Analysis

  • max time kernel
    625s
  • max time network
    627s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-08-2022 18:30

General

  • Target

    https://github.com/NightfallGT/Mercurial-Grabber/releases/download/v1.0/Mercurial.Grabber.v1.03.rar

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1012429981684600883/LWtnCGmn_bF1uTSoWs7byLfVjb-yFKwWAwmtgIn3Noz0ASP9w56nEJnjskpxVlCEYRXx

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

  • Modifies system executable filetype association 2 TTPs 8 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 6 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 29 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 6 IoCs
  • Registers COM server for autorun 1 TTPs 3 IoCs
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 21 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 12 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in Program Files directory 62 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 9 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 34 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 39 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 38 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" https://github.com/NightfallGT/Mercurial-Grabber/releases/download/v1.0/Mercurial.Grabber.v1.03.rar
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:756
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa03c74f50,0x7ffa03c74f60,0x7ffa03c74f70
      2⤵
        PID:4376
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1684 /prefetch:2
        2⤵
          PID:2812
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1996 /prefetch:8
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:948
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2396 /prefetch:8
          2⤵
            PID:1544
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:1
            2⤵
              PID:3540
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
              2⤵
                PID:3992
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4300 /prefetch:8
                2⤵
                  PID:2272
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4692 /prefetch:8
                  2⤵
                  • Drops file in Program Files directory
                  PID:416
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
                  2⤵
                    PID:3268
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
                    2⤵
                      PID:2352
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3584
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
                      2⤵
                        PID:2592
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5680 /prefetch:8
                        2⤵
                          PID:3952
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5812 /prefetch:8
                          2⤵
                            PID:4068
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4856 /prefetch:8
                            2⤵
                              PID:3160
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
                              2⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:4472
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
                              2⤵
                                PID:4192
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5804 /prefetch:8
                                2⤵
                                  PID:3952
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
                                  2⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:2544
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
                                  2⤵
                                    PID:4740
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5300 /prefetch:8
                                    2⤵
                                      PID:4396
                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5060 /prefetch:8
                                      2⤵
                                        PID:4780
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1564 /prefetch:1
                                        2⤵
                                          PID:4568
                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
                                          2⤵
                                            PID:2764
                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
                                            2⤵
                                              PID:2016
                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3772 /prefetch:1
                                              2⤵
                                                PID:4500
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6592 /prefetch:8
                                                2⤵
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:4444
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
                                                2⤵
                                                  PID:4196
                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
                                                  2⤵
                                                    PID:4504
                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4804 /prefetch:8
                                                    2⤵
                                                      PID:3584
                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6320 /prefetch:8
                                                      2⤵
                                                        PID:3468
                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
                                                        2⤵
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        PID:5044
                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8
                                                        2⤵
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        PID:3180
                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6052 /prefetch:8
                                                        2⤵
                                                          PID:3672
                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5236 /prefetch:8
                                                          2⤵
                                                            PID:1608
                                                          • C:\Users\Admin\Downloads\winrar-x64-611.exe
                                                            "C:\Users\Admin\Downloads\winrar-x64-611.exe"
                                                            2⤵
                                                            • Executes dropped EXE
                                                            • Checks computer location settings
                                                            • Drops file in Program Files directory
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:3512
                                                            • C:\Program Files\WinRAR\uninstall.exe
                                                              "C:\Program Files\WinRAR\uninstall.exe" /setup
                                                              3⤵
                                                              • Modifies system executable filetype association
                                                              • Executes dropped EXE
                                                              • Registers COM server for autorun
                                                              • Drops file in Program Files directory
                                                              • Modifies registry class
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:3520
                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,9076416252917245786,12676529432860990917,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2132 /prefetch:8
                                                            2⤵
                                                              PID:1352
                                                          • C:\Windows\System32\CompPkgSrv.exe
                                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                            1⤵
                                                              PID:3752
                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe"
                                                              1⤵
                                                              • Enumerates system info in registry
                                                              • Modifies registry class
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                                              • Suspicious use of FindShellTrayWindow
                                                              • Suspicious use of SendNotifyMessage
                                                              PID:4884
                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa03c74f50,0x7ffa03c74f60,0x7ffa03c74f70
                                                                2⤵
                                                                  PID:4708
                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2392 /prefetch:8
                                                                  2⤵
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  PID:3496
                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2396 /prefetch:8
                                                                  2⤵
                                                                    PID:1836
                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2720 /prefetch:1
                                                                    2⤵
                                                                      PID:1736
                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2712 /prefetch:1
                                                                      2⤵
                                                                        PID:4000
                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1660 /prefetch:2
    2⤵
    PID:1296
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1
    2⤵
    PID:3748
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4668 /prefetch:8
    2⤵
    PID:956
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4768 /prefetch:8
    2⤵
    PID:2560
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4092 /prefetch:8
    2⤵
    PID:2524
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
    2⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1352
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
    2⤵
    PID:1036
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3236 /prefetch:8
    2⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2752
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
    2⤵
    PID:2288
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3504 /prefetch:8
    2⤵
    PID:2692
  • C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03.rar"
    2⤵
    • Executes dropped EXE
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    PID:4752
  • C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03.rar"
    2⤵
    • Executes dropped EXE
    PID:3028
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3512 /prefetch:8
    2⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:4760
  • C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03.rar"
    2⤵
    • Executes dropped EXE
    • Checks computer location settings
    • Suspicious behavior: GetForegroundWindowSpam
    PID:1068
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Rar$DIa1068.26740\readme.txt
      3⤵
      PID:4684
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4080 /prefetch:8
    2⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:3184
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,16139428125786860328,13111829581805546630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
    2⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:4928
• C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  1⤵
  PID:884
• C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  1⤵
  PID:3284
• C:\Program Files\WinRAR\WinRAR.exe
  "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\Mercurial.Grabber.v1.03.rar"
  1⤵
  • Executes dropped EXE
  PID:2368
• C:\Users\Admin\Desktop\Mercurial.exe
  "C:\Users\Admin\Desktop\Mercurial.exe"
  1⤵
  • Executes dropped EXE
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious use of AdjustPrivilegeToken
  PID:4760
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1128
    2⤵
    • Program crash
    PID:1296
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 2092
    2⤵
    • Program crash
    PID:1048
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4760 -ip 4760
  1⤵
  PID:3344
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4760 -ip 4760
  1⤵
  PID:4584
• C:\Users\Admin\Desktop\Mercurial.exe
  "C:\Users\Admin\Desktop\Mercurial.exe"
  1⤵
  • Executes dropped EXE
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious use of AdjustPrivilegeToken
  PID:2736
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1i3qgymj\1i3qgymj.cmdline"
    2⤵
    PID:3344
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2802.tmp" "c:\Users\Admin\Desktop\CSCAA1BCC95BAA94BC8A9E1610E35F5641.TMP"
      3⤵
      PID:2272
• C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  1⤵
  • Enumerates system info in registry
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  • Suspicious use of SendNotifyMessage
  PID:2268
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa03c74f50,0x7ffa03c74f60,0x7ffa03c74f70
    2⤵
    PID:2820
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2008 /prefetch:8
    2⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:176
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1604 /prefetch:2
    2⤵
    PID:32
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2460 /prefetch:8
    2⤵
    PID:4012
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2856 /prefetch:1
    2⤵
    PID:4100
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2848 /prefetch:1
    2⤵
    PID:1476
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:1
    2⤵
    PID:708
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4540 /prefetch:8
    2⤵
    PID:1908
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4804 /prefetch:8
    2⤵
    PID:1672
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4668 /prefetch:8
    2⤵
    PID:2352
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 /prefetch:8
    2⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2200
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4888 /prefetch:8
    2⤵
    PID:640
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
    2⤵
    PID:3216
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2904 /prefetch:1
    2⤵
    PID:2952
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
    2⤵
    PID:3276
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
    2⤵
    PID:1960
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
    2⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:4676
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1076 /prefetch:8
    2⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2520
  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2448 /prefetch:8
                                                                                                                                  2⤵
                                                                                                                                    PID:4756
                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3352 /prefetch:8
                                                                                                                                    2⤵
                                                                                                                                      PID:4612
                                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4492 /prefetch:8
                                                                                                                                      2⤵
                                                                                                                                        PID:1172
                                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1528 /prefetch:1
                                                                                                                                        2⤵
                                                                                                                                          PID:4912
                                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1592,12732986317885483384,1504479415817090775,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4784 /prefetch:2
                                                                                                                                          2⤵
                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                          PID:2548
                                                                                                                                      • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                        1⤵
                                                                                                                                          PID:3212
                                                                                                                                        • C:\Users\Admin\Desktop\output.exe
                                                                                                                                          "C:\Users\Admin\Desktop\output.exe"
                                                                                                                                          1⤵
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Checks processor information in registry
                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                          PID:1276
                                                                                                                                        • C:\Windows\helppane.exe
                                                                                                                                          C:\Windows\helppane.exe -Embedding
                                                                                                                                          1⤵
                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                          PID:3956
                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528884
                                                                                                                                            2⤵
                                                                                                                                            • Adds Run key to start application
                                                                                                                                            • Enumerates system info in registry
                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                                                                                                                            PID:3908
                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa005f46f8,0x7ffa005f4708,0x7ffa005f4718
                                                                                                                                              3⤵
                                                                                                                                                PID:2368
                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,1748148146152910683,17874832246591679893,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
                                                                                                                                                3⤵
                                                                                                                                                  PID:4264
                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,1748148146152910683,17874832246591679893,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
                                                                                                                                                  3⤵
                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                  PID:2860
                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,1748148146152910683,17874832246591679893,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
                                                                                                                                                  3⤵
                                                                                                                                                    PID:1540
                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1748148146152910683,17874832246591679893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
                                                                                                                                                    3⤵
                                                                                                                                                      PID:1428
                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1748148146152910683,17874832246591679893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
                                                                                                                                                      3⤵
                                                                                                                                                        PID:4080
                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,1748148146152910683,17874832246591679893,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5344 /prefetch:8
                                                                                                                                                        3⤵
                                                                                                                                                          PID:1612
                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1748148146152910683,17874832246591679893,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:1
                                                                                                                                                          3⤵
                                                                                                                                                            PID:4276
                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1748148146152910683,17874832246591679893,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
                                                                                                                                                            3⤵
                                                                                                                                                              PID:2476
                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,1748148146152910683,17874832246591679893,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5584 /prefetch:8
                                                                                                                                                              3⤵
                                                                                                                                                                PID:3820
                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1748148146152910683,17874832246591679893,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
                                                                                                                                                                3⤵
                                                                                                                                                                  PID:4976
                                                                                                                                                            • C:\Users\Admin\Desktop\output.exe
                                                                                                                                                              "C:\Users\Admin\Desktop\output.exe"
                                                                                                                                                              1⤵
                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                              • Checks processor information in registry
                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                              PID:1884
                                                                                                                                                            • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                                              1⤵
                                                                                                                                                                PID:1692
                                                                                                                                                              • C:\Windows\system32\AUDIODG.EXE
                                                                                                                                                                C:\Windows\system32\AUDIODG.EXE 0x498 0x4a0
                                                                                                                                                                1⤵
                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                PID:4612
                                                                                                                                                              • C:\Users\Admin\Desktop\Mercurial.exe
                                                                                                                                                                "C:\Users\Admin\Desktop\Mercurial.exe"
                                                                                                                                                                1⤵
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                PID:1408
                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2vnfttoy\2vnfttoy.cmdline"
                                                                                                                                                                  2⤵
                                                                                                                                                                    PID:2104
                                                                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                                                                                      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES32A.tmp" "c:\Users\Admin\Desktop\CSCDE0D2A28D9894E77A0BFF28B3C52199.TMP"
                                                                                                                                                                      3⤵
                                                                                                                                                                        PID:3648
                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe"
                                                                                                                                                                    1⤵
                                                                                                                                                                    • Enumerates system info in registry
                                                                                                                                                                    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                                                                                                                                                    PID:3380
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa03c74f50,0x7ffa03c74f60,0x7ffa03c74f70
    2⤵
      PID:1636
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1656 /prefetch:2
    2⤵
      PID:1068
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2176 /prefetch:8
    2⤵
      PID:3912
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2580 /prefetch:8
    2⤵
      PID:4816
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2824 /prefetch:1
    2⤵
      PID:1540
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2816 /prefetch:1
    2⤵
      PID:4280
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:1
    2⤵
      PID:3428
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4572 /prefetch:8
    2⤵
      PID:924
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4596 /prefetch:8
    2⤵
      PID:2980
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4696 /prefetch:8
    2⤵
      PID:4856
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
    2⤵
      PID:3276
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4600 /prefetch:8
    2⤵
      PID:1040
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 /prefetch:8
    2⤵
      PID:3996
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1580 /prefetch:8
    2⤵
      PID:412
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3192 /prefetch:8
    2⤵
      PID:3832
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5116 /prefetch:8
    2⤵
      PID:2212
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1584 /prefetch:8
    2⤵
      PID:1492
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
    2⤵
      PID:1664
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3012 /prefetch:1
    2⤵
      PID:4828
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2300 /prefetch:8
    2⤵
      PID:2236
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4884 /prefetch:8
    2⤵
      PID:2496
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
    2⤵
      PID:5104
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5048 /prefetch:2
    2⤵
      PID:3696
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1560 /prefetch:8
    2⤵
      PID:1500
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,15451726420958459969,890804516793115362,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2324 /prefetch:8
    2⤵
      PID:1976
• C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  1⤵
    PID:4504
• C:\Users\Admin\Desktop\PulaExe.exe
  "C:\Users\Admin\Desktop\PulaExe.exe"
  1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Executes dropped EXE
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:4864
• C:\Users\Admin\Desktop\PulaExe.exe
  "C:\Users\Admin\Desktop\PulaExe.exe"
  1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Executes dropped EXE
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:3784
                                                                                                                                                                                                                      • C:\Users\Admin\Desktop\Mercurial.exe
                                                                                                                                                                                                                        "C:\Users\Admin\Desktop\Mercurial.exe"
                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                        • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                        PID:2980
                                                                                                                                                                                                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                                                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\if42ityh\if42ityh.cmdline"
                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                            PID:548
                                                                                                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                                                                                                                                              C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES19F.tmp" "c:\Users\Admin\Desktop\CSC447E69A06D2D44C0AC1AAFEB8A7EFB8F.TMP"
                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                PID:5088
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\DllHost.exe
                                                                                                                                                                                                                            C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                              PID:3028
                                                                                                                                                                                                                            • C:\Users\Admin\Desktop\Plaece.exe
                                                                                                                                                                                                                              "C:\Users\Admin\Desktop\Plaece.exe"
                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                              • Checks processor information in registry
                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                              PID:1888
                                                                                                                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe"
                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                PID:5032
                                                                                                                                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa03c74f50,0x7ffa03c74f60,0x7ffa03c74f70
                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                    PID:3044
                                                                                                                                                                                                                                • C:\Users\Admin\Desktop\Plaece.exe
                                                                                                                                                                                                                                  "C:\Users\Admin\Desktop\Plaece.exe"
                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                  • Checks processor information in registry
                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                  PID:708
                                                                                                                                                                                                                                • C:\Users\Admin\Desktop\Plaece.exe
                                                                                                                                                                                                                                  "C:\Users\Admin\Desktop\Plaece.exe"
                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                  • Checks processor information in registry
                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                  PID:1760
                                                                                                                                                                                                                                • C:\Users\Admin\Desktop\Plaece.exe
                                                                                                                                                                                                                                  "C:\Users\Admin\Desktop\Plaece.exe"
                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                  • Checks processor information in registry
                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                  PID:4808
                                                                                                                                                                                                                                  • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                                                    C:\Windows\system32\WerFault.exe -u -p 4808 -s 2040
                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                    PID:5408
                                                                                                                                                                                                                                • C:\Users\Admin\Desktop\Plaece.exe
                                                                                                                                                                                                                                  "C:\Users\Admin\Desktop\Plaece.exe"
                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                  • Checks processor information in registry
                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                  PID:3488
                                                                                                                                                                                                                                  • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                                                    C:\Windows\system32\WerFault.exe -u -p 3488 -s 1960
                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                    PID:5384
                                                                                                                                                                                                                                • C:\Users\Admin\Desktop\Plaece.exe
                                                                                                                                                                                                                                  "C:\Users\Admin\Desktop\Plaece.exe"
                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                  • Checks processor information in registry
                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                  PID:696
                                                                                                                                                                                                                                  • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                                                    C:\Windows\system32\WerFault.exe -u -p 696 -s 2012
                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                    PID:5796
                                                                                                                                                                                                                                • C:\Users\Admin\Desktop\Plaece.exe
                                                                                                                                                                                                                                  "C:\Users\Admin\Desktop\Plaece.exe"
                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                  PID:3988
                                                                                                                                                                                                                                • C:\Users\Admin\Desktop\Plaece.exe
                                                                                                                                                                                                                                  "C:\Users\Admin\Desktop\Plaece.exe"
                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                  • Checks processor information in registry
                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                  PID:4676
                                                                                                                                                                                                                                • C:\Users\Admin\Desktop\Plaece.exe
                                                                                                                                                                                                                                  "C:\Users\Admin\Desktop\Plaece.exe"
                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                  • Checks processor information in registry
                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                  PID:1156
                                                                                                                                                                                                                                • C:\Users\Admin\Desktop\Plaece.exe
                                                                                                                                                                                                                                  "C:\Users\Admin\Desktop\Plaece.exe"
                                                                                                                                                                                                                                  1⤵
  • Executes dropped EXE
  • Checks processor information in registry
  • Suspicious use of AdjustPrivilegeToken
  PID:5184
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 5184 -s 2080
    2⤵
    • Program crash
    PID:3208
• C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 408 -p 4808 -ip 4808
  1⤵
  PID:5340
• C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 440 -p 3488 -ip 3488
  1⤵
  PID:5348
• C:\Users\Admin\Desktop\PulaExe.exe
  "C:\Users\Admin\Desktop\PulaExe.exe"
  1⤵
  • Looks for VirtualBox Guest Additions in registry
  • Executes dropped EXE
  • Looks for VMWare Tools registry key
  • Checks BIOS information in registry
  • Maps connected drives based on registry
  • Checks SCSI registry key(s)
  • Checks processor information in registry
  • Enumerates system info in registry
  • Suspicious use of AdjustPrivilegeToken
  PID:5440
• C:\Users\Admin\Desktop\PulaExe.exe
  "C:\Users\Admin\Desktop\PulaExe.exe"
  1⤵
  • Looks for VirtualBox Guest Additions in registry
  • Executes dropped EXE
  • Looks for VMWare Tools registry key
  • Checks BIOS information in registry
  • Maps connected drives based on registry
  • Checks SCSI registry key(s)
  • Checks processor information in registry
  • Enumerates system info in registry
  • Suspicious use of AdjustPrivilegeToken
  PID:5508
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 5508 -s 2148
    2⤵
    • Program crash
    PID:5548
• C:\Users\Admin\Desktop\PulaExe.exe
  "C:\Users\Admin\Desktop\PulaExe.exe"
  1⤵
  • Looks for VirtualBox Guest Additions in registry
  • Executes dropped EXE
  • Looks for VMWare Tools registry key
  • Checks BIOS information in registry
  • Maps connected drives based on registry
  • Checks SCSI registry key(s)
  • Checks processor information in registry
  • Enumerates system info in registry
  • Suspicious use of AdjustPrivilegeToken
  PID:5612
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 5612 -s 2144
    2⤵
    • Program crash
    PID:2120
• C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 552 -p 696 -ip 696
  1⤵
  PID:5736
• C:\Users\Admin\Desktop\PulaExe.exe
  "C:\Users\Admin\Desktop\PulaExe.exe"
  1⤵
  • Looks for VirtualBox Guest Additions in registry
  • Executes dropped EXE
  • Looks for VMWare Tools registry key
  • Checks BIOS information in registry
  • Maps connected drives based on registry
  • Checks SCSI registry key(s)
  • Checks processor information in registry
  • Enumerates system info in registry
  • Suspicious use of AdjustPrivilegeToken
  PID:5764
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 5764 -s 2144
    2⤵
    • Program crash
    PID:5408
• C:\Users\Admin\Desktop\output.exe
  "C:\Users\Admin\Desktop\output.exe"
  1⤵
  • Executes dropped EXE
  • Suspicious use of AdjustPrivilegeToken
  PID:6056
• C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 548 -p 5764 -ip 5764
  1⤵
  PID:5472
• C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 576 -p 5508 -ip 5508
  1⤵
  PID:5412
• C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 444 -p 5184 -ip 5184
  1⤵
  PID:5536
• C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 556 -p 5612 -ip 5612
  1⤵
  PID:4148

Network

MITRE ATT&CK Enterprise v6

Downloads

• C:\Program Files\WinRAR\Rar.txt
  Filesize 107KB
  MD5 8933d6e810668af29d7ba8f1c3b2b9ff
  SHA1 760cbb236c4ca6e0003582aaefd72ff8b1c872aa
  SHA256 cd3ba458c88bdf8924ebb404c8505d627e6ac7aadc6e351562c1894019604fc7
  SHA512 344d737228483add83d5f2b31ae9582ca78013dc4be967f2cdafca24145970e3cb46d75373996150a3c9119ebc81ce9ac50e16696c17a4dea65c9571ef8e745e

• C:\Program Files\WinRAR\RarExt.dll
  Filesize 632KB
  MD5 650a771d005941c7a23926011d75ad8f
  SHA1 84b346acd006f21d7ffb8d5ea5937ec0ee3daa4f
  SHA256 b28d116dd3066e7a3c9f0cc2f63d34a7189c9d78e869d1255c9dec59172a9d5f
  SHA512 4724bd81c26716f0ad59187c78fbb920fd8b251540e76c28d93e0afcce3ebe0e3e2b4605e9d444bbbc3e828ce11f2b73489404318ab11403eff94b42ef2c9bad

                                                                                                                                                                                                                                              • C:\Program Files\WinRAR\Uninstall.exe

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                412KB

                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                92667e28583a9489e3cf4f1a7fd6636e

                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                faa09990ba4daae970038ed44e3841151d6e7f28

                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                9147293554ad43920bcf763ffd6e1183c36b9f8156dc220548426a187a5f2959

                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                63555a15f153df59b2ca2ab56cd20d71420eb5c9977bcf774723d8484157172b027f71fb2f7a4692aecc6e471f50beec2e0f7a43e57449714caede1e9684c0b8

                                                                                                                                                                                                                                              • C:\Program Files\WinRAR\WhatsNew.txt

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                95KB

                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                d4c768c52ee077eb09bac094f4af8310

                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                c56ae6b4464799fcdc87c5ff5a49ac1ad43482b1

                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                8089dfbebdf2142c7f60f5c12098859417b3c997f0b24b696ccaa78a50f3726c

                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                5b794b19b5ff10f7356a46f02204d0df3183037bc89d32e3f2c2978ea8f90ac6367fcb225b476cb7c8a3035d82ca1e328791271d3a58b40b9759d4b65e83f847

                                                                                                                                                                                                                                              • C:\Program Files\WinRAR\WinRAR.chm

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                314KB

                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                81b236ef16aaa6a3936fd449b12b82a2

                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                698acb3c862c7f3ecf94971e4276e531914e67bc

                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                d37819e64ecb61709fcf3435eb9bed790f75163057e36fb94a3465ca353ccc5e

                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                968fe20d6fe6879939297b8683da1520a1e0d2b9a5107451fca70b91802492e243976f56090c85eb9f38fca8f74134b8b6aa133ba2e2806d763c9f8516ace769

                                                                                                                                                                                                                                              • C:\Program Files\WinRAR\WinRAR.exe

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                2.3MB

                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                0b114fc0f4b6d49f57b3b01dd9ea6a8c

                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                23e1480c3ff3a54e712d759e9325d362bf52fabd

                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                f0f312fe14599d7379aa247c1d0cc6100db45bfe7f277113134a8157950bcacd

                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                e31c3a3da5e72a9d72e245d6e5dcc7c92e4cfcbb6bdbb61061e0586e29f77e8b42a81a0bba99ce45e148a2423907878fb858c40cc1008ef9d90fb8e4e2fcd573

                                                                                                                                                                                                                                              • C:\Program Files\WinRAR\uninstall.exe

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                412KB

                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                92667e28583a9489e3cf4f1a7fd6636e

                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                faa09990ba4daae970038ed44e3841151d6e7f28

                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                9147293554ad43920bcf763ffd6e1183c36b9f8156dc220548426a187a5f2959

                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                63555a15f153df59b2ca2ab56cd20d71420eb5c9977bcf774723d8484157172b027f71fb2f7a4692aecc6e471f50beec2e0f7a43e57449714caede1e9684c0b8

                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                40B

                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                a3a937930c5b01ecd542f094135aa0a4

                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                79234b7656f2a562129f98b27bc0762dc867d7fa

                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                985145fe40ae859f59ca7f31f100fe1a194f21810f50f5fd26c4c73c25b03ff9

                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                7fa94881f580973ffe4c6b67b811d47e7c104681b1fb8b36c6754ca0d29e731e89c252a9ea62e1888edf2eb3ffc8aa9f6462ed78f61c9683ddbe0d3f50f7ca41

                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata\computed_hashes.json

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                10KB

                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                90f880064a42b29ccff51fe5425bf1a3

                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                6a3cae3996e9fff653a1ddf731ced32b2be2acbf

                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                965203d541e442c107dbc6d5b395168123d0397559774beae4e5b9abc44ef268

                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                d9cbfcd865356f19a57954f8fd952caf3d31b354112766c41892d1ef40bd2533682d4ec3f4da0e59a5397364f67a484b45091ba94e6c69ed18ab681403dfd3f3

                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata\verified_contents.json

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                7KB

                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                0834821960cb5c6e9d477aef649cb2e4

                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                7d25f027d7cee9e94e9cbdee1f9220c8d20a1588

                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                52a24fa2fb3bcb18d9d8571ae385c4a830ff98ce4c18384d40a84ea7f6ba7f69

                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                9aeafc3ece295678242d81d71804e370900a6d4c6a618c5a81cacd869b84346feac92189e01718a7bb5c8226e9be88b063d2ece7cb0c84f17bb1af3c5b1a3fc4

                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Favicons

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                24KB

                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                edcc1881af866a0367752f95a25d9103

                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                4a821b1d12d053dc23462cd6cff3ce011e385d3a

                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                ee009473817a83864eaae2f8b6c5872435c36e2ff7029e3edc236f0191c9f595

                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                f0fba151d7adc4f9944bc5aec59b6059017dda1768c9233e339e94ded4a539901d88d66be435f5388c0fdcbe7ffb4d642f852e35010f7f163caff5973b5d7648

                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                116KB

                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                ea51abc53261e3244e585807cee1d835

SHA1: 8389de61bebe40d0d60ef0a40d9161b5b8205c05
SHA256: 3f414501ef1b8de6843e030ef9efc00eeb61c476f3e889c7a7b2080ea764faa1
SHA512: 5335b12344389ca115f153b23122eb8cb7bbc0292b0d906029dc897ba57fe9ab45bcacd9bde5b8b3441724faabf6f9154c2574f5b4242dc65c2be723a440f06f

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Filesize: 40KB
MD5: b608d407fc15adea97c26936bc6f03f6
SHA1: 953e7420801c76393902c0d6bb56148947e41571
SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize: 6KB
MD5: a431cb2d117497697a74d9fd0842c8e3
SHA1: cadba0b26dcf07a78674ac6b9cf90993d07bd8a1
SHA256: bdd17cb63fafbbce26a059ecae3fa03edeb6a9a8d6963cbf6d161ca147fee148
SHA512: 7e9b99dfba8ea43697da9056c3e410dbb57889f836841d70db194f3c18b2417ca73f0205306939939e540a1e962fcdf16548c3a13836da1236b3a11ff81c86bc

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize: 17KB
MD5: 3b761451c18c4cbd57eec4b34f8b4c2a
SHA1: 666b14dbc159673fff26c07b9c2b5e243a22da24
SHA256: 15caba3645aee3169941c9301156bb6a636cf720700f8973fba6c0cfcdcc47b0
SHA512: 4d7e94c21ccb0b86384b37c6caf6b20cf05a43c63160d3a975c4ce5ab297e8d3b51260f0f64b745acb418a1ecf7e8dfcf99f140c86087a1feb76c21def5bfa20

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13305933021096491
Filesize: 12KB
MD5: b7d137ab02f6f4fbfc3eb1c1bdcee491
SHA1: 837c804157c665cd68dd014b7c03332dd3e1d65e
SHA256: 5907069ceb4f9e043dde39db1dbb298f75e8523015f43e74c86d796ec702afb3
SHA512: 638829e1b44606602912419f41950098eca53ec7948736f1866d95aa317e911135bf55552a07b9f86cd2fc4fd80a2941107b961dab7955f18142b0aca1f9032a

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000003.log
Filesize: 172B
MD5: dc28d409c98e490dce22c4195afc0889
SHA1: 2f03f790f8d723b9902040f08768de9a28c7c516
SHA256: d16350d1378b30efd5d1a2b58f72ec429bb5538587ce193a4eb00786df724af5
SHA512: f7676eca8826cbdbd0b22726108f85b370ea7d614273c9fe523d6bc3264e37f4cbd5718c494608ce4ddfa12a93df914ae31943b197e6d45ee8d2b248b874aa90

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG
Filesize: 345B
MD5: d8571b0fb78f46541e0e87923b939034
SHA1: 6b169326e3e51beaec365f77b2b15fac918f1e9c
SHA256: 644d35bd901bee19586f8d67ea84faa02a128071443df08512a57f292eaa9e51
SHA512: 6b41814ce595918c9597891f748f8bd346d205603343149ee7a7669a67845f9d25d1dd8c3b23f2e9e8ddb740ea42323ced6889866e89b95dc2ee08a3c55bc053

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log
Filesize: 160B
MD5: de92ad90be6d3364745b2f73f4c3cf73
SHA1: 9158681463bd30e5af4dda4baac81f93cedbda77
SHA256: 0025a3e0d3b834401b3b5f820e1991ef7e810d9a4b8b6b579e6301c94e7031a0
SHA512: 9e81cefc195439439f4b23ee7696309d7bc3c08e5b444d2abde26d2f12b2d3bcfd124fb9a2d40c6389e9f787741676fad366a2e9982674e7b931028c014d8a79

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
Filesize: 324B
MD5: 4fce37edd40b4a01b8fcba5e5d68c91d
SHA1: 41052e4167ec024050db5a54f97c727bf7cdedac
SHA256: f6b07a518536a0989226cbc069597bbf5d5b264a2c0bc67024db3db66393d0b1
SHA512: 6cf7990595ba8b502a9b92b2188f4c1c39c2deb8b35b99bb6c9fb710eb9bb9126de7cedede6d2c27ba0e9bee57850fbd66519f31b70da2d3796a5a0e9d7fd4f1

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Visited Links
Filesize: 128KB
MD5: 0820feb6c3ddcf85fe2410d66308f4f0
SHA1: 2f1a34a5c8d56a7ce025bbc990541ff6c145833b
SHA256: c2252408e0c786dcb30e2b82d6605079caf85433164618b7933a246884afac8d
SHA512: 0dd804abf32a3b074d5c019f560ac6f95021c53e30cb6b8ac7a3df6c059407ff3f1115aa0da24ac78f79adfe4d7087fe75908934249bbfcc252d1b4dfb0b0612

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data
Filesize: 88KB
MD5: 95b45a4b38dbd8599748ae565d4fc4d5
SHA1: 9acbc0ef36e04e46a235c8035624d9f64724950a
SHA256: b483cd8fe0b5fb247d621a73a9ff639b06095911905cb42eaacbf4ee404939ca
SHA512: 88d71067721134a4c95f8283f381a3ed07b30ee3defc88aed3d77513e17c894f86819c8a6b272a59b2e77c42ea4c273b3d033a900f98389350e93efcc81e45e2

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
Filesize: 13B
MD5: b63048c4e7e52c52053d25da30d9c5ab
SHA1: 679a44d402f5ec24605719e06459f5a707989187
SHA256: 389caa40ea458e84bc624a9af1e0dec60fa652b2db2b81c09b1dfe22822cc3d1
SHA512: e86c58c5a25e24f21ad79ed526a90c120a09c115f4820663bd2ebbc59e7bb1c4c418267eb77645522aa20b2c1b53fba8e31690db7bae9b21e4eff3db06316359

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize: 182KB
MD5: 3dc3a909b58ff44e2adca2587354227e

                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                d1675b30734bc36aabc976b879cc6f3714adf55b

                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                3313dc9c9770d38cf5d914a94b4fb6fd3c3103e2efc2ce043f6dd145a78f81ee

                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                484b7e5d263d4b4a91a09b098905b3a7a77df38bc8d10ac0e93d6c836ce94b1979e3f3a642c4d1749c203e15da9f6d83244dd0d1ae3262e5dba28bc195b0d5f8

                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                264KB

                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                e2dda5deb17addf9d33810739366e412

                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                4b04218391fa701b4fdc3e3f159024aef420010c

                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                81da940dca4f5ac1aeec5ffd114c8f562e8919db074a808388715163800cb18e

                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                cf9078d13ec590ffaf842f8bdf000659d15a79255bfb86fdf1db6ddf58752a69f7efca4718f125a981c75fff48b75809f1fa8d8d8312405709f43675d6388aed

                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches

                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                d41d8cd98f00b204e9800998ecf8427e

                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                                                                                                                                                                                              • C:\Users\Admin\Downloads\winrar-x64-611.exe

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                3.3MB

                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                8a6217d94e1bcbabdd1dfcdcaa83d1b3

                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                99b81b01f277540f38ea3e96c9c6dc2a57dfeb92

                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                3023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684

                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54

                                                                                                                                                                                                                                              • C:\Users\Admin\Downloads\winrar-x64-611.exe

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                3.3MB

                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                8a6217d94e1bcbabdd1dfcdcaa83d1b3

                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                99b81b01f277540f38ea3e96c9c6dc2a57dfeb92

                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                3023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684

                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54

                                                                                                                                                                                                                                              • \??\pipe\crashpad_4884_TNNEGFOUKJZNQLMX

                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                d41d8cd98f00b204e9800998ecf8427e

                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                                                                                                                                                                                              • \??\pipe\crashpad_756_QQVGDKYWPDRVMUBO

                                                                                                                                                                                                                                                MD5

                                                                                                                                                                                                                                                d41d8cd98f00b204e9800998ecf8427e

                                                                                                                                                                                                                                                SHA1

                                                                                                                                                                                                                                                da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                                                                                                                                                                                                SHA256

                                                                                                                                                                                                                                                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                                                                                                                                                                                                SHA512

                                                                                                                                                                                                                                                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                                                                                                                                                                                              • memory/548-265-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                              • memory/1068-167-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                              • memory/1276-222-0x00007FF9FE280000-0x00007FF9FED41000-memory.dmp

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                10.8MB

                                                                                                                                                                                                                                              • memory/1276-223-0x00007FF9FE280000-0x00007FF9FED41000-memory.dmp

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                10.8MB

                                                                                                                                                                                                                                              • memory/1276-220-0x0000000000FC0000-0x0000000000FD0000-memory.dmp

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                              • memory/1276-221-0x00007FF9FE280000-0x00007FF9FED41000-memory.dmp

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                10.8MB

                                                                                                                                                                                                                                              • memory/1408-255-0x000000000D1C0000-0x000000000D1C4000-memory.dmp

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                16KB

                                                                                                                                                                                                                                              • memory/1408-254-0x0000000005209000-0x000000000520F000-memory.dmp

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                24KB

                                                                                                                                                                                                                                              • memory/1408-251-0x000000000D1C0000-0x000000000D1C4000-memory.dmp

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                16KB

                                                                                                                                                                                                                                              • memory/1408-250-0x0000000005209000-0x000000000520F000-memory.dmp

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                24KB

                                                                                                                                                                                                                                              • memory/1408-249-0x000000000D1C0000-0x000000000D1C4000-memory.dmp

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                16KB

                                                                                                                                                                                                                                              • memory/1408-248-0x0000000005209000-0x000000000520F000-memory.dmp

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                24KB

                                                                                                                                                                                                                                              • memory/1428-233-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                              • memory/1540-231-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                              • memory/1612-237-0x0000000000000000-mapping.dmp

• memory/1884-226-0x00007FF9FDB20000-0x00007FF9FE5E1000-memory.dmp (Filesize 10.8MB)
• memory/1884-246-0x00007FF9FDB20000-0x00007FF9FE5E1000-memory.dmp (Filesize 10.8MB)
• memory/1884-247-0x00007FF9FDB20000-0x00007FF9FE5E1000-memory.dmp (Filesize 10.8MB)
• memory/2104-252-0x0000000000000000-mapping.dmp
• memory/2272-215-0x0000000000000000-mapping.dmp
• memory/2368-225-0x0000000000000000-mapping.dmp
• memory/2476-241-0x0000000000000000-mapping.dmp
• memory/2736-210-0x00000000071C4000-0x00000000071C7000-memory.dmp (Filesize 12KB)
• memory/2736-208-0x00000000071C0000-0x00000000071C4000-memory.dmp (Filesize 16KB)
• memory/2736-204-0x0000000004D69000-0x0000000004D6F000-memory.dmp (Filesize 24KB)
• memory/2736-217-0x00000000071C4000-0x00000000071C7000-memory.dmp (Filesize 12KB)
• memory/2736-213-0x00000000071C1000-0x00000000071C6000-memory.dmp (Filesize 20KB)
• memory/2736-212-0x00000000071C1000-0x00000000071C6000-memory.dmp (Filesize 20KB)
• memory/2736-211-0x00000000071C7000-0x00000000071CC000-memory.dmp (Filesize 20KB)
• memory/2736-218-0x00000000071C7000-0x00000000071CC000-memory.dmp (Filesize 20KB)
• memory/2736-209-0x00000000071C7000-0x00000000071CC000-memory.dmp (Filesize 20KB)
• memory/2736-205-0x0000000004D69000-0x0000000004D6F000-memory.dmp (Filesize 24KB)
• memory/2736-219-0x00000000071C1000-0x00000000071C6000-memory.dmp (Filesize 20KB)
• memory/2736-207-0x00000000071C4000-0x00000000071C7000-memory.dmp (Filesize 12KB)
• memory/2736-206-0x00000000071C0000-0x00000000071C4000-memory.dmp (Filesize 16KB)
• memory/2736-216-0x00000000071C0000-0x00000000071C4000-memory.dmp (Filesize 16KB)
• memory/2860-229-0x0000000000000000-mapping.dmp
• memory/3028-166-0x0000000000000000-mapping.dmp
• memory/3344-214-0x0000000000000000-mapping.dmp
• memory/3512-134-0x0000000000000000-mapping.dmp
• memory/3520-138-0x0000000000000000-mapping.dmp
• memory/3648-253-0x0000000000000000-mapping.dmp
• memory/3784-259-0x00007FF9FDB20000-0x00007FF9FE5E1000-memory.dmp (Filesize 10.8MB)
• memory/3820-243-0x0000000000000000-mapping.dmp
• memory/3908-224-0x0000000000000000-mapping.dmp
• memory/4080-235-0x0000000000000000-mapping.dmp
• memory/4264-228-0x0000000000000000-mapping.dmp
• memory/4276-239-0x0000000000000000-mapping.dmp
• memory/4684-173-0x0000000000000000-mapping.dmp
• memory/4752-165-0x0000000000000000-mapping.dmp
• memory/4760-186-0x000000000E094000-0x000000000E099000-memory.dmp (Filesize 20KB)
• memory/4760-178-0x000000000E084000-0x000000000E087000-memory.dmp (Filesize 12KB)
• memory/4760-203-0x0000000005246000-0x0000000005249000-memory.dmp (Filesize 12KB)
• memory/4760-202-0x000000000E08D000-0x000000000E094000-memory.dmp (Filesize 28KB)
• memory/4760-201-0x000000000E085000-0x000000000E088000-memory.dmp (Filesize 12KB)
• memory/4760-188-0x000000000E094000-0x000000000E099000-memory.dmp (Filesize 20KB)
• memory/4760-185-0x000000000E08A000-0x000000000E08F000-memory.dmp (Filesize 20KB)
• memory/4760-200-0x000000000E094000-0x000000000E099000-memory.dmp (Filesize 20KB)
• memory/4760-184-0x000000000E08F000-0x000000000E094000-memory.dmp (Filesize 20KB)
• memory/4760-199-0x000000000E08F000-0x000000000E094000-memory.dmp (Filesize 20KB)
• memory/4760-183-0x000000000E087000-0x000000000E08A000-memory.dmp (Filesize 12KB)
• memory/4760-182-0x000000000E08A000-0x000000000E08F000-memory.dmp (Filesize 20KB)
• memory/4760-198-0x000000000E08A000-0x000000000E08F000-memory.dmp (Filesize 20KB)
• memory/4760-197-0x000000000E087000-0x000000000E08A000-memory.dmp (Filesize 12KB)
• memory/4760-181-0x000000000E087000-0x000000000E08A000-memory.dmp (Filesize 12KB)
• memory/4760-180-0x000000000E084000-0x000000000E087000-memory.dmp (Filesize 12KB)
• memory/4760-196-0x000000000E084000-0x000000000E087000-memory.dmp (Filesize 12KB)
• memory/4760-179-0x000000000E080000-0x000000000E084000-memory.dmp (Filesize 16KB)
• memory/4760-195-0x000000000E080000-0x000000000E084000-memory.dmp (Filesize 16KB)
• memory/4760-187-0x000000000E08F000-0x000000000E094000-memory.dmp (Filesize 20KB)
• memory/4760-194-0x0000000005249000-0x000000000524F000-memory.dmp (Filesize 24KB)
• memory/4760-189-0x000000000E085000-0x000000000E088000-memory.dmp

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                12KB

                                                                                                                                                                                                                                              • memory/4760-177-0x000000000E080000-0x000000000E084000-memory.dmp

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                16KB

                                                                                                                                                                                                                                              • memory/4760-176-0x0000000005249000-0x000000000524F000-memory.dmp

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                24KB

                                                                                                                                                                                                                                              • memory/4760-175-0x0000000005249000-0x000000000524F000-memory.dmp

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                24KB

                                                                                                                                                                                                                                              • memory/4760-174-0x00000000053F0000-0x00000000053FA000-memory.dmp

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                40KB

                                                                                                                                                                                                                                              • memory/4760-193-0x0000000005246000-0x0000000005249000-memory.dmp

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                12KB

                                                                                                                                                                                                                                              • memory/4760-172-0x0000000005250000-0x00000000052E2000-memory.dmp

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                584KB

                                                                                                                                                                                                                                              • memory/4760-171-0x0000000005800000-0x0000000005DA4000-memory.dmp

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                5.6MB

                                                                                                                                                                                                                                              • memory/4760-192-0x000000000E08D000-0x000000000E094000-memory.dmp

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                28KB

                                                                                                                                                                                                                                              • memory/4760-170-0x0000000000550000-0x000000000088A000-memory.dmp

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                3.2MB

                                                                                                                                                                                                                                              • memory/4760-191-0x000000000E085000-0x000000000E088000-memory.dmp

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                12KB

                                                                                                                                                                                                                                              • memory/4760-190-0x000000000E08D000-0x000000000E094000-memory.dmp

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                28KB

                                                                                                                                                                                                                                              • memory/4864-257-0x00007FF9FDB20000-0x00007FF9FE5E1000-memory.dmp

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                10.8MB

                                                                                                                                                                                                                                              • memory/4864-258-0x00007FF9FDB20000-0x00007FF9FE5E1000-memory.dmp

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                10.8MB

                                                                                                                                                                                                                                              • memory/4864-256-0x0000000000F00000-0x0000000000F10000-memory.dmp

                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                64KB

                                                                                                                                                                                                                                              • memory/4976-245-0x0000000000000000-mapping.dmp

                                                                                                                                                                                                                                              • memory/5088-266-0x0000000000000000-mapping.dmp
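The dump names in the listing above encode the process id, a dump index and the dumped virtual address range (mapping dumps carry no range). The following Python is an added example, not part of the sandbox report or of the Mercurial Grabber project: it parses those names, recomputes each region's size from its address range, reconciles that against the Filesize column, and groups repeated dumps of the same region by process so that re-dumped regions (the same range captured at several indexes) stand out. The sample entries are copied from the listing above; the size formatting (whole KB below 1 MiB, one decimal MB above) is an assumption chosen to reproduce the report's column, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Dump names as they appear in the listing above (assumed naming convention):
#   memory/<pid>-<index>-<start>-<end>-memory.dmp        a dumped region
#   memory/<pid>-<index>-0x0000000000000000-mapping.dmp  a mapping dump, no range
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"(?:(?P<start>0x[0-9A-Fa-f]+)-(?P<end>0x[0-9A-Fa-f]+)-memory|0x0+-mapping)\.dmp$"
)

# Constructed sample: entries copied from the listing above, with the Filesize
# column as shown there (None where the report shows no size).
SAMPLE = [
    ("memory/4760-196-0x000000000E084000-0x000000000E087000-memory.dmp", "12KB"),
    ("memory/4760-179-0x000000000E080000-0x000000000E084000-memory.dmp", "16KB"),
    ("memory/4760-195-0x000000000E080000-0x000000000E084000-memory.dmp", "16KB"),
    ("memory/4760-177-0x000000000E080000-0x000000000E084000-memory.dmp", "16KB"),
    ("memory/4760-172-0x0000000005250000-0x00000000052E2000-memory.dmp", "584KB"),
    ("memory/4760-171-0x0000000005800000-0x0000000005DA4000-memory.dmp", "5.6MB"),
    ("memory/4760-170-0x0000000000550000-0x000000000088A000-memory.dmp", "3.2MB"),
    ("memory/4864-257-0x00007FF9FDB20000-0x00007FF9FE5E1000-memory.dmp", "10.8MB"),
    ("memory/4864-256-0x0000000000F00000-0x0000000000F10000-memory.dmp", "64KB"),
    ("memory/4976-245-0x0000000000000000-mapping.dmp", None),
]


def parse_dump_name(name):
    """Split a dump file name into pid, index, kind and address range."""
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"unrecognised dump name: {name!r}")
    pid, idx = int(m["pid"]), int(m["idx"])
    if m["start"] is None:
        return {"pid": pid, "idx": idx, "kind": "mapping",
                "start": None, "end": None, "size": None}
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"end address not above start in {name!r}")
    return {"pid": pid, "idx": idx, "kind": "memory",
            "start": start, "end": end, "size": end - start}


def human_size(nbytes):
    """Format like the report's Filesize column (assumed: KB below 1 MiB, else x.yMB)."""
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def reconcile(entries):
    """Return (name, shown, computed) for every region whose range disagrees
    with the Filesize column; an empty list means the listing is consistent."""
    mismatches = []
    for name, shown in entries:
        info = parse_dump_name(name)
        if info["kind"] != "memory":
            continue
        computed = human_size(info["size"])
        if shown != computed:
            mismatches.append((name, shown, computed))
    return mismatches


def regions_by_pid(entries):
    """Map pid -> {(start, end): sorted dump indexes}; a range with several
    indexes was dumped repeatedly during the run."""
    out = defaultdict(lambda: defaultdict(list))
    for name, _ in entries:
        info = parse_dump_name(name)
        if info["kind"] == "memory":
            out[info["pid"]][(info["start"], info["end"])].append(info["idx"])
    return {pid: {rng: sorted(ix) for rng, ix in regs.items()}
            for pid, regs in out.items()}


if __name__ == "__main__":
    print("mismatches:", reconcile(SAMPLE))
    for pid, regs in regions_by_pid(SAMPLE).items():
        for (start, end), ix in regs.items():
            print(f"pid {pid}: {start:#018x}-{end:#018x} "
                  f"{human_size(end - start):>7} dumped at {ix}")
```

Running it over the sample shows no mismatches, and the grouping makes the repeated captures visible, for instance the 16KB region of pid 4760 at 0xE080000 appearing at indexes 177, 179 and 195.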