bandook | hxxps://filedn[.]com/lDvy0twfPspJQGA0clfyBJV/multis1/Dia-09_12569[.]7z

Resubmissions

09-08-2023 21:34

230809-1e3eqsff77 8

09-08-2023 16:09

230809-tma7wsee3v 10

Analysis

max time kernel
615s
max time network
616s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09-08-2023 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://filedn.com/lDvy0twfPspJQGA0clfyBJV/multis1/Dia-09_12569.7z

Score

10^/10

bandook microsoft persistence phishing rat trojan upx

Malware Config

Extracted

Family

bandook

185.10.68.52

Signatures

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4076-1255-0x0000000013140000-0x0000000014225000-memory.dmp	family_bandook
behavioral1/memory/4076-1257-0x0000000013140000-0x0000000014225000-memory.dmp	family_bandook
behavioral1/memory/4076-1267-0x0000000013140000-0x0000000014225000-memory.dmp	family_bandook
behavioral1/memory/4076-1268-0x0000000013140000-0x0000000014225000-memory.dmp	family_bandook
behavioral1/memory/4076-1270-0x0000000013140000-0x0000000014225000-memory.dmp	family_bandook
behavioral1/memory/4076-1272-0x0000000013140000-0x0000000014225000-memory.dmp	family_bandook
behavioral1/memory/4076-1276-0x0000000013140000-0x0000000014225000-memory.dmp	family_bandook

Drops file in Drivers directory 5 IoCs

Processes:

procexp64.exeProcmon64.exeProcmon64.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	procexp64.exe
File opened for modification	C:\Windows\system32\Drivers\PROCMON24.SYS	Procmon64.exe
File created	C:\Windows\system32\Drivers\PROCMON24.SYS	Procmon64.exe
File opened for modification	C:\Windows\system32\Drivers\PROCMON24.SYS	Procmon64.exe
File created	C:\Windows\system32\Drivers\PROCMON24.SYS	Procmon64.exe

Sets service image path in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Procmon64.exeProcmon64.exeprocexp64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCMON24\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCMON24.SYS"	Procmon64.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCMON24\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCMON24.SYS"	Procmon64.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	procexp64.exe

Executes dropped EXE 11 IoCs

Processes:

7z2301-x64.exe7zFM.exeIM-09082023.exe7zG.exeprocexp.exeprocexp64.exeProcmon.exeProcmon64.exeProcmon64.exetcpview.exeIM-09082023.exe

pid	process
2028	7z2301-x64.exe
3892	7zFM.exe
2612	IM-09082023.exe
1992	7zG.exe
1052	procexp.exe
2568	procexp64.exe
4468	Procmon.exe
1560	Procmon64.exe
4124	Procmon64.exe
1456	tcpview.exe
3812	IM-09082023.exe

Loads dropped DLL 4 IoCs

Processes:

7zFM.exe7zG.exeProcmon.exe

pid process

3168
3892 7zFM.exe
1992 7zG.exe
4468 Procmon.exe

pid	process
3168
3892	7zFM.exe
1992	7zG.exe
4468	Procmon.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

7z2301-x64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2301-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2301-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2301-x64.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/4076-1253-0x0000000013140000-0x0000000014225000-memory.dmp	upx
behavioral1/memory/4076-1254-0x0000000013140000-0x0000000014225000-memory.dmp	upx
behavioral1/memory/4076-1256-0x0000000013140000-0x0000000014225000-memory.dmp	upx
behavioral1/memory/4076-1255-0x0000000013140000-0x0000000014225000-memory.dmp	upx
behavioral1/memory/4076-1257-0x0000000013140000-0x0000000014225000-memory.dmp	upx
behavioral1/memory/4076-1267-0x0000000013140000-0x0000000014225000-memory.dmp	upx
behavioral1/memory/4076-1268-0x0000000013140000-0x0000000014225000-memory.dmp	upx
behavioral1/memory/4076-1270-0x0000000013140000-0x0000000014225000-memory.dmp	upx
behavioral1/memory/4076-1272-0x0000000013140000-0x0000000014225000-memory.dmp	upx
behavioral1/memory/4076-1276-0x0000000013140000-0x0000000014225000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

procexp64.exe

description	ioc	process
File opened (read-only)	\??\K:	procexp64.exe
File opened (read-only)	\??\M:	procexp64.exe
File opened (read-only)	\??\O:	procexp64.exe
File opened (read-only)	\??\P:	procexp64.exe
File opened (read-only)	\??\X:	procexp64.exe
File opened (read-only)	\??\Y:	procexp64.exe
File opened (read-only)	\??\Z:	procexp64.exe
File opened (read-only)	\??\B:	procexp64.exe
File opened (read-only)	\??\I:	procexp64.exe
File opened (read-only)	\??\L:	procexp64.exe
File opened (read-only)	\??\S:	procexp64.exe
File opened (read-only)	\??\T:	procexp64.exe
File opened (read-only)	\??\V:	procexp64.exe
File opened (read-only)	\??\E:	procexp64.exe
File opened (read-only)	\??\G:	procexp64.exe
File opened (read-only)	\??\U:	procexp64.exe
File opened (read-only)	\??\W:	procexp64.exe
File opened (read-only)	\??\A:	procexp64.exe
File opened (read-only)	\??\H:	procexp64.exe
File opened (read-only)	\??\J:	procexp64.exe
File opened (read-only)	\??\N:	procexp64.exe
File opened (read-only)	\??\Q:	procexp64.exe
File opened (read-only)	\??\R:	procexp64.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Drops file in Program Files directory 64 IoCs

Processes:

7z2301-x64.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	7z2301-x64.exe
File created	C:\Program Files\7-Zip\Lang\tk.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	7z2301-x64.exe
File created	C:\Program Files\7-Zip\Lang\tg.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	7z2301-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	7z2301-x64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133360710234015464"	chrome.exe

Modifies registry class 42 IoCs

Processes:

