mystic | 9aedb9784dbe89935d665b0aeb35b6673a84200a167d2ebd0f0257c11bafaa3e

Analysis

max time kernel
41s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
12/11/2023, 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.9aedb9784dbe89935d665b0aeb35b6673a84200a167d2ebd0f0257c11bafaa3e.exe
Size

1.4MB
MD5

b49644229596d1ac93da26c5975af054
SHA1

6a7aeb585302a3d17b3edbc3ca01e0e2cfda50aa
SHA256

9aedb9784dbe89935d665b0aeb35b6673a84200a167d2ebd0f0257c11bafaa3e
SHA512

2b06f1aa5a039c4d17469516b38af134129a2a17e89345d00f28ea8ef540c97258fc11971a8eb569668c4ab217167d540bd30e3fcac5a047d497fe152e50a36f
SSDEEP

24576:wyIuub5NdnxEs5/elIsHj9GNLXDiAtFZ/tN6vvfNOf037l6s7jSi2weE003R:3Iuu1bemORGZ+4/N6vvjxhPSiZeE

Score

10^/10

mystic redline smokeloader zgrat taiga backdoor paypal evasion infostealer persistence phishing rat spyware stealer themida trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2022

http://5.42.92.190/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/6176-198-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/6176-199-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/6176-202-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/6176-200-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Detect ZGRat V1 23 IoCs

resource	yara_rule
behavioral1/memory/2536-668-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-670-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-672-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-674-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-684-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-686-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-695-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-697-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-699-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-701-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-709-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-724-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-727-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-720-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-730-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-717-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-734-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-712-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-736-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-738-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-740-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-742-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-656-0x0000022DBCCF0000-0x0000022DBCDD4000-memory.dmp	family_zgrat_v1

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/376-290-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/6600-547-0x0000000000540000-0x000000000059A000-memory.dmp	family_redline
behavioral1/memory/6600-548-0x0000000000400000-0x000000000046F000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 8 IoCs

pid	Process
4556	nv7GL95.exe
3764	dj6Qr97.exe
4700	jT1Vs35.exe
2204	1br43jd5.exe
5936	2fA0140.exe
6428	7mI76TR.exe
6440	8eu008LX.exe
5320	9Ct3EF4.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0007000000022e15-957.dat	themida

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000022dc5-854.dat	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.9aedb9784dbe89935d665b0aeb35b6673a84200a167d2ebd0f0257c11bafaa3e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	nv7GL95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	dj6Qr97.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	jT1Vs35.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000022d86-26.dat	autoit_exe
behavioral1/files/0x0007000000022d86-27.dat	autoit_exe

Detected potential entity reuse from brand paypal.
phishing paypal

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5936 set thread context of 6176	5936	2fA0140.exe	141
PID 6440 set thread context of 376	6440	8eu008LX.exe	159
PID 5320 set thread context of 6772	5320	9Ct3EF4.exe	162

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3164	sc.exe
3416	sc.exe
3860	sc.exe
4492	sc.exe
5372	sc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6648	6176	WerFault.exe	141

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7mI76TR.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7mI76TR.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7mI76TR.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
6120	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3076	msedge.exe
3076	msedge.exe
1032	msedge.exe
1032	msedge.exe
1908	msedge.exe
1908	msedge.exe
3952	msedge.exe
3952	msedge.exe
5408	msedge.exe
5408	msedge.exe
6428	7mI76TR.exe
6428	7mI76TR.exe
7148	identity_helper.exe
7148	identity_helper.exe
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found
3112	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
6428	7mI76TR.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3112	Process not Found
Token: SeCreatePagefilePrivilege	3112	Process not Found
Token: SeShutdownPrivilege	3112	Process not Found
Token: SeCreatePagefilePrivilege	3112	Process not Found

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2204	1br43jd5.exe
2204	1br43jd5.exe
2204	1br43jd5.exe
2204	Process not Found
2204	Process not Found
2204	Process not Found
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
2204	Process not Found
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
2204	1br43jd5.exe
2204	1br43jd5.exe
2204	1br43jd5.exe
2204	Process not Found
2204	Process not Found
2204	Process not Found
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
2204	Process not Found
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe
2204	Process not Found
2204	Process not Found
2204	Process not Found
2204	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 4556	2372	NEAS.9aedb9784dbe89935d665b0aeb35b6673a84200a167d2ebd0f0257c11bafaa3e.exe	85
PID 2372 wrote to memory of 4556	2372	NEAS.9aedb9784dbe89935d665b0aeb35b6673a84200a167d2ebd0f0257c11bafaa3e.exe	85
PID 2372 wrote to memory of 4556	2372	NEAS.9aedb9784dbe89935d665b0aeb35b6673a84200a167d2ebd0f0257c11bafaa3e.exe	85
PID 4556 wrote to memory of 3764	4556	nv7GL95.exe	86
PID 4556 wrote to memory of 3764	4556	nv7GL95.exe	86
PID 4556 wrote to memory of 3764	4556	nv7GL95.exe	86
PID 3764 wrote to memory of 4700	3764	dj6Qr97.exe	88
PID 3764 wrote to memory of 4700	3764	dj6Qr97.exe	88
PID 3764 wrote to memory of 4700	3764	dj6Qr97.exe	88
PID 4700 wrote to memory of 2204	4700	jT1Vs35.exe	89
PID 4700 wrote to memory of 2204	4700	jT1Vs35.exe	89
PID 4700 wrote to memory of 2204	4700	jT1Vs35.exe	89
PID 2204 wrote to memory of 1908	2204	Process not Found	91
PID 2204 wrote to memory of 1908	2204	Process not Found	91
PID 2204 wrote to memory of 4944	2204	Process not Found	95
PID 2204 wrote to memory of 4944	2204	Process not Found	95
PID 1908 wrote to memory of 4348	1908	msedge.exe	94
PID 1908 wrote to memory of 4348	1908	msedge.exe	94
PID 4944 wrote to memory of 1916	4944	msedge.exe	93
PID 4944 wrote to memory of 1916	4944	msedge.exe	93
PID 2204 wrote to memory of 2404	2204	Process not Found	96
PID 2204 wrote to memory of 2404	2204	Process not Found	96
PID 2404 wrote to memory of 1612	2404	msedge.exe	97
PID 2404 wrote to memory of 1612	2404	msedge.exe	97
PID 2204 wrote to memory of 3924	2204	Process not Found	98
PID 2204 wrote to memory of 3924	2204	Process not Found	98
PID 3924 wrote to memory of 1004	3924	msedge.exe	99
PID 3924 wrote to memory of 1004	3924	msedge.exe	99
PID 2204 wrote to memory of 1720	2204	Process not Found	100
PID 2204 wrote to memory of 1720	2204	Process not Found	100
PID 1720 wrote to memory of 2388	1720	msedge.exe	101
PID 1720 wrote to memory of 2388	1720	msedge.exe	101
PID 2204 wrote to memory of 384	2204	Process not Found	102
PID 2204 wrote to memory of 384	2204	Process not Found	102
PID 1908 wrote to memory of 368	1908	msedge.exe	105
PID 1908 wrote to memory of 368	1908	msedge.exe	105
PID 1908 wrote to memory of 368	1908	msedge.exe	105
PID 1908 wrote to memory of 368	1908	msedge.exe	105
PID 1908 wrote to memory of 368	1908	msedge.exe	105
PID 1908 wrote to memory of 368	1908	msedge.exe	105
PID 1908 wrote to memory of 368	1908	msedge.exe	105
PID 1908 wrote to memory of 368	1908	msedge.exe	105
PID 1908 wrote to memory of 368	1908	msedge.exe	105
PID 1908 wrote to memory of 368	1908	msedge.exe	105
PID 1908 wrote to memory of 368	1908	msedge.exe	105
PID 1908 wrote to memory of 368	1908	msedge.exe	105
PID 1908 wrote to memory of 368	1908	msedge.exe	105
PID 1908 wrote to memory of 368	1908	msedge.exe	105
PID 1908 wrote to memory of 368	1908	msedge.exe	105
PID 1908 wrote to memory of 368	1908	msedge.exe	105
PID 1908 wrote to memory of 368	1908	msedge.exe	105
PID 1908 wrote to memory of 368	1908	msedge.exe	105
PID 1908 wrote to memory of 368	1908	msedge.exe	105
PID 1908 wrote to memory of 368	1908	msedge.exe	105
PID 1908 wrote to memory of 368	1908	msedge.exe	105
PID 1908 wrote to memory of 368	1908	msedge.exe	105
PID 1908 wrote to memory of 368	1908	msedge.exe	105
PID 1908 wrote to memory of 368	1908	msedge.exe	105
PID 1908 wrote to memory of 368	1908	msedge.exe	105
PID 1908 wrote to memory of 368	1908	msedge.exe	105
PID 1908 wrote to memory of 368	1908	msedge.exe	105
PID 1908 wrote to memory of 368	1908	msedge.exe	105
PID 1908 wrote to memory of 368	1908	msedge.exe	105
PID 1908 wrote to memory of 368	1908	msedge.exe	105

