93514708,0x7fff93514718
1⤵
PID:6524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1800 -ip 1800
1⤵
PID:4140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff935146f8,0x7fff93514708,0x7fff93514718
1⤵
PID:7132

C:\Users\Admin\Documents\Minor Policy\suSl6Q_BLgLh866Q8SMHxq8l.exe
"C:\Users\Admin/Documents\Minor Policy\suSl6Q_BLgLh866Q8SMHxq8l.exe" ""
1⤵
PID:5428
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5428 -s 920
  2⤵
  - Program crash
  PID:4024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5316

C:\Users\Admin\Documents\Minor Policy\9VStNbXMDfBdpe9jdbPA3maY.exe
"C:\Users\Admin/Documents\Minor Policy\9VStNbXMDfBdpe9jdbPA3maY.exe" ""
1⤵
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4968 -ip 4968
1⤵
PID:1832

C:\Users\Admin\Documents\Minor Policy\FhDYgWvjtyn0ZxOwFxwOvi6R.exe
"C:\Users\Admin/Documents\Minor Policy\FhDYgWvjtyn0ZxOwFxwOvi6R.exe" ""
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 6824 -ip 6824
1⤵
PID:5200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5428 -ip 5428
1⤵
PID:1176

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7zS0EA71B27\4TpI22VC.Cpl",""
1⤵
PID:6172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 6504 -ip 6504
1⤵
PID:7128

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
1⤵
- Delays execution with timeout.exe
PID:6288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3604 -ip 3604
1⤵
PID:5692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5416 -ip 5416
1⤵
PID:6860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5544 -ip 5544
1⤵
PID:6828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2420 -ip 2420
1⤵
PID:6284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3152 -ip 3152
1⤵
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1936 -ip 1936
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 7148 -ip 7148
1⤵
PID:7084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3956 -ip 3956
1⤵
PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\PDiskSnap76\PDiskSnap76.exe

Filesize
104KB

MD5
79390c6fc2e766792e89f3cf6f56e2c7

SHA1
ad5128ef96afa3609038e7893329e175de467d95

SHA256
50529cc10c1f2b8c0d7be5cd86d6d4ad645283a5af1be56db638eb2f63682519

SHA512
bafe3760004af1451b8c9da71834d79b961037aede6145e9209adb01923432a0ced7cf74bf4dd554d7cdeb24944dc75f7b88de8a0bf6af9f8dafc97a61611fb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4d6e17218d9a99976d1a14c6f6944c96

SHA1
9e54a19d6c61d99ac8759c5f07b2f0d5faab447f

SHA256
32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93

SHA512
3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
1KB

MD5
ce147e7ad97e9c80a84e2071c5d5843a

SHA1
e4edd79a67fba1b680565d27d7c91b92823b2bef

SHA256
f74663a19c5aceca981de6d3efcfc4c9e2b8b30ef78e5348e1cd0eedfd439af2

SHA512
692241ff6d7c55f050273554560d424c16f48e7ddb441ffe497db7a60da9473f6671593fcdb2943f725bbab78f4e212d28f061122c22f98038b52503cb35b273

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
41f45a8733a671abe958083390e065fc

SHA1
8f7cd4069892dd497be014a69200a01317a38b8a

SHA256
04ddead73b56c29c77cb1e089e32e887ea5f1642448d6f2a732241870472b259

SHA512
04db8dd1df82d8963a641a7a3c114cf9b2b4c95c63909eb3d0795b85c5b948a687bec56160eb5ede50506978b2b16d55a8394288f90d92df381fc3102af6d239

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
f5d64bd55da8113788a6df6c0c35ed79

SHA1
eda3491fc6fa19775b8789aaa600c0f43a3bb723

SHA256
bded10782ff89179cfdbc5488baf20462a31ebc3ef1c025067e8e4d21ef4f5b6

SHA512
2d857b58080ec6fca9da88660cc69c5b808f4026e0336fd8403cf7b4d1c5e41e9f2f936b1ed4880c33e5453a2c7a40d26c303756c324aa207cdb2b5b3cdcf4ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
181e6721e0e1a3bfb513b2401a0ed276

SHA1
6d487c3de5a0e6129efe7c2da077e8560dc866f0

SHA256
8ddafa5efd182dbed4bd73d0f303a35ec750469701334e61501d55fe11c520b7

SHA512
75a4e88090e2f4f2355da16edfa0b93816ddd40833033750441811a4d04ce201357a48dc21b858478f3f875d03f70d74e67270744bad7ca04eddabdb60ad2719

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
e7654b76f4ba2dfaeb06b15db57483f8

SHA1
ad1b80e1637bec5ee2948e281ce9bab3ae44d970

SHA256
acf5c480285fd1366034cea8dcd81dfbd86f36ce20434cdea70cbd1e482e2b3f

SHA512
ccf359951e38f3afbdb6026b25e99d26952665c47f64bfeebdba7981a1b8ecb6429c89774de5d52d2228a94fce133974a5423a86105dd752c0f324722c7eb394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
4KB

MD5
453901918cfc56f74fd735cff7ccf614

SHA1
b9afecbeaff2360a37ef13f9924c6f30418756e3

SHA256
8cc72eca2d046c90882c86751ffa3f3435c182b5c383c903fa08bc98f168b48f

SHA512
e4c626e1d9f1c360e8df3eb1a4488ee514d3e5e1dd6c4521894f89283b44060cca56cfef486f59d6aacb4cad2dabf05274cf311e86ec78822e7089c9d88a9acd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
4KB

MD5
6a96c7e759062fb4bf91d7df5947e408

SHA1
a93a6b29117077b8305d12009d4f142532c8ec07

SHA256
02579cb2ccd7c9ac069690efbedd8cb6df2c825dc6921d77bdccd76185e6f6cb

SHA512
24417107bea92ba8eb5ce08ea4940336bdad442bddd8f405980a973906e29436d15d30c9e5fc90f292b88124d74645d8ad581505bf4398b216cb4250361f2b42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
4KB

MD5
6a6dec3a4eed9da8b650943d38f7cbcc

SHA1
e3be5ae8be6e620dc93c9d7e8adf2e7664247df1

SHA256
e2f334f94559cfa041977c4a5e995013dae63456de292a3c9ac985465483664d

SHA512
b4640239495ef34e946450cbb33451044d96a87ccfa63cbc3635ac2d8483916d0ff6b6023a88de1898d4ffeda9c32a48c6d4f0fba6c7345afad17adb960b8f09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
73KB

MD5
100246d88d47fc44bc6501d26a3a22f4

SHA1
69168c0d5394fee05e33b39431d2587853dc7d05

SHA256
cfc7fcfd6cef90c838dc778142a195ac8fcd5c0961b0638f28ade414155967c5

SHA512
c97e8a3b0127700fbe908ae3c7d9dea7ae91df00265516786830a9d495963dcf1fbca4a381c4c6ded064c2cfd70e7122d0c576e64bcea45dc8a75f638ec57b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0EA71B27\4TpI22VC.Cpl