7z2301-x64.exeProcmon64.exeProcmon64.exe7zFM.exeProcmon.exechrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2301-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2301-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\ProcMon.Logfile.1\shell	Procmon64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\ProcMon.Logfile.1\DefaultIcon\ = "\"C:\\Users\\Admin\\Downloads\\SysinternalsSuite\\Procmon.exe\",0"	Procmon64.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\ProcMon.Logfile.1\shell\open\command	Procmon64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2301-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2301-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2301-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Procmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.PML\ = "ProcMon.Logfile.1"	Procmon64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\ProcMon.Logfile.1\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\SysinternalsSuite\\Procmon.exe\" /OpenLog \"%1\""	Procmon64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.PML\ = "ProcMon.Logfile.1"	Procmon64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2301-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2301-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\ProcMon.Logfile.1	Procmon64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2301-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\ProcMon.Logfile.1\shell\open	Procmon64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2301-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2301-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2301-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\ProcMon.Logfile.1	Procmon64.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.PML	Procmon64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\ProcMon.Logfile.1\ = "ProcMon Log File"	Procmon64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\ProcMon.Logfile.1\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\SysinternalsSuite\\Procmon64.exe\" /OpenLog \"%1\""	Procmon64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2301-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2301-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2301-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\.PML	Procmon64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\ProcMon.Logfile.1\ = "ProcMon Log File"	Procmon64.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\ProcMon.Logfile.1\shell\open\command	Procmon64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2301-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2301-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2301-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2301-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\ProcMon.Logfile.1\DefaultIcon	Procmon64.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\ProcMon.Logfile.1\DefaultIcon	Procmon64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\ProcMon.Logfile.1\DefaultIcon\ = "\"C:\\Users\\Admin\\Downloads\\SysinternalsSuite\\Procmon64.exe\",0"	Procmon64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2301-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2301-x64.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

procexp64.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	procexp64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	procexp64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	procexp64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	procexp64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	procexp64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d90103000000010000001400000002faf3e291435468607857694df5e45b6885186820000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	procexp64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	procexp64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	procexp64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	procexp64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	procexp64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b6885186868000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	procexp64.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exetaskmgr.exechrome.exe

pid	process
3688	chrome.exe
3688	chrome.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
2760	chrome.exe
2760	chrome.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

7zFM.exetaskmgr.exeProcmon64.exeProcmon64.exetcpview.exe

pid process

3892 7zFM.exe
4476 taskmgr.exe
1560 Procmon64.exe
4124 Procmon64.exe
1456 tcpview.exe
Suspicious behavior: LoadsDriver 3 IoCs

Processes:

procexp64.exeProcmon64.exeProcmon64.exe

pid process

2568 procexp64.exe
1560 Procmon64.exe
4124 Procmon64.exe

pid	process
3892	7zFM.exe
4476	taskmgr.exe
1560	Procmon64.exe
4124	Procmon64.exe
1456	tcpview.exe

pid	process
2568	procexp64.exe
1560	Procmon64.exe
4124	Procmon64.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

Processes:

chrome.exemsedge.exe

pid	process
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe7zFM.exetaskmgr.exe

pid	process
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3892	7zFM.exe
3892	7zFM.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe
4476	taskmgr.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

7z2301-x64.exeprocexp64.exeProcmon64.exeProcmon64.exetcpview.exe

pid	process
2028	7z2301-x64.exe
2568	procexp64.exe
1560	Procmon64.exe
1560	Procmon64.exe
1560	Procmon64.exe
4124	Procmon64.exe
4124	Procmon64.exe
4124	Procmon64.exe
1456	tcpview.exe
1456	tcpview.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3688 wrote to memory of 5068	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 5068	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1608	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1464	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 1464	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 3252	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 3252	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 3252	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 3252	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 3252	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 3252	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 3252	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 3252	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 3252	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 3252	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 3252	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 3252	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 3252	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 3252	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 3252	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 3252	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 3252	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 3252	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 3252	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 3252	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 3252	3688	chrome.exe	chrome.exe
PID 3688 wrote to memory of 3252	3688	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://filedn.com/lDvy0twfPspJQGA0clfyBJV/multis1/Dia-09_12569.7z
1⤵
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd1cb99758,0x7ffd1cb99768,0x7ffd1cb99778
2⤵
PID:5068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1924 --field-trial-handle=1884,i,3373164621085985875,10835902936705641709,131072 /prefetch:8
2⤵
PID:1464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1884,i,3373164621085985875,10835902936705641709,131072 /prefetch:2
2⤵
PID:1608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2872 --field-trial-handle=1884,i,3373164621085985875,10835902936705641709,131072 /prefetch:1
2⤵
PID:4220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2856 --field-trial-handle=1884,i,3373164621085985875,10835902936705641709,131072 /prefetch:1
2⤵
PID:2136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1884,i,3373164621085985875,10835902936705641709,131072 /prefetch:8
2⤵
PID:3252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1884,i,3373164621085985875,10835902936705641709,131072 /prefetch:8
2⤵
PID:1952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 --field-trial-handle=1884,i,3373164621085985875,10835902936705641709,131072 /prefetch:8
2⤵
PID:4160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5236 --field-trial-handle=1884,i,3373164621085985875,10835902936705641709,131072 /prefetch:1
2⤵
PID:3940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5580 --field-trial-handle=1884,i,3373164621085985875,10835902936705641709,131072 /prefetch:1
2⤵
PID:3668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5744 --field-trial-handle=1884,i,3373164621085985875,10835902936705641709,131072 /prefetch:8
2⤵
PID:1948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5872 --field-trial-handle=1884,i,3373164621085985875,10835902936705641709,131072 /prefetch:8
2⤵
PID:2816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 --field-trial-handle=1884,i,3373164621085985875,10835902936705641709,131072 /prefetch:8
2⤵
PID:2156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5976 --field-trial-handle=1884,i,3373164621085985875,10835902936705641709,131072 /prefetch:1
2⤵
PID:4452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5864 --field-trial-handle=1884,i,3373164621085985875,10835902936705641709,131072 /prefetch:1
2⤵
PID:2864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2900 --field-trial-handle=1884,i,3373164621085985875,10835902936705641709,131072 /prefetch:8
2⤵
PID:2572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5724 --field-trial-handle=1884,i,3373164621085985875,10835902936705641709,131072 /prefetch:8
2⤵
PID:3228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6228 --field-trial-handle=1884,i,3373164621085985875,10835902936705641709,131072 /prefetch:8
2⤵
PID:3916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5672 --field-trial-handle=1884,i,3373164621085985875,10835902936705641709,131072 /prefetch:8
2⤵
PID:4036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5688 --field-trial-handle=1884,i,3373164621085985875,10835902936705641709,131072 /prefetch:8
2⤵
PID:2836

C:\Users\Admin\Downloads\7z2301-x64.exe
"C:\Users\Admin\Downloads\7z2301-x64.exe"
2⤵
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 --field-trial-handle=1884,i,3373164621085985875,10835902936705641709,131072 /prefetch:8
2⤵
PID:4772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4716 --field-trial-handle=1884,i,3373164621085985875,10835902936705641709,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4684 --field-trial-handle=1884,i,3373164621085985875,10835902936705641709,131072 /prefetch:1
2⤵
PID:1056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=3168 --field-trial-handle=1884,i,3373164621085985875,10835902936705641709,131072 /prefetch:1
2⤵
PID:4424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=896 --field-trial-handle=1884,i,3373164621085985875,10835902936705641709,131072 /prefetch:8
2⤵
PID:2860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5648 --field-trial-handle=1884,i,3373164621085985875,10835902936705641709,131072 /prefetch:8
2⤵
PID:1184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=4668 --field-trial-handle=1884,i,3373164621085985875,10835902936705641709,131072 /prefetch:1
2⤵
PID:4056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5600 --field-trial-handle=1884,i,3373164621085985875,10835902936705641709,131072 /prefetch:1
2⤵
PID:1080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5388 --field-trial-handle=1884,i,3373164621085985875,10835902936705641709,131072 /prefetch:1
2⤵
PID:376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2948 --field-trial-handle=1884,i,3373164621085985875,10835902936705641709,131072 /prefetch:8
2⤵
PID:2784