C:\Users\Admin\AppData\Local\Temp\NEAS.9aedb9784dbe89935d665b0aeb35b6673a84200a167d2ebd0f0257c11bafaa3e.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.9aedb9784dbe89935d665b0aeb35b6673a84200a167d2ebd0f0257c11bafaa3e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nv7GL95.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nv7GL95.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dj6Qr97.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dj6Qr97.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3764
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jT1Vs35.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jT1Vs35.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4700
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1br43jd5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1br43jd5.exe
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2204
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x170,0x174,0x178,0x14c,0x17c,0x7ffb8c9e46f8,0x7ffb8c9e4708,0x7ffb8c9e4718
        7⤵
        
        PID:4348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2240,1675066655290635044,14248512181633521529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,1675066655290635044,14248512181633521529,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
        7⤵
        
        PID:368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2240,1675066655290635044,14248512181633521529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
        7⤵
        
        PID:4712
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1675066655290635044,14248512181633521529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
        7⤵
        
        PID:5116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1675066655290635044,14248512181633521529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
        7⤵
        
        PID:3740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1675066655290635044,14248512181633521529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
        7⤵
        
        PID:4268
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1675066655290635044,14248512181633521529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
        7⤵
        
        PID:4964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1675066655290635044,14248512181633521529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:1
        7⤵
        
        PID:5220
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1675066655290635044,14248512181633521529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4464 /prefetch:1
        7⤵
        
        PID:5496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1675066655290635044,14248512181633521529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2356 /prefetch:1
        7⤵
        
        PID:5684
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1675066655290635044,14248512181633521529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
        7⤵
        
        PID:5832
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1675066655290635044,14248512181633521529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
        7⤵
        
        PID:5968
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1675066655290635044,14248512181633521529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
        7⤵
        
        PID:6012
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1675066655290635044,14248512181633521529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
        7⤵
        
        PID:3088
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1675066655290635044,14248512181633521529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
        7⤵
        
        PID:5996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1675066655290635044,14248512181633521529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
        7⤵
        
        PID:6052
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1675066655290635044,14248512181633521529,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
        7⤵
        
        PID:6732
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1675066655290635044,14248512181633521529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
        7⤵
        
        PID:6724
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1675066655290635044,14248512181633521529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7432 /prefetch:1
        7⤵
        
        PID:7048
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1675066655290635044,14248512181633521529,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7468 /prefetch:1
        7⤵
        
        PID:7056
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,1675066655290635044,14248512181633521529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8044 /prefetch:8
        7⤵
        
        PID:7132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,1675066655290635044,14248512181633521529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8044 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:7148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1675066655290635044,14248512181633521529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:1
        7⤵
        
        PID:6916
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1675066655290635044,14248512181633521529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1740 /prefetch:1
        7⤵
        
        PID:3988
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,2950247757096348301,3106358443876553551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1032
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,2950247757096348301,3106358443876553551,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
        7⤵
        
        PID:4848
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb8c9e46f8,0x7ffb8c9e4708,0x7ffb8c9e4718
        7⤵
        
        PID:1612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,7801764401715971635,14742586608772379147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3952
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffb8c9e46f8,0x7ffb8c9e4708,0x7ffb8c9e4718
        7⤵
        
        PID:1004
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,11188740323904190622,11202697740744435829,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5408
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffb8c9e46f8,0x7ffb8c9e4708,0x7ffb8c9e4718
        7⤵
        
        PID:2388
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
        6⤵
        
        PID:384
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb8c9e46f8,0x7ffb8c9e4708,0x7ffb8c9e4718
        7⤵
        
        PID:444
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
        6⤵
        
        PID:5004
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb8c9e46f8,0x7ffb8c9e4708,0x7ffb8c9e4718
        7⤵
        
        PID:4072
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
        6⤵
        
        PID:5656
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
        6⤵
        
        PID:5928
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb8c9e46f8,0x7ffb8c9e4708,0x7ffb8c9e4718
        7⤵
        
        PID:5984
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        6⤵
        
        PID:6104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x84,0x16c,0x7ffb8c9e46f8,0x7ffb8c9e4708,0x7ffb8c9e4718
        7⤵
        
        PID:1616
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2fA0140.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2fA0140.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5936
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1336
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:6020
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6176 -s 540
        7⤵
        Program crash
        
        PID:6648
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7mI76TR.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7mI76TR.exe
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:6428
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\8eu008LX.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\8eu008LX.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:6440
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:376
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9Ct3EF4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9Ct3EF4.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5320
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:6772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffb8c9e46f8,0x7ffb8c9e4708,0x7ffb8c9e4718
1⤵
PID:1916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x164,0x174,0x7ffb8c9e46f8,0x7ffb8c9e4708,0x7ffb8c9e4718
1⤵
PID:5708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6176 -ip 6176
1⤵
PID:6572

C:\Users\Admin\AppData\Local\Temp\BFFF.exe
C:\Users\Admin\AppData\Local\Temp\BFFF.exe
1⤵
PID:6600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:1688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb8c9e46f8,0x7ffb8c9e4708,0x7ffb8c9e4718
    3⤵
    PID:5388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,1745561932524179637,4934182824619077727,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2588 /prefetch:8
    3⤵
    PID:6164
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1745561932524179637,4934182824619077727,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
    3⤵
    PID:5704
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1745561932524179637,4934182824619077727,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
    3⤵
    PID:5960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1745561932524179637,4934182824619077727,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
    3⤵
    PID:6828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1745561932524179637,4934182824619077727,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
    3⤵
    PID:4528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,1745561932524179637,4934182824619077727,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
    3⤵
    PID:6672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,1745561932524179637,4934182824619077727,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
    3⤵
    PID:7012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1745561932524179637,4934182824619077727,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
    3⤵
    PID:5896
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1745561932524179637,4934182824619077727,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
    3⤵
    PID:6332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1745561932524179637,4934182824619077727,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
    3⤵
    PID:6980
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,1745561932524179637,4934182824619077727,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:8
    3⤵
    PID:3416
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,1745561932524179637,4934182824619077727,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:8
    3⤵
    PID:2008