Filesize
166KB

MD5
c1acbba185f79a2a5a85b0980276d29a

SHA1
f25c7573f9ae290e4348d8d3ced88fe7901387ec

SHA256
258314aba82b870be9dba328ff9bf440d1816b752185cf8142b5fa7c15d3bac5

SHA512
b7bc8e9de4d6fa9c3c2b2e85d0d6d14c18f7d146f1ba97e4e905b1a6a2a671d9cf02eb05b6ad7d3d28c024c410f4d72a5258eaf76da0985446ff8fdfd6efc1a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0EA71B27\4TpI22VC.Cpl

Filesize
1.1MB

MD5
e1dfa623f644527eb56196bbd744beb0

SHA1
c9792792a951003fa7ccd4df8995c2a56a58e0b2

SHA256
d1a7624a59ac8b8e8d728c31bb8d2488ffa469ad1357c8baa973219c0d2536eb

SHA512
9d14dd2826c2b9b8e0e24053c66f308a52870b14a66ff35b546aa5956b70289c7d80addf6ef8165410fbc27f5b191da8b40e5c4de975d9589934e05a56f57c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0EA71B27\4TpI22VC.Cpl

Filesize
1.2MB

MD5
5d3977a459078f6de808663351854622

SHA1
e85ba9675f9452add82d59e3fbebb4d8de25d99d

SHA256
5ee951ca21437862f8e5b0c8a6ac89c9e6b43d6dc74299d66901e50703ede3d6

SHA512
55fd156d36bf1970ba834f868e335c4021c55d1059436274b3d16895fcbad208226b2b7a14c8839564c850206606202e7ef1665c112cac07f90b2bbed533f923

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\VCRUNTIME140_1.dll

Filesize
34KB

MD5
d118101394f2ce5aa9edd991db43028d

SHA1
616169c20dfd697a64d2372068e888e562c97d66

SHA256
437d5af493d368e7ee67e9a0af5ed0662953d16744c9ab484aed580d85b07483

SHA512
5eba10891e2251d83a6b25786f08dd8ed8da5c422dcde5c8c74df940c76c91619d5222c1545de4cbcaadb82e5df91aad717072844cd5b7eb45920e4b2380e82d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

Filesize
82KB

MD5
a8a37ba5e81d967433809bf14d34e81d

SHA1
e4d9265449950b5c5a665e8163f7dda2badd5c41

SHA256
50e21ce62f8d9bab92f6a7e9b39a86406c32d2df18408bb52ffb3d245c644c7b

SHA512
b50f4334acb54a6fba776fc77ca07de4940810da4378468b3ca6f35d69c45121ff17e1f9c236752686d2e269bd0b7bce31d16506d3896b9328671049857ed979

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

Filesize
30KB

MD5
2a44ee6ceb04a50cefa9464a66189718

SHA1
ddb6fa519f5eac6af25843d4b9e36e6aa67c14c1

SHA256
7cad91ecc696c8378035cbb2f9079a12dbe74491fcccdfb27a676ddbda037102

SHA512
9a2ce69031c997cdd3286f4194ceff251baf023f2230ab4fc98bdca13a4c8b2193b71e7834f2af14d386075fbd5ffb0f9e6cbabdbbf67fd0197d3233d5b2d960

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd

Filesize
63KB

MD5
1c88b53c50b5f2bb687b554a2fc7685d

SHA1
bfe6fdb8377498bbefcaad1e6b8805473a4ccbf3

SHA256
19dd3b5ebb840885543974a4cb6c8ea4539d76e3672be0f390a3a82443391778

SHA512
a312b11c85aaa325ab801c728397d5c7049b55fa00f24d30f32bf5cc0ad160678b40f354d9d5ec34384634950b5d6eda601e21934c929b4bc7f6ef50f16e3f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

Filesize
30KB

MD5
0927d238a2dc55ff4471c62d975f914a

SHA1
1a2d26e887bdbcdb95ee31cb96d5a8fd91c06e37

SHA256
234fc349f29267fc410bc099eda2ec4ce48a7ef9ac071d5b1f922d6748e192ff

SHA512
bdb51f2f0674e1dedeaa7bc1e3f9ee4b598fddc00b85f96e66c2899a89a30d21efc1ed82fd09341897edc72770f91ec1b837daaf75ffcb8c5e0f90f290468844

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_queue.pyd

Filesize
31KB

MD5
e0cc8c12f0b289ea87c436403bc357c1

SHA1
e342a4a600ef9358b3072041e66f66096fae4da4

SHA256
9517689d7d97816dee9e6c01ffd35844a3af6cde3ff98f3a709d52157b1abe03

SHA512
4d93f23db10e8640cd33e860241e7ea6a533daf64c36c4184844e6cca7b9f4bd41db007164a549e30f5aa9f983345318ff02d72815d51271f38c2e8750df4d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem

Filesize
13KB

MD5
a0c0814b3138fb16f1056fe6f5c09f0a

SHA1
b5ded45edc2012ee0006aed57203e7cd47d61e87

SHA256
d467249310e428f8ee120b8907e1fc45fe2241e86765bb455b869fea56d981c9

SHA512
8639a131606deb64bdb0cb69cd64d7bca3c81fee69838ad6e1ea522692c4396c3f4d2ff25ac20745f63330d28f264dc4312803dcb4e8f39edb903cdc543ff8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\charset_normalizer\md.pyd

Filesize
10KB

MD5
25e5dd43a30808f30857c6e46e6bc8df

SHA1
679cb7169813a9a0224f03624984645ea18aabe6

SHA256
62639a735008dd068142c0efca7f3d0f96f4959a52278fcf70012946e8552974

SHA512
904855da98f610a6ebe18ba76f7130a7f9a0ba5da0364fbc9ce79127728597c473aa85f8c0ccaf9f0af81da8f4e6ad7b722890839ee03f381e50177301661cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-1_1.dll

Filesize
57KB

MD5
46ef9fa6bedb30d3830defecde0b423c

SHA1
2ad34ad546efeb32f914fe02b86451811a9d770c

SHA256
261470dc699477be094292821dd5d1e141fd884874193a9be5fdf8d9b63b609d

SHA512
4e2517783870d5f79e6ef922554de2db158f809f595fd7cf25803b6e2a27eec0fcd5ecf56d58b98f820860bd3ce0808720f1360ee8aecb9e21a15bad7b611b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-8.dll

Filesize
1KB

MD5
ed2e3616a46374dbb37d56e6232ff53d

SHA1
07254ba6311442be4bd1050981f6dd0daa455c63

SHA256
edae20f391c4eb2e8e40879eb92e744b0058c9d0a44b4d575e2a5737bf12c004

SHA512
86fba412cec4f6a261ba89812266ca28a46f425bed74cd78379c3082fba8929636e0e82e52121e77bf0225c7f5f52deed7b363d23b2d461b0b4a651a1916b833