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1748

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4144

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Dia-09_12569.7z"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3892

C:\Users\Admin\Desktop\Dia-09_12569\IM-09082023.exe
"C:\Users\Admin\Desktop\Dia-09_12569\IM-09082023.exe"
1⤵
- Executes dropped EXE
PID:2612

C:\windows\SysWOW64\msinfo32.exe
C:\windows\syswow64\msinfo32.exe
2⤵
PID:4076

C:\Users\Admin\Desktop\Dia-09_12569\IM-09082023.exe
C:\Users\Admin\Desktop\Dia-09_12569\IM-09082023.exe ooooooooooooooo
2⤵
- Executes dropped EXE
PID:3812

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4476

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SysinternalsSuite\" -spe -an -ai#7zMap21655:96:7zEvent2129
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1992

C:\Users\Admin\Downloads\SysinternalsSuite\procexp.exe
"C:\Users\Admin\Downloads\SysinternalsSuite\procexp.exe"
1⤵
- Executes dropped EXE
PID:1052

C:\Users\Admin\AppData\Local\Temp\procexp64.exe
"C:\Users\Admin\Downloads\SysinternalsSuite\procexp.exe"
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: LoadsDriver
- Suspicious use of SetWindowsHookEx
PID:2568

C:\Users\Admin\Downloads\SysinternalsSuite\Procmon.exe
"C:\Users\Admin\Downloads\SysinternalsSuite\Procmon.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4468

C:\Users\Admin\AppData\Local\Temp\Procmon64.exe
"C:\Users\Admin\AppData\Local\Temp\Procmon64.exe" /originalpath "C:\Users\Admin\Downloads\SysinternalsSuite\Procmon.exe"
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: LoadsDriver
- Suspicious use of SetWindowsHookEx
PID:1560

C:\Users\Admin\Downloads\SysinternalsSuite\Procmon64.exe
"C:\Users\Admin\Downloads\SysinternalsSuite\Procmon64.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: LoadsDriver
- Suspicious use of SetWindowsHookEx
PID:4124

C:\Users\Admin\Downloads\SysinternalsSuite\tcpview.exe
"C:\Users\Admin\Downloads\SysinternalsSuite\tcpview.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.virustotal.com/about/terms-of-service
1⤵
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:2460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd16d846f8,0x7ffd16d84708,0x7ffd16d84718
2⤵
PID:4832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,13853422532644751746,5926389677862281599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
2⤵
PID:2984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,13853422532644751746,5926389677862281599,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
2⤵
PID:3880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,13853422532644751746,5926389677862281599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
2⤵
PID:3636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13853422532644751746,5926389677862281599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
2⤵
PID:4340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13853422532644751746,5926389677862281599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
2⤵
PID:2556

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,13853422532644751746,5926389677862281599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
2⤵
PID:3912

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,13853422532644751746,5926389677862281599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
2⤵
PID:1644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13853422532644751746,5926389677862281599,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
2⤵
PID:4400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13853422532644751746,5926389677862281599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
2⤵
PID:1812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13853422532644751746,5926389677862281599,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
2⤵
PID:3828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13853422532644751746,5926389677862281599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
2⤵
PID:488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3972

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.dll
Filesize
99KB

MD5
956d826f03d88c0b5482002bb7a83412

SHA1
560658185c225d1bd274b6a18372fd7de5f336af

SHA256
f9b4944d3a5536a6f8b4d5db17d903988a3518b22fbee6e3f6019aaf44189b3d

SHA512
6503064802101bca6e25b259a2bfe38e2d8b786bf2cf588ab1fb026b755f04a20857ee27e290cf50b2667425c528313b1c02e09b7b50edbcd75a3335439c3647

Download Submit
C:\Program Files\7-Zip\7-zip32.dll
Filesize
65KB

MD5
ce9564f1a1bb9d09693629dcfab40356

SHA1
f29a70fb365cc6789ec60f9fae9478f36a809902

SHA256
62ef98b00232f9d63a647e201abfb354582d3fbc342ec63df15b2a0ce514b5a6

SHA512
da9712b7e550595fd924bd0c9752e4100f9fa3a33c4e36d1c3c87058f9cd018f90fff54e5d036f3a10a45815b178c3267eae2f55239d2789930ba696446b2162

Download Submit
C:\Program Files\7-Zip\7-zip32.dll
Filesize
65KB

MD5
ce9564f1a1bb9d09693629dcfab40356

SHA1
f29a70fb365cc6789ec60f9fae9478f36a809902

SHA256
62ef98b00232f9d63a647e201abfb354582d3fbc342ec63df15b2a0ce514b5a6

SHA512
da9712b7e550595fd924bd0c9752e4100f9fa3a33c4e36d1c3c87058f9cd018f90fff54e5d036f3a10a45815b178c3267eae2f55239d2789930ba696446b2162

Download Submit
C:\Program Files\7-Zip\7z.dll
Filesize
1.8MB

MD5
4e35a902ca8ed1c3d4551b1a470c4655

SHA1
ad9a9b5dbe810a6d7ea2c8430c32417d87c5930c

SHA256
77222e81cb7004e8c3e077aada02b555a3d38fb05b50c64afd36ca230a8fd5b9

SHA512
c7966f892c1f81fbe6a2197bd229904d398a299c53c24586ca77f7f657529323e5a7260ed32da9701fce9989b0b9a2463cd45c5a5d77e56a1ea670e02e575a30

Download Submit
C:\Program Files\7-Zip\7z.dll
Filesize
1.8MB

MD5
4e35a902ca8ed1c3d4551b1a470c4655

SHA1
ad9a9b5dbe810a6d7ea2c8430c32417d87c5930c

SHA256
77222e81cb7004e8c3e077aada02b555a3d38fb05b50c64afd36ca230a8fd5b9

SHA512
c7966f892c1f81fbe6a2197bd229904d398a299c53c24586ca77f7f657529323e5a7260ed32da9701fce9989b0b9a2463cd45c5a5d77e56a1ea670e02e575a30