C:\Users\Admin\AppData\Local\Temp\F4AD.exe
C:\Users\Admin\AppData\Local\Temp\F4AD.exe
1⤵
PID:2140
- C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
  2⤵
  PID:4472
- - C:\Users\Admin\AppData\Local\Temp\Broom.exe
    C:\Users\Admin\AppData\Local\Temp\Broom.exe
    3⤵
    PID:880
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  PID:748
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    PID:4708
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  PID:2164
- C:\Users\Admin\AppData\Local\Temp\random.exe
  "C:\Users\Admin\AppData\Local\Temp\random.exe"
  2⤵
  PID:6952
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
    3⤵
    PID:5912
  - - C:\Users\Admin\Pictures\0ZHiup44rMqXbIuxMsYtGC3x.exe
      "C:\Users\Admin\Pictures\0ZHiup44rMqXbIuxMsYtGC3x.exe"
      4⤵
      PID:5044
  - - C:\Users\Admin\Pictures\vCDxFVdUzZutzBo9hEtXjrhU.exe
      "C:\Users\Admin\Pictures\vCDxFVdUzZutzBo9hEtXjrhU.exe"
      4⤵
      PID:7072
  - - C:\Users\Admin\Pictures\Ses5iyjUCRGROH1ArYdOe3ws.exe
      "C:\Users\Admin\Pictures\Ses5iyjUCRGROH1ArYdOe3ws.exe" --silent --allusers=0
      4⤵
      PID:5956
    - - C:\Users\Admin\Pictures\Ses5iyjUCRGROH1ArYdOe3ws.exe
        
        C:\Users\Admin\Pictures\Ses5iyjUCRGROH1ArYdOe3ws.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=104.0.4944.54 --initial-client-data=0x2e0,0x2e4,0x2e8,0x2bc,0x2ec,0x6b2e5648,0x6b2e5658,0x6b2e5664
        5⤵
        
        PID:4440
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\Ses5iyjUCRGROH1ArYdOe3ws.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\Ses5iyjUCRGROH1ArYdOe3ws.exe" --version
        5⤵
        
        PID:736
    - - C:\Users\Admin\Pictures\Ses5iyjUCRGROH1ArYdOe3ws.exe
        
        "C:\Users\Admin\Pictures\Ses5iyjUCRGROH1ArYdOe3ws.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5956 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231112172647" --session-guid=29901b4a-9c61-48ca-9838-602bce6a514a --server-tracking-blob=MTJlZGQwNjdhNDk3NTdkNWE4OWE2YjEzODE3MmUyYjk4OThmMmYxODI1NjNiNTRhMDhkNjY2MWRiOWUzOWM2Yzp7ImNvdW50cnkiOiJOTCIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTY5OTgxMDAwMi40NzA3IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiI2NWEwNzQxNi00YjIxLTQ3MjMtYWJiOS05NjUzMDhiZDQ1YjUifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=3405000000000000
        5⤵
        
        PID:6352
      - C:\Users\Admin\Pictures\Ses5iyjUCRGROH1ArYdOe3ws.exe
        
        C:\Users\Admin\Pictures\Ses5iyjUCRGROH1ArYdOe3ws.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=104.0.4944.54 --initial-client-data=0x2ec,0x2f0,0x2f4,0x2bc,0x2f8,0x6a745648,0x6a745658,0x6a745664
        6⤵
        
        PID:5404
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311121726471\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311121726471\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe"
        5⤵
        
        PID:3328
  - - C:\Users\Admin\Pictures\IRKIczEWZrXriMtXrJeDU26O.exe
      "C:\Users\Admin\Pictures\IRKIczEWZrXriMtXrJeDU26O.exe"
      4⤵
      PID:3664
    - - C:\Users\Admin\AppData\Local\Temp\Broom.exe
        
        C:\Users\Admin\AppData\Local\Temp\Broom.exe
        5⤵
        
        PID:5180
  - - C:\Users\Admin\Pictures\9hsuKdjDZbTFrZ01IyDdjKxh.exe
      "C:\Users\Admin\Pictures\9hsuKdjDZbTFrZ01IyDdjKxh.exe"
      4⤵
      PID:1144
  - - C:\Users\Admin\Pictures\mjisqQwYoD0BJsVBl0jGPLce.exe
      "C:\Users\Admin\Pictures\mjisqQwYoD0BJsVBl0jGPLce.exe"
      4⤵
      PID:5972
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\mjisqQwYoD0BJsVBl0jGPLce.exe" & del "C:\ProgramData\*.dll"" & exit
        5⤵
        
        PID:5624
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        6⤵
        Delays execution with timeout.exe
        
        PID:6120
  - - C:\Users\Admin\Pictures\OOYqbufI7AqxXUBZr10eShxm.exe
      "C:\Users\Admin\Pictures\OOYqbufI7AqxXUBZr10eShxm.exe"
      4⤵
      PID:5136
  - - C:\Users\Admin\Pictures\q61770NOi42gen7Kdr9vz8qH.exe
      "C:\Users\Admin\Pictures\q61770NOi42gen7Kdr9vz8qH.exe"
      4⤵
      PID:4452
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\random.exe" -Force
    3⤵
    PID:3600
- C:\Users\Admin\AppData\Local\Temp\latestX.exe
  "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
  2⤵
  PID:4732

C:\Users\Admin\AppData\Local\Temp\F99F.exe
C:\Users\Admin\AppData\Local\Temp\F99F.exe
1⤵
PID:6260
- C:\Users\Admin\AppData\Local\Temp\F99F.exe
  C:\Users\Admin\AppData\Local\Temp\F99F.exe
  2⤵
  PID:2536

C:\Users\Admin\AppData\Local\Temp\23B.exe
C:\Users\Admin\AppData\Local\Temp\23B.exe
1⤵
PID:6532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  2⤵
  PID:5312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:5728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5164

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:5808
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3164
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:3416
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:3860
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:4492
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:5372

C:\Users\Admin\AppData\Local\Temp\11A9.exe
C:\Users\Admin\AppData\Local\Temp\11A9.exe
1⤵
PID:1932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:2300

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:2304
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:4736
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:5424
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:6976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AAKEGIJEHJDGDHJKJKKJ

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\AAKEGIJEHJDGDHJKJKKJDGCAAK

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\ProgramData\DBKKFHIEGDHJKECAAKKE

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\ProgramData\EHDHIDAEHCFHJJJJECAAFBKJJD

Filesize
20KB

MD5
87749284b32b003008e0935cb1487ce2

SHA1
5fb93455ecba9794f23fef622fefa6470b98a8b5

SHA256
ce3030bb2762f7d1730410b2998655b5bd63ca16b353daeb674363eddbd17683

SHA512
72ed47b3076dad410bade355bbf9b6bf1eacf447437a7c91af63a29f3641c0158d99ba5766e8a03789eee603711830ae7d5ee40987a8a52f737f9bf224a1e9a7

Download Submit
C:\ProgramData\HDGDGHCA

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\JKEBFBFI

Filesize
92KB

MD5
2c49291f7cd253c173250751551fd2b5

SHA1
9d8a80c2a365675a63b5f50f63b72b76d625b1b1

SHA256
5766d76fbd9f797ab218de6c240dcae6f78066bc5812a99aeeed584fb0621f75

SHA512
de4a9ca73d663384264643be909726cb3393ea45779c888eb54bb3fbd2e36d8ad1c30260a16f1ced9fc5d8fe96dee761a655ff3764148b3e2678563417d6d933

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8992ae6e99b277eea6fb99c4f267fa3f

