Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-12-2024 19:15

General

  • Target

    Loader.exe

  • Size

    2.1MB

  • MD5

    084519881ac16c16cf9206f97a68f79e

  • SHA1

    7b0fbc312ec9176a69ccb3036636e2423320cd79

  • SHA256

    89057bbeb5618835524cf8fc3a645fc5137553638520e763901fa1f2f8cdbe66

  • SHA512

    84b2867560cdbd3ca797196b208495631e49a87a2ea7451d6d68b52ea1ada0546c81d9b2e37b630440565cd53661c6541eb91c8bd662bb10780f87a7c7db5633

  • SSDEEP

    49152:4ZZosvRgdkadC7i03aQAZutzArxizJZTrEbupmpVwMgc:4ZZostak7RGuqGJZXdpmIn

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

193.161.193.99:53757

Mutex

hsaurcrgqwhjimnkbht

Attributes
  • delay

    1

  • install

    true

  • install_file

    Load.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Async RAT payload 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 64 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1892
    • C:\Users\Admin\AppData\Local\Temp\Done.exe
      "C:\Users\Admin\AppData\Local\Temp\Done.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3236
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\ACCApi'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3980
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Local\ACCApi\apihost.exe" /st 19:20 /du 23:59 /sc daily /ri 1 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2400
      • C:\Users\Admin\AppData\Local\ACCApi\apihost.exe
        "C:\Users\Admin\AppData\Local\ACCApi\apihost.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:916
    • C:\Users\Admin\AppData\Local\Temp\Load.exe
      "C:\Users\Admin\AppData\Local\Temp\Load.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4544
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2696
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8453.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3844
        • C:\Windows\system32\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:4068
        • C:\Users\Admin\AppData\Roaming\Load.exe
          "C:\Users\Admin\AppData\Roaming\Load.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2612
    • C:\Users\Admin\AppData\Local\Temp\Loader.exe
      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4128
      • C:\Users\Admin\AppData\Local\Temp\Done.exe
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        PID:1312
      • C:\Users\Admin\AppData\Local\Temp\Load.exe
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1812
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:5044
          • C:\Windows\system32\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:3620
      • C:\Users\Admin\AppData\Local\Temp\Loader.exe
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:1872
        • C:\Users\Admin\AppData\Local\Temp\Done.exe
          "C:\Users\Admin\AppData\Local\Temp\Done.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4984
        • C:\Users\Admin\AppData\Local\Temp\Load.exe
          "C:\Users\Admin\AppData\Local\Temp\Load.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2968
        • C:\Users\Admin\AppData\Local\Temp\Loader.exe
          "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:1528
          • C:\Users\Admin\AppData\Local\Temp\Done.exe
            "C:\Users\Admin\AppData\Local\Temp\Done.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:4484
          • C:\Users\Admin\AppData\Local\Temp\Load.exe
            "C:\Users\Admin\AppData\Local\Temp\Load.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:4156
          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
            5⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:1384
            • C:\Users\Admin\AppData\Local\Temp\Done.exe
              "C:\Users\Admin\AppData\Local\Temp\Done.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2904
            • C:\Users\Admin\AppData\Local\Temp\Load.exe
              "C:\Users\Admin\AppData\Local\Temp\Load.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:4760
            • C:\Users\Admin\AppData\Local\Temp\Loader.exe
              "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
              6⤵
              • Checks computer location settings
              • Suspicious use of WriteProcessMemory
              PID:4380
              • C:\Users\Admin\AppData\Local\Temp\Done.exe
                "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:5028
              • C:\Users\Admin\AppData\Local\Temp\Load.exe
                "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:4872
              • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                7⤵
                • Checks computer location settings
                PID:1772
                • C:\Users\Admin\AppData\Local\Temp\Done.exe
                  "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:3312
                • C:\Users\Admin\AppData\Local\Temp\Load.exe
                  "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2116
                • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                  8⤵
                  • Checks computer location settings
                  PID:4488
                  • C:\Users\Admin\AppData\Local\Temp\Done.exe
                    "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                    9⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:1360
                  • C:\Users\Admin\AppData\Local\Temp\Load.exe
                    "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                    9⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:436
                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                    9⤵
                    • Checks computer location settings
                    PID:2968
                    • C:\Users\Admin\AppData\Local\Temp\Done.exe
                      "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:3356
                    • C:\Users\Admin\AppData\Local\Temp\Load.exe
                      "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                      10⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1528
                    • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                      10⤵
                      • Checks computer location settings
                      PID:3668
                      • C:\Users\Admin\AppData\Local\Temp\Done.exe
                        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                        11⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:5096
                      • C:\Users\Admin\AppData\Local\Temp\Load.exe
                        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                        11⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:912
                      • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                        11⤵
                        • Checks computer location settings
                        PID:3744
                        • C:\Users\Admin\AppData\Local\Temp\Done.exe
                          "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1572
                        • C:\Users\Admin\AppData\Local\Temp\Load.exe
                          "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                          12⤵
                          • Executes dropped EXE
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3044
                        • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                          "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                          12⤵
                          • Checks computer location settings
                          PID:3492
                          • C:\Users\Admin\AppData\Local\Temp\Done.exe
                            "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:4656
                          • C:\Users\Admin\AppData\Local\Temp\Load.exe
                            "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                            13⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4928
                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                            13⤵
                            • Checks computer location settings
                            PID:2236
                            • C:\Users\Admin\AppData\Local\Temp\Done.exe
                              "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                              14⤵
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              PID:1984
                            • C:\Users\Admin\AppData\Local\Temp\Load.exe
                              "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                              14⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              PID:5064
                            • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                              "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                              14⤵
                              • Checks computer location settings
                              PID:680
                              • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                15⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                PID:4492
                              • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                15⤵
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:5000
                              • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                15⤵
                                • Checks computer location settings
                                PID:1728
                                • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                  "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                  16⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  PID:1388
                                • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                  "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                  16⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3320
                                • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                  16⤵
                                  • Checks computer location settings
                                  PID:1368
                                  • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                    "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                    17⤵
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    PID:4768
                                  • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                    "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                    17⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3292
                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                    17⤵
                                    • Checks computer location settings
                                    PID:3312
                                    • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                      "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                      18⤵
                                      • Executes dropped EXE
                                      • System Location Discovery: System Language Discovery
                                      PID:3012
                                    • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                      "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                      18⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1148
                                    • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                      18⤵
                                      • Checks computer location settings
                                      PID:3292
                                      • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                        19⤵
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        PID:5280
                                      • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                        19⤵
                                        • Executes dropped EXE
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:5308
                                      • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                        19⤵
                                        • Checks computer location settings
                                        PID:5336
                                        • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                          "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                          20⤵
                                          • Executes dropped EXE
                                          • System Location Discovery: System Language Discovery
                                          PID:5448
                                        • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                          "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                          20⤵
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5476
                                        • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                          "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                          20⤵
                                          • Checks computer location settings
                                          PID:5488
                                          • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                            "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                            21⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            PID:5588
                                          • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                            "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                            21⤵
                                            • Executes dropped EXE
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:5616
                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                            21⤵
                                            • Checks computer location settings
                                            PID:5632
                                            • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                              "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                              22⤵
                                              • Executes dropped EXE
                                              • System Location Discovery: System Language Discovery
                                              PID:5788
                                            • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                              "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                              22⤵
                                              • Executes dropped EXE
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:5808
                                            • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                              "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                              22⤵
                                              • Checks computer location settings
                                              PID:5832
                                              • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                23⤵
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                PID:5948
                                              • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                23⤵
                                                • Executes dropped EXE
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:5960
                                              • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                23⤵
                                                • Checks computer location settings
                                                PID:6004
                                                • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                  24⤵
                                                  • Executes dropped EXE
                                                  • System Location Discovery: System Language Discovery
                                                  PID:6088
                                                • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                  24⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:6116
                                                • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                  24⤵
                                                  • Checks computer location settings
                                                  PID:6140
                                                  • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • System Location Discovery: System Language Discovery
                                                    PID:3992
                                                  • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                    25⤵
                                                    • Executes dropped EXE
                                                    PID:2900
                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                    25⤵
                                                    • Checks computer location settings
                                                    PID:5236
                                                    • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                      26⤵
                                                      • Executes dropped EXE
                                                      • System Location Discovery: System Language Discovery
                                                      PID:5264
                                                    • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                      26⤵
                                                      • Executes dropped EXE
                                                      PID:1020
                                                    • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                      26⤵
                                                      • Checks computer location settings
                                                      PID:3292
                                                      • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                        27⤵
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        PID:5304
                                                      • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                        27⤵
                                                        • Executes dropped EXE
                                                        PID:5412
                                                      • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                        27⤵
                                                        • Checks computer location settings
                                                        PID:5420
                                                        • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                          28⤵
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          PID:5504
                                                        • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                          28⤵
                                                          • Executes dropped EXE
                                                          PID:5676
                                                        • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                          28⤵
                                                          • Checks computer location settings
                                                          PID:5708
                                                          • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                            29⤵
                                                            • Executes dropped EXE
                                                            • System Location Discovery: System Language Discovery
                                                            PID:5608
                                                          • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                            29⤵
                                                            • Executes dropped EXE
                                                            PID:5756
                                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                            29⤵
                                                            • Checks computer location settings
                                                            PID:5660
                                                            • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                              30⤵
                                                              • Executes dropped EXE
                                                              • System Location Discovery: System Language Discovery
                                                              PID:5800
                                                            • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                              30⤵
                                                              • Executes dropped EXE
                                                              PID:5888
                                                            • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                              30⤵
                                                              • Checks computer location settings
                                                              PID:5920
                                                              • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                31⤵
                                                                • Executes dropped EXE
                                                                • System Location Discovery: System Language Discovery
                                                                PID:6044
                                                              • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                31⤵
                                                                • Executes dropped EXE
                                                                PID:5960
                                                              • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                31⤵
                                                                • Checks computer location settings
                                                                PID:5976
                                                                • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                  32⤵
                                                                  • Executes dropped EXE
                                                                  PID:6004
                                                                • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                  32⤵
                                                                  • Executes dropped EXE
                                                                  PID:1512
                                                                • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                  32⤵
                                                                  • Checks computer location settings
                                                                  PID:6116
                                                                  • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                    33⤵
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:3860
                                                                  • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                    33⤵
                                                                      PID:4504
                                                                    • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                      33⤵
                                                                      • Checks computer location settings
                                                                      PID:5320
                                                                      • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                        34⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:5696
                                                                      • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                        34⤵
                                                                          PID:5680
                                                                        • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                          34⤵
                                                                          • Checks computer location settings
                                                                          PID:5692
                                                                          • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                            35⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:4040
                                                                          • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                            35⤵
                                                                              PID:5772
                                                                            • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                              35⤵
                                                                              • Checks computer location settings
                                                                              PID:4804
                                                                              • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                                36⤵
                                                                                  PID:5780
                                                                                • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                                  36⤵
                                                                                    PID:5908
                                                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                    36⤵
                                                                                    • Checks computer location settings
                                                                                    PID:5900
                                                                                    • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                                      37⤵
                                                                                        PID:5932
                                                                                      • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                                        37⤵
                                                                                          PID:3740
                                                                                        • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                          37⤵
                                                                                            PID:5948
                                                                                            • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                                              38⤵
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:6120
                                                                                            • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                                              38⤵
                                                                                                PID:1148
                                                                                              • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                38⤵
                                                                                                • Checks computer location settings
                                                                                                PID:3668
                                                                                                • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                                                  39⤵
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:5168
                                                                                                • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                                                  39⤵
                                                                                                    PID:2712
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                    39⤵
                                                                                                      PID:1388
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                                                        40⤵
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        PID:3812
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                                                        40⤵
                                                                                                          PID:5288
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                          40⤵
                                                                                                          • Checks computer location settings
                                                                                                          PID:1020
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                                                            41⤵
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            PID:5556
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                                                            41⤵
                                                                                                              PID:2064
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                              41⤵
                                                                                                              • Checks computer location settings
                                                                                                              PID:2868
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                                                                42⤵
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                PID:5412
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                                                                42⤵
                                                                                                                  PID:5240
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                  42⤵
                                                                                                                  • Checks computer location settings
                                                                                                                  PID:3328
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                                                                    43⤵
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    PID:5620
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                                                                    43⤵
                                                                                                                      PID:4072
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                      43⤵
                                                                                                                      • Checks computer location settings
                                                                                                                      PID:5684
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                                                                        44⤵
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        PID:2636
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                                                                        44⤵
                                                                                                                          PID:3764
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                          44⤵
                                                                                                                          • Checks computer location settings
                                                                                                                          PID:5716
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                                                                            45⤵
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            PID:2836
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                                                                            45⤵
                                                                                                                              PID:2892
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                              45⤵
                                                                                                                              • Checks computer location settings
                                                                                                                              PID:976
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                                                                                46⤵
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                PID:3712
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                                                                                46⤵
                                                                                                                                  PID:5864
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                  46⤵
                                                                                                                                  • Checks computer location settings
                                                                                                                                  PID:5780
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                                                                                    47⤵
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:5976
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                                                                                    47⤵
                                                                                                                                      PID:6020
                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                      47⤵
                                                                                                                                      • Checks computer location settings
                                                                                                                                      PID:5948
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                                                                                        48⤵
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        PID:2588
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                                                                                        48⤵
                                                                                                                                          PID:4460
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                          48⤵
                                                                                                                                          • Checks computer location settings
                                                                                                                                          PID:5804
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                                                                                            49⤵
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            PID:3012
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                                                                                            49⤵
                                                                                                                                              PID:5484
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                              49⤵
                                                                                                                                              • Checks computer location settings
                                                                                                                                              PID:2096
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                                                                                                50⤵
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                PID:3548
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                                                                                                50⤵
                                                                                                                                                  PID:1548
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                  50⤵
                                                                                                                                                  • Checks computer location settings
                                                                                                                                                  PID:3700
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                                                                                                    51⤵
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    PID:3328
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                                                                                                    51⤵
                                                                                                                                                      PID:5116
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                      51⤵
                                                                                                                                                      • Checks computer location settings
                                                                                                                                                      PID:1136
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                                                                                                        52⤵
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:1284
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                                                                                                        52⤵
                                                                                                                                                          PID:2584
                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                          52⤵
                                                                                                                                                          • Checks computer location settings
                                                                                                                                                          PID:4904
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                                                                                                            53⤵
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:2820
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                                                                                                            53⤵
                                                                                                                                                              PID:2616
                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                              53⤵
                                                                                                                                                              • Checks computer location settings
                                                                                                                                                              PID:5968
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                                                                                                                54⤵
                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                PID:5760
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                                                                                                                54⤵
                                                                                                                                                                  PID:6008
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                  54⤵
                                                                                                                                                                  • Checks computer location settings
                                                                                                                                                                  PID:5832
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                                                                                                                    55⤵
                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                    PID:5288
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                                                                                                                    55⤵
                                                                                                                                                                      PID:6124
                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                      55⤵
                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                      PID:5256
                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                                                                                                                        56⤵
                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                        PID:4504
                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                                                                                                                        56⤵
                                                                                                                                                                          PID:1544
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                          56⤵
                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                          PID:1548
                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                                                                                                                            57⤵
                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                            PID:5476
                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                                                                                                                            57⤵
                                                                                                                                                                              PID:5596
                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                              57⤵
                                                                                                                                                                                PID:5676
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                                                                                                                                  58⤵
                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                  PID:5504
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                                                                                                                                  58⤵
                                                                                                                                                                                    PID:5428
                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                    58⤵
                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                    PID:5716
                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                                                                                                                                      59⤵
                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                      PID:5796
                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                                                                                                                                      59⤵
                                                                                                                                                                                        PID:968
                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                        59⤵
                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                        PID:976
                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                                                                                                                                          60⤵
                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                          PID:4696
                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                                                                                                                                          60⤵
                                                                                                                                                                                            PID:6052
                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                            60⤵
                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                            PID:5904
                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                                                                                                                                              61⤵
                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                              PID:1596
                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                                                                                                                                              61⤵
                                                                                                                                                                                                PID:6072
                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                61⤵
                                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                                PID:4788
                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                                                                                                                                                  62⤵
                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                  PID:5956
                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                                                                                                                                                  62⤵
                                                                                                                                                                                                    PID:5900
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                    62⤵
                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                    PID:1100
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                                                                                                                                                      63⤵
                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                      PID:1072
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                                                                                                                                                      63⤵
                                                                                                                                                                                                        PID:5588
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                        63⤵
                                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                                        PID:6048
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                                                                                                                                                          64⤵
                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                          PID:1404
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                                                                                                                                                          64⤵
                                                                                                                                                                                                            PID:5244
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                            64⤵
                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                            PID:5288
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Done.exe
                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Done.exe"
                                                                                                                                                                                                              65⤵
                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                              PID:5080
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Load.exe
                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Load.exe"
                                                                                                                                                                                                              65⤵
                                                                                                                                                                                                                PID:800
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                65⤵
                                                                                                                                                                                                                  PID:3032
                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe"
                                                                                  1⤵
                                                                                  • Enumerates system info in registry
                                                                                  • Modifies data under HKEY_USERS
                                                                                  • Modifies registry class
                                                                                  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                  • Suspicious use of SendNotifyMessage
                                                                                  PID:2436
                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd84e5cc40,0x7ffd84e5cc4c,0x7ffd84e5cc58
                                                                                    2⤵
                                                                                      PID:3640
                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,15255107518367320313,14973992530033253042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1932 /prefetch:2
                                                                                      2⤵
                                                                                        PID:624
                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2180,i,15255107518367320313,14973992530033253042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2040 /prefetch:3
                                                                                        2⤵
                                                                                          PID:4248
                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,15255107518367320313,14973992530033253042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2488 /prefetch:8
                                                                                          2⤵
                                                                                            PID:3772
                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,15255107518367320313,14973992530033253042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1
                                                                                            2⤵
                                                                                              PID:4916
                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3384,i,15255107518367320313,14973992530033253042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3400 /prefetch:1
                                                                                              2⤵
                                                                                                PID:1728
                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3716,i,15255107518367320313,14973992530033253042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4564 /prefetch:1
                                                                                                2⤵
                                                                                                  PID:1424
                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4860,i,15255107518367320313,14973992530033253042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4868 /prefetch:8
                                                                                                  2⤵
                                                                                                    PID:3992
                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5008,i,15255107518367320313,14973992530033253042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4748 /prefetch:8
                                                                                                    2⤵
                                                                                                      PID:5028
                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5336,i,15255107518367320313,14973992530033253042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4736 /prefetch:1
                                                                                                      2⤵
                                                                                                        PID:6108
                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3536,i,15255107518367320313,14973992530033253042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
    PID:5324
• C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3260,i,15255107518367320313,14973992530033253042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
    PID:5380
• C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4480,i,15255107518367320313,14973992530033253042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
    PID:3964
• C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3296,i,15255107518367320313,14973992530033253042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3852 /prefetch:1
  2⤵
    PID:5884
• C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3728,i,15255107518367320313,14973992530033253042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4564 /prefetch:1
  2⤵
    PID:3616
• C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4960,i,15255107518367320313,14973992530033253042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
    PID:4040
• C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3216,i,15255107518367320313,14973992530033253042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
    PID:5972
• C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4688,i,15255107518367320313,14973992530033253042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
    PID:4060
• C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5208,i,15255107518367320313,14973992530033253042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
    PID:516
• C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=3188,i,15255107518367320313,14973992530033253042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
    PID:5208
• C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=4712,i,15255107518367320313,14973992530033253042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
    PID:1928
• C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=3456,i,15255107518367320313,14973992530033253042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
    PID:2064
• C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=4596,i,15255107518367320313,14973992530033253042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
    PID:1680
• C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=3496,i,15255107518367320313,14973992530033253042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
    PID:3292
• C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=4692,i,15255107518367320313,14973992530033253042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
    PID:5768
• C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5436,i,15255107518367320313,14973992530033253042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3540 /prefetch:8
  2⤵
    PID:3620
• C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5248,i,15255107518367320313,14973992530033253042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
    PID:4408
• C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  1⤵
    PID:3992
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
  1⤵
    PID:5152
• C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x2f4 0x424
  1⤵
    PID:2612
• C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  1⤵
    PID:3244
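The "N⤵" line under each entry is that entry's depth in the process tree (1 = top-level), so a depth-2 entry is a child of the nearest depth-1 entry above it. The last four entries (elevation_service.exe, svchost.exe -s NgcSvc, AUDIODG.EXE, rundll32.exe) are depth-1 roots: background activity the sandbox traced during the run, not descendants of the submitted sample, and they should not be attributed to it. The Python below is added here and is not part of the sandbox report; it parses this flattened layout, rebuilds parent/child links from the depth markers, and splits the trace into PIDs descended from the sample's root versus unrelated roots. The excerpt it parses is constructed, with made-up paths, command lines and PIDs.

```python
"""Rebuild a sandbox report's flattened process tree from its depth markers.

Added example, not part of the report. Each entry in the report is laid out as
'• image path' / command line / 'N⤵' (depth, 1 = top-level) / 'PID:n'; a
depth-d entry is the child of the nearest depth d-1 entry above it.
TREE_TEXT is a constructed excerpt in that layout with made-up paths and PIDs.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

DEPTH_RE = re.compile(r"^(\d+)⤵$")
PID_RE = re.compile(r"^PID:(\d+)$")

# Constructed excerpt: a submitted sample that spawns cmd.exe and ping.exe,
# plus two unrelated depth-1 roots (a browser and a service host).
TREE_TEXT = r"""
• C:\Users\Admin\AppData\Local\Temp\sample.exe
  "C:\Users\Admin\AppData\Local\Temp\sample.exe"
  1⤵
    PID:1000
• C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5
  2⤵
    PID:1001
• C:\Windows\SysWOW64\PING.EXE
  ping 127.0.0.1 -n 5
  3⤵
    PID:1002
• C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  1⤵
    PID:2000
• C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer
  2⤵
    PID:2001
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
  1⤵
    PID:3000
"""


@dataclass
class Proc:
    image: str
    cmdline: str = ""
    depth: int = 0
    pid: int = 0
    parent: Optional[Proc] = None
    children: list[Proc] = field(default_factory=list)


def parse_tree(text: str) -> list[Proc]:
    """Parse the flattened layout and link each entry to its parent."""
    procs: list[Proc] = []
    last_at_depth: dict[int, Proc] = {}   # most recent entry seen at each depth
    cur: Optional[Proc] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            cur = Proc(image=line[1:].strip())
            continue
        if cur is None:
            continue
        if m := DEPTH_RE.match(line):
            cur.depth = int(m.group(1))
        elif m := PID_RE.match(line):
            cur.pid = int(m.group(1))
            # PID is the last line of an entry, so the record is complete here.
            parent = last_at_depth.get(cur.depth - 1) if cur.depth > 1 else None
            if parent is not None:
                cur.parent = parent
                parent.children.append(cur)
            # Entries at this depth or deeper belong to earlier, now closed, subtrees.
            for d in [d for d in last_at_depth if d >= cur.depth]:
                del last_at_depth[d]
            last_at_depth[cur.depth] = cur
            procs.append(cur)
            cur = None
        elif not cur.cmdline:
            cur.cmdline = line            # first free-form line is the command line
    return procs


def subtree_pids(proc: Proc) -> set[int]:
    pids = {proc.pid}
    for child in proc.children:
        pids |= subtree_pids(child)
    return pids


def attribute(procs: list[Proc], sample_basename: str) -> tuple[set[int], list[Proc]]:
    """Split the trace into PIDs descended from the submitted sample's root and
    the other depth-1 roots, which the sample did not start."""
    attributed: set[int] = set()
    background: list[Proc] = []
    for root in (p for p in procs if p.parent is None):
        if root.image.rsplit("\\", 1)[-1].lower() == sample_basename.lower():
            attributed |= subtree_pids(root)
        else:
            background.append(root)
    return attributed, background


if __name__ == "__main__":
    procs = parse_tree(TREE_TEXT)
    for p in procs:
        print(f"{'  ' * (p.depth - 1)}{p.pid} {p.image}")
    sample_pids, noise = attribute(procs, "sample.exe")
    print("attributable to sample:", sorted(sample_pids))
    print("unrelated roots:", [(r.pid, r.image) for r in noise])
```

Resetting `last_at_depth` whenever an entry at the same or a shallower depth appears is what keeps a later depth-3 entry from being attached to a renderer under an unrelated browser root; without it the attribution silently drifts once the tree has several depth-1 roots.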

                                                                                                                                              Downloads

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
  Filesize: 649B
  MD5: 797d0df207ddbe3b70eabc796a2d71e6
  SHA1: 6e208f4ece6a46eb3edb8a0ab96d3127915c7c88
  SHA256: 631a1ed8264e5b18df9197c00649c7ae08395a8f62f97d47f17765b52467ba50
  SHA512: 076d07b2247eec10a66ec445dc15b5b25328084284df8b7756558509b7b2cb8f5408c5b6affd04fb440b4e7e589658dfd14fdbb54ff0a5c8b8da3b618c84a3b0

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 432B
  MD5: 847f935139469b68266a670a02b19c5f
  SHA1: 3ee7efa9828e7d79c754f02b1f2169ed59c231ae
  SHA256: 9bc41468c515580c39b5f2d4904aacb9e7b1a82b0ebbdfffe2b77165ac1a9998
  SHA512: 7c7de62ece07b8a41ad4f365c7081b09904f8e2096334c782c2701184b397239a9b812bc4fec7b1fe6627f50e2f1665893637e0d8e4380abf28238266884694d

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 408B
  MD5: b78e9e10ed5b0c887fb86a9e9211b15b
  SHA1: 9dd5e0f2d664f26bc0cd44be1711a026b2943eb4
  SHA256: 8bb312f40507c63d26b64bfd6a9a46895a1595a47ef3369db9e89d8b54d5207c
  SHA512: 3fbe51763b0165d4c30ae1db6b16c8ad42efe07c62c8acc94d06ae81123dce71943cedaecbd1d05e03f1bad67f9751ddfa348dfc0f90f7f5d0f216218e735bf5

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001
  Filesize: 41B
  MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
  SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
  SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
  SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT
  Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
  Filesize: 2KB
  MD5: 0b7db259f5bc0184bc3edc164376674c
  SHA1: cbc524715fc8137eb6359e69b6de111f675c9d17
  SHA256: 1844e6dafcb3db4cd60059bd17e76cedd698d4846df94324348c68e53194b6d6
  SHA512: 4d6be541bf53c711a7fa2ba2ffcfff7d063c8401e4cde4d531f1e7ec31c42a595f2975fcdeed368b0328374962c9024c82c8a2fabd6347cba01fe164f19494fb

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
  Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
  Filesize: 1024B
  MD5: 068a442e04fbb33ecd2b55b317091853
  SHA1: a3c36782002ff0b0192fc4ea1444a6b9e4fcb5e2
  SHA256: a9291a5405f1681baed6417d53b6a33f56a1aa81216fe203ea39e13e8e2fe5e9
  SHA512: 337e15579dd9c22d9b43d35b8e23fec3c6ed60a45fb658da690ba3dba7a5332067565ba75d0248cc628047bbeb9e4d0300a9f9363bcdfcd40b46424738bc39b4

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
  Filesize: 356B
  MD5: f991256e8323c1bdf70cb93be2ce094d
  SHA1: 81553b0df9e5c53a6772b1edd34af2db295dd6e2

                                                                                                                                                SHA256

                                                                                                                                                983bb9e1ba39cda85782193c36fbdf5a05246eaba5284d0391d468d227575b62

                                                                                                                                                SHA512

                                                                                                                                                69050c07ccb7618d430a2bef55b9362e8dffc298df9dd396cf3c7dea1454ae6b28daba024e576631ed6a390d42b179f730ac1398111b3060eec1c04bf30b4ac6

                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                                                                                                Filesize

                                                                                                                                                857B

                                                                                                                                                MD5

                                                                                                                                                cbca87ad9c249a9e4bc4ae51e18fe37f

                                                                                                                                                SHA1

                                                                                                                                                7db94dc237380ec5221d21f6b910d3e62dc18017

                                                                                                                                                SHA256

                                                                                                                                                2ef63b0f5b0b993110b6227cc5023eaf9538aaa70d65274fa5e6281867038f8d

                                                                                                                                                SHA512

                                                                                                                                                15443d93b16754f9d50b92f7b084afc245e10e9c92a616e5644962b0300c4629065c3f2137f8d7955e05e6ea6ff569a2397a06c15275c87208fdac5717dbb60b

                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                Filesize

                                                                                                                                                10KB

                                                                                                                                                MD5

                                                                                                                                                20ac44d4e2a79535d5f6ad4b14794ef4

                                                                                                                                                SHA1

                                                                                                                                                89b08406289e2cccd1376cef3bbce5982be87e62

                                                                                                                                                SHA256

                                                                                                                                                60cef73bd48b1048c3bf987b13ee559bd9f4177199de44355be5b9244791274b

                                                                                                                                                SHA512

                                                                                                                                                46a07fa429aa6db6713224cd41c861ee10809289453fbab275312a72774373704ca0c5c2f972a86325970fe3af1cf7d3cd63d5c88c07cee195f623ab964d1251

                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                Filesize

                                                                                                                                                10KB

                                                                                                                                                MD5

                                                                                                                                                c87501e7dbe717295982c86e93efe552

                                                                                                                                                SHA1

                                                                                                                                                7f85525d786c3d1aa78f09693502ee1324ce67e0

                                                                                                                                                SHA256

                                                                                                                                                b734e1cd65e75e11d3d8286889c57fe6fd8db1690cd2ef3fe0caae97b453c44c

                                                                                                                                                SHA512

                                                                                                                                                77967c8d8fc87bfe8117490a8a4c2fb6fff31cfc2406aa8593e163862afc237facab2d129ab2774edd80bec2ab550c7fcc2dd84d9ddda40c618db38e116de911

                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                Filesize

                                                                                                                                                10KB

                                                                                                                                                MD5

                                                                                                                                                fd4ac01670fad173603fe73cd3baaafc

                                                                                                                                                SHA1

                                                                                                                                                aeb251821e7fdd41cacf025a5292f9f245e57cc5

                                                                                                                                                SHA256

                                                                                                                                                b2660108e58df315d7731b5d7811ce393bf5964026eb61a2e22b088fad632dde

                                                                                                                                                SHA512

                                                                                                                                                cb123625ad233107f5b28ad76a200a5eae18be548c2f0795dd2652c5bfdb9a876c7a999acdad3c620859380a1341b92b51c6254a69f0f35eafbb0d1dd3f6ddbf

                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                Filesize

                                                                                                                                                9KB

                                                                                                                                                MD5

                                                                                                                                                a2bd41ee750b51940afcc6296efe8e6b

                                                                                                                                                SHA1

                                                                                                                                                f0a37fc906ddce2cbeb1a75f3b5780a9c5efc7ff

                                                                                                                                                SHA256

                                                                                                                                                c960e428096e2c38c2377380db1e347aa4205d146c622652feed4bd0439a4b99

                                                                                                                                                SHA512

                                                                                                                                                1b66882e900633e147b48512a3e3f05045be099364dd70250fdba63d9e2a2fad9b00015033e7f08311792f03a1657c10673505e5a5d01e718df21e5bad165d63

                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                Filesize

                                                                                                                                                9KB

                                                                                                                                                MD5

                                                                                                                                                f3f99b5ba208ba46cb6356211a752418

                                                                                                                                                SHA1

                                                                                                                                                a1735759002ae8d2fc4c086543f4ae4bd3dcbb66

                                                                                                                                                SHA256

                                                                                                                                                b3271f5d13a62bbfe0189943d81404a9b05ebb1a6fe64c8c0b01acfebdf001c6

                                                                                                                                                SHA512

                                                                                                                                                e24cfca795fa7f7b75b16457a3e9e69a633529516a0952263c65342c050560f4eaa4ec3bab8b2a2073721e43fddbdb24d97043aa51cf2b2e4ac76bee42e39413

                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                Filesize

                                                                                                                                                10KB

                                                                                                                                                MD5

                                                                                                                                                73a3f9953d3f7224e7fa63bf729ec1af

                                                                                                                                                SHA1

                                                                                                                                                83ac349f1f0c98fcfec22357a96dd0f363a9d3ab

                                                                                                                                                SHA256

                                                                                                                                                cef5e03ba8e6baf376b0657eeb5c17666aeae779e4517ac8eaf294cfb5c41a04

                                                                                                                                                SHA512

                                                                                                                                                2417c0915ddadb859f76a090bc024cc9fbdf6fc05b0cdadf061697b42712feb263da4895c768f02f6b29c09aa2625ac8f23ab2cfbd7f6fae49040e49778e5eda

                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                Filesize

                                                                                                                                                11KB

                                                                                                                                                MD5

                                                                                                                                                873ff98f10205f3fca120648cb3dc4f4

                                                                                                                                                SHA1

                                                                                                                                                f2e81d82534eace6e21ec4600eb3d580e728f14b

                                                                                                                                                SHA256

                                                                                                                                                a7f1d1630891f5db420cd129e7bf23651ed696e97c7792e29d9f9e29e017339a

                                                                                                                                                SHA512

                                                                                                                                                5324c765eddaad2f5ac5dd2ce06494db940b1926fa58c8d0377bcaeab2886ca23c1b76b5189077abea7e84529ce762fa5f1a6d6a995fd259f3ada48164964223

                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

                                                                                                                                                Filesize

                                                                                                                                                15KB

                                                                                                                                                MD5

                                                                                                                                                965b60ad54694d2b5b25f61b26d30a3f

                                                                                                                                                SHA1

                                                                                                                                                9f57cbd746c3ede2c273dca9811de0cf05d02a2a

                                                                                                                                                SHA256

                                                                                                                                                0833b776ad0c430ef60ecceeda94bfdb6c0600fd361d333ab8972d6dc194a582

                                                                                                                                                SHA512

                                                                                                                                                72328a810bb0ba85b00521887022e2952f1d423ff2ca4a4e004c30fcced32304dac99fb165650ca35996afe028c27ea4ae1315498df54c6fd8907e02a9cb7857

                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

                                                                                                                                                Filesize

                                                                                                                                                96B

                                                                                                                                                MD5

                                                                                                                                                639377be33eaa586be34bd6e189592a3

                                                                                                                                                SHA1

                                                                                                                                                e33eb15610e3a3315e9565ddad7b6ea2dba9e686

                                                                                                                                                SHA256

                                                                                                                                                1ee15ad0a9fe3dbb5b03e5bc87591d6668868d9b13b632353e330c2b28f67566

                                                                                                                                                SHA512

                                                                                                                                                4872b5bfbfeedefd2c2524bbc2246d4f78460a3ec3256f55c37a270d963f2aa42cfd2bc620eb8ac23ba947a1b7609f639e90c10d4e3d7f72e7b7b13e7812a08e

                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                                                                                                                Filesize

                                                                                                                                                231KB

                                                                                                                                                MD5

                                                                                                                                                14bbc06672a96a6b2f551210dbbc2f84

                                                                                                                                                SHA1

                                                                                                                                                b9e21ee2d1e842c8ead5270d6740dde421e30557

                                                                                                                                                SHA256

                                                                                                                                                872041e5ca654b6ff097b8998d6289224dd66e8c225e0904cece790bb84ed13b

                                                                                                                                                SHA512

                                                                                                                                                75157baf8f5b6d4dba4d043bfbb72cb4463e3757f8984edc1467f0a884f5343762907f13148ddb1f2c4ca684791a4a7e9c50693a6df11db4df837a4f7e7b5fea

                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                                                                                                                Filesize

                                                                                                                                                231KB

                                                                                                                                                MD5

                                                                                                                                                d908f81eabde69302d8d225ef030a9f4

                                                                                                                                                SHA1

                                                                                                                                                199f104028652402c7249f8cb5c64351a035111b

                                                                                                                                                SHA256

                                                                                                                                                ca29318fe10f54b5d361e7615e8d5aa203bba3056622d69217b81e5ea7418834

                                                                                                                                                SHA512

                                                                                                                                                4bf615446395cc0114ea8da4d538f02a2cddef2cd829386db3cfbf27bbb6aafbe2ad61d004b8a25771619e4c537535d7d693979b6c659865ab1e11f64ae75dfd

                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Load.exe.log

                                                                                                                                                Filesize

                                                                                                                                                1KB

                                                                                                                                                MD5

                                                                                                                                                baf55b95da4a601229647f25dad12878

                                                                                                                                                SHA1

                                                                                                                                                abc16954ebfd213733c4493fc1910164d825cac8

                                                                                                                                                SHA256

                                                                                                                                                ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                                                                                                                                                SHA512

                                                                                                                                                24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Loader.exe.log

                                                                                                                                                Filesize

                                                                                                                                                654B

                                                                                                                                                MD5

                                                                                                                                                2ff39f6c7249774be85fd60a8f9a245e

                                                                                                                                                SHA1

                                                                                                                                                684ff36b31aedc1e587c8496c02722c6698c1c4e

                                                                                                                                                SHA256

                                                                                                                                                e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

                                                                                                                                                SHA512

                                                                                                                                                1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Done.exe.log

                                                                                                                                                Filesize

                                                                                                                                                410B


• C:\Users\Admin\AppData\Local\Temp\Done.exe (Filesize: 69KB)


• C:\Users\Admin\AppData\Local\Temp\Load.exe (Filesize: 74KB)


• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_di30z0ft.12g.ps1 (Filesize: 60B)


• C:\Users\Admin\AppData\Local\Temp\tmp8453.tmp.bat (Filesize: 148B)


• C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf (Filesize: 8B)


• C:\Users\Admin\Downloads\Loader.zip (Filesize: 2.1MB)


• memory/1312-87-0x0000000005EF0000-0x0000000005EFA000-memory.dmp (Filesize: 40KB)
• memory/1892-1-0x00000000004A0000-0x00000000006C4000-memory.dmp (Filesize: 2.1MB)
• memory/1892-10-0x00007FFD8F050000-0x00007FFD8FB11000-memory.dmp (Filesize: 10.8MB)
• memory/1892-0-0x00007FFD8F053000-0x00007FFD8F055000-memory.dmp (Filesize: 8KB)
• memory/1892-29-0x00007FFD8F050000-0x00007FFD8FB11000-memory.dmp (Filesize: 10.8MB)
• memory/2468-25-0x0000000000710000-0x0000000000728000-memory.dmp (Filesize: 96KB)
• memory/2468-39-0x00007FFD8F050000-0x00007FFD8FB11000-memory.dmp (Filesize: 10.8MB)
• memory/2468-30-0x00007FFD8F050000-0x00007FFD8FB11000-memory.dmp (Filesize: 10.8MB)
• memory/2468-28-0x00007FFD8F050000-0x00007FFD8FB11000-memory.dmp (Filesize: 10.8MB)
• memory/3236-31-0x0000000000120000-0x0000000000138000-memory.dmp (Filesize: 96KB)
• memory/3236-32-0x0000000004F50000-0x00000000054F4000-memory.dmp (Filesize: 5.6MB)
• memory/3236-33-0x0000000004A40000-0x0000000004AD2000-memory.dmp (Filesize: 584KB)
• memory/3980-113-0x0000000007100000-0x000000000710E000-memory.dmp (Filesize: 56KB)
• memory/3980-115-0x0000000007210000-0x000000000722A000-memory.dmp (Filesize: 104KB)
• memory/3980-85-0x0000000005BA0000-0x0000000005BBE000-memory.dmp (Filesize: 120KB)
• memory/3980-84-0x0000000005760000-0x0000000005AB4000-memory.dmp (Filesize: 3.3MB)
• memory/3980-70-0x00000000054F0000-0x0000000005556000-memory.dmp (Filesize: 408KB)
• memory/3980-69-0x0000000004CA0000-0x0000000004D06000-memory.dmp (Filesize: 408KB)
• memory/3980-68-0x0000000004C00000-0x0000000004C22000-memory.dmp (Filesize: 136KB)
• memory/3980-60-0x0000000004D10000-0x0000000005338000-memory.dmp (Filesize: 6.2MB)
• memory/3980-56-0x00000000045F0000-0x0000000004626000-memory.dmp (Filesize: 216KB)
• memory/3980-94-0x0000000006170000-0x00000000061A2000-memory.dmp (Filesize: 200KB)
• memory/3980-116-0x00000000071F0000-0x00000000071F8000-memory.dmp (Filesize: 32KB)
• memory/3980-86-0x0000000005BE0000-0x0000000005C2C000-memory.dmp (Filesize: 304KB)
• memory/3980-114-0x0000000007110000-0x0000000007124000-memory.dmp (Filesize: 80KB)
• memory/3980-95-0x0000000071910000-0x000000007195C000-memory.dmp (Filesize: 304KB)
• memory/3980-112-0x00000000070D0000-0x00000000070E1000-memory.dmp (Filesize: 68KB)
• memory/3980-111-0x0000000007150000-0x00000000071E6000-memory.dmp (Filesize: 600KB)
• memory/3980-110-0x0000000006F40000-0x0000000006F4A000-memory.dmp (Filesize: 40KB)
• memory/3980-109-0x0000000006ED0000-0x0000000006EEA000-memory.dmp (Filesize: 104KB)
• memory/3980-108-0x0000000007510000-0x0000000007B8A000-memory.dmp (Filesize: 6.5MB)
• memory/3980-106-0x0000000006B90000-0x0000000006C33000-memory.dmp (Filesize: 652KB)
• memory/3980-105-0x0000000006B70000-0x0000000006B8E000-memory.dmp (Filesize: 120KB)