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-1_1.dll

Filesize
167KB

MD5
fba4f0d8f5ffa666de28311ff36d71a2

SHA1
7fa5f513e17f8a4601798a8c7835f47939f5b80f

SHA256
31eac6aef6b031d6277af3a51c725bf8e7663da3a540a85a0b4f5420a335777e

SHA512
fef193c782e3163b7e57a90e17ca8569881c6c4a0ce80a7feeed4cd04e78015079ce4a317d7da85618a44453d4c8ec55d879afd1e5e9e2502a5def3f46d43744

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\pywintypes311.dll

Filesize
1KB

MD5
65b507d8dc0897c5907f009b71930956

SHA1
31cf30f58bc33452fb5548299180ab973c1418a6

SHA256
92c850c6720077f24c9ee215deca935831b18b7c8f734f9d2857c68fa334ccb0

SHA512
9b06db4d1e6105fee6c759bfa443bfed6fd9176ed88c09ca9206908c116fdd224a775f59450bb2b833abfd347d3f1cbfd0ec80c4e2ee78b70729832d3923d273

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\unicodedata.pyd

Filesize
219KB

MD5
2f4cc8478c24fcee0ab177a2efac68ff

SHA1
0e4edeebc0824456e5c27a8c0bdc2eb6bdff3324

SHA256
75e52fc49446cc7b2cfec3140c28fd6447659f5eeb5fecfdbb3a44abd41780df

SHA512
f6920cbb0b6206dd81110f058aaa7bf28aeafad614693e7e8e72dd175d187926c86d17a022136b88b48988d3fe519ef39f62d7114a1c87d21b84a51b06719d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\win32security.pyd

Filesize
78KB

MD5
080347a3f9123328ce5d9144c4ef3ddd

SHA1
4e1c4cd36176357a1b196b18efd9b994d4fa40ec

SHA256
1f969bdfa81ae7f45241f11cebc2fb9e01e8e8884bb2c38493ed2f0d043793e1

SHA512
3b2c48756f641b91412ba77f8babce5c1deabf6c7b27164bba91517a709d3ca2e38320396d01e35dbe5fa02be9188e6ccaf09d91985ff11902809229ccccc402

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4FKJO.tmp\9VStNbXMDfBdpe9jdbPA3maY.tmp

Filesize
382KB

MD5
d798b66d68223f648d5629b46ce60147

SHA1
9b6d0996997a03e45f09069566f153a9719fffd4

SHA256
0b1e85a38aa9cc2655df58aabd9034ce316a8a9ce108aa2a2ad5424ed823f814

SHA512
bf60c31db2c5329c6ce2a16ee88ba5d2de2bb18542e66e74a789a569e87684b44bf847d9c2ef9cbce297ee3aabfc1022e1698a1c69b1580e640a75240ce44b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4FKJO.tmp\9VStNbXMDfBdpe9jdbPA3maY.tmp

Filesize
53KB

MD5
d240c12c2b038d22555cb547cf9defba

SHA1
e765f68d402856fb435f0d02c5af4051a98f1bf7

SHA256
4ef90afe50fcda9183132ab6d0f272e24131c068ede191b6968e4ab6f7928e10

SHA512
4684d9aadd3d24ed40fe0d1bce9ba7452d1914c614f5553eedc6b5fe680249646b1c8c5a14333bf73a60d1443d9d122fea6742ae469e1bc145f36832e11fc856

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OO30U.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1176_133476531035743675\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1176_133476531035743675\WW13_64.exe

Filesize
132KB

MD5
bdf8bbc12fe7ca911f5967aaf6f0ea6a

SHA1
a67ceab23a0a25fd0e870353d9bccd661d11a011

SHA256
e63361d0bae5cce971396567b784b50b1a70d76046080f0974adcfe4a9cc9395

SHA512
6c237e0b61ee07707e16c7ee40b413b3ae144caacfc5b0ba11b242f3645119d4b245b196c47d2eb78500e3b0275b994483704afd3beef432244f22b0b2baa32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1176_133476531035743675\WW13_64.exe

Filesize
125KB

MD5
8d4efd8808f34501adefc90d9a4ab725

SHA1
a3bde9cbff1258ff3e9b3395a1f69d9b72eeccf2

SHA256
9284a1794395d5960d26fc968a15bce4722a8d23cf29de50abfc72944e81a2d0

SHA512
e9335ade2afffe7ab76190a3ed57d851a644e11d4cae3e6ec6a52b9dc86ddad9a946f73b2b1b86e4b9ee570f16546cc511963bfe9df42d901d69e2463d2ce1c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1176_133476531035743675\_bz2.pyd

Filesize
15KB

MD5
e577bbab22666766673bc7eddb8d6ce0

SHA1
4788919415caa9c0067782c472b139177813fdcf

SHA256
3d215f73fdc4a681524145351b4f5ba8e106553ffe69bb6e7de7f4dabf436c3d

SHA512
ecf5c688db3fc9de067b681dedf8348d8f0ee66e67cbe24ad208476a0c1f532a0c1c534d7cd3359ec5120c669c87aa6943bcd754c8bed8cf596aff1cba531fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1176_133476531035743675\_ctypes.pyd

Filesize
47KB

MD5
96d0c634c05693f07eae869a4858cede

SHA1
a6b831ad0f35960548c72be94dfcd70da7322499

SHA256
3df59a36f40277a6ece22d180d8288d8adeb9a6050ef028130db80d09bef17ef

SHA512
3fac763fa205c5c46125c8289278645a71943d88653f799198921e08f261e93a9880f9f7d2eb71779b92ab03be1ab0af0f181893554b2764c0ee94ca7372a413

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1176_133476531035743675\_hashlib.pyd

Filesize
31KB

MD5
e0c3d0d94fa8fc4febaa785d57b8316d

SHA1
db4f5fd9852bc5504b20fdf6559d2957d304bceb

SHA256
6386c25d711d45086257ed4b79a830420788b7608bb06fae9a3c099155461cb7

SHA512
a54d94eb7a575710ec85b833ff857110616cd562829f3e9225fa9b3cd4ef1f9e6647bc0e89796601ae66aeafe994b05797b20045c899156ea714bcd62ce8f039

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1176_133476531035743675\_lzma.pyd

Filesize
12KB

MD5
1ac4209b2bcf55f148ada89d5d43b4f8

SHA1
267f3f70ba5a17e6dd5c99874cbb9962122f1b7b

SHA256
1132e215b5c8358a9b7fe76ead9bb8568c9af48fd0d45bd3552231fcd1658754

SHA512
b2676a75157f239d0abaa3146a347bd0592fb4cfaeea589b4ee07a6f81bf702b1416cda314bfad16d84b88c5a505d8f2f3e701f34033f876d4325caa97246db5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1176_133476531035743675\_socket.pyd