SHA1
3715825c48f594068638351242fac7fdd77c1eb7

SHA256
525038333c02dff407d589fa407b493b7962543e205c587feceefbc870a08e3d

SHA512
a1f44fff4ea76358c7f2a909520527ec0bbc3ddcb722c5d1f874e03a0c4ac42dac386a49ccf72807ef2fa6ccc534490ad90de2f699b1e49f06f79157f251ab25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a5f595566f83e288991a95ff3747e1d7

SHA1
f3f4069819da237eea7e05a9caefb51d2a2df896

SHA256
50cecc4be2308132639e09216843eacc34bcde5d2cc88716a4355e3b3af643fe

SHA512
57f7ebeb715fa7205b463efa7844b1c58b0ccc681655970bd88aa5296dcc4579bb1edc8ee93dcb049275756c9e99469eee42498f84ced4996dc575b8a74ea003

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2c356792d25953a353537ff99d8ff763

SHA1
795b5dca39e4408f832dfcd6142e2b8c3242686b

SHA256
aa4c2fc1c9e566ebec324eac5a10c22f8e186be43d34e78d18ddffd664647f02

SHA512
0b9529ed29de80d3e8f195370bc44ae691151fb8e25a821327809533523f09ca4c54a508eddd873430b64f688938287f70f3c8b9297038edaba9f2db94a7ecbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
20KB

MD5
923a543cc619ea568f91b723d9fb1ef0

SHA1
6f4ade25559645c741d7327c6e16521e43d7e1f9

SHA256
bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd

SHA512
a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
21KB

MD5
7d75a9eb3b38b5dd04b8a7ce4f1b87cc

SHA1
68f598c84936c9720c5ffd6685294f5c94000dff

SHA256
6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7

SHA512
cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
33KB

MD5
fdbf5bcfbb02e2894a519454c232d32f

SHA1
5e225710e9560458ac032ab80e24d0f3cb81b87a

SHA256
d9315d0678ac213bbe2c1de27528f82fd40dbff160f5a0c19850f891da29ea1c

SHA512
9eb86ebb1b50074df9bd94f7660df6f362b5a46411b35ce820740f629f8ef77f0b49a95c5550441a7db2b2638f0ed3d0204cb8f8c76391c05401506833b8c916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000030

Filesize
224KB

MD5
4e08109ee6888eeb2f5d6987513366bc

SHA1
86340f5fa46d1a73db2031d80699937878da635e

SHA256
bf44187e1683e78d3040bcef6263e25783c6936096ff0a621677d411dd9d1339

SHA512
4e477fd9e58676c0e00744dbe3421e528dd2faeca2ab998ebbeb349b35bb3711dcf78d8c9e7adba66b4d681d1982c31cac42024c8b19e19537a5615dac39c661

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d04608474c6e8e006d7182336583f219

SHA1
cddf2c1c1dc061f3ac5c3832cb81aa98ffa4c8e6

SHA256
04a4a0b0418b62c240c45c12eb6b67b7aacbc36b187611fd4f03e815270d440b

SHA512
13ada847ee857d4701644d08dd3273bdae0fabe44468a9056afab5b1d8e647597f965f3ce37c9ee90ad2ec8dc37931ebb6df4b441518bbec1f6635e293d35789

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
015b40a86451c9db68ccb0e0f6c4a1dd

SHA1
34e534537503da607bf5d78d28b81779f19dc880

SHA256
d3cd3c19eacfda63d0cd3cf81c923ddd8b7b0990a8b56abb0bd8f5e82cfa9832

SHA512
a4c197a4710c1620f14b91c816ca5e1ca0de6ce03df9fb8fc501494efe0794c53458a5155d196c59f7f179e2b7d832ea67d7a62fe8856dfe573e2d20642e92b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f591e89eca36794b5ac0128d22f68ac8

SHA1
80720ffe682d5335797a6728beff462a6614d83e

SHA256
f9b5949adb4a006fb69113068a1841b82b1bb12b7123f915fa4cd395dca49e06

SHA512
24da46d02fd5cbe7c9e9a29fd49064eea99741ae41f0986e91baf3e0004e2b46513993362e258eca19561cfcdb68858a2c3f871ecc40c7adcdc2b748019a58c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
812d1c7bb2bb2aa7a4bd2220868138ba

SHA1
532e926821956be3564e08b18e7d551870775ef4

SHA256
e9bad13f3c01341fb1cfbb9a786c2b65b1d30c5ccc86ca8b0d85a2533c628b29

SHA512
b6f8ef9d10a2c348bc7f6ebda723348c3fcedaca904a3f99aec410fa8b1263738aa80528dcee172efa2e0859dcea7a519407d86dab2f60745ff8d16982cd521e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
2ec9376d25dcdf299da15b044e1636e0

SHA1
569d0d38ba9b56bcfc85b8199e12439ebac01440

SHA256
0959e8d9c404b5892741114474d72ee6f7db9585a0eef0cd01c6ad2430020be1

SHA512
5639daef14f27d3dae283fd599838e5cecb33ebe1a03ff9280f6ade125c6deb2ca0f8e558d6927f9eb58ff0f834692d175484860e0d999e233e4bd2114d90a56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
f1881400134252667af6731236741098

SHA1
6fbc4f34542d449afdb74c9cfd4a6d20e6cdc458

SHA256
d6fcec1880d69aaa0229f515403c1a5ac82787f442c37f1c0c96c82ec6c15b75

SHA512
18b9ac92c396a01b6662a4a8a21b995d456716b70144a136fced761fd0a84c99e8bd0afb9585625809b87332da75727b82a07b151560ea253a3b8c241b799450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b372b03ca00d846eaf58dae91239a980

SHA1
d9147cb11248a025a30f04c505b6bab542d0a144

SHA256
7e86e41b321639f769897f492134cb09ceb9e8f871c72f8e756e7e6bd17a65e5

SHA512
730e0391d3f5d6ba3c1f36730190d99851825bf92604f8e6ee9cbcdf71a05e6e863c1901b3894b411f78e138e21fbb13e4e4bdcb77ac2fdd5009f73d522cdc76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
49c8f4d93edd0e98de8d09f84f34713d

SHA1
5b9f4fea035fe1f428d2b8e580ece8161526d050

SHA256
19f3e2baa792ea045bd11df71da9716dd8782a6ad49697bdf9b9a0712063bdb1

SHA512
e1be45423ba0ffdc7b419a0ad5ce8cb8a4dd9862aeaf49e0fbc4fafa992fe2fe8db24ceed3add60d3a1de75f074c8927826938e006193a03f8f9efb9edc68aea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
1ccab465dff44c7d3d674e9e4fe61275

SHA1
ae9c84283113731d51dfa5ea7f22dddaa97e8974

SHA256
08234b88e7dac5dd501991009123cb24d2ef9899563a6a4b6814c5c6dec07850

SHA512
8b1cb79c43e2e4379e35f7b7bb6578d2a193ccaf5d51d7adf9e7d86712773ee5fddd519fce29960f0571a2ba0715f2be7065b5f2ae70415f1c258875f22bb2e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5888a3.TMP

Filesize
1KB

MD5
d0d297b033e2324c7f52675ce099219b

SHA1
9bf5d98611b5f5c5e130d984bc8b7da3c0275f26

SHA256
013fdbe409b7540f5754cd6f147a7a42e32e2f9e51ebbeaec89acb4e28246180

SHA512
7319725da671e6aad826d57fcc03781d0f92c4579b79617b9e732ffef66278effa84a1c4e515a905c1d9cfb34ecdf5195594e58171add821bf9660533812b569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
5e36099657bd98cf6101d27f400f2748