Download Submit
C:\Program Files\7-Zip\7z.dll
Filesize
1.8MB

MD5
4e35a902ca8ed1c3d4551b1a470c4655

SHA1
ad9a9b5dbe810a6d7ea2c8430c32417d87c5930c

SHA256
77222e81cb7004e8c3e077aada02b555a3d38fb05b50c64afd36ca230a8fd5b9

SHA512
c7966f892c1f81fbe6a2197bd229904d398a299c53c24586ca77f7f657529323e5a7260ed32da9701fce9989b0b9a2463cd45c5a5d77e56a1ea670e02e575a30

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
930KB

MD5
30ac0b832d75598fb3ec37b6f2a8c86a

SHA1
6f47dbfd6ff36df7ba581a4cef024da527dc3046

SHA256
1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74

SHA512
505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
684KB

MD5
50f289df0c19484e970849aac4e6f977

SHA1
3dc77c8830836ab844975eb002149b66da2e10be

SHA256
b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305

SHA512
877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008
Filesize
39KB

MD5
500ecdda9ad3e919a1f41c1588266a1b

SHA1
d5ddf92dc08284a48701a4d3555590bda05f77e0

SHA256
caad3feace9086d27e006d538d2daf4dd50e2b33307232a7db6d5f8c48f73b37

SHA512
5e47a0d0721ec0f9adb5a439ffc98c1b4da780e74270332313f8350f228bdb919d32c4812c6ede84ebae3ead1342c2eaf4c73f4dfca5a87e8887e1b5913c0d9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
288B

MD5
1c3413aae8f709b9eaed08a086c109b3

SHA1
0d10682e5c29a5cc9ce595701466b5ef7b7cb6ea

SHA256
692ab8cb28662f8a0c66c5a1935419badb84264c68b492958b7e529d07ea5a8e

SHA512
a7618d0c78ca9c195dff10337c16f43e5b4cb1de78bd6216d1454346d8a7e53afb6768d4915afda8c49fd33953884d06c85696361a5264c72c99a1b8ccfefe1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
768B

MD5
f6261030b1dd08893b4acb6abfa20369

SHA1
0fb9882dd99507e3690f6fceafa23bc62123dc39

SHA256
bf4b7c51a12910c6ccfbbfa30f6930e274869f2b4550640fdcb7ab77d4c5dd49

SHA512
b4f7e320d2dc8aa823d4f19771035314b0510b4f93031f9443a320256a9e6178650542d64fc7eb6ec01b67b436747c6025f374ed94046c4ceb52db845faa87fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
1e754d547fe8a05d4798bfa80d3e60da

SHA1
7af62c0badd12e83a054b716a34d65af9d1f1f73

SHA256
ea28ec7bae5ae0698733974b845c645b5ea21c4b71ae6ed44b64c1210535dede

SHA512
1f597060bdbcb7a3b07ee206cf1a83b27afe083a3edb177b50410a3cdc404291a06e05f081916082a99e4fc9f453abbaa134eca63b3f6b55069d6b89fa675c6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
8df0efd13c2e4bd68984c45aeaf6854f

SHA1
caddf6dfb25fd6d8c0756170a35ff3ba3662f3ac

SHA256
3d0cc0d5c74d53703e473aaf4cf79a6c08e39509d9f979cbbd7080932a22c320

SHA512
e9d5d74a2f5f0098ccba42e126fbd404dba2bdf9f96f1717ce04ea0e7e178fbd2fca6413ab5394a35a55f2cfea73ff3a48e67d65d48493a0788853a6706f4a96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
89a6a7231f5305320d98bc12f8ebed1e

SHA1
0d6d1e37113023481a00f7da3f7dbdf9f634aec0

SHA256
c5453b405cd6d95659a65ce7ea6afd87b80708874462e93340b107b63914fb36

SHA512
b350cca3e3fb228b0a343c6557976c8884f63ec71339e6e663e3175dc289be7c787994eaf546b869b7892ad80f70897ea95f9e47a3b57cc88f202d8b2843450f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
17ecce7c19cbfb69809cf2d54e49fafe

SHA1
e8d4941a17f20974876863aea6ae4df66e7f2c69

SHA256
fac3007830ce4d0a7fe74c9e2cf61d0552aadf9b6edbe0dc51dae928a6b541a4

SHA512
0c8c7ffb82cf8c26eada33410e79186be7f0e0e521c2934eedaa2a61585c46b36f9023ae3606ed6b6c5f8a314c7c4f0adc387e23af615fa07c869705d0bb4ea4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
dfdf8cbe0947f8df175993da8fa9c4ba

SHA1
f3d1a7499dd7837dcc047a98d5871d913e1ad96f

SHA256
67cc8924492dc243d8c22f6b391b998829320ba5558edaaa42436a583dfd53c3

SHA512
b15560da9f2a5d23942844765fd83103a7645b2b1ca61fb9ddc28ae2c9995556ac17e181c1250d3cc91b0a6e2ffa21a7a2f14b1a445bf13bd4cc5292c64039bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
706B

MD5
0fb5faccc6283735e0d8763cf4429f43

SHA1
488932712cea03838ed293723452673a26b44307

SHA256
5d9ffcd6876e576675d1727dda702dc58aef255f64ee80f91d307f1ef42e4fcb

SHA512
a443340c311ed7452fb18a0d9a6f051fb505899c3b6be3521ceda2078bab0d19fbf3dd2243657957bf6d05a32a28a5947ac74972e37c372654241eebdb59b38c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
706B

MD5
67a48d627d8836039140e5681c311ed3

SHA1
a947d7473d913a53d25166e3830c03668a193895

SHA256
dbf84c925aa459b681edee3051a608c15e236aa0efbfd26d1c208d94c556ae03

SHA512
57ef5c8d4cc3e21be53e0fe82dc584e30385afcb474a289786ac5fe2f06859fb2cc5500544fcdd25de04dc5998917b55fe427dd85bfffbe9abcd726285344089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
a4122d2af3fa9fcea0c358b991bcb1f1

SHA1
abe2f6bac4531a6b7eb1c326ec8ee2ebe2e8726c

SHA256
7a72ace03b9680731f293b7b89d787d762af20499273f4bab01d449f7b3ba97b

SHA512
e02f0e75236842c8da5c2c10c345a77e1c16e066d1f9d1e3b99dec0da2716a52105867884b13e46718cdf536958b545414f35b98575ed0931076aaee63fdf52a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
706B

MD5
4d8a4277ea5c5f036fb51e87f04ea715

SHA1
b2ec17147d6192f676fe7d41a01962152cc41323

SHA256
b7b2ae8d3fe8b5410e8a54a01778afd81f393eba97a996746a535026f9f77d0c

SHA512
a463bd2a124ace5d2967ee0bfc34672f05b9e937bba4ecc4a6918dc6d621b514c0f710bf17b565cc80497f940ab3d24ff57001b0b25fc560b0e87603b5e15b19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
706B