Filesize
77KB

MD5
290dbf92268aebde8b9507b157bef602

SHA1
bea7221d7abbbc48840b46a19049217b27d3d13a

SHA256
e05c5342d55cb452e88e041061faba492d6dd9268a7f67614a8143540aca2bfe

SHA512
9ae02b75e722a736b2d76cec9c456d20f341327f55245fa6c5f78200be47cc5885cb73dc3e42e302c6f251922ba7b997c6d032b12a4a988f39bc03719f21d1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1176_133476531035743675\_ssl.pyd

Filesize
157KB

MD5
0a7eb5d67b14b983a38f82909472f380

SHA1
596f94c4659a055d8c629bc21a719ce441d8b924

SHA256
3bac94d8713a143095ef8e2f5d2b4a3765ebc530c8ca051080d415198cecf380

SHA512
3b78fd4c03ee1b670e46822a7646e668fbaf1ef0f2d4cd53ccfcc4abc2399fcc74822f94e60af13b3cdcb522783c008096b0b265dc9588000b7a46c0ed5973e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1176_133476531035743675\charset_normalizer\md__mypyc.pyd

Filesize
110KB

MD5
f4192b63f194d4b4e420e319f08fd398

SHA1
03e2f59492e05f899cb5399a4971b3ee700f00c1

SHA256
0be6ce456259ec228b1e42b8406d6eecf4c9fc4c96b9c3dc6255695f539bfdca

SHA512
447f4909a742e3f2abbe37c2f02d1e9106ded7be5c1d3c1bcbe3985d61791c2eac85bfc9870518fb6d99c7bd32a73c99e9961b797aeee95756f59bf0d2038009

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1176_133476531035743675\libcrypto-1_1.dll

Filesize
207KB

MD5
fd30e1942ede407b21b973499d2505f9

SHA1
d13237939bae71dbc2bb9f6b5380315eca273f10

SHA256
40f3b0c9f16df31a2f62a7872441db33781158c9a4d55561d8e7d3c2b1b35460

SHA512
155fc68297c64ae4aa6f106a48da6891ddf48d5ce57d89ce29de08b13f169ec480ee13f2ee7d6ac77bb8bc418c4e375d791acea997fb98dc4b958ad83d620b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1176_133476531035743675\libcrypto-1_1.dll

Filesize
132KB

MD5
1bcf62d5e2b8dbd63a6ebd65360bd538

SHA1
6f2a8d9a13f87a5ed7c5fe3179a968a55e605f1e

SHA256
099920f1631b198a5f3b002b86b6adacae1a495ac82eb4a9ceb1206f58659f45

SHA512
a48390ea4447f8503290d01e84ddad7c3bd8177217a10596adc74c8192ce519d277af3df587b06fdcd07f06bf16c0f48af4be16fe30a05c2abdeaa11eab259e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1176_133476531035743675\libffi-8.dll

Filesize
23KB

MD5
0177796163c488efe5ddf51011919acb

SHA1
c3439eebed3d549cf82c7d4cac530ae2e9844242

SHA256
f3aac747f6d775c7abf7fa4dff6a95b19225004546aa6b37b50e787295efa4cc

SHA512
50cba1a0135a5f80f817cc2b8c1d620eb7ae2e6ef84f1a3dcab9117c6ab3babb0cfcaf232b68613455460918a988419b3015a5b438d298a5ca007de0ee4bed0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1176_133476531035743675\libssl-1_1.dll

Filesize
178KB

MD5
1d85ffc6655d4b492887cd3b9449c53b

SHA1
f4476e8ec2d5c123fa49954f0e5abc2bf9dcb049

SHA256
f087ce1a904bbf665694c81d0456702d341e8e357fcbbde81208824236e547b3

SHA512
3fcd9289f17dc5f404803e8ebbd9b95126213990dd8c8421ba8c16cc6575959c921eb4d75fe9e752b926b118953abf84ab805c7b8ab1567e701ec82f25c165df

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1176_133476531035743675\python311.dll

Filesize
104KB

MD5
2c979f33e4643a6d15fcdadcb37ac537

SHA1
120be759e7b198ce478854d1fd3d4961f7183235

SHA256
9ec1182663581af32f766a35f30c027c9a87be1db8ba2240c5be232c53de7598

SHA512
73123e42b76d444dfd5cfa0e477aaf75fc4ae8650ce51bedc9e9abfa73d5b8000d2bad9c04bece9c20ba93123142fce5e22b3a6102605d38eb12461bdd3dd079

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1176_133476531035743675\python311.dll

Filesize
82KB

MD5
3497ff4cfdbcff33373681b78c94a36b

SHA1
29367f1552f826a98b69ddcbaeb20c352c9e1443

SHA256
dcc5e00ead349f6da9e3a707893a3b001febef797f63e85c8568cf2d206c26f1

SHA512
f9de300344acba59ba8640c0176fcd3ad2d767184b02b506097f5a3116af945f32030b210ffa083fb2e38fcc407a27fc689a6078749e6649dbdde90750751d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1176_133476531035743675\pywintypes311.dll

Filesize
36KB

MD5
5d4ded8a5fa140aefb518c21b17c0b4b

SHA1
cc618461197540964415741bd69c87b1626e313f

SHA256
0f59e32178bd670929a7aaab478eb02f646fb1618ee9c3fe8be3e777d09113ff

SHA512
7339c73acad2d086b561442618e5f98df649907bb8da8cacbc1eb5b626fede458e246bb45f0c414f129459b7efaa2fe457cffe74d0286bb23e20e9aee3304d7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1176_133476531035743675\select.pyd

Filesize
29KB

MD5
4ac28414a1d101e94198ae0ac3bd1eb8

SHA1
718fbf58ab92a2be2efdb84d26e4d37eb50ef825

SHA256
b5d4d5b6da675376bd3b2824d9cda957b55fe3d8596d5675381922ef0e64a0f5

SHA512
2ac15e6a178c69115065be9d52c60f8ad63c2a8749af0b43634fc56c20220afb9d2e71ebed76305d7b0dcf86895ed5cdfb7d744c3be49122286b63b5ebce20c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1176_133476531035743675\unicodedata.pyd

Filesize
215KB

MD5
8a9fd5308bf5c6d9e2ff6b906753f6bf

SHA1
6cf65015967d968a1b8d3bec6e20f2410a176952

SHA256
300e2e74efa4c014eae4061852e729b53c25f26b937fd96f0e7ce0a4aeeffb74

SHA512
7456250736ecbf948f78710dcc0bef0c69505f92eec56b0433470bba78e6028d5aea885db94f2290ff40a837750f3b669774ae9605227c3c353c891eaa05df59

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1176_133476531035743675\vcruntime140.dll