SHA1
878c9c5616779fab2dccac79c693d047d6ac338e

SHA256
a7a1f977f7c7e41d349162255aff0be76d1355b314f9fba48f835a4945b5096f

SHA512
1a87aed99b8d545378244c3328d5f55d643c780123810f9622daf7e97bf548ae8eb321df075097be731feed4e2d2807c1ff3341e5c8d3cbe5fd342e8183aaad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
5e36099657bd98cf6101d27f400f2748

SHA1
878c9c5616779fab2dccac79c693d047d6ac338e

SHA256
a7a1f977f7c7e41d349162255aff0be76d1355b314f9fba48f835a4945b5096f

SHA512
1a87aed99b8d545378244c3328d5f55d643c780123810f9622daf7e97bf548ae8eb321df075097be731feed4e2d2807c1ff3341e5c8d3cbe5fd342e8183aaad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
4fd2b428e6a4c5cd7dc2a16fcf6fbd4f

SHA1
ebf8c9d59ddbb5e63d9bd74806e90830f70b1aa3

SHA256
07e18a00f3f7400539fbea9d6790ca194965316088f0b1396af5c03f7006f9c5

SHA512
4ed085f9b3f71256b87c49c2bb27a7b37585ac122c585273e805e8bf25e80617529c81fcf0462f766c690156ed28a7c62f5acc3c9e413b9523f75c230257dbdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
4fd2b428e6a4c5cd7dc2a16fcf6fbd4f

SHA1
ebf8c9d59ddbb5e63d9bd74806e90830f70b1aa3

SHA256
07e18a00f3f7400539fbea9d6790ca194965316088f0b1396af5c03f7006f9c5

SHA512
4ed085f9b3f71256b87c49c2bb27a7b37585ac122c585273e805e8bf25e80617529c81fcf0462f766c690156ed28a7c62f5acc3c9e413b9523f75c230257dbdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
5e36099657bd98cf6101d27f400f2748

SHA1
878c9c5616779fab2dccac79c693d047d6ac338e

SHA256
a7a1f977f7c7e41d349162255aff0be76d1355b314f9fba48f835a4945b5096f

SHA512
1a87aed99b8d545378244c3328d5f55d643c780123810f9622daf7e97bf548ae8eb321df075097be731feed4e2d2807c1ff3341e5c8d3cbe5fd342e8183aaad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
85d85b5dbfc343a9b670b2301e0ecad2

SHA1
22d4aec3b63f9e43a363628c3b06217896ac9d11

SHA256
62ee64fa2b63aaf17c87d65aa34607dc301893604fb6962d3dd068de75738ca2

SHA512
70a8f1616a508ef4e1564a909b6ff7c944bf00621848cf43497851837023f1c741c2f699fd73f12845e3f138e42bd105edddeee64c12d9e6fd7ab0e375a7ad24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
aeaf34b779e737bbcaaaf862ba592f63

SHA1
aca783c4a55a91b147a4990bbcbcc1ea870718a7

SHA256
7c7412515f40e0473f6b0cc13b941ac5f76eca8341ad3cca501e1b2a33b7b1aa

SHA512
9e2aa27cbfaad90fe1714caa6c063885eab4a848b733780f9b573151ef9bfa690a089bfe00ad05d330daab80e6fb950f49730f82d350de5936f986b80072561c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
4fd2b428e6a4c5cd7dc2a16fcf6fbd4f

SHA1
ebf8c9d59ddbb5e63d9bd74806e90830f70b1aa3

SHA256
07e18a00f3f7400539fbea9d6790ca194965316088f0b1396af5c03f7006f9c5

SHA512
4ed085f9b3f71256b87c49c2bb27a7b37585ac122c585273e805e8bf25e80617529c81fcf0462f766c690156ed28a7c62f5acc3c9e413b9523f75c230257dbdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
99955b0e301f4f3e7a602488d956d267

SHA1
05f11925b2b0c639d5c52085b65e5dce43623a08

SHA256
2482c71e2f6a7174f8a51896efbfa07fe9a2a41d69a57f061440d3dfd4f03a42

SHA512
9cba48d1a56e1789e5e4a2b1f5ec21f0298a346147040b8a3ba2d8b56f729ccc7eaf19459580ae65a2da753a3e036e030b90ad44e7375ecaaef6167e7d6e8376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
974d6e44ab7589eeda6f932e04bfa66f

SHA1
063a4ddc664f037efab65474c52c9fdf78f85e74

SHA256
57fba14ac711c392ce8014c2d0956e4bca777a612aaf5eb3dbac408efa83f034

SHA512
4666199d427a8c8a513f49c46b8eeb22f5172c528842fa1e31ae0e0be588145a97191d7f55f3c2a9881f8980864c5182653e338bc3bdb56119f5e9c7b5606385

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
85d85b5dbfc343a9b670b2301e0ecad2

SHA1
22d4aec3b63f9e43a363628c3b06217896ac9d11

SHA256
62ee64fa2b63aaf17c87d65aa34607dc301893604fb6962d3dd068de75738ca2

SHA512
70a8f1616a508ef4e1564a909b6ff7c944bf00621848cf43497851837023f1c741c2f699fd73f12845e3f138e42bd105edddeee64c12d9e6fd7ab0e375a7ad24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
85d85b5dbfc343a9b670b2301e0ecad2

SHA1
22d4aec3b63f9e43a363628c3b06217896ac9d11

SHA256
62ee64fa2b63aaf17c87d65aa34607dc301893604fb6962d3dd068de75738ca2

SHA512
70a8f1616a508ef4e1564a909b6ff7c944bf00621848cf43497851837023f1c741c2f699fd73f12845e3f138e42bd105edddeee64c12d9e6fd7ab0e375a7ad24

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311121726471\additional_file0.tmp

Filesize
1.9MB

MD5
b0f128c3579e6921cfff620179fb9864

SHA1
60e19c987a96182206994ffd509d2849fdb427e3

SHA256
1c3ddbdd3a8cc2e66a5f4c4db388dff028cd437d42f8982ddf7695cf38a1a9ee

SHA512
17977d85cbdbd4217098850d7eaff0a51e34d641648ec29e843fc299668d8127e367622c82b2a9ceab364099da8c707c8b4aa039e747102d7c950447a5d29212

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311121726471\opera_package

Filesize
12.3MB

MD5
8d2c98826ab64debe90f742a718dd0d9

SHA1
b6a7ae16895e258821b1590a28b446a06d04c785

SHA256
91277f80d243db2c83b4f66509e1e8274d017e3d910deafdbbfacb9b415818ce

SHA512
62e437b3aaef738ff757f9a8da1f42b7edc2ab4a75d4902644ae4bb11ec8d418124ec63477a26b0ac13324ea9878c6e319553cc13caf29d14f06707c26386b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
df8a130ef93c8922c459371bcd31d9c7

SHA1
7b4bdfdabb5ff08de0f83ed6858c57ba18f0d393

SHA256
0a394d266e36ef9b75ae2c390a7b68fa50e5188b8338217cf68deda683c84d40

SHA512
364f4c1cb242115266eea05a05bdc1068a6ce7778ae01f84dc3e570acbf5cda134f15e0addd2c7818fba326708b30362f29279e0ce96db51a8db73729f4af99a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9Ct3EF4.exe