MD5
da53bac69395b0b99441d42bbfd62ef9

SHA1
adf37d7dee48a578900be718d33ecfb861d9d413

SHA256
e1fe9f33b29c2b79d45d434e8d4ace2677a879c403458c07f0854a9eb257d341

SHA512
2fa05c915c652804b63d075ecf9a41c4d9fcfd659428945d405ae2dd2bc6e0b0064d2064e080dfd31f98b3c512bc106a2b646d106667438441d363c2fe3673b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
706B

MD5
ee6f4c8ead7bb0bd32ed4cac5b882d63

SHA1
3e69452566a3e7f3600386eb167b0e2b9a036cb3

SHA256
683f3078f304c3d79bc4b658d74c5e61322aef9ea980b2f1de7d5c5ce9e04387

SHA512
d49ea4772d2f25f077f8a795ed84adbfeeacafb05b770acb4ef82280d3fb31c3346e35d90ca2f49546db203bbc17757f5677b7124ce20b9c39c1c7744fdb9094

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
f4bd77bffad03564b9529c031f5b33be

SHA1
ca6f03b38bd4f07a943b4394d55f80de2ff7aca7

SHA256
330d7ec5f35e6f86beaa87d5b7d48a8e6cb58102179facda0e8ea4af4ccd8284

SHA512
ba04ec2b04bf73fd7a8972171db04ad6f2e324a7a3b3c031ce226f9a87bb4b7b166abbbf129227306e643b16b9b3a8b6619dadb8d41a1719d3c047095f4bed32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
345c92b7d4f2cc26adee2548f615f8da

SHA1
8a53c7ef428270b547bd875cadbb53c62f766e1a

SHA256
a6b2906d4f2aecab195bf3ba49c9bdfc484409364eb1e3d26b8e38a7d522de49

SHA512
89ba4f3c7b269a3a633a6bf50e3719b3ae27b9ac71dee687e5aa6d5c618dab84467372c5ca177528d9759b26991d146973d1d87eb17ab6b45ee67a51b8ec8a0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
5af6866a25a7f1784dd135e21b954a14

SHA1
53a75dfb79eb2601e2d9c3d2db5b25712dbd062d

SHA256
a6aff147703c65bb73e36e3101ea6b3160332b1aa2b9efcba857036cceb14df4

SHA512
8c6a7e7ae806cfc1bdab709eb30dc86b38481fe491177b6a583d900347e5667e738e4aa77964684aa1fc9cdefbc164ad7d527ed8e400a7be8e95e31686ef8fda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
495a207359db10342c536f7761d0359d

SHA1
eb95e299626edd3a1137ec1ae150f692b7fee814

SHA256
576be4cf1c4c9fbeda2eb9a9651b52fdcc4bcf9414100577d58f1bed47838c3e

SHA512
cfbdbed66da767ab0950905fe6df6749b55b2a8e5d36cb836aa0674d4019d3efa3e05895f7979c09b6b5ff263710e64223027f62cf82c3ac0f28d26171cf8d43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
3f509a70af51537b34410b16ad7abab6

SHA1
25cf570dbac506964346a8e1167509bf5bccc96e

SHA256
8d2748b801eea322c4394ae08ae1c18767c8a3813b511e2f5df25262fbeadc6a

SHA512
608e5f0090c300137199822cb6bddb24a8c29175c5f65b13a0dd15e066368dec8275d0bb32ff842ac40492a54c6827ca6de99d263d1c6af1d8bd96da733fda10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
207684ce54c6c5d0f94128597c7d9425

SHA1
b7e262fae32332ff7b0a7c828a93315431dd223b

SHA256
a1605b7f34f4e80ea555bf28ef956090fb6579eccdbeca9876c43b669accd950

SHA512
677362184bbed82c592c5dba1039ad5e53b0fa976f86feb2c7cc46dfe41c72c0f2f6e0e8bfed8df6bc0d04ac66857918c069316373685d1e1ab06165273f515f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
9db1cbf0c26cf60056f2801b21464121

SHA1
03463473186e8d683dcd5a18b0c414f495d03a4f

SHA256
621c949f886b45c9713fa17648e76c01db70fc018e94a306ed0d727007568aa9

SHA512
f1e130661bb7cc05d000385677eaeccd88808d9355d56f5727a3eb15dcde5977a0f0287d08c25e49d7b4277d280b8b4696cc597fb2063dd2b0ada2f587a05c63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
87KB

MD5
27e07f7e2b98afbdc3205a155c6dd6aa

SHA1
a782233641ea8f519b453568c4a9b504405d7f62

SHA256
9b8a2c403faed377298031b5872a83eca00fb6c73c4d4c5f7204ce7d4bd8d6d2

SHA512
64431a9d798994fcc85df114c0ecf7324ffe58e1a16fb2c037f9004cbfa4ee8952cc8639d12bd3d7442d840c39abcaf646ef3d8c61f014ee04a8f88b7ecb6773

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
87KB

MD5
ee3dd04443d6fb11b0911801c5d02027

SHA1
35ae8bd1974c6e848257130978f0dc2fa45150e3

SHA256
9f9d8bf3a26b039f5bc8eff93741040d88f91bf0726918dd9ed47cfa56e2cb9d

SHA512
6ee65ea7335bac6726c5d3387ca6d416b088b91777f147fa58e4bd8c4399fbc5961f375da01aa7104e6e96fae63b5e8c3a8a1fbc0bb1c889664a46458e20779d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
115KB

MD5
58e362000c9b3a5ffb90471043257c16

SHA1
0afd99a9a63a343f69b8bf3029eef773f567e018

SHA256
ea85dc7e7a54d7b7c0fab83e72b1f4ec71e9bc4e051a5933a086a88cbbf702f0

SHA512
ce7c0e813e7a784ad4b9f177a3c4ff5a9f3bc00352fe8ef77cdd208ec7762b63d2545f9a790cbb2b4c21ef9acfd517764a8bea550b8a1a2eba66a6683b999ed7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe581cca.TMP
Filesize
107KB

MD5
ca5d7a434636bca26471550820c347b5

SHA1
f20987c98b32cb2f94b01b7504544c3511c22280

SHA256
5f607bbcbe8b7605d7dad107577427a2d8835d1455077364d46183650bf19360

SHA512
0a85bfe89c22fca793aea014fef4e886710683cbd6285d6bbcbccab4f43fe9aa3082a36a3cb2f3ca7c225fa22fbcfa7e92bb83197c4a0000f15d4d7549024fad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a7ad9bb1054aa03e39b3554833d0c3ec

SHA1
cbd5b99ca100bc2f1292df23bf8e2a5a6f9640d9

SHA256
0c3eae39386b4117ad26187afc4933e254468cd12d813271f4b7420cee73c189

SHA512
d1d0b77e0bc412b4ee687e849531a7c9b70200d45d0bdbf38357b6fc59af835522e749b2fd8c2d4cde73518970568c38d73416c97381a11cc6029c14b1678276