Filesize
92KB

MD5
de66f1205f4e571a216289de7ca483ef

SHA1
c5efc5769ba429acc29a7ba21079617f164b4d9c

SHA256
f8823ff06265e548d2457096657387c6c0d3f621f83b925483b724bfb9032192

SHA512
b4681e2383c9280f6ab3bede398086c2b82c0e702fc59f3e8820c295ff50d10823e0af955277a21db5f533bd3db20423f5be02f98f5dd5de68ea0d73db9c4b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1176_133476531035743675\vcruntime140_1.dll

Filesize
46KB

MD5
8f18bd29db71c707e5050b99b681b4b0

SHA1
2654fff3d2149d6658421653be922e77bbfeb918

SHA256
f5e8d51debde3d36486bda49fc4621d4de49d6b3eb993c8f814aecab8e11aefc

SHA512
6cc49c3fecc5a3043d889f85da1cfaed0b2b0e9d802c90e3bad7ae3310b0126c82347fdf2d4cba13af338310330d285852af200a173d130de4ca812d50192ecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1176_133476531035743675\win32security.pyd

Filesize
44KB

MD5
223bdfcfa374c9d63ef361a607672e41

SHA1
430137d1bf08ac5ba2fcc52406a6ce39810211a7

SHA256
3f5c899e0e1bd10865356591c3953ddee8ab32ec8e115eff8ce3df1a3a05cba5

SHA512
6bb2d95754e97bec14fd9d0ec26544b2d1c1dac053b8a7d926ad4b76ba3b63aee727e0b9ae5e25c0fd8553469a9982a2edd818702b5066b277f83067cbcffdf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp87CD.exe

Filesize
37KB

MD5
de68aee4ac7fc958cec0560b37fa7baa

SHA1
9c9202d3fcf49ae5fffa858fc6f8e27aa051b644

SHA256
97fac2b550d1c5970c5385f367a55a582c29675881e26890d62aace357d1f59a

SHA512
427b8fc91dec9e8f48016d82ec9a598662691d169b1cc396201d9a5339af086f45d4549979b6aed5c122f7b25760424fcd7f5a92f082dec4bf11b5720f7d6eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8EA4.exe

Filesize
619KB

MD5
2924aec91ebbbb8a40ac16a58e50a8ee

SHA1
3405535435088c195916abd2b8c8601476e78470

SHA256
63a27b81cf37fb30feec1514e2d688d92665cbc2bc4333df761e8e676e45d3d3

SHA512
809ff42dff6928907bfc522b97f7d0bcb814546c9903fe0ad5fd40d0a7392097fa2601faf8e8d978171360d7398d1830f3c4c5949e52bb8c696c57427057fc82

Download Submit
C:\Users\Admin\Documents\Minor Policy\6vwg8rOQKf9YDbqdXKv8kXY0.exe

Filesize
741KB

MD5
dc54e2e22df159a20c67712144e08ce2

SHA1
0f9b5b792cf5d39466686e9253f4a4e852b91c8c

SHA256
18e0cfeb35f013593e6d60193f85a138fa004ae4da338458e0725034591d8713

SHA512
ffbe16cd0a6d9688a54257e629705b0183fd2b95b4bb73d59ee014351a82ee8ea12901188fd5bfc42a8c27306fc483b5165ed090725bd32349f3b5cf0fce83d2

Download Submit
C:\Users\Admin\Documents\Minor Policy\9VStNbXMDfBdpe9jdbPA3maY.exe

Filesize
85KB

MD5
289b2f003a47b09752453d8d03e073db

SHA1
ade91bc86d7ff2642d0316bc6e4b59fcf79f1985

SHA256
5488b0af3dabc1e8da9f27be01b9508b75dc91e83ae6eb493d7458edd6e3e913

SHA512
db30d1aea52de6e31bf053fcb5328c555dcbe9a22acf1d89a7ff7a2987f4ac09c7dc4b2ec5fb619dba6a79a6215257dcdfe91969585ce1e4c0faa00942fef006

Download Submit
C:\Users\Admin\Documents\Minor Policy\9VStNbXMDfBdpe9jdbPA3maY.exe

Filesize
49KB

MD5
2bee3068b9794c8d9bfb142b0aa08121

SHA1
a55b50a1eb1a59a6c0eaac05878dd42473d3ff18

SHA256
a638fc4d660a0fd6c92e9cd2e66cb09873fe1c78c648e2cc6459abd8250c081e

SHA512
6611c42091b5e946cd94426905e49bfaf239ba9e69b49b91f175b5ac1d8f44562dd9cca002b300960d24fb386a57c320e1a537cf65dc77909e471cc33a1b2971

Download Submit
C:\Users\Admin\Documents\Minor Policy\9VStNbXMDfBdpe9jdbPA3maY.exe

Filesize
51KB

MD5
a1f6e174f555d8263bb48f2b6ae2c48a

SHA1
c7f13e3a8dd78b5f62651f89c719540d2e6c9710

SHA256
2032c3609e7be35057404f163d19b6f7867c60f7722101bd7ad0e35a5401c6be

SHA512
1c7c8770b9e8b1c006fede3664000ef35d0b8ed418d3a84df20795dc139f5b7fa634eb97c21518611e3052075d0ffd4e723bdba7e26969824c295abc3411bf03

Download Submit
C:\Users\Admin\Documents\Minor Policy\9uQoi5FiRR4_G6BepF185Bb9.exe

Filesize
37KB

MD5
74bf7e11a1050996ad0c415fe8bb1918

SHA1
de547de69112c0e322bb391124607b9f6dc9b929

SHA256
80079ffb7a8afe151c3986a4d519fd6052dc354ad0df67295a5a2b2145395fb3

SHA512
08cda6a808a6183fa58b7f3517658789e02fb3546172ce1d42faa84930e78d072af98d9fbeb0eee28920a8a0cc44d1d0755b2af68cf34fa05b09ce6dc9459f6e

Download Submit
C:\Users\Admin\Documents\Minor Policy\9uQoi5FiRR4_G6BepF185Bb9.exe

Filesize
243KB

MD5
96323074c8fd721f75ddc2ab7397c1f5

SHA1
c40cd803483779b6bb2a12bed03eaa7e3766cb8e

SHA256
02eb002f33af51183396e8406bc7518c01c4b2f3b326d227fef6bc7e3c8fd1a6

SHA512
8d09835aedf2366edce647ce57bcd2b75e5ed075b0043e635be81f646faabeec002589842f6345b341b5b1b4b6587b75e6ee6d5c7957f8d2908f9c37c04a871a

Download Submit
C:\Users\Admin\Documents\Minor Policy\EOjnytPKPZ3zfl5JKG6Qpg6v.exe