Filesize
624KB

MD5
eb37ca7eb9f064b84ab535492faa21ff

SHA1
eca43881ceff3140c0564987df7fe3f3417eedec

SHA256
bcb2e9a5932bc61fc20cb0bd0b4616c4e8dd5e17359a4ff81628808b35c4d0af

SHA512
fb7e9cd34168019c7be774dc88993231a2eed4ba66bdae19bdf7958aeffb6cfce746e7376c2672cc5a905616af25898dd53ff82794f61f79402e2e906af5c59a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9Ct3EF4.exe

Filesize
624KB

MD5
eb37ca7eb9f064b84ab535492faa21ff

SHA1
eca43881ceff3140c0564987df7fe3f3417eedec

SHA256
bcb2e9a5932bc61fc20cb0bd0b4616c4e8dd5e17359a4ff81628808b35c4d0af

SHA512
fb7e9cd34168019c7be774dc88993231a2eed4ba66bdae19bdf7958aeffb6cfce746e7376c2672cc5a905616af25898dd53ff82794f61f79402e2e906af5c59a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nv7GL95.exe

Filesize
1003KB

MD5
1b5750625524009c0692f642e6b8767f

SHA1
6b524e6a78dfcdca8c0aad20c317b7fd0c10f48c

SHA256
3c25132fcef206b5152dcdedd4474aeff07bc2e9cfea088f92e9b19f20e131e3

SHA512
9d287117a7a5dc8ef270e6448f3032a4fc1bd58383a0fa10978dc79fb29fcf8d280eef12cff2eeaf5d355eb27d6f78d9688a8a7a72d8ff336e721c718dbd4aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nv7GL95.exe

Filesize
1003KB

MD5
1b5750625524009c0692f642e6b8767f

SHA1
6b524e6a78dfcdca8c0aad20c317b7fd0c10f48c

SHA256
3c25132fcef206b5152dcdedd4474aeff07bc2e9cfea088f92e9b19f20e131e3

SHA512
9d287117a7a5dc8ef270e6448f3032a4fc1bd58383a0fa10978dc79fb29fcf8d280eef12cff2eeaf5d355eb27d6f78d9688a8a7a72d8ff336e721c718dbd4aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\8eu008LX.exe

Filesize
315KB

MD5
6c48bad9513b4947a240db2a32d3063a

SHA1
a5b9b870ce2d3451572d88ff078f7527bd3a954a

SHA256
984ae46ad062442c543fcdb20b1a763001e7df08eb0ab24fc490cbf1ab4e54c8

SHA512
7ae5c7bce222cfeb9e0fae2524fd634fa323282811e97a61c6d1e9680d025e49b968e72ca8ce2a2ceca650fa73bc05b7cf578277944305ed5fae2322ef7d496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\8eu008LX.exe

Filesize
315KB

MD5
6c48bad9513b4947a240db2a32d3063a

SHA1
a5b9b870ce2d3451572d88ff078f7527bd3a954a

SHA256
984ae46ad062442c543fcdb20b1a763001e7df08eb0ab24fc490cbf1ab4e54c8

SHA512
7ae5c7bce222cfeb9e0fae2524fd634fa323282811e97a61c6d1e9680d025e49b968e72ca8ce2a2ceca650fa73bc05b7cf578277944305ed5fae2322ef7d496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dj6Qr97.exe

Filesize
781KB

MD5
bc3cb96ff7ab5f23a685630657b40146

SHA1
f864527591d4211157720e201c09886e85fb3fe1

SHA256
3d9865d2deb24fcf49f74c78c538cba078f06ed84b72dab2107b743e3ced2907

SHA512
14db3e1702c52cc34bb78eb042f1f895d3516c29b606ee61764a43adb370d77681fcd036cf08138deec9300c2685b28e932e61e48443e1762d2999422b1daa61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dj6Qr97.exe

Filesize
781KB

MD5
bc3cb96ff7ab5f23a685630657b40146

SHA1
f864527591d4211157720e201c09886e85fb3fe1

SHA256
3d9865d2deb24fcf49f74c78c538cba078f06ed84b72dab2107b743e3ced2907

SHA512
14db3e1702c52cc34bb78eb042f1f895d3516c29b606ee61764a43adb370d77681fcd036cf08138deec9300c2685b28e932e61e48443e1762d2999422b1daa61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7mI76TR.exe

Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7mI76TR.exe

Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jT1Vs35.exe

Filesize
656KB

MD5
fad6893406167c34e61dfaa1594fe265

SHA1
94b8e113d23e75c2738b8bef7bf31b75e0069d84

SHA256
1ab258cfcd15a98d5a200ed4649d3e3cdf0877b160e04b7a2802cd6d3f4d4f8e

SHA512
18d2aa2114c94b781f538f919e9ce032da0ca050d0674b359661478886d78acfe3f857d8fbd26edebf55b61623eea855c6b96a56ef05384528973433368b8d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jT1Vs35.exe

Filesize
656KB

MD5
fad6893406167c34e61dfaa1594fe265

SHA1
94b8e113d23e75c2738b8bef7bf31b75e0069d84

SHA256
1ab258cfcd15a98d5a200ed4649d3e3cdf0877b160e04b7a2802cd6d3f4d4f8e

SHA512
18d2aa2114c94b781f538f919e9ce032da0ca050d0674b359661478886d78acfe3f857d8fbd26edebf55b61623eea855c6b96a56ef05384528973433368b8d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1br43jd5.exe

Filesize
895KB

MD5
ab9367d246557176b9ece58a8817aa4b

SHA1
65e25367366a7a738027eaf0826e9b3610078abf

SHA256
e41f4f01c308d9e1c81cd9c984a7c8e1796b8ca7a26923968d7a916146a03f1f

SHA512
71fe6e13eedde1b266a6ccde09fe28e6325a1b3a5b70c282fad5c8d94829461107a7de78797cf16e0502349154f969261ae51830870639f5724a7de1991207ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1br43jd5.exe

Filesize
895KB

MD5
ab9367d246557176b9ece58a8817aa4b

SHA1
65e25367366a7a738027eaf0826e9b3610078abf

SHA256
e41f4f01c308d9e1c81cd9c984a7c8e1796b8ca7a26923968d7a916146a03f1f

SHA512
71fe6e13eedde1b266a6ccde09fe28e6325a1b3a5b70c282fad5c8d94829461107a7de78797cf16e0502349154f969261ae51830870639f5724a7de1991207ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2fA0140.exe

Filesize
276KB

MD5
f01c232ea03cd5aa7b9de4a1fd38660f

SHA1
a6069b3a83f8dcf1fe5a2a79eb8bdb5ecf36af0e

SHA256
ac85ca8d2ebc786b040e841b8dfa97546a0e255246797b4cc9fdeccf14ac6dba

SHA512
1b39bc97fa866ded9fb56edc01d85db1f43460961f4c1f494d024304058c7696f71c42075d2bda76f97d896b7f236247549679c2685382962effeec8ad603ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2fA0140.exe

Filesize
276KB

MD5
f01c232ea03cd5aa7b9de4a1fd38660f

SHA1
a6069b3a83f8dcf1fe5a2a79eb8bdb5ecf36af0e

SHA256
ac85ca8d2ebc786b040e841b8dfa97546a0e255246797b4cc9fdeccf14ac6dba

SHA512
1b39bc97fa866ded9fb56edc01d85db1f43460961f4c1f494d024304058c7696f71c42075d2bda76f97d896b7f236247549679c2685382962effeec8ad603ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

Filesize
2.5MB

MD5
f13cf6c130d41595bc96be10a737cb18

SHA1
6b14ea97930141aa5caaeeeb13dd4c6dad55d102

SHA256
dd7aaf7ef0e5b3797eaf5182e7b192fa014b735e129e00e0c662829ce0c2515f

SHA512
ccd4f57b1af1f348fcf9f519a4789c04b499ac5e02ccb7333d0a42fa1cb1fdf9f969103b3a5467e278cd5c6cbbbbebaac4577d0c220e13335575a13408c79b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_231112172645846736.dll