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
336B

MD5
b374284c8096e65c8cfc4e54a04d3679

SHA1
a266133c9e351aff177ce947dc3212150c7b6600

SHA256
a68f65fbced35bea3520892c31ba205b6469fa4f169073f0864239a0f894c1a3

SHA512
8683bfd4dd1102988448f6780392bc2b944588bc55158019cbb3dfcf28f4adb378f81995467899e571e9349794992b663188779cca3084113800ca63a6f68165

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
651B

MD5
826b503cd8aa00df547a297e4a41d232

SHA1
432cdee3a04e6ebc40b538af0be1a484a088325c

SHA256
9189c646e46e1dac8c67af0492779c398116790b2ad80daf212f59d7ebb55cc8

SHA512
7e06f4e76d577e6cbd21c4e374f832acd6b6d634899260db5f20618ecef909009fdcc6c0899254341fd022492bf4fd38a16e5ae4222b7d59f2e2646b42f058dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
3f103d18f6e1d1832b47a0d333021c5b

SHA1
c77b225ef8b21026ad04cbd1f3cf5e0759ba958e

SHA256
4ed58fbe45b7cd180a20d2ecc1ba94df53c9e9202d14a9737693c36a971378c7

SHA512
2f58a194809e9979d3003074a779d657d32bd9875274131a3037272c61c15e6b2f678f98daad486b4b48d561cd4338ff61d051368ae0e5adfdba4c67de955a07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
9a0b940192037867b2e7a9a629714dfc

SHA1
90e089eba7417569fcb0c0cbb1ea622ce16ad498

SHA256
2b6139654f19f09316e3c9a0c578c7cf58b0b3cd920221efc986a3e0b58b5e83

SHA512
f2c02c6257b9ed3901d095179cae46a5defa8c4cb567153a068098f491cdcb1df13647bcf4ff3b430e97d398962518cfe60d47da4478991cb5b0c47bb8ef063e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
e62cc4051e1f8eaa0abda5d730a2496b

SHA1
d15346e40b196bc313cbfe5ac96b3c90b83345be

SHA256
ffb5b740b8777d010f0d32a120092084c3cd32eaceb937188d698ddc22df2fcb

SHA512
3e8f6d89c7c153177b2149d86cd8602ceafedf66f5335a86b19dfa46fc38c47f6ff9a272c3b71b4464a5921ebdf2461fba25692ca916b9715bac520bf1e81a22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
2e741f27b6f86dc5da89ed27b2159661

SHA1
53ab67854d09425462c026d8f54ccb425402adc6

SHA256
3d0e9b92d8c5c6c3a15613200a9eb9f1fcfc61a88e753e633c34f93e6d898c81

SHA512
78c9930a3c14b4706ca2603dd355ffcb1984b4c07263b2afddb2f625471e68b05ba7a0d192c183b0d621885cb96cd720ff796c398e48b0972b23652c0018ad46

Download Submit
C:\Users\Admin\AppData\Local\Sysinternals\tcpview.ini
Filesize
376B

MD5
cf35573c6da25ee3ad66c5ab78749037

SHA1
663cc56c930100bb54d0a2ecdd1f615320827fa3

SHA256
690308d20c83fa05f94801b3d7a280b3663fbcc9630599742a521fa9cf4fc98f

SHA512
1004e134cc38ee8040171ba1c9c76bd8dd05afadfa423aebfa4a63f9103c33b71a708815bb912de1fb0cba2f19647fd4fcffd45a5ba27c4a0bede667976b6912

Download Submit
C:\Users\Admin\AppData\Local\Temp\Procmon64.exe
Filesize
2.6MB

MD5
e4086e56beb16c4b4b57e381b8151232

SHA1
154423a97f5491b1b58e87dc4be1bd7c7c71e243

SHA256
8822e28f46ba3c12256d947e5786ed30c3311c1829cf1ef86634f7fdf1a9710c

SHA512
7cd44316558d9a3e6a8b983d0e8946b21714e3f36b0d386b964e975f27a72cab89bfb9d1d0e2d0661a48e7c38296b0ab91da8ec88349f05daf1a9b93143a5a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Procmon64.exe
Filesize
2.6MB

MD5
e4086e56beb16c4b4b57e381b8151232

SHA1
154423a97f5491b1b58e87dc4be1bd7c7c71e243

SHA256
8822e28f46ba3c12256d947e5786ed30c3311c1829cf1ef86634f7fdf1a9710c

SHA512
7cd44316558d9a3e6a8b983d0e8946b21714e3f36b0d386b964e975f27a72cab89bfb9d1d0e2d0661a48e7c38296b0ab91da8ec88349f05daf1a9b93143a5a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Procmon64.exe
Filesize
2.6MB

MD5
e4086e56beb16c4b4b57e381b8151232

SHA1
154423a97f5491b1b58e87dc4be1bd7c7c71e243

SHA256
8822e28f46ba3c12256d947e5786ed30c3311c1829cf1ef86634f7fdf1a9710c

SHA512
7cd44316558d9a3e6a8b983d0e8946b21714e3f36b0d386b964e975f27a72cab89bfb9d1d0e2d0661a48e7c38296b0ab91da8ec88349f05daf1a9b93143a5a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\procexp64.exe
Filesize
2.3MB

MD5
a0773a1a0102cfe56855b95b654ff400

SHA1
809fc843f89a49f3a56c8d8552e3fd6d1fa1bebe

SHA256
35bd4e71b67655192a2b5159e7a7303d8332cd81df2842bf2679d92adbf57e25

SHA512
9ff45c55338300f0f47219732a0252a856f305000f22955f1e6207ec131d8896f7564c621864ecec4228a488e786cad5e1a127230e60f031a83072c988c73d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\procexp64.exe
Filesize
2.3MB

MD5
a0773a1a0102cfe56855b95b654ff400

SHA1
809fc843f89a49f3a56c8d8552e3fd6d1fa1bebe

SHA256
35bd4e71b67655192a2b5159e7a7303d8332cd81df2842bf2679d92adbf57e25

SHA512
9ff45c55338300f0f47219732a0252a856f305000f22955f1e6207ec131d8896f7564c621864ecec4228a488e786cad5e1a127230e60f031a83072c988c73d47

Download Submit
C:\Users\Admin\Desktop\Dia-09_12569\IM-09082023.exe
Filesize
7.4MB

MD5
742ca32835a3a5ba88d15ece43258b81

SHA1
06c01f7ca3054abaef63284e9274965d9669a64e

SHA256
a2c03411091d19696a9f695444a74c40ba60c9412517ecd2e029998dafaeab3b

SHA512
6615f60eb3e6ee291991eb9ccd425bff19ed8ec77d121a15d6f2a2d6d34f45485ca184ae2f65564a481de314fb646e27ec6d43aa4a7172714905d7a699b7f82e