Filesize
24KB

MD5
483f0c5bca37e8db09aa5585f94ee1a3

SHA1
940d29784a955fc6c06c269e2b78fc732dd5da4d

SHA256
24868d4503098e83bdbaa70567bdbc18aa6f9482d6c59c5ccaeacd26eb88a0a0

SHA512
255a8a070567e81a28a92211785c15aaafcc24ce6e3606e0206eea5f2b7459f62012dda5951a065d1af8505263abf44f7dd479e0dcc21650995385f22d0007ab

Download Submit
C:\Users\Admin\Documents\Minor Policy\FhDYgWvjtyn0ZxOwFxwOvi6R.exe

Filesize
516KB

MD5
78b7008ed5a0282d7ab117589f193540

SHA1
655ff2288ef80567eace3cee137fd4f229a4750f

SHA256
573829010e86ad1c19fb478ccdb0a422759afe038664cc7de2e41ae6f5d4d196

SHA512
f1cb489faa13eb21994a1871a2731c5b005dcbcb08c835f1bb9ae551874179e8295d2ff3aae5bb460c2a96fd516ede99a5b7b8fa2bff3842f1afe28f095c3fab

Download Submit
C:\Users\Admin\Documents\Minor Policy\FhDYgWvjtyn0ZxOwFxwOvi6R.exe

Filesize
69KB

MD5
3bb85c03534285abd4815edf3bd5e135

SHA1
42e2b45d781ad6eeb654e04b0fd11cbb61e69a71

SHA256
b11707d9cea83bc4a13bc2224ca9f09dbd3c974b6d464d6b6d1d2bca76f96f27

SHA512
96b68276721d34f36d56b7edea8af6ecd02982a3c2c2e693c2da5f5210558d70c606297e24d5f414d520f18494ce1123e4e5c3a615faff850ea7dde6437e3d8d

Download Submit
C:\Users\Admin\Documents\Minor Policy\NHtBKFrgPt1Qczfh4VqEVSaU.exe

Filesize
36KB

MD5
6d2ff3f3a4c086a787c5f3ad0fb687e1

SHA1
69760bf5c921b95ce41f1c8a013f0c795127f2e2

SHA256
37c5920467bd9fcccf33e41e5414cd1860035fb6e6c297dcb867a40f37668383

SHA512
cdeb1a5a40ecc8ce1524b0eaf949f05e6fd2092ad5fc8b65acf042c632876439a8b37faca3d6e221cc0bbd8d408b9127dfe2d1b81f9ca29f223443f76f35d998

Download Submit
C:\Users\Admin\Documents\Minor Policy\NHtBKFrgPt1Qczfh4VqEVSaU.exe

Filesize
186KB

MD5
41b7872bf2b7ccfd66d048e602a88b37

SHA1
4fedccfe32313e40dd8faca8ac5f3f41ffc30981

SHA256
c19cc84cbfd3f55a8bfb5182c36f78d4c49433679624dc71c324d3cc8e59d1c2

SHA512
de490feda7d45bbd18a2007b6eb344de31778976294a4013ec8c5456cd1f3634e4e712fc56c3a7ab2e84b9fb8625e2111f550ce881cbe61e3bdd9e1e8fd2a0be

Download Submit
C:\Users\Admin\Documents\Minor Policy\NHtBKFrgPt1Qczfh4VqEVSaU.exe

Filesize
34KB

MD5
6999bd33b66cd88b1e7f29c8b9e3db72

SHA1
7ce644264f7262e972ca9f75a13a90f17d7a67ca

SHA256
0ca3b532c483a2adf1d1ae7aa2511da467f53db692c0562de580e160d0866a34

SHA512
cf8ad4df5498c268f6bf0243aeccb7e90046cbb07bdd571597890c93413370045ba1c7a69242c0b66f1995119658de63e92064df098e75b07cf2891943d317a0

Download Submit
C:\Users\Admin\Documents\Minor Policy\NapOV7JCO4teEDOTmKZD6vGm.exe

Filesize
184KB

MD5
c6bf9e1d16f755d2e234062019ad4311

SHA1
28b5af0999cbbd3a05629ffbfb06e0f94fce242d

SHA256
d683bf573f3e9f0779838d54ccd161e1b2055fabf1182ed35f023ee8436ed3b6

SHA512
01047a1be6d11cbd123144425b6f3927d623199cc20665e609b923db2bc48dc501448ebe8c876c0870ecce7697f8401f3a59e67fb75f80bcb6193895c0095192

Download Submit
C:\Users\Admin\Documents\Minor Policy\OKv8JfZoUO5bPbOiCCP6YppY.exe

Filesize
11KB

MD5
897318c4ca9cc1b91c69d32d7ad40db1

SHA1
99a42131d9d33383eb48f8739bc0a4436a04d03e

SHA256
f3c56b9fb474c2843197e632fe338937bf10309baac9c3db8e29d340115ab274

SHA512
cc27e253cdd4b42e2c5545f940cbaf8cb257486a38218dd1a4ec39315abf1b479bae547d67bf36264fb5a73c2f163c89a749065a8d41762169790981d4b791c5

Download Submit
C:\Users\Admin\Documents\Minor Policy\OKv8JfZoUO5bPbOiCCP6YppY.exe

Filesize
138KB

MD5
aed6cd2d8289aaadf9b8941fd9df491e

SHA1
7c68c4d3f9b0cf57b97bf2be59fbea8f06c9243a

SHA256
058c8b1f4a61e0f790f41cbaa4e608587915bd5ee1da3646f2b34226144bf90f

SHA512
cb81d0a56ad2868c3165e37bbb1c7bd0408bdb872ed0cb90e648be9c62afbadfb38ca7f07cfe7a65e8eeb56984c048bc8724924648ffdd68b99ae8970b7932f6

Download Submit
C:\Users\Admin\Documents\Minor Policy\UaYZRV34vUrnRfKsicnRb9dw.exe

Filesize
56KB

MD5
02e9dabc3936422089c699da1d0ccb46

SHA1
323cf058ae71f8ad72cdc6d97ea9f539769ac1a7

SHA256
6da2b92ad553fef005515c31cb8c647711076b79509cbc6395aa5f4165bc45c8

SHA512
c0a4fce7c9bd44b92efed66f9e8fa6c84a96c6effba751c5d57557d4f179e74051c490ded5ba462cbacd2aa72c122b9c026123db71901aec4e338763f471b9f8

Download Submit
C:\Users\Admin\Documents\Minor Policy\_H7wCgXGVReozGCB0pHs3SRv.exe

Filesize
70KB

MD5
c557db0d18998fc1f12f72919ead118c

SHA1
6286f49eebe760410361863a4e71371391a0bda4

SHA256
70076e25e0faf148647f09fb8e4fba0e17e86b0ab3dbb3d214ccf23283d90a9d

SHA512
b3611a94ff86de0a2281d263ea7c2c93ac3866ea9c8a7dabf8b4ba2f95e28585e1c184cc507db23e79a5f221107e001f198140ebdd65463feaf365e2eae37678