Filesize
4.6MB

MD5
0d2cf5e6c13d156467618f37174dd4b5

SHA1
a324c41cbbf96e458072f337a2ef2a61db463d60

SHA256
1845335f4172bd93f2011ff12da6f3d2f99d33740cc1f3ab2201b8205cb773b6

SHA512
f2af281d0702aab8984de88376986f09efc1f4c891353bc6bd4f2c40576ae33858912261502c78b5e0fa92f255a992d4532cf9a9e76a53b46ea263a6b60e2cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_21d1mc3v.qlm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\random.exe

Filesize
141KB

MD5
326781a332c7040492dc96b13fb126e5

SHA1
d03d8e89a6c75a14f512eeabf180a2f69d30e884

SHA256
0f09f8f60741e8b3c28dc927ff1b3318d8faa623d641704b605bc38142f54f28

SHA512
e701babafad09f1115511949f3061275bc6fbc54756d40f038aa9be708ff06736413367395bff7e157035aa9260ada439ad9a8d4c2c48c14de94c42f6ec0c2bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
221KB

MD5
82cd8d85dc427bfd991758f573525d23

SHA1
8a9f53dced366c5afb0e2a26186059fc34f9423d

SHA256
728a6f117ca91dfa121d74832b9eac2b995ec9887700c7832603730e0300bf4b

SHA512
422ecd38f2d744138dbc9994756407c4bccb9d539cda18bcf873824d1658c9fd264f31af356e171ff728e98d1a90e88af776b238b8fb7d4b4102ff9a8cc10e8a

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
bb08e0bd0171dc59d497cf679bd5e78c

SHA1
a403c4c1023afc95c5cda265a81ced173e3f5cc6

SHA256
9cd6f498e88a22d662eb7df124732cb104168fd8e4637988bbee1ab253d5d265

SHA512
dc085eb09ef52be57e8150855adcfcd1822c8f6f98d28e9bafe8f20a848fc9c2941b801deac8817d9e26540fe565a7c603af8346a7ae88f9c3e32f15fd9fecfd

Download Submit
C:\Users\Admin\Pictures\0ZHiup44rMqXbIuxMsYtGC3x.exe

Filesize
3.1MB

MD5
823b5fcdef282c5318b670008b9e6922

SHA1
d20cd5321d8a3d423af4c6dabc0ac905796bdc6d

SHA256
712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d

SHA512
4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

Download Submit
C:\Users\Admin\Pictures\9hsuKdjDZbTFrZ01IyDdjKxh.exe

Filesize
4.1MB

MD5
33e2408ab2f3f47b3ad395d65edba49e

SHA1
b86af85e8e438c12c7abd1b047edd229cf67219b

SHA256
2652450865e1ce350dd9674cb08100d68e4018bf5b6f74720c57e03f5ad98c23

SHA512
d7e4fc31361b2933a0ad1aa3a4020452b7d84232eb5ecba411edaf68c6041242d6b3677bf25393965a5b54b555cf4307d2984aa1423afcbebff9833bdd5905fc

Download Submit
C:\Users\Admin\Pictures\OOYqbufI7AqxXUBZr10eShxm.exe

Filesize
221KB

MD5
4ea71b88c6102990496206084fe59321

SHA1
32e2ccdb47350a561353fe2393f34839e3eef887

SHA256
f3a9883557b07a8bbe3ad42bf14420eb6a719c7e331c5611fe532edee2642cb6

SHA512
b7eb56da2f7ccbd70c7ec1064530e61419bb7b33eae1a74ae620caa4f58be562ee9f8edf07248d45165234fd42dba63d9b6d5d616b3815db7ef170c5b466cf39

Download Submit
C:\Users\Admin\Pictures\Ses5iyjUCRGROH1ArYdOe3ws.exe

Filesize
2.8MB

MD5
6110deb699078e8183f13558727713db

SHA1
81aa008e1f816d492eda06980557a63ce31623ba

SHA256
f454ea280d7c61c6ac2a070e748407a630752a5c0e7baf9ce71f59df004b6cce

SHA512
b7f5d57b0d6f7a184ce10f396ab9ed367dc3353182a4064dbb7e9ba9a2ae2eaad4a3c485ee57a0e1dfbf92f31c34aa8a7d204551ca40c17d6f2e68c5072f9df7

Download Submit
C:\Users\Admin\Pictures\l3Q05olBASf3GMzvnljiR41z.exe

Filesize
7KB

MD5
fcad815e470706329e4e327194acc07c

SHA1
c4edd81d00318734028d73be94bc3904373018a9

SHA256
280d939a66a0107297091b3b6f86d6529ef6fac222a85dbc82822c3d5dc372b8

SHA512
f4031b49946da7c6c270e0354ac845b5c77b9dfcd267442e0571dd33ccd5146bc352ed42b59800c9d166c8c1ede61469a00a4e8d3738d937502584e8a1b72485

Download Submit
C:\Users\Admin\Pictures\mjisqQwYoD0BJsVBl0jGPLce.exe

Filesize
145KB

MD5
90dd1720cb5f0a539358d8895d3fd27a

SHA1
c1375d0b31adc36f91feb45df705c7e662c95d7d

SHA256
e69a88b0f9ec61f4acf22f9a3d96f60eb3a04db58a74eb4315700ac465de9e01

SHA512
c6e3f1e03f93f6aaa1b93bca21f3a93d6539ede45b06869d3a1daf983d5f1c68bc7e8895126b3d02d4b85854ac3991ecada77ddff2cbdc81c1e93f1f12c4ada1

Download Submit
C:\Users\Admin\Pictures\q61770NOi42gen7Kdr9vz8qH.exe

Filesize
4.8MB

MD5
ff6c6212c086b2ea7bb1537a6e9b0abb

SHA1
f058d292f83c16450af74d870056cb742d23b3a3

SHA256
1abe626a7cbd4639f1ba56a6c4dab7f2dd9ad08396eb80ee4a21b0f7ef69d875

SHA512
3b495b12a67cc1cfb73a195ffe62bcccd3d8cf7a8abe556f493d74c835e453b8ad80529b4a24150b25c0eee2807d5fc9e0d43f572869a926435017311cdd97d5

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/376-561-0x0000000007750000-0x0000000007760000-memory.dmp

Filesize
64KB

Download
memory/376-290-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/376-309-0x0000000007FC0000-0x00000000080CA000-memory.dmp

Filesize
1.0MB

Download
memory/376-308-0x00000000085E0000-0x0000000008BF8000-memory.dmp

Filesize
6.1MB

Download
memory/376-298-0x00000000074A0000-0x00000000074AA000-memory.dmp

Filesize
40KB

Download
memory/376-553-0x0000000074020000-0x00000000747D0000-memory.dmp

Filesize
7.7MB

Download
memory/376-297-0x0000000007750000-0x0000000007760000-memory.dmp

Filesize
64KB

Download
memory/376-324-0x00000000077E0000-0x000000000782C000-memory.dmp

Filesize
304KB

Download
memory/376-317-0x00000000077A0000-0x00000000077DC000-memory.dmp

Filesize
240KB

Download
memory/376-315-0x0000000007700000-0x0000000007712000-memory.dmp

Filesize
72KB

Download
memory/376-294-0x0000000074020000-0x00000000747D0000-memory.dmp

Filesize
7.7MB

Download
memory/376-295-0x0000000007A10000-0x0000000007FB4000-memory.dmp

Filesize
5.6MB

Download
memory/376-296-0x0000000007500000-0x0000000007592000-memory.dmp

Filesize
584KB

Download
memory/880-716-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/880-630-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2140-657-0x0000000074020000-0x00000000747D0000-memory.dmp