Download Submit
C:\Users\Admin\Desktop\Dia-09_12569\IM-09082023.exe
Filesize
7.4MB

MD5
742ca32835a3a5ba88d15ece43258b81

SHA1
06c01f7ca3054abaef63284e9274965d9669a64e

SHA256
a2c03411091d19696a9f695444a74c40ba60c9412517ecd2e029998dafaeab3b

SHA512
6615f60eb3e6ee291991eb9ccd425bff19ed8ec77d121a15d6f2a2d6d34f45485ca184ae2f65564a481de314fb646e27ec6d43aa4a7172714905d7a699b7f82e

Download Submit
C:\Users\Admin\Desktop\Dia-09_12569\IM-09082023.exe
Filesize
7.4MB

MD5
742ca32835a3a5ba88d15ece43258b81

SHA1
06c01f7ca3054abaef63284e9274965d9669a64e

SHA256
a2c03411091d19696a9f695444a74c40ba60c9412517ecd2e029998dafaeab3b

SHA512
6615f60eb3e6ee291991eb9ccd425bff19ed8ec77d121a15d6f2a2d6d34f45485ca184ae2f65564a481de314fb646e27ec6d43aa4a7172714905d7a699b7f82e

Download Submit
C:\Users\Admin\Downloads\7z2301-x64.exe
Filesize
1.5MB

MD5
e5788b13546156281bf0a4b38bdd0901

SHA1
7df28d340d7084647921cc25a8c2068bb192bdbb

SHA256
26cb6e9f56333682122fafe79dbcdfd51e9f47cc7217dccd29ac6fc33b5598cd

SHA512
1f4da167ff2f1d34eeaf76c3003ba5fcabfc7a7da40e73e317aa99c6e1321cdf97e00f4feb9e79e1a72240e0376af0c3becb3d309e5bb0385e5192da17ea77ff

Download Submit
C:\Users\Admin\Downloads\7z2301-x64.exe
Filesize
1.5MB

MD5
e5788b13546156281bf0a4b38bdd0901

SHA1
7df28d340d7084647921cc25a8c2068bb192bdbb

SHA256
26cb6e9f56333682122fafe79dbcdfd51e9f47cc7217dccd29ac6fc33b5598cd

SHA512
1f4da167ff2f1d34eeaf76c3003ba5fcabfc7a7da40e73e317aa99c6e1321cdf97e00f4feb9e79e1a72240e0376af0c3becb3d309e5bb0385e5192da17ea77ff

Download Submit
C:\Users\Admin\Downloads\Dia-09_12569.7z
Filesize
5.4MB

MD5
9ebf6e587d1139064b378221b1f83960

SHA1
24d0bb9368e095866958ce549a7909f414a6b7bf

SHA256
50dfc58fdc66606110c7709f261cee0de7bd35a1f02734c9133d34707b86cc30

SHA512
616a9d77807ad4675cf1c3e5752f84d948221d5cb391010d7a2526546511b48e10bd277a9d2ab40f4bd4938d1bc6dcd17442705936694547c8bc7ce4f80450b9

Download Submit
C:\Users\Admin\Downloads\SysinternalsSuite.zip
Filesize
45.2MB

MD5
c7e0dc5ffd628d65470182759f5d7597

SHA1
199252b39d8293276217e3885450be2b6b5f0aa0

SHA256
1a07dc0f192efcccbf5dce3294254d04d7c7f9a94752ee07d63606606ef9ebbf

SHA512
27d914319b79260202a298d200dfff4ca72cc235ec2ece0f5628d0c8991b580776f597164cfa08c4174b8e9bcf60b2ce69e09f305568f5f3a25e443be9457dc2

Download Submit
C:\Users\Admin\Downloads\SysinternalsSuite\Procmon.exe
Filesize
5.0MB

MD5
47f5883f958d1145f4e00b117d5370fb

SHA1
7c4e493d72a9a8eaadeea82c4ad829f9c0af76ed

SHA256
000dfdba292fa2f0617cad9c1dc8c32a9652b77e8e54d0636806d9b894419a3b

SHA512
1c27cd3a31f791cbe1ab4e1dbedcccf3e35f1f74a8ddb2cd5a27c723c9f45b414d3d697565bb14ee34c4e89bea251f018247c34e6fe4a4a7763846f2d2814dd4

Download Submit
C:\Users\Admin\Downloads\SysinternalsSuite\Procmon.exe
Filesize
5.0MB

MD5
47f5883f958d1145f4e00b117d5370fb

SHA1
7c4e493d72a9a8eaadeea82c4ad829f9c0af76ed

SHA256
000dfdba292fa2f0617cad9c1dc8c32a9652b77e8e54d0636806d9b894419a3b

SHA512
1c27cd3a31f791cbe1ab4e1dbedcccf3e35f1f74a8ddb2cd5a27c723c9f45b414d3d697565bb14ee34c4e89bea251f018247c34e6fe4a4a7763846f2d2814dd4

Download Submit
C:\Users\Admin\Downloads\SysinternalsSuite\Procmon64.exe
Filesize
2.6MB

MD5
e4086e56beb16c4b4b57e381b8151232

SHA1
154423a97f5491b1b58e87dc4be1bd7c7c71e243

SHA256
8822e28f46ba3c12256d947e5786ed30c3311c1829cf1ef86634f7fdf1a9710c

SHA512
7cd44316558d9a3e6a8b983d0e8946b21714e3f36b0d386b964e975f27a72cab89bfb9d1d0e2d0661a48e7c38296b0ab91da8ec88349f05daf1a9b93143a5a6d

Download Submit
C:\Users\Admin\Downloads\SysinternalsSuite\Procmon64.exe
Filesize
2.6MB

MD5
e4086e56beb16c4b4b57e381b8151232

SHA1
154423a97f5491b1b58e87dc4be1bd7c7c71e243

SHA256
8822e28f46ba3c12256d947e5786ed30c3311c1829cf1ef86634f7fdf1a9710c

SHA512
7cd44316558d9a3e6a8b983d0e8946b21714e3f36b0d386b964e975f27a72cab89bfb9d1d0e2d0661a48e7c38296b0ab91da8ec88349f05daf1a9b93143a5a6d

Download Submit
C:\Users\Admin\Downloads\SysinternalsSuite\procexp.exe
Filesize
4.4MB

MD5
7289aa6c0f2c41c29c9b33caf1c15779

SHA1
96387ab157168b22111e3c70b22364c9b71639c4

SHA256
0ab0116b34db0e7168dd5c5b1c917bbb1d38235ece4430348f068914b4ab87a6

SHA512
f98d4541a31df87e80a8dbce0c783585f9b471a0388bf179b8c3cfaf65366212349b059a17a7b6d1c5704a86c6af5184f0b9c5d99e590a6a1a60dae943300d0b