Download Submit
C:\Users\Admin\Documents\Minor Policy\ho9mhSQ8g2PdGJhCIlqM0409.exe

Filesize
42KB

MD5
24be0e33709e3295eed358c0f0868735

SHA1
4f28c10b4965c1b0122d38067110118518960f9f

SHA256
fbf7e32c3eb8bdc0a9d22898bbc35c884b1f8fe085777045bc9a293929e3a8cd

SHA512
814dcb74605603925787eaa1cf560775b649fbd50670f043676e4856506b84b39d3264776fd27a17fe969efb06efdc8df18946bc6408a8e3f72df55e137f324b

Download Submit
C:\Users\Admin\Documents\Minor Policy\kKBrItM5DXxPH321Uuv8xoH7.exe

Filesize
52KB

MD5
0516c5369a36af38549c8065dca95b59

SHA1
0d9f6ff8f5e12c13c0b6684966830a8e9f569997

SHA256
c4d520635f5556e73ef34c125d3780f3f037b40a662d289c4385f52664070159

SHA512
75f8582f1a0f0028842662dda4ed9b155ad4e032a6dd35397decf46827aabed3101b1654d65143f9debfada0e84f6ec222597b156e9f255d371948d6407cbe55

Download Submit
C:\Users\Admin\Documents\Minor Policy\kKBrItM5DXxPH321Uuv8xoH7.exe

Filesize
52KB

MD5
71981c5a048c3bb8099fa4b56bd213e6

SHA1
c586156a794772915afbe861e403f45c7ea1aa7d

SHA256
1669afa096aff4951d71ce16c00fa2813e511b0ec184f4fe0810f7cc5fb61318

SHA512
79749038ec7558acbb937de1d5318382e1cc337a529fd4970e2ae0ee14f35a7b644ebe59260f6b389423f8a66a798903d336fadf7b0d9b3a1e7bcbbb39511386

Download Submit
C:\Users\Admin\Documents\Minor Policy\kKBrItM5DXxPH321Uuv8xoH7.exe

Filesize
243KB

MD5
cfe50dd0c3d3c69ab66e80e6632b26d2

SHA1
1fb2f71dcfea064ed66cc0c14ed6e8f38e22069e

SHA256
0fe7bd9ddeb2d94d1372e3e8a2da428679a263b9636b0107abdf416862c72d39

SHA512
920966a9e68e20ef32074edffd51f6812cad1b5492e1777ac7ce5bc2559187eb68c995dd8007165682c1a65a39a8193dda3ff97d7d3289bcd2a516d8797aac5c

Download Submit
C:\Users\Admin\Documents\Minor Policy\xpbgFmcuJ8rBD_GC7em_Snub.exe

Filesize
76KB

MD5
c6f2400be6d755c844ff062aaf6b9bba

SHA1
ed14af499b3043d97a55734a2191cfd3af12a1a7

SHA256
8557ad6153223b0de9e3903f13dfeefa07cafe193995ebc3b318173d12a5d551

SHA512
c7d650a6ace7cc73f29d43c74eeac17a215ffff08e94b3d200f723404c0cf8bd7a4ea413cad7bec505a2f53e6d0cd26a29d1fa5950b171a4f63ae887a8b4a850

Download Submit
C:\Users\Admin\Documents\Minor Policy\zWSniIaojgThJ0w4BGinORYA.exe

Filesize
149KB

MD5
4d76231717e3603cb69cd8593d36c920

SHA1
ca729443bfa8139978811dbc5d65648cc4baded9

SHA256
92bf74396acbf3508024175b7f0ac4845df4953cff462ccef1587792bb1d353c

SHA512
812f68049283188e21fab8b4f125f9e3f2707431e9612af75e4f41d458def5026e88005dd70a206421d4c865003113437b527c71658124bea4df8212c983fba8

Download Submit
C:\Users\Admin\Documents\Minor Policy\zWSniIaojgThJ0w4BGinORYA.exe

Filesize
174KB

MD5
e93a372ad426316a26d63208d739efff

SHA1
02eae920c39a6ca25122c80bc9325159337fb127

SHA256
fe17a2b74679743a0383ec1a775ea4ed77364884ac57990dd0b0a701e9bc69e3

SHA512
0a83e1f945a05489bf11e45ac2a5a50a85e20473f03faad5caa8472546db478ccce7aca27d1fd61927d85fa23902de21975452a05769a969c6b3c091b3aea02b

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/1144-101-0x00000000003E0000-0x0000000000410000-memory.dmp

Filesize
192KB

Download
memory/1144-102-0x0000000073760000-0x0000000073F10000-memory.dmp

Filesize
7.7MB

Download
memory/1144-367-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/1144-106-0x0000000004F10000-0x000000000501A000-memory.dmp

Filesize
1.0MB

Download
memory/1144-112-0x0000000004E80000-0x0000000004ECC000-memory.dmp

Filesize
304KB

Download
memory/1144-360-0x0000000073760000-0x0000000073F10000-memory.dmp

Filesize
7.7MB

Download
memory/1144-104-0x00000000053E0000-0x00000000059F8000-memory.dmp

Filesize
6.1MB

Download
memory/1144-107-0x0000000004E40000-0x0000000004E7C000-memory.dmp

Filesize
240KB

Download
memory/1144-105-0x0000000004DE0000-0x0000000004DF2000-memory.dmp

Filesize
72KB

Download
memory/1144-103-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/1176-0-0x00007FF77CA50000-0x00007FF77E19D000-memory.dmp

Filesize
23.3MB

Download
memory/1756-469-0x0000000000400000-0x000000000069E000-memory.dmp

Filesize
2.6MB

Download
memory/1800-442-0x0000000002640000-0x00000000026EC000-memory.dmp

Filesize
688KB

Download
memory/1800-443-0x0000000000400000-0x00000000008DB000-memory.dmp

Filesize
4.9MB

Download
memory/1800-441-0x0000000000AA0000-0x0000000000B32000-memory.dmp

Filesize
584KB

Download
memory/1800-527-0x0000000000400000-0x00000000008DB000-memory.dmp

Filesize
4.9MB

Download
memory/2388-366-0x00000000029F0000-0x0000000002AFF000-memory.dmp

Filesize
1.1MB

Download
memory/2388-467-0x0000000010000000-0x0000000010239000-memory.dmp

Filesize
2.2MB

Download
memory/2388-153-0x0000000010000000-0x0000000010239000-memory.dmp

Filesize
2.2MB

Download
memory/2388-164-0x0000000000720000-0x0000000000726000-memory.dmp

Filesize
24KB

Download
memory/2388-203-0x00000000028C0000-0x00000000029ED000-memory.dmp

Filesize
1.2MB

Download
memory/2388-358-0x00000000029F0000-0x0000000002AFF000-memory.dmp

Filesize
1.1MB

Download
memory/2388-354-0x00000000029F0000-0x0000000002AFF000-memory.dmp

Filesize
1.1MB

Download
memory/2868-473-0x00007FFF916F0000-0x00007FFF921B1000-memory.dmp

Filesize
10.8MB

Download
memory/2868-427-0x00000000002D0000-0x0000000000774000-memory.dmp

Filesize
4.6MB

Download
memory/2868-434-0x00007FFF916F0000-0x00007FFF921B1000-memory.dmp

Filesize
10.8MB

Download
memory/2900-364-0x0000000000400000-0x000000000069E000-memory.dmp

Filesize
2.6MB

Download
memory/2900-357-0x0000000000400000-0x000000000069E000-memory.dmp

Filesize
2.6MB

Download
memory/2972-496-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2972-201-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3212-494-0x00000000766E0000-0x00000000767D0000-memory.dmp

