Malware Analysis Report

2024-12-01 03:01

Sample ID 241107-zr9h5sxqfw
Target BuiltStub.exe
SHA256 e014eb99de60b913905f2a6c4267f663c36beee4ef35df66e8ca7f372b871b9b
Tags
remcos remotehost collection credential_access discovery evasion rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e014eb99de60b913905f2a6c4267f663c36beee4ef35df66e8ca7f372b871b9b

Threat Level: Known bad

The file BuiltStub.exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost collection credential_access discovery evasion rat stealer trojan

UAC bypass

Remcos family

Remcos

Detected Nirsoft tools

NirSoft WebBrowserPassView

NirSoft MailPassView

Uses browser remote debugging

Executes dropped EXE

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Modifies registry key

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 20:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 20:58

Reported

2024-11-07 21:00

Platform

win10ltsc2021-20241023-en

Max time kernel

136s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BuiltStub.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\beIdRsTjIX.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SystemTemp C:\Program Files\Google\Chrome\Application\Chrome.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\beIdRsTjIX.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\BuiltStub.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\BuiltStub.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\BuiltStub.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\beIdRsTjIX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\beIdRsTjIX.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4572 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\BuiltStub.exe C:\Users\Admin\AppData\Local\Temp\beIdRsTjIX.exe
PID 4572 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\BuiltStub.exe C:\Users\Admin\AppData\Local\Temp\beIdRsTjIX.exe
PID 4572 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\BuiltStub.exe C:\Users\Admin\AppData\Local\Temp\beIdRsTjIX.exe
PID 3692 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\beIdRsTjIX.exe C:\Windows\SysWOW64\cmd.exe
PID 3692 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\beIdRsTjIX.exe C:\Windows\SysWOW64\cmd.exe
PID 3692 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\beIdRsTjIX.exe C:\Windows\SysWOW64\cmd.exe
PID 3692 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\beIdRsTjIX.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 3692 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\beIdRsTjIX.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 3692 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\beIdRsTjIX.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 3692 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\beIdRsTjIX.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 3896 wrote to memory of 3504 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\cmd.exe
PID 3896 wrote to memory of 3504 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\cmd.exe
PID 3896 wrote to memory of 3504 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\cmd.exe
PID 3896 wrote to memory of 4796 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 3896 wrote to memory of 4796 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 3896 wrote to memory of 4796 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 3896 wrote to memory of 4796 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 3516 wrote to memory of 3640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3516 wrote to memory of 3640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3516 wrote to memory of 3640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3504 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3504 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3504 wrote to memory of 1980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3896 wrote to memory of 1896 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3896 wrote to memory of 1896 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1896 wrote to memory of 3700 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1896 wrote to memory of 3700 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 3896 wrote to memory of 1972 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 3896 wrote to memory of 1972 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 3896 wrote to memory of 1972 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 3896 wrote to memory of 2392 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 3896 wrote to memory of 2392 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 3896 wrote to memory of 2392 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 3896 wrote to memory of 2392 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 3896 wrote to memory of 2788 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 3896 wrote to memory of 2788 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 3896 wrote to memory of 2788 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 3896 wrote to memory of 2788 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 3896 wrote to memory of 2316 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 3896 wrote to memory of 2316 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 3896 wrote to memory of 2316 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 3896 wrote to memory of 3220 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 3896 wrote to memory of 3220 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 3896 wrote to memory of 3220 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 3896 wrote to memory of 3220 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 1896 wrote to memory of 3084 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1896 wrote to memory of 3084 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1896 wrote to memory of 3084 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1896 wrote to memory of 3084 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1896 wrote to memory of 3084 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1896 wrote to memory of 3084 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1896 wrote to memory of 3084 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1896 wrote to memory of 3084 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1896 wrote to memory of 3084 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1896 wrote to memory of 3084 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1896 wrote to memory of 3084 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1896 wrote to memory of 3084 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1896 wrote to memory of 3084 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1896 wrote to memory of 3084 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1896 wrote to memory of 3084 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1896 wrote to memory of 3084 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1896 wrote to memory of 3084 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1896 wrote to memory of 3084 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 1896 wrote to memory of 3084 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\BuiltStub.exe

"C:\Users\Admin\AppData\Local\Temp\BuiltStub.exe"

C:\Users\Admin\AppData\Local\Temp\beIdRsTjIX.exe

C:\Users\Admin\AppData\Local\Temp\beIdRsTjIX.exe

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x514 0x504

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Program Files\Google\Chrome\Application\Chrome.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffb38a5cc40,0x7ffb38a5cc4c,0x7ffb38a5cc58

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\kmltijzugfqecvnlzrjfjmmnfbnpvzg"

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\kmltijzugfqecvnlzrjfjmmnfbnpvzg"

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\mhrmjbkounijmcjxqcwzuzgwoqfyokxyoc"

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xjewkuu"

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xjewkuu"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2208,i,11431903100084223479,6741209508517124289,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2204 /prefetch:2

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1848,i,11431903100084223479,6741209508517124289,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2376 /prefetch:3

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1980,i,11431903100084223479,6741209508517124289,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2484 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3192,i,11431903100084223479,6741209508517124289,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3204 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,11431903100084223479,6741209508517124289,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3264 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4632,i,11431903100084223479,6741209508517124289,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4636 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4748,i,11431903100084223479,6741209508517124289,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4784 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4796,i,11431903100084223479,6741209508517124289,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4896 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x12c,0x130,0x134,0x128,0x138,0x7ffb387246f8,0x7ffb38724708,0x7ffb38724718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,7329331664875030203,749014907352467099,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,7329331664875030203,749014907352467099,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,7329331664875030203,749014907352467099,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2096,7329331664875030203,749014907352467099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2096,7329331664875030203,749014907352467099,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2096,7329331664875030203,749014907352467099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2096,7329331664875030203,749014907352467099,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\jdmjfdpbhnlfksfzmkxjbssec.vbs"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,7329331664875030203,749014907352467099,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5192 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 209a4381-e3eb-466a-9efc-fca8d71e6314-00-2bl68nwmi4jw4.kirk.replit.dev udp
US 35.247.106.28:443 209a4381-e3eb-466a-9efc-fca8d71e6314-00-2bl68nwmi4jw4.kirk.replit.dev tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 microsoft.com udp
AU 20.70.246.20:443 microsoft.com tcp
US 8.8.8.8:53 28.106.247.35.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 23.192.22.93:443 www.microsoft.com tcp
US 8.8.8.8:53 20.246.70.20.in-addr.arpa udp
US 8.8.8.8:53 93.22.192.23.in-addr.arpa udp
FR 194.59.31.143:4444 tcp
FR 194.59.31.143:4444 tcp
FR 194.59.31.143:4444 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 143.31.59.194.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.179.234:443 ogads-pa.googleapis.com tcp
GB 216.58.201.110:443 apis.google.com tcp
GB 142.250.179.234:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 228.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 234.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.187.206:443 play.google.com tcp
FR 194.59.31.143:4444 tcp
FR 194.59.31.143:4444 tcp
N/A 127.0.0.1:9222 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
GB 172.165.61.93:443 nav.smartscreen.microsoft.com tcp
GB 172.165.61.93:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 data-edge.smartscreen.microsoft.com udp
GB 172.165.69.228:443 data-edge.smartscreen.microsoft.com tcp
GB 172.165.69.228:443 data-edge.smartscreen.microsoft.com tcp
GB 172.165.69.228:443 data-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 93.61.165.172.in-addr.arpa udp
US 8.8.8.8:53 228.69.165.172.in-addr.arpa udp
N/A 127.0.0.1:9222 tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
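
The two places where this report's "Uses browser remote debugging" and Remcos C2 findings are actually visible are the msedge.exe command lines above (every renderer carries --remote-debugging-port=9222, which Chromium copies from the parent launch) and the network table (four loopback connections to 127.0.0.1:9222, five direct-to-IP connections to 194.59.31.143:4444 with no DNS lookup, and the geoplugin.net request that Remcos is documented to make for victim geolocation). The script below is an added example, not part of the sandbox report or any tool it used: it parses command lines and network rows in exactly the layout printed here and correlates the three signals. The sample data is copied from this page; the browser image list and the geoplugin.net-to-Remcos mapping are assumptions of the example, and the process that opened the loopback connections is not on the page, so the script does not claim to know it.

```python
"""Triage of the behavioral1 process list and network table.

Added example; not part of the sandbox report. The sample command lines and
network rows below are copied from this page; the host's process tree (which
process connected to 127.0.0.1:9222) is not on the page and is not assumed.
"""
import ipaddress
import re
from collections import Counter

BROWSERS = ("msedge.exe", "chrome.exe", "chromium.exe", "brave.exe")  # assumed list
# Remcos is documented to call geoplugin.net to geolocate the victim.
KNOWN_RAT_LOOKUPS = {"geoplugin.net": "Remcos geolocation check"}
DEBUG_PORT = re.compile(r"--remote-debugging-port=(\d+)")

# Constructed from the process list above (one renderer, one utility, the VBS).
SAMPLE_CMDLINES = [
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2096,7329331664875030203,749014907352467099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,7329331664875030203,749014907352467099,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3',
    r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\jdmjfdpbhnlfksfzmkxjbssec.vbs"',
]

# Constructed from the Network table above: the subset of rows that carries the
# C2, geoplugin and loopback traffic, copied verbatim with their multiplicity.
SAMPLE_NETWORK = """
US 8.8.8.8:53 209a4381-e3eb-466a-9efc-fca8d71e6314-00-2bl68nwmi4jw4.kirk.replit.dev udp
US 35.247.106.28:443 209a4381-e3eb-466a-9efc-fca8d71e6314-00-2bl68nwmi4jw4.kirk.replit.dev tcp
FR 194.59.31.143:4444 tcp
FR 194.59.31.143:4444 tcp
FR 194.59.31.143:4444 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 143.31.59.194.in-addr.arpa udp
FR 194.59.31.143:4444 tcp
FR 194.59.31.143:4444 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 224.0.0.251:5353 udp
"""


def image_of(cmdline):
    """Executable path from a Windows command line (quoted or bare first token)."""
    if cmdline.startswith('"'):
        return cmdline.split('"', 2)[1]
    return cmdline.split(None, 1)[0]


def debug_ports(cmdlines):
    """{port: count} of browser processes carrying a DevTools listening port.
    Chromium copies the flag to its child processes, so the count is per
    process, not per listening socket."""
    ports = Counter()
    for cmd in cmdlines:
        if image_of(cmd).lower().endswith(BROWSERS):
            m = DEBUG_PORT.search(cmd)
            if m:
                ports[int(m.group(1))] += 1
    return dict(ports)


def parse_network(table):
    """Rows are 'Country Destination [Domain] Proto'; Domain is absent for
    direct-to-IP and loopback traffic, so a 3-field row is valid."""
    rows = []
    for line in table.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, None
        else:
            continue
        host, _, port = dest.rpartition(":")
        if not port.isdigit():
            continue  # header line or malformed destination
        rows.append({"country": country, "ip": ipaddress.ip_address(host),
                     "port": int(port), "domain": domain, "proto": proto})
    return rows


def triage(cmdlines, table):
    """Return (finding, indicator, count) triples for the three signals that
    matter here: DevTools abuse, direct-to-IP C2, and a known RAT helper lookup."""
    rows = parse_network(table)
    findings = []
    # 1. A browser exposed a DevTools port AND something on the host connected to it.
    for port in debug_ports(cmdlines):
        hits = sum(1 for r in rows if r["ip"].is_loopback and r["port"] == port)
        if hits:
            findings.append(("browser_remote_debugging", f"127.0.0.1:{port}", hits))
    # 2. Public addresses the sandbox never tied to a name (the set below also
    #    absorbs the resolver, whose rows carry the queried name).
    resolved = {r["ip"] for r in rows if r["domain"]}
    direct = Counter()
    for r in rows:
        ip = r["ip"]
        if r["domain"] is None and ip.is_global and not ip.is_multicast and ip not in resolved:
            direct[(str(ip), r["port"], r["proto"])] += 1
    for (ip, port, proto), n in direct.items():
        findings.append(("direct_ip_c2_candidate", f"{ip}:{port}/{proto}", n))
    # 3. Helper services that specific RAT families are known to contact.
    for domain, why in KNOWN_RAT_LOOKUPS.items():
        n = sum(1 for r in rows if r["domain"] == domain and r["proto"] == "tcp")
        if n:
            findings.append(("known_rat_lookup", f"{domain} ({why})", n))
    return findings


if __name__ == "__main__":
    for kind, indicator, n in triage(SAMPLE_CMDLINES, SAMPLE_NETWORK):
        print(f"{kind:28} {indicator:45} x{n}")
```

The in-addr.arpa rows are the sandbox's own reverse lookups of addresses it already saw and carry no signal, which is why the script keys on forward names only. The TmpUserData profile listed under Files (Login Data, Web Data, History, Cookies-style leveldb stores) is consistent with the debug-enabled browser having been started into a throwaway profile; the report does not print the launching command line, so that remains an inference.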

Files

C:\Users\Admin\AppData\Local\Temp\beIdRsTjIX.exe

MD5 4a69fd78447bf7d72188e565939ec6ea
SHA1 8d32b69dba3cdf02437a34113413bbf0da3bfdbc
SHA256 95c990ca8d71941250ba74ecdb8c2c2de724912b79e8a988909f9098c7123863
SHA512 95beae8b4eb42f0b3ccdd2147a345bf97e3143d0ad71a255e7c822cb3bf3c1b7660ec7bda463571d69a6818d96163e1aa7118135a7010eee0e7551482bead998

memory/3896-4-0x0000000000960000-0x00000000009DF000-memory.dmp

memory/3896-6-0x0000000000960000-0x00000000009DF000-memory.dmp

memory/3896-14-0x0000000000960000-0x00000000009DF000-memory.dmp

memory/3896-12-0x0000000000960000-0x00000000009DF000-memory.dmp

memory/3896-13-0x0000000000960000-0x00000000009DF000-memory.dmp

memory/3896-7-0x0000000000960000-0x00000000009DF000-memory.dmp

memory/3896-5-0x0000000000960000-0x00000000009DF000-memory.dmp

memory/3896-15-0x0000000000960000-0x00000000009DF000-memory.dmp

memory/4796-18-0x0000000000600000-0x000000000067F000-memory.dmp

memory/4796-19-0x0000000000600000-0x000000000067F000-memory.dmp

memory/4796-17-0x0000000000600000-0x000000000067F000-memory.dmp

memory/3896-20-0x0000000000960000-0x00000000009DF000-memory.dmp

memory/4796-16-0x0000000000600000-0x000000000067F000-memory.dmp

memory/3896-21-0x0000000000960000-0x00000000009DF000-memory.dmp

memory/3896-22-0x0000000000960000-0x00000000009DF000-memory.dmp

memory/3896-24-0x0000000000960000-0x00000000009DF000-memory.dmp

memory/3896-25-0x0000000000960000-0x00000000009DF000-memory.dmp

memory/3896-23-0x0000000000960000-0x00000000009DF000-memory.dmp

memory/3896-27-0x0000000000960000-0x00000000009DF000-memory.dmp

memory/3896-28-0x0000000010000000-0x0000000010034000-memory.dmp

memory/3896-32-0x0000000010000000-0x0000000010034000-memory.dmp

memory/3896-31-0x0000000010000000-0x0000000010034000-memory.dmp

memory/2788-38-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2788-44-0x0000000000400000-0x0000000000462000-memory.dmp

memory/3220-45-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3220-54-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

\??\pipe\crashpad_1896_KTWSCKNYHKJDFTLO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3220-47-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2392-46-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2788-43-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2392-41-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2392-37-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

MD5 d0d388f3865d0523e451d6ba0be34cc4
SHA1 8571c6a52aacc2747c048e3419e5657b74612995
SHA256 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\100e0fc1-65d9-4dca-bf04-8f7a2f227857.tmp

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/3896-160-0x0000000004BE0000-0x0000000004BF9000-memory.dmp

memory/3896-163-0x0000000004BE0000-0x0000000004BF9000-memory.dmp

memory/3896-164-0x0000000004BE0000-0x0000000004BF9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kmltijzugfqecvnlzrjfjmmnfbnpvzg

MD5 5872cf2ba95f4b1fc40b3bd67d891d2d
SHA1 eba24b680b8ad3fb6b14dec9ceed5f0d82f3911f
SHA256 cbd11810b20b3b0836bf154c145b5bd287a84b4e429bbe93e94953b76e408f7e
SHA512 647794b72eb773142720ced98805dab6d1087c61998247a7bf5646906535cf946761dde4d8be5a208677d2b717cd84562f0875a77a3e518ebd8379fa044e6a20

memory/3896-165-0x0000000000960000-0x00000000009DF000-memory.dmp

memory/3896-176-0x0000000000960000-0x00000000009DF000-memory.dmp

memory/3896-177-0x0000000000960000-0x00000000009DF000-memory.dmp

memory/3896-178-0x0000000000960000-0x00000000009DF000-memory.dmp

memory/3896-179-0x0000000000960000-0x00000000009DF000-memory.dmp

memory/3896-180-0x0000000000960000-0x00000000009DF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 49222a83ea369cb00cc3c79d8446e5a0
SHA1 652461233fd5b33158b11c95e7d7a2a5cf173f1f
SHA256 c6f55fe2c97c41bb5ddb3347f4d77322ca86da487e7d9ba3f325f3a8dca4d9c4
SHA512 41afa1b0b57fadad39abf4d783912435931a6aadb39b88940b7eb2f4bef795d4ed56b3373d3803335f5c66c72cbe72fff18fda33c8bfa630cc9f3589ec1ddfd5

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

MD5 9e4e94633b73f4a7680240a0ffd6cd2c
SHA1 e68e02453ce22736169a56fdb59043d33668368f
SHA256 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 3876521bb5b38a621549e3dcdaca15e9
SHA1 7b2277d408dab8a68cf35304986895d093efcf23
SHA256 bd082a9719e3d0aa1e8b966fdc21f7321ef8a77db11a9f38f400e9dff413408f
SHA512 a8461f3a3b3be8b00f3429a9c795aedb5c20b973dca4cc72aeacbee231a6ce13a24f161271be60cf525c160b5b21d20142c03229693ba9fc568adbb3681521ed

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 5d4e20f86e7945a2e1c5ffc802a79ec0
SHA1 5f3df65a9ff9947ae092950682c3fe0ae01ec759
SHA256 b0674daaeae8af4f7c2ab5a1c59837544db7127bb0733ef26d58c89c0eeed147
SHA512 98445897e0353c0f321a37505bee26fe5ae393cb55ee458c6838509e4e18fbb13d3468d72133e191b6805229de56fa6c52bbf87182ca8106a235606610437ada

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

MD5 838a7b32aefb618130392bc7d006aa2e
SHA1 5159e0f18c9e68f0e75e2239875aa994847b8290
SHA256 ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA512 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

MD5 148079685e25097536785f4536af014b
SHA1 c5ff5b1b69487a9dd4d244d11bbafa91708c1a41
SHA256 f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8
SHA512 c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

MD5 986962efd2be05909f2aaded39b753a6
SHA1 657924eda5b9473c70cc359d06b6ca731f6a1170
SHA256 d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889
SHA512 e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

MD5 69449520fd9c139c534e2970342c6bd8
SHA1 230fe369a09def748f8cc23ad70fd19ed8d1b885
SHA256 3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277
SHA512 ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 6e466bd18b7f6077ca9f1d3c125ac5c2
SHA1 32a4a64e853f294d98170b86bbace9669b58dfb8
SHA256 74fc4f126c0a55211be97a17dc55a73113008a6f27d0fc78b2b47234c0389ddc
SHA512 9bd77ee253ce4d2971a4b07ed892526ed20ff18a501c6ba2a180c92be62e4a56d4bbf20ba3fc4fbf9cf6ce68b3817cb67013ad5f30211c5af44c1e98608cb9e3

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Extension State\LOG

MD5 47b97d876fdb8b775a7abdc0537838e7
SHA1 5c32085e62bf44e3ceb7eb540cdbc197b5f78e3c
SHA256 ce8eb1fd5fbd9201f86393a4b54d0b2b0d9ad7bd561d764f6c88390a28fe2269
SHA512 922cad40c800131d953be909214939c7a0c6bb2261f8af9f2c675648f43e0dea1b4deeadf54041fdf1d5a2d89c0b00752eea0aa141b1acb3dda33e7753c3a127

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

MD5 c7d022ddf02edeb535d2d8d68177d70a
SHA1 00869e0e62d6df7be2757b20d8b9518c84326f34
SHA256 0ab6115896784eee7b451565a7c46d139db8dd136a5c22791ab0f35373ffa41a
SHA512 9ed6b1f8d18c203caec364c8592b71f0aca0afe670a70838c4ee018b4e6fa65f4bab5ea91033b74b99f2fc520bce570cea68e03a5f466dd69532c18720905684

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000003.log

MD5 e58c9b00248f2c9294081afc79fc941e
SHA1 ebf84a128d83b24ae7add5ddef343e82327f944e
SHA256 afe90c59bf376693b5a3c12c0e80d05d836a8c304c59ae212c90ff4f57bad2df
SHA512 8d1f745a89ad4d4d32fee17ca4db763fd91cd15946bb7728775245734f1ba0ec0ec7622b01aea1447604e413e6183befe4cba3e672b5ff8f7fb66da9fba8a543

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

MD5 23903f42b6d33b8e144d56d58d4241ed
SHA1 5b50f140ee9393f696a8217f21e14389bd3b9002
SHA256 512cebdb3903508b1bdbb23ed760bc1c1b7edecb0a7c635f7122f5fefdd802e2
SHA512 93fe1ed2f27f17a95580c2c2c4a4cbe92e73e43e6d7e01385f30564a41250e3dccf80f23607da9297a085af289273be85629cb7b2d483f33d3e65c69e1c9d27b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

MD5 2791cf36614e481b0a54345e084918d6
SHA1 c47022d32f186e6fb2b88b396b20c6164c0cce80
SHA256 8c7350dafe9750189bbd42d2e3a7cbffd350eb7be4a8b383e7fb6def43c90afc
SHA512 4169127d918492aeaffe87cab2ab7c00c1c4c31fea5390748af2f4ade0c3210a36ab6f9f3144f8a599ac076af8ea9fc2e05e93da377f26075dfea46cd5e148dc

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

MD5 5ae754557fc300a10000e2f4d242be4b
SHA1 b0f0a7812480057db30c67b632e6b8982a1b4061
SHA256 04fbce7c19e0057a7d0185d4c64dc9dd3886a722fdc9c06c4f83562217fa0a20
SHA512 a26b76e1655bfe8ff86ea6d6ebaaaaa8299084ed7748a6228257520a7524055fbc9897bfeee955a734ba62eea697aa65987dc8f1a05f98375b5edf05b00c5875

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

MD5 460bb5bb252f40fbb7fbf27113858b88
SHA1 4ff16737b8af419209ba0a3415ece35e36ed0aed
SHA256 2f642e056fa2deb04c14418fa33c4b988acc85909298bb52277fed018fbcdbbf
SHA512 1830934d932484fa88a26d5631b847a67518da0c6667b4840e6f2759085a7ccdb15526f784efd4acf1575b4569b9a4b9d0d6de7cb0b70dc34d3b3949aa1f35f8

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

MD5 9082ba76dad3cf4f527b8bb631ef4bb2
SHA1 4ab9c4a48c186b029d5f8ad4c3f53985499c21b0
SHA256 bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd
SHA512 621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index-dir\the-real-index

MD5 fca95d458f411768e25e42c8d1081006
SHA1 c5478828d48448b6e96fc71eb8ed2b928c149c69
SHA256 754d4e52f67d0650ce9ea9fc77a1a54454734c8e74173c3534abe7c82cc65f6f
SHA512 6da6f556dad8008386d5cf782222b8815f47c10bdee32376c3d8bbacc80e49da3c058a85185f6df995c5610c76b86f894b510ed77fb445f4d3dfde3c7b5918a5

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index

MD5 2be677ec151673fbd83e0940a573dc66
SHA1 dc97aab65d2fb100745b31c262558b7cb58355e5
SHA256 64aaae4cdf81259231b228a0b96c0a70d11175188e9500febcbf413019a78831
SHA512 b8993ea6fd1db1c16d4fc026070b905f992d2349c55f27a9e2ccda7fc781d9409bd198b07dc8fb2b0c7b3a2fd5241a3fb6336d60a0f7b68f1df2d7538acfcb25

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

MD5 0f6473642e876f5fb946d95f3cd2d302
SHA1 8317a0be4fc3d62468ced89208dad0b7c6f8cef9
SHA256 e93566be816793e1fee9d9cc5640ab787d9dc32ffa0049b0d91e565e130a4449
SHA512 f05a6b1344310eff728618c8c774898ffdbffea4e843d8b8c9e3b0a4b648ad358859f3ed64c720394f42f15fb05deb4a1d267fd73ead92be1ed630871ba88496

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

MD5 e9e462a1b4d59e147cf6a727bce9f261
SHA1 d218f2f7f34b7dda04093f7b1508cb4b19afab80
SHA256 486868e789e1d996a1b49938857f0bdde9959c466af43b637215450be9ae8276
SHA512 abc2b373e27578688989781c7116cfa162cda8cd21619c56c4cedc4783cea6bba8a55340afcc10c218d4ee08ea75119af50ac8bf330c3042206990674224eddd

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

MD5 8411f61ee0154ff3145043e851d4f145
SHA1 e9df89f2045df11d4176baa27733cea983960e68
SHA256 67e041d2f9de7ae34d8568e1bd84767076dd543ecc8ed2ef3f1a51fc98ee80ff
SHA512 ba52827d3659577cfa2f6a13f8ebc581d09d152c547deafb0dd91052789633c961aa765436d369acd707ced908a066ad0bcdaf4590f16a0119e00b714300baba

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 119b1c73fb3b689375cdeb1c8efa9e56
SHA1 aee748df84ef79ddcbd83b09eaab94092b9a4d1d
SHA256 37df34e22fc8da8faf92b7f1eb1ed4e581a2c78288f3eda8db30259759fe9075
SHA512 953989c94a0461ec3f3350880027e85e2b397a6a8f19b9be0787b5c8cbaa6417d2852e076aed26c17b4900deeeed756c0d76b03339479efc4bb4348f4e5fd489

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

MD5 b40e1be3d7543b6678720c3aeaf3dec3
SHA1 7758593d371b07423ba7cb84f99ebe3416624f56
SHA256 2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4
SHA512 fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

MD5 27ce3d2f4e4999ac3195150834ac6d26
SHA1 600cf42194b4f18b5d5384b38fca745feb70b048
SHA256 be8e9eb422fad4fcbc8a0024a965babab6505a63f19c5f2fdf1c3c226d28c35b
SHA512 fe46f27088fa3336d5da9bc80bf919dc29b00c57e02ebddc4b25631a3a93aec87efdc601b2bbb4e581458ca31f4a1e4d44666a655d25200abfbb8246e1691793

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

MD5 90881c9c26f29fca29815a08ba858544
SHA1 06fee974987b91d82c2839a4bb12991fa99e1bdd
SHA256 a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a
SHA512 15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

MD5 0ff38c84edb1cf11395c7587bf25f62c
SHA1 8d43612a549b358c04b2e8a31ed4de051c529fef
SHA256 b8e15528fc429c3760a6549d23d449d678904e7682dbc9eeb843558904a0a2cf
SHA512 65a12000a85389db02acbb377d5eab25fa299988ba615d15572c5b90134153d2acd61c18f604593cb8f27bcb7d4b04a62a8fab16ddfb818209f57db9be9caa86

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

MD5 4e8f56dd7d77fdb247dca2283a9dfbd5
SHA1 dbca225cc5ed59e75a3e01348f23a49a25984971
SHA256 dfcd94c9a993c01c625b8cc1bfa80121d602d92e9fed923cb0f970133ef40279
SHA512 2b326f94646d68203bb6ab396dd6c035ae84d176a6f19cbecc5c0bf120851f73ff37fd03ccacd59a04a7f6b895b47ed17fe682bc23601ec49b2609dbfe593849

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

MD5 d30bfa66491904286f1907f46212dd72
SHA1 9f56e96a6da2294512897ea2ea76953a70012564
SHA256 25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907
SHA512 44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

MD5 1f84c34e0ddd5362eab15a0cdc040789
SHA1 6c76ae02d415f8fb466d324fc8251074b87552f4
SHA256 c23992d95c17a8665e5271c32f1420aefda925ff8075bc6ec3b95065c65a3aa6
SHA512 a6d6d55ad2308eabfc15a54fe5703a613ed8aefe35f17777c18fdeae7738659e49f6d7863aa7ec2bb03c3204aae52fce578effb7740f098a5cdd33049c1c3687

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

MD5 cf173784a90d6d33df91f87a9de95d87
SHA1 65254db1431a5a95a868543c78dc35312749e5d9
SHA256 24ea743f3ace1f0dbb14bfb9eaeebc0f7ee8b02758f8b776f12727535fe6e8e6
SHA512 4cc5839d9deb63ecabb3fe5cc1d5b37bb5733c52fa93adfac9dd7cbae43c4c6b75b91cd15f1d2f1d8f430e5776b6b6eac88adaf0241692347f79ee141d3d8579

memory/3896-322-0x0000000000960000-0x00000000009DF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jdmjfdpbhnlfksfzmkxjbssec.vbs

MD5 f7e053e48b797abc593e596962dbfe1b
SHA1 21ffe5ee4d9d1cc574c5dd3501eaf0618e143c2e
SHA256 36ae8c98d9441fb00e5daba9b83341861f262e611a77113257d192d7ffb4642e
SHA512 a0eb7785ea8a6886ec3fd5a9ed2ff778bf6618d10cd27d30a0bb8081beafab12f27e2bcad7f05e45c77459604ee15132f0d5666590d676b49bae119dffde35e9

memory/3896-330-0x0000000000960000-0x00000000009DF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 26b405e8975729cad23ef7da83375dfb
SHA1 8e0443fadec79c1c672f618c4099725c1bdf1d88
SHA256 192a05b1d7a539e1fb2acdae6bf79628126c9e816909d206f056ac6bebf81f21
SHA512 95cb4be1993b1136f136f1c2475fa778dd6fd4bfc927b54ed5731f4509f644f246333445ba6cd0f4cc84855b52c1b09d427327388da0647e1f4c72797f184e3e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

MD5 3a0f7bea5655eb638f5a36caf9f640f4
SHA1 f1ee3f57fafdfaae6441806035c40b1eb4c61dd5
SHA256 3235fffcfb7e915d2e0965993fe1483092fb41e73e178660a86bfefc3f5dce58
SHA512 053f69336b258073d5a86e382b782c36a0f8e7326a53a1ecc03fcf9eda729fa32ad86d989832d4e4198385a589267f181974e552efc3c20673dde78f30d30f21

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 ac2b76299740efc6ea9da792f8863779
SHA1 06ad901d98134e52218f6714075d5d76418aa7f5
SHA256 cc35a810ed39033fa4f586141116e74e066e9c0c3a8c8a862e8949e3309f9199
SHA512 eec3c24ce665f00cd28a2b60eb496a685ca0042c484c1becee89c33c6b0c93d901686dc0142d3c490d349d8b967ecbbd2f45d26c64052fb41aad349100bd8f77

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

MD5 7e3229096c9ce52cef96cc0d46b3c11a
SHA1 6572a00f16a1d8d2681a1edcfae1984a516977a0
SHA256 705fa40c5057747323e11605e708a75bef7ef5ae06e2d3e41775e90094aa6d8b
SHA512 c52c0cb04d3203ae44c61e3b100627bdad6aa4cdabd6ce8b593bf1cfb1bccaa504fc29a9a0be2d210611149f2a32d63519bab6037285437b00cbbb10b5687698

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-07 20:58

Reported

2024-11-07 20:59

Platform

win11-20241007-en

Max time kernel

72s

Max time network

80s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BuiltStub.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
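
The two rows above record reg.exe writing EnableLUA = 0 under the machine-wide UAC policy key. Two points a responder should keep in mind: that key is writable only with an elevated token, so the rows document the outcome of an elevation that happened earlier, not the bypass itself; and EnableLUA takes effect at the next reboot, so the sample is weakening the next run rather than elevating now. The check below is an added example, not part of the report: it classifies registry "Set value" events of the kind printed here (Sysmon Event ID 13 carries the same fields) and, on a Windows host, audits the live policy values against the known-weak settings. The sample events are constructed from the two rows above; the reg.exe command line is not on the page and is not assumed.

```python
"""UAC policy check for the 'UAC bypass' rows above.

Added example; not part of the sandbox report. The sample events are
constructed from the two rows in this section; the reg.exe command line is not
shown on the page and is not assumed. read_live_uac_policy() only works on
Windows and returns None elsewhere.
"""
import sys

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# name -> (weak value, severity, meaning) for settings that disable or soften UAC.
WEAK_VALUES = {
    "EnableLUA": (0, "critical", "UAC off entirely; applies at next reboot"),
    "ConsentPromptBehaviorAdmin": (0, "high", "admins elevate silently with no prompt"),
    "PromptOnSecureDesktop": (0, "medium", "elevation prompts leave the secure desktop"),
}

# Constructed from the two 'Set value (int)' rows above (value quoted as printed).
SAMPLE_EVENTS = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     '"0"', r"C:\Windows\SysWOW64\reg.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     '"0"', r"C:\Windows\SysWOW64\reg.exe"),
]


def assess_registry_set(path, value):
    """Classify one registry 'Set value' event. Returns (severity, message) when
    the write weakens UAC under the machine policy key, else None."""
    key, _, name = path.rpartition("\\")
    if not key.upper().endswith(POLICY_KEY.upper()):
        return None
    rule = WEAK_VALUES.get(name)
    if rule is None:
        return None
    weak_value, severity, meaning = rule
    try:
        if int(str(value).strip('"')) != weak_value:
            return None
    except ValueError:
        return None  # not an integer write; not one of the tracked settings
    return severity, f"{name}={weak_value}: {meaning}"


def audit_policy(values):
    """Evaluate a {name: int} mapping (live registry or an offline SOFTWARE hive)."""
    hits = []
    for name, value in values.items():
        hit = assess_registry_set(POLICY_KEY + "\\" + name, value)
        if hit:
            hits.append(hit)
    return hits


def read_live_uac_policy():
    """Read the tracked values from HKLM on Windows; None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
        for name in WEAK_VALUES:
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                continue  # value absent: the OS default applies
    return values


if __name__ == "__main__":
    for path, value, process in SAMPLE_EVENTS:
        hit = assess_registry_set(path, value)
        if hit:
            print(f"[{hit[0]}] {process}: {hit[1]}")
    live = read_live_uac_policy()
    if live is not None:
        print("live host:", audit_policy(live) or "UAC policy at defaults")
```

The match is on the key suffix rather than the full path so the same function accepts the sandbox's \REGISTRY\MACHINE\... spelling, a Sysmon HKLM\... spelling, or a bare value name from a parsed offline hive.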

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HaeYSeoele.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SystemTemp C:\Program Files\Google\Chrome\Application\Chrome.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HaeYSeoele.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\Chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (blob data elided) C:\Users\Admin\AppData\Local\Temp\BuiltStub.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\BuiltStub.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (blob data elided) C:\Users\Admin\AppData\Local\Temp\BuiltStub.exe N/A
Note: CABD2A79A1076A31F21D253635CB039D4329A5E8 is the SHA-1 thumbprint of the public ISRG Root X1 CA (Let's Encrypt). Windows fetches a missing root through its automatic root update the first time a process builds a chain to it, and CryptoAPI does that inside the calling process, so BuiltStub.exe appearing as the writer is consistent with the sample's own outbound TLS traffic (behavioral1's network table includes a connection to a replit.dev host on 443) rather than with a planted root. Treat this row as trust-store tampering only after dumping the Blob and confirming it is not that CA certificate.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HaeYSeoele.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HaeYSeoele.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5916 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\BuiltStub.exe C:\Users\Admin\AppData\Local\Temp\HaeYSeoele.exe
PID 3272 wrote to memory of 5440 N/A C:\Users\Admin\AppData\Local\Temp\HaeYSeoele.exe C:\Windows\SysWOW64\cmd.exe
PID 3272 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\HaeYSeoele.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2396 wrote to memory of 2992 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 1564 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 5440 wrote to memory of 972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2992 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2396 wrote to memory of 5948 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2396 wrote to memory of 1660 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2396 wrote to memory of 1840 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2396 wrote to memory of 4596 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4596 wrote to memory of 2444 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4596 wrote to memory of 3136 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\BuiltStub.exe

"C:\Users\Admin\AppData\Local\Temp\BuiltStub.exe"

C:\Users\Admin\AppData\Local\Temp\HaeYSeoele.exe

C:\Users\Admin\AppData\Local\Temp\HaeYSeoele.exe

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004F0

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\avyrpeppdvkvfevfismgbrdlhnxc"

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\kxljpwzrrdcapkjjzdgamdyuibpllsg"

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\nrqcqpklflunrqfnjntbxislrizuedfuhk"

C:\Program Files\Google\Chrome\Application\Chrome.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff9206ecc40,0x7ff9206ecc4c,0x7ff9206ecc58

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1888,i,11407341958493649724,14512106715643127844,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1884 /prefetch:2

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1812,i,11407341958493649724,14512106715643127844,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1976 /prefetch:3

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2132,i,11407341958493649724,14512106715643127844,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2128 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,11407341958493649724,14512106715643127844,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,11407341958493649724,14512106715643127844,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3188 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4440,i,11407341958493649724,14512106715643127844,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4408 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4628,i,11407341958493649724,14512106715643127844,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4632 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4704,i,11407341958493649724,14512106715643127844,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4716 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff9200f3cb8,0x7ff9200f3cc8,0x7ff9200f3cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,2030944489933584903,2035935838990178163,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,2030944489933584903,2035935838990178163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,2030944489933584903,2035935838990178163,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=1860,2030944489933584903,2035935838990178163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=1860,2030944489933584903,2035935838990178163,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=1860,2030944489933584903,2035935838990178163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=1860,2030944489933584903,2035935838990178163,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=1860,2030944489933584903,2035935838990178163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=1860,2030944489933584903,2035935838990178163,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=1860,2030944489933584903,2035935838990178163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=1860,2030944489933584903,2035935838990178163,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\meuszrujsypsllitflehn.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209a4381-e3eb-466a-9efc-fca8d71e6314-00-2bl68nwmi4jw4.kirk.replit.dev udp
US 35.247.106.28:443 209a4381-e3eb-466a-9efc-fca8d71e6314-00-2bl68nwmi4jw4.kirk.replit.dev tcp
US 8.8.8.8:53 microsoft.com udp
US 20.112.250.133:443 microsoft.com tcp
US 23.192.22.93:443 www.microsoft.com tcp
FR 194.59.31.143:4444 tcp
NL 178.237.33.50:80 geoplugin.net tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com udp
US 8.8.8.8:53 228.179.250.142.in-addr.arpa udp
GB 216.58.201.110:443 apis.google.com tcp
GB 216.58.212.202:443 ogads-pa.googleapis.com tcp
GB 216.58.212.202:443 ogads-pa.googleapis.com udp
GB 142.250.187.206:443 play.google.com tcp
N/A 127.0.0.1:9222 tcp

Files

C:\Users\Admin\AppData\Local\Temp\HaeYSeoele.exe

MD5 4a69fd78447bf7d72188e565939ec6ea
SHA1 8d32b69dba3cdf02437a34113413bbf0da3bfdbc
SHA256 95c990ca8d71941250ba74ecdb8c2c2de724912b79e8a988909f9098c7123863
SHA512 95beae8b4eb42f0b3ccdd2147a345bf97e3143d0ad71a255e7c822cb3bf3c1b7660ec7bda463571d69a6818d96163e1aa7118135a7010eee0e7551482bead998

memory/2396-5-0x0000000001030000-0x00000000010AF000-memory.dmp

memory/2396-15-0x0000000001030000-0x00000000010AF000-memory.dmp

memory/2396-7-0x0000000001030000-0x00000000010AF000-memory.dmp

memory/1564-18-0x0000000000CB0000-0x0000000000D2F000-memory.dmp

memory/1564-19-0x0000000000CB0000-0x0000000000D2F000-memory.dmp

memory/1564-17-0x0000000000CB0000-0x0000000000D2F000-memory.dmp

memory/1564-16-0x0000000000CB0000-0x0000000000D2F000-memory.dmp

memory/2396-14-0x0000000001030000-0x00000000010AF000-memory.dmp

memory/2396-11-0x0000000001030000-0x00000000010AF000-memory.dmp

memory/2396-20-0x0000000001030000-0x00000000010AF000-memory.dmp

memory/2396-6-0x0000000001030000-0x00000000010AF000-memory.dmp

memory/2396-4-0x0000000001030000-0x00000000010AF000-memory.dmp

memory/2396-21-0x0000000001030000-0x00000000010AF000-memory.dmp

memory/2396-22-0x0000000001030000-0x00000000010AF000-memory.dmp

memory/2396-23-0x0000000001030000-0x00000000010AF000-memory.dmp

memory/2396-25-0x0000000001030000-0x00000000010AF000-memory.dmp

memory/2396-26-0x0000000001030000-0x00000000010AF000-memory.dmp

memory/2396-27-0x0000000001030000-0x00000000010AF000-memory.dmp

memory/2396-33-0x0000000010000000-0x0000000010034000-memory.dmp

memory/1840-39-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1660-47-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1660-43-0x0000000000400000-0x0000000000462000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 dd8d3aa4b4f81f7f2427175db7c738ed
SHA1 74afa9f2448e5e5c44b6a4a2ec39ebfbb55e6874
SHA256 cabbebdfe12327942793916bbdd541136f5e9b64b0d34237bf10420f9e6be87a
SHA512 fc1afbd15ee5bdd100cca7755042254a00c412a064b9c864f215baf2e3dc9c68a39ec4b6bed6ea8ec7fb483a956c77cc50d406f6741a79058997555d2d5afb49

memory/1840-40-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1840-42-0x0000000000400000-0x0000000000424000-memory.dmp

memory/5948-41-0x0000000000400000-0x0000000000478000-memory.dmp

memory/5948-35-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1660-34-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2396-32-0x0000000010000000-0x0000000010034000-memory.dmp

memory/5948-28-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2396-29-0x0000000010000000-0x0000000010034000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 c7ed215816fddea05ea5eb001a52ec45
SHA1 ff5b59f4d82ba920e5a6f797696c93e7d8f8e69c
SHA256 caebe765e1e6fd14fdcb3d252f8ad0b0711aa7044bfac3bedba0e9eb053cc236
SHA512 3abd247ce2a3b71bebe7a9e8f8c938afdec5d7b3073343fe2b0a4be2088b1d7e9ef3a420bbdab520702a64f6dfffe808bb3c5de8ba45d41c53902413b1b19d92

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

MD5 d06c450b28a1f2297aa0e3673972cc8a
SHA1 371518c909863bf115bdb28eb219b1e934ad0868
SHA256 9084bbca08d6d5e738d5314c18773f1b2663c1aa78e1720c93ef14a4bab9fa8b
SHA512 c167c74077a2b85743e8704eec82b3a743d61bd64724977f1b7618b0616b5127197df92d58d4ead1ed50ba3c5ba18ea6c535001bd9a5bff0918ded5cbe8135d4

\??\pipe\crashpad_4596_SJPJNBKZSAFBZOEZ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

MD5 d0d388f3865d0523e451d6ba0be34cc4
SHA1 8571c6a52aacc2747c048e3419e5657b74612995
SHA256 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Temp\avyrpeppdvkvfevfismgbrdlhnxc

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2396-170-0x0000000005290000-0x00000000052A9000-memory.dmp

memory/2396-169-0x0000000005290000-0x00000000052A9000-memory.dmp

memory/2396-166-0x0000000005290000-0x00000000052A9000-memory.dmp

memory/2396-171-0x0000000001030000-0x00000000010AF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Cache\Cache_Data\data_1

MD5 1a32ea14d79fec2ef40f005281caa219
SHA1 ceef9d9a19dbe7d7ba5f7b7d730c32a993480e26
SHA256 13df69b23d47cc94773effb2a0a5788344641f06971127c1b8394167d4b7dc7f
SHA512 7a515d9439cfe8418eca778a6f1dd7e9269ba8a4630844ac1dc65b9ab2c53fa51f991ebfa3698e480a7d9c710e1fcb2bb46269f33c1ccb962943d43110c2bce7

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Cache\Cache_Data\index

MD5 17850e7330e0475f9876fb2754c5cee8
SHA1 5b7a6ef50cb46b564425b39f9b86f2e76492033a
SHA256 0df30e847505535bb4e26755b05ab7ca9aea1840b87c7e8828e81231e03bf2d0
SHA512 545f5e9f8ab2b81785a68fad506deb8fa90f1b8837b258b31b094a0bcf5b6dc50a65b12143b324e65c95289b953190fac5ff980094c53499b7d3f878c18c27ee

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index

MD5 c2551481a625a246f9e007b44985fe07
SHA1 dbbc42fc0adb671db9a6dec07ee8a0d7d9f80d4e
SHA256 d1b3a0930ed341efd203f7ec4fdbe769d3d635eaabad23c09eff2a4589387348
SHA512 a3e2e03745009df700e74d36d50ec99c6b881b825858e52b389635e2ece38e7194f23e7221d9465c9f094ce50885ed626c82355ce15251a56c042eb481676246

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Safe Browsing Network\Safe Browsing Cookies

MD5 a603e09d617fea7517059b4924b1df93
SHA1 31d66e1496e0229c6a312f8be05da3f813b3fa9e
SHA256 ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7
SHA512 eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

MD5 12b011f11e4205418d6dd77e9131caf2
SHA1 5f5d19570d8f8b9da10af7b7c3ca489dd8b58b47
SHA256 05f4d958bac46d6340b3ce3c80d8004ecd05d75f77c29e1632080f5bc85fd075
SHA512 6a0f7c0ffe02c28719f9703738f1cf5922662be8eb2f9e35ce750e83d3be05b42824d5fa76769941c921dfea3950592ef7b76d2019e892ef9ee1ba094b5a45f1

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Trust Tokens

MD5 7289d4bdfbd73ed571278f95cb4c1939
SHA1 7c911f54243d9777a34666f4526a49c7e7aea244
SHA256 2d4ccf8ac8ae4f5c6ec8e0566210ff56585b6ba0290501a1a11ed9b23bfc226e
SHA512 6e7d48e18b0317449807c4ac2c377b3cccf5bd6121077d51152d7e188ba1ea3cf62372b7611036938986dd0c84465dbd747fe8580e3a699f8470229a6d57a749

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Reporting and NEL-journal

MD5 770c937fca638db9db9f18d323000a17
SHA1 2bea247461a4a2be975eabd9bb68e12a11eb6433
SHA256 0d555b9972bda6744f0a4b9655a7079b1c94ecec1a9581a39a956c43a95b7238
SHA512 69c5bb887a07c5ade4d9f6692744a259d4c4cd2cc28f81646e63f5d5662efc893c4bf72ad104289a09e58f9b25610957d3412f87ac475469ed25a324c3b0c83c

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Reporting and NEL

MD5 5f080b35a2352f916d574e049ffa88c5
SHA1 bb4cdb42ea2c454bcb92fac028696d65b4b91697
SHA256 10ce46995378459151b5a072d6ef1e54867ce57edcc1520ec6a0965b5ff432ff
SHA512 b9862a5ba6723d3859bb1baecc04df0bf14a3d6c06278fd7cfbbba2412fd0dc5dceca969a9e1fe967a8f29764cb800f475b3270f3d1c2868f56a2d1586125bea

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 dd0a193d7ca05fdf6b54dd21593223f1
SHA1 d9674f0e88b3ae83865f47e50adf35b677c4d20a
SHA256 c2ac7a49ed834ddda086137a53c96bc5df491c1bda91a063e65c6f1224d9235d
SHA512 6bb2f2896189f5dffd331cb05f8b157717a62d920e549612ff9ea0298f9526d1b1473b61f33d2c28f14bae7430e4ed543be7655e7a3fc89c559e77e3a2f68384

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies-journal

MD5 0c9c680f5d0c9b3501223ab70766b2f9
SHA1 b49d4fe0c632ccd00b4345903654ee9441fae747
SHA256 e7a2d0172e16ce5fbfedd55b12ffb52630d3e6f5c0939711707e7cc1995609c2
SHA512 642f660fe3ed7497fe1bcc72fb6b428181f52bdc1c220397d17a74eee3c0362e1c3faee2e916ae1cac5ce7f1cc466ecf9301e0249ebb6a67f8ad3ff989260323

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\9f812da6-7340-4e02-bd61-a782539c38e9.tmp

MD5 3aa4709c9f9f713b11c10f8a3b0b4941
SHA1 c612be8d49f5adabdf34a2a8d9563fc8a235e09a
SHA256 fae14e6b871af2142e5fde724ad9e908d6b0dc914ff27c5d95fb6a93669b1957
SHA512 cc609ab31f9e63bb04dce166de703716be16224e8c1bf5bab09493b48144c099ae005c8120d6a97befef6303d5d3f4d8933919a3e5552e59bf21d3de4cf65392

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data For Account

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

MD5 b160d6eaabcfbee02ff2f9462de777f2
SHA1 aeb60087507a69aea9fc50e57c1b3d976b7edb52
SHA256 bfae726b6a5fa1c5617935cecc7c1b14773d3a0791d0aa1a5643b4bdd41cc69a
SHA512 f1a8ad2159681e16c6ee9c55a84723090e4a4c277abfb269378d3c03fb70e15f266d26d85c918063f09777dabdae919312d0e9467c962bc20a280c132251d4eb

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

MD5 f310cf1ff562ae14449e0167a3e1fe46
SHA1 85c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256 e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA512 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

MD5 4e9ca2cd7eb5428e01758ae3a4dd07c5
SHA1 c8eb4059f9cbc4cc7c45c6be562861e1ddb33c80
SHA256 87d84fa35a692b43067b968329f2666792bee21ea40b8a454321b21dbc832db7
SHA512 4543c3c32adcebbd472025f2711b7b374436a0faa53ec96db6bbaee81f75b30a26271950c6ada7b6f5a176dc72c93d209084581b5c1f10a0bd86f6e6431625e8

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

MD5 b40e1be3d7543b6678720c3aeaf3dec3
SHA1 7758593d371b07423ba7cb84f99ebe3416624f56
SHA256 2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4
SHA512 fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Extension State\LOG

MD5 7e2f49369cefbf4d1cbdf2e74962ed78
SHA1 22ded06f323fb56fc0d691410e5ac21fa70b92b0
SHA256 14860b15c96ff59e8337313b203acfa8d0e9396f7390e355d959431af47de696
SHA512 2f3d074f6c435625a8eefb05ca67f37332e501c9ddba432645c6a1b40104a16b95c32c46bc2c31319e0eeed8be2522e9e9cec4c4cad4327ccfaeadcf24121aa0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\databases\Databases.db

MD5 315332044706528a5fe8a6dde075f0b3
SHA1 00afb7ad87d6b357f2ab8d7717a67951a2a9f0aa
SHA256 05cf19b9848e82ca48587087b680ad6e5bf0c898e9505125e3b6ef46f7371d75
SHA512 6e8553ab19864090437b9c006832a704cd3afde129af4b272598ca0e1da81e473aed4add82f857bfce30042924fe6072958e766d7154c8d70ce0ba8ab6744fe6

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Cache\Cache_Data\f_000003

MD5 d4586933fabd5754ef925c6e940472f4
SHA1 a77f36a596ef86e1ad10444b2679e1531995b553
SHA256 6e1c3edffec71a01e11e30aa359952213ac2f297c5014f36027f308a18df75d2
SHA512 6ce33a8da7730035fb6b67ed59f32029c3a94b0a5d7dc5aa58c9583820bb01ef59dd55c1c142f392e02da86c8699b2294aff2d7c0e4c3a59fce5f792c749c5ce

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Cache\Cache_Data\f_000002

MD5 24393e2ccc4e7a164f062df993d27335
SHA1 c8f960244677439e72295d499440f295ae5be7c5
SHA256 3ecbdf289749ebf07b749a91eb3db3d1f8fc338e5cae2dae22730fb893736130
SHA512 a675af57b19197f17a1be1351c3cee6a291f23dc2614081bd7bd71adbe5eb0d191c4d50b295d43b3a002d48454a24ef9e4dc52510f2db54dcfe0c8e71948d10c

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Cache\Cache_Data\f_000001

MD5 90e8780035ef1be10e72c238a469f317
SHA1 964a0dba1f311a96fc0124d79515507201e046ac
SHA256 49a753a7179e99c6052021c8f058028c133d0ecb86f7c163a4dd3ddc88a6a341
SHA512 bde8137185968996375bcf7f33b24f04adfac33caf4462607bc001132efc0ad11d5c2b50d8d4c2fea71ac72474c989fc7ed00ff0418fbf04687ca514250db510

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Cache\Cache_Data\data_3

MD5 b9e33841b565859f32a00dd8620557d6
SHA1 91d6421d4ee0ca913f1c21087057c8074caea99b
SHA256 47ed187d8b4e725e36a237afd97f532641ed869adba724cb140c796a22147701
SHA512 7dcbeee28bdba192bf9338f59b922427f93e355aa4738eb797ce27ab4816fda524f8ae2980d6da0f9af0aa20f0207d08a3d83d3344f4ad32952a987f0ae49364

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Cache\Cache_Data\data_2

MD5 d15e480e0e485a1bb94ff772ca6ea081
SHA1 07b84060e8abaef549a3bbf836eb63445832f0e9
SHA256 8b0b879e50d6309e735c64c31dd79413fd4cc51b6f379667d88ea007dfdfb7e0
SHA512 ee94c8f50d7714df64cb841c9524e74237d3cd4baf1bebd16cc60629a5c74bf41563b08b7709c3752df6195b03abbb938765e16991a5ef12e115c4fd4dddc351

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Cache\Cache_Data\data_0

MD5 f85546b775ce67695589003d39460501
SHA1 5525aa9b6b223ce228ca8b2acf9818cfab6cced3
SHA256 774bd75564ef0d2eee70301150569258df684878d4af24cec30ed0ecb72e069f
SHA512 e0bdd6bc47a84dfb4a5d2b67476077a0d97ca2303bca6535f832c0a7ee69446c29c9172bd5e5b27ce4c274e780d4a0cc0c6b0fcc36069a0c2ba5ecdff8375598

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Affiliation Database

MD5 abd5f8ea3d9a79d25ad874145769b9fd
SHA1 0e5cb55791194d802b3d3983be3a34d364d7a78d
SHA256 50e624ab71e65f7bff466e9066621f0ee85e87f74eacd85f1952433294e1c5fd
SHA512 19126380f34e2a2517fda41cb1b824b4a0fb467b60126120deab669288fc3e851da481655dc1887f17762b6394957c4bee882dc233f7564433e25d947c80e66b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 c82ccd7e6c493cd42e4bec6c6d9b2ca3
SHA1 92f1ec9ee32ea7f53618af7f72c837c6601b995d
SHA256 9c24b731e0a6135f11536280e8282548c3b91e2893571c5c01a196bb41ff37ef
SHA512 0ddc5eefce6348276db49346e2b0ff9ff331378393a8968cf78caf0a3268e42f1fc0c2a6cd2584a552155d5b8ba2b797d405801c6d868a171e71b9069c3c8f38

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 f384ce78baae1d78de7f5abb02186317
SHA1 470e5c71e40aee9e7c545f9030b95a556b37c3e2
SHA256 3ceca09d46973e1d7bebf2463975e6d1fa8521e59c0661e017ed5739f30a2243
SHA512 282c6702aec9b346e8ed45cbcc9352032b726f57f2cad7aeda391065b95d2bc927bef959681586f55c2cff9bda2845efb4af12c037ab15cfd5b22bda655bae33

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\e69b95fe-d277-45b3-a1e1-a4dc873164fc.tmp

MD5 45664785514259d8edc301e73b5b3973
SHA1 c3ffb751a29bb86ae6203176a4ae61fe192d283a
SHA256 7031123ed12f75349f794238ff3f5e8d868b7ca60aab52ba999d33bcf4e88896
SHA512 339be02d2973add05374511b404a54713f582f41ecfba546e789c0efb5985043ebb71d20500cf1005c255b7c773bdfaa3efd4e6818a6eb49b50d89034cd20494

memory/2396-364-0x0000000001030000-0x00000000010AF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

MD5 268962da15f2c7df7de563f3e8ffc960
SHA1 c13e7f9b6d8724dc433b896f8ec4cbdd5912fdb8
SHA256 29341c0dc494de924b5a319391d9633f24c8c873d14993c380b1097e310dd830
SHA512 38f15e745be5373c7c6baae215c390d9d2c789d492665995865db54f10b2940706d0aad687f348e69f1db76971f4b0e38f90f2ea87ca646e3c7db593a3401526

memory/2396-430-0x0000000001030000-0x00000000010AF000-memory.dmp

C:\Root\logs.dat

MD5 7995e8a185be89f77f5330b81b6abad9
SHA1 3001512e3d3322306f78f9ececcb09afec707e3c
SHA256 47ed02e4f5b54025485f30995e4d10319ebace179a067c12debf0931c32f0ffc
SHA512 2ce2061b7eb57f04133df6dadb9f58cfe99c1742353a1947e936b24a4197da9b7b14ccd941092c97c125df279f3d7d9b6d285d0fc0ef1af496f0df19ee959826

memory/2396-433-0x0000000001030000-0x00000000010AF000-memory.dmp

memory/2396-434-0x0000000001030000-0x00000000010AF000-memory.dmp

memory/2396-435-0x0000000001030000-0x00000000010AF000-memory.dmp

memory/2396-436-0x0000000001030000-0x00000000010AF000-memory.dmp

memory/2396-437-0x0000000001030000-0x00000000010AF000-memory.dmp

memory/2396-438-0x0000000001030000-0x00000000010AF000-memory.dmp

memory/2396-441-0x0000000001030000-0x00000000010AF000-memory.dmp

memory/2396-446-0x0000000001030000-0x00000000010AF000-memory.dmp

memory/2396-449-0x0000000001030000-0x00000000010AF000-memory.dmp

memory/2396-452-0x0000000001030000-0x00000000010AF000-memory.dmp