Download Submit
C:\Users\Admin\Downloads\SysinternalsSuite\procexp.exe
Filesize
4.4MB

MD5
7289aa6c0f2c41c29c9b33caf1c15779

SHA1
96387ab157168b22111e3c70b22364c9b71639c4

SHA256
0ab0116b34db0e7168dd5c5b1c917bbb1d38235ece4430348f068914b4ab87a6

SHA512
f98d4541a31df87e80a8dbce0c783585f9b471a0388bf179b8c3cfaf65366212349b059a17a7b6d1c5704a86c6af5184f0b9c5d99e590a6a1a60dae943300d0b

Download Submit
C:\Users\Admin\Downloads\SysinternalsSuite\tcpview.exe
Filesize
922KB

MD5
7ce89829f9fb955dc377529c461852fd

SHA1
8b14f5345bfcfac08c31c284c1a0eee2cd53bcfb

SHA256
9775b4bbe23b8eb93727efe0a6d0b160ae5132a10b223f43200499cf0051a18f

SHA512
7b9cd587ba53f632a1eff914a6a4bfc345b2232ed6dc02dfefa9bc9aebe06ff7836c1698077f41483a34b0610e92549b1a4baf8b9e9b29c28469f53ec6722e0c

Download Submit
C:\Users\Admin\Downloads\SysinternalsSuite\tcpview.exe
Filesize
922KB

MD5
7ce89829f9fb955dc377529c461852fd

SHA1
8b14f5345bfcfac08c31c284c1a0eee2cd53bcfb

SHA256
9775b4bbe23b8eb93727efe0a6d0b160ae5132a10b223f43200499cf0051a18f

SHA512
7b9cd587ba53f632a1eff914a6a4bfc345b2232ed6dc02dfefa9bc9aebe06ff7836c1698077f41483a34b0610e92549b1a4baf8b9e9b29c28469f53ec6722e0c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 44483.crdownload
Filesize
1.5MB

MD5
e5788b13546156281bf0a4b38bdd0901

SHA1
7df28d340d7084647921cc25a8c2068bb192bdbb

SHA256
26cb6e9f56333682122fafe79dbcdfd51e9f47cc7217dccd29ac6fc33b5598cd

SHA512
1f4da167ff2f1d34eeaf76c3003ba5fcabfc7a7da40e73e317aa99c6e1321cdf97e00f4feb9e79e1a72240e0376af0c3becb3d309e5bb0385e5192da17ea77ff

Download Submit
\??\c:\program files\7-zip\7-zip.dll
Filesize
99KB

MD5
956d826f03d88c0b5482002bb7a83412

SHA1
560658185c225d1bd274b6a18372fd7de5f336af

SHA256
f9b4944d3a5536a6f8b4d5db17d903988a3518b22fbee6e3f6019aaf44189b3d

SHA512
6503064802101bca6e25b259a2bfe38e2d8b786bf2cf588ab1fb026b755f04a20857ee27e290cf50b2667425c528313b1c02e09b7b50edbcd75a3335439c3647

Download Submit
\??\c:\program files\7-zip\7zg.exe
Filesize
684KB

MD5
50f289df0c19484e970849aac4e6f977

SHA1
3dc77c8830836ab844975eb002149b66da2e10be

SHA256
b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305

SHA512
877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

Download Submit
\??\pipe\LOCAL\crashpad_2460_WUUZSTNMUGWGRLGE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_3688_LHVMWJENAELGLMXD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1560-1226-0x00007FFCEA460000-0x00007FFCEA470000-memory.dmp

Filesize
64KB

Download
memory/1560-1225-0x00007FFCEA460000-0x00007FFCEA470000-memory.dmp

Filesize
64KB

Download
memory/2612-536-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/2612-552-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/2612-1247-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/2612-1248-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/2612-1249-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/2612-535-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/2612-566-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/2612-1252-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/2612-524-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/2612-551-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/2612-1273-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/3812-1251-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/3812-1274-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/3812-1275-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/4076-1257-0x0000000013140000-0x0000000014225000-memory.dmp

Filesize
16.9MB

Download
memory/4076-1255-0x0000000013140000-0x0000000014225000-memory.dmp

Filesize
16.9MB

Download
memory/4076-1267-0x0000000013140000-0x0000000014225000-memory.dmp

Filesize
16.9MB

Download
memory/4076-1268-0x0000000013140000-0x0000000014225000-memory.dmp

Filesize
16.9MB

Download
memory/4076-1270-0x0000000013140000-0x0000000014225000-memory.dmp

Filesize
16.9MB

Download
memory/4076-1272-0x0000000013140000-0x0000000014225000-memory.dmp

Filesize
16.9MB

Download
memory/4076-1256-0x0000000013140000-0x0000000014225000-memory.dmp

Filesize
16.9MB

Download
memory/4076-1276-0x0000000013140000-0x0000000014225000-memory.dmp

Filesize
16.9MB

Download
memory/4076-1254-0x0000000013140000-0x0000000014225000-memory.dmp

Filesize
16.9MB

Download
memory/4076-1253-0x0000000013140000-0x0000000014225000-memory.dmp

Filesize
16.9MB

Download
memory/4124-1233-0x00007FFCEA460000-0x00007FFCEA470000-memory.dmp

Filesize
64KB

Download
memory/4124-1232-0x00007FFCEA460000-0x00007FFCEA470000-memory.dmp

Filesize
64KB

Download
memory/4476-565-0x0000022A55CE0000-0x0000022A55CE1000-memory.dmp

Filesize
4KB

Download
memory/4476-564-0x0000022A55CE0000-0x0000022A55CE1000-memory.dmp

Filesize
4KB

Download
memory/4476-563-0x0000022A55CE0000-0x0000022A55CE1000-memory.dmp

Filesize
4KB

Download
memory/4476-562-0x0000022A55CE0000-0x0000022A55CE1000-memory.dmp

Filesize
4KB

Download
memory/4476-561-0x0000022A55CE0000-0x0000022A55CE1000-memory.dmp

Filesize
4KB

Download
memory/4476-560-0x0000022A55CE0000-0x0000022A55CE1000-memory.dmp

Filesize
4KB

Download
memory/4476-559-0x0000022A55CE0000-0x0000022A55CE1000-memory.dmp

Filesize
4KB

Download
memory/4476-555-0x0000022A55CE0000-0x0000022A55CE1000-memory.dmp

Filesize
4KB

Download
memory/4476-554-0x0000022A55CE0000-0x0000022A55CE1000-memory.dmp

Filesize
4KB

Download
memory/4476-553-0x0000022A55CE0000-0x0000022A55CE1000-memory.dmp

Filesize
4KB

Download