Filesize
960KB

Download
memory/3212-472-0x00000000766E0000-0x00000000767D0000-memory.dmp

Filesize
960KB

Download
memory/3212-491-0x0000000000B30000-0x00000000013D4000-memory.dmp

Filesize
8.6MB

Download
memory/3212-475-0x00000000766E0000-0x00000000767D0000-memory.dmp

Filesize
960KB

Download
memory/3212-490-0x0000000000B30000-0x00000000013D4000-memory.dmp

Filesize
8.6MB

Download
memory/3212-499-0x00000000766E0000-0x00000000767D0000-memory.dmp

Filesize
960KB

Download
memory/3212-502-0x00000000766E0000-0x00000000767D0000-memory.dmp

Filesize
960KB

Download
memory/3212-487-0x00000000776B4000-0x00000000776B6000-memory.dmp

Filesize
8KB

Download
memory/3212-474-0x00000000766E0000-0x00000000767D0000-memory.dmp

Filesize
960KB

Download
memory/3212-480-0x00000000766E0000-0x00000000767D0000-memory.dmp

Filesize
960KB

Download
memory/3212-477-0x00000000766E0000-0x00000000767D0000-memory.dmp

Filesize
960KB

Download
memory/3212-498-0x0000000007AB0000-0x0000000007B26000-memory.dmp

Filesize
472KB

Download
memory/3536-430-0x0000000001270000-0x0000000001286000-memory.dmp

Filesize
88KB

Download
memory/3604-213-0x00000000025A0000-0x00000000025BC000-memory.dmp

Filesize
112KB

Download
memory/3604-428-0x0000000000400000-0x000000000085F000-memory.dmp

Filesize
4.4MB

Download
memory/3604-328-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3604-185-0x00000000009F0000-0x0000000000AF0000-memory.dmp

Filesize
1024KB

Download
memory/3604-315-0x0000000000400000-0x000000000085F000-memory.dmp

Filesize
4.4MB

Download
memory/3604-85-0x00000000009F0000-0x0000000000AF0000-memory.dmp

Filesize
1024KB

Download
memory/3604-618-0x0000000000400000-0x000000000085F000-memory.dmp

Filesize
4.4MB

Download
memory/3604-87-0x0000000000400000-0x000000000085F000-memory.dmp

Filesize
4.4MB

Download
memory/3604-86-0x00000000025A0000-0x00000000025BC000-memory.dmp

Filesize
112KB

Download
memory/3700-506-0x0000000002DE0000-0x00000000031E0000-memory.dmp

Filesize
4.0MB

Download
memory/3700-497-0x0000000000FC0000-0x0000000000FC9000-memory.dmp

Filesize
36KB

Download
memory/3700-519-0x0000000076950000-0x0000000076B65000-memory.dmp

Filesize
2.1MB

Download
memory/3700-512-0x00007FFFB0F70000-0x00007FFFB1165000-memory.dmp

Filesize
2.0MB

Download
memory/3700-522-0x0000000002DE0000-0x00000000031E0000-memory.dmp

Filesize
4.0MB

Download
memory/4136-184-0x0000000004EA0000-0x0000000004F32000-memory.dmp

Filesize
584KB

Download
memory/4136-179-0x0000000005370000-0x0000000005914000-memory.dmp

Filesize
5.6MB

Download
memory/4136-470-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/4136-187-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/4136-186-0x0000000005030000-0x000000000503A000-memory.dmp

Filesize
40KB

Download
memory/4136-426-0x0000000005A20000-0x0000000005A86000-memory.dmp

Filesize
408KB

Download
memory/4136-178-0x0000000073760000-0x0000000073F10000-memory.dmp

Filesize
7.7MB

Download
memory/4136-176-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4136-466-0x0000000073760000-0x0000000073F10000-memory.dmp

Filesize
7.7MB

Download
memory/4136-523-0x00000000078E0000-0x0000000007AA2000-memory.dmp

Filesize
1.8MB

Download
memory/4136-524-0x0000000007FE0000-0x000000000850C000-memory.dmp

Filesize
5.2MB

Download
memory/4456-484-0x0000000003DF0000-0x00000000041F0000-memory.dmp

Filesize
4.0MB

Download
memory/4456-399-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/4456-478-0x0000000003DF0000-0x00000000041F0000-memory.dmp

Filesize
4.0MB

Download
memory/4456-495-0x0000000076950000-0x0000000076B65000-memory.dmp

Filesize
2.1MB

Download
memory/4456-415-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/4456-504-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/4456-489-0x00007FFFB0F70000-0x00007FFFB1165000-memory.dmp

Filesize
2.0MB

Download
memory/4456-382-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/4536-516-0x0000000000B70000-0x0000000000C70000-memory.dmp

Filesize
1024KB

Download
memory/4536-520-0x0000000000400000-0x00000000008B7000-memory.dmp

Filesize
4.7MB

Download
memory/4536-518-0x00000000025C0000-0x000000000267A000-memory.dmp

Filesize
744KB

Download
memory/4888-435-0x0000000000400000-0x000000000085F000-memory.dmp

Filesize
4.4MB

Download
memory/4888-228-0x0000000000AC0000-0x0000000000ACB000-memory.dmp

Filesize
44KB

Download
memory/4888-217-0x0000000000B90000-0x0000000000C90000-memory.dmp

Filesize
1024KB

Download
memory/4888-294-0x0000000000400000-0x000000000085F000-memory.dmp

Filesize
4.4MB

Download
memory/4944-269-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/4944-511-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4968-158-0x0000000073760000-0x0000000073F10000-memory.dmp

Filesize
7.7MB

Download
memory/4968-177-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/4968-175-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/4968-169-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/4968-152-0x0000000000100000-0x0000000000188000-memory.dmp

Filesize
544KB

Download
memory/4968-361-0x0000000073760000-0x0000000073F10000-memory.dmp

Filesize
7.7MB

Download
memory/4968-170-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/5244-619-0x00007FFFB1170000-0x00007FFFB1172000-memory.dmp

Filesize
8KB

Download