Filesize
7.7MB

Download
memory/2140-586-0x0000000000BB0000-0x0000000001858000-memory.dmp

Filesize
12.7MB

Download
memory/2140-585-0x0000000074020000-0x00000000747D0000-memory.dmp

Filesize
7.7MB

Download
memory/2536-668-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp

Filesize
896KB

Download
memory/2536-738-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp

Filesize
896KB

Download
memory/2536-717-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp

Filesize
896KB

Download
memory/2536-730-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp

Filesize
896KB

Download
memory/2536-720-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp

Filesize
896KB

Download
memory/2536-646-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2536-727-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp

Filesize
896KB

Download
memory/2536-724-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp

Filesize
896KB

Download
memory/2536-656-0x0000022DBCCF0000-0x0000022DBCDD4000-memory.dmp

Filesize
912KB

Download
memory/2536-663-0x00007FFB88F80000-0x00007FFB89A41000-memory.dmp

Filesize
10.8MB

Download
memory/2536-664-0x0000022DA2B20000-0x0000022DA2B30000-memory.dmp

Filesize
64KB

Download
memory/2536-734-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp

Filesize
896KB

Download
memory/2536-670-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp

Filesize
896KB

Download
memory/2536-742-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp

Filesize
896KB

Download
memory/2536-672-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp

Filesize
896KB

Download
memory/2536-674-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp

Filesize
896KB

Download
memory/2536-684-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp

Filesize
896KB

Download
memory/2536-712-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp

Filesize
896KB

Download
memory/2536-686-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp

Filesize
896KB

Download
memory/2536-740-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp

Filesize
896KB

Download
memory/2536-695-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp

Filesize
896KB

Download
memory/2536-709-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp

Filesize
896KB

Download
memory/2536-697-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp

Filesize
896KB

Download
memory/2536-736-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp

Filesize
896KB

Download
memory/2536-699-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp

Filesize
896KB

Download
memory/2536-701-0x0000022DBCCF0000-0x0000022DBCDD0000-memory.dmp

Filesize
896KB

Download
memory/3112-263-0x0000000000C20000-0x0000000000C36000-memory.dmp

Filesize
88KB

Download
memory/3600-726-0x0000000074020000-0x00000000747D0000-memory.dmp

Filesize
7.7MB

Download
memory/3600-766-0x0000000006120000-0x0000000006186000-memory.dmp

Filesize
408KB

Download
memory/3600-729-0x0000000005A80000-0x00000000060A8000-memory.dmp

Filesize
6.2MB

Download
memory/3600-795-0x0000000006470000-0x00000000067C4000-memory.dmp

Filesize
3.3MB

Download
memory/3600-721-0x0000000002EB0000-0x0000000002EE6000-memory.dmp

Filesize
216KB

Download
memory/3600-722-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/3600-754-0x0000000005A10000-0x0000000005A32000-memory.dmp

Filesize
136KB

Download
memory/5912-702-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5912-719-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/5912-713-0x0000000074020000-0x00000000747D0000-memory.dmp

Filesize
7.7MB

Download
memory/6176-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6176-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6176-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6176-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6260-662-0x00007FFB88F80000-0x00007FFB89A41000-memory.dmp

Filesize
10.8MB

Download
memory/6260-629-0x0000020EFC600000-0x0000020EFC64C000-memory.dmp

Filesize
304KB

Download
memory/6260-595-0x0000020EFA900000-0x0000020EFAA60000-memory.dmp

Filesize
1.4MB

Download
memory/6260-598-0x0000020EFCF80000-0x0000020EFD066000-memory.dmp

Filesize
920KB

Download
memory/6260-609-0x00007FFB88F80000-0x00007FFB89A41000-memory.dmp

Filesize
10.8MB

Download
memory/6260-611-0x0000020EFD070000-0x0000020EFD150000-memory.dmp

Filesize
896KB

Download
memory/6260-619-0x0000020EFD150000-0x0000020EFD218000-memory.dmp

Filesize
800KB

Download
memory/6260-610-0x0000020EFC660000-0x0000020EFC670000-memory.dmp

Filesize
64KB

Download
memory/6260-621-0x0000020EFD320000-0x0000020EFD3E8000-memory.dmp

Filesize
800KB

Download
memory/6428-206-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/6428-270-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/6532-759-0x0000000006430000-0x00000000065C2000-memory.dmp

Filesize
1.6MB

Download
memory/6532-627-0x0000000074020000-0x00000000747D0000-memory.dmp

Filesize
7.7MB

Download
memory/6532-747-0x0000000005CD0000-0x0000000005E7A000-memory.dmp

Filesize
1.7MB

Download
memory/6532-780-0x0000000005C40000-0x0000000005C50000-memory.dmp

Filesize
64KB

Download
memory/6532-654-0x0000000005C50000-0x0000000005C60000-memory.dmp

Filesize
64KB

Download
memory/6532-628-0x0000000000B70000-0x0000000000F68000-memory.dmp

Filesize
4.0MB

Download
memory/6532-799-0x0000000005C50000-0x0000000005C60000-memory.dmp

Filesize
64KB

Download
memory/6532-808-0x0000000005C50000-0x0000000005C60000-memory.dmp

Filesize
64KB

Download
memory/6532-637-0x0000000005A70000-0x0000000005B0C000-memory.dmp

Filesize
624KB

Download
memory/6600-560-0x0000000000A70000-0x0000000000AC0000-memory.dmp

Filesize
320KB

Download
memory/6600-639-0x0000000074020000-0x00000000747D0000-memory.dmp

Filesize
7.7MB

Download
memory/6600-559-0x00000000091A0000-0x00000000091BE000-memory.dmp

Filesize
120KB

Download
memory/6600-558-0x0000000008B70000-0x000000000909C000-memory.dmp

Filesize
5.2MB

Download
memory/6600-555-0x0000000008100000-0x0000000008166000-memory.dmp

Filesize
408KB

Download
memory/6600-552-0x0000000074020000-0x00000000747D0000-memory.dmp

Filesize
7.7MB

Download
memory/6600-557-0x00000000089A0000-0x0000000008B62000-memory.dmp

Filesize
1.8MB

Download
memory/6600-554-0x0000000007600000-0x0000000007610000-memory.dmp

Filesize
64KB

Download
memory/6600-548-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/6600-547-0x0000000000540000-0x000000000059A000-memory.dmp

Filesize
360KB

Download
memory/6600-556-0x00000000088D0000-0x0000000008946000-memory.dmp

Filesize
472KB

Download
memory/6600-669-0x0000000007600000-0x0000000007610000-memory.dmp

Filesize
64KB

Download
memory/6772-310-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/6772-321-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/6772-323-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/6772-318-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/6952-644-0x0000000000D80000-0x0000000000DAA000-memory.dmp

Filesize
168KB

Download
memory/6952-652-0x0000000074020000-0x00000000747D0000-memory.dmp

Filesize
7.7MB

Download
memory/6952-715-0x0000000074020000-0x00000000747D0000-memory.dmp

Filesize
7.7MB

Download
memory/6952-665-0x0000000005890000-0x00000000058AA000-memory.dmp

Filesize
104KB

Download
memory/6952-661-0x0000000003030000-0x000000000304C000-memory.dmp

Filesize
112KB

Download