mystic | 234bf45368d98243b625cf1c69ba15213ceae7e8c20f2ab105e52633f289788d

Analysis

max time kernel
12s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2023 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77cb45093ccf067140c55c5c8b7df6c7ce6e77abda5f7b55e1c0da15fcdb4cc2.exe
Size

1.4MB
MD5

f3935b22955ae50d6117ba87916058d9
SHA1

f9b6db6e857d4058272d5e4ae669d75c272baf79
SHA256

77cb45093ccf067140c55c5c8b7df6c7ce6e77abda5f7b55e1c0da15fcdb4cc2
SHA512

1a2a3f19bc3b850b1a5007dda93678371744a5b1bffcc3048e963bc14d4cbd9fb9757c2456f0ea5587f9389f77da2e4d51282387447c1aa6d2d8a95becf93aba
SSDEEP

24576:jyG+4yALf5O8Jiw648ejIsGMAGF6cDnnoPjpEdyxkW2CHPCJzRJ226mqFM:2M1R9AeMTVGTCNXxkvvJzRsc

Score

10^/10

mystic redline smokeloader zgrat taiga backdoor evasion infostealer persistence rat stealer themida trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2022

http://5.42.92.190/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/5404-266-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/5404-268-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/5404-267-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/5404-270-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Detect ZGRat V1 26 IoCs

resource	yara_rule
behavioral1/memory/4080-697-0x000001A79C220000-0x000001A79C300000-memory.dmp	family_zgrat_v1
behavioral1/memory/4080-698-0x000001A79C220000-0x000001A79C300000-memory.dmp	family_zgrat_v1
behavioral1/memory/4080-700-0x000001A79C220000-0x000001A79C300000-memory.dmp	family_zgrat_v1
behavioral1/memory/4080-702-0x000001A79C220000-0x000001A79C300000-memory.dmp	family_zgrat_v1
behavioral1/memory/4080-708-0x000001A79C220000-0x000001A79C300000-memory.dmp	family_zgrat_v1
behavioral1/memory/4080-683-0x000001A79C220000-0x000001A79C304000-memory.dmp	family_zgrat_v1
behavioral1/memory/4080-710-0x000001A79C220000-0x000001A79C300000-memory.dmp	family_zgrat_v1
behavioral1/memory/4080-712-0x000001A79C220000-0x000001A79C300000-memory.dmp	family_zgrat_v1
behavioral1/memory/4080-719-0x000001A79C220000-0x000001A79C300000-memory.dmp	family_zgrat_v1
behavioral1/memory/4080-716-0x000001A79C220000-0x000001A79C300000-memory.dmp	family_zgrat_v1
behavioral1/memory/4080-722-0x000001A79C220000-0x000001A79C300000-memory.dmp	family_zgrat_v1
behavioral1/memory/4080-727-0x000001A79C220000-0x000001A79C300000-memory.dmp	family_zgrat_v1
behavioral1/memory/4080-729-0x000001A79C220000-0x000001A79C300000-memory.dmp	family_zgrat_v1
behavioral1/memory/4080-714-0x000001A79C220000-0x000001A79C300000-memory.dmp	family_zgrat_v1
behavioral1/memory/4080-731-0x000001A79C220000-0x000001A79C300000-memory.dmp	family_zgrat_v1
behavioral1/memory/4080-733-0x000001A79C220000-0x000001A79C300000-memory.dmp	family_zgrat_v1
behavioral1/memory/4080-736-0x000001A79C220000-0x000001A79C300000-memory.dmp	family_zgrat_v1
behavioral1/memory/4080-741-0x000001A79C220000-0x000001A79C300000-memory.dmp	family_zgrat_v1
behavioral1/memory/4080-744-0x000001A79C220000-0x000001A79C300000-memory.dmp	family_zgrat_v1
behavioral1/memory/4080-748-0x000001A79C220000-0x000001A79C300000-memory.dmp	family_zgrat_v1
behavioral1/memory/4080-753-0x000001A79C220000-0x000001A79C300000-memory.dmp	family_zgrat_v1
behavioral1/memory/4080-755-0x000001A79C220000-0x000001A79C300000-memory.dmp	family_zgrat_v1
behavioral1/memory/4080-760-0x000001A79C220000-0x000001A79C300000-memory.dmp	family_zgrat_v1
behavioral1/memory/4080-762-0x000001A79C220000-0x000001A79C300000-memory.dmp	family_zgrat_v1
behavioral1/memory/4080-769-0x000001A79C220000-0x000001A79C300000-memory.dmp	family_zgrat_v1
behavioral1/memory/4080-785-0x000001A79C220000-0x000001A79C300000-memory.dmp	family_zgrat_v1

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/7160-514-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/5728-571-0x0000000000550000-0x00000000005AA000-memory.dmp	family_redline
behavioral1/memory/5728-573-0x0000000000400000-0x0000000000467000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 5 IoCs

pid	Process
4240	qG0Ky75.exe
1104	oa9gW24.exe
4468	zM6Oz18.exe
3548	1jJ16qx0.exe
3336	2LX2769.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0006000000022ebc-1004.dat	themida

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000022e9b-840.dat	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	77cb45093ccf067140c55c5c8b7df6c7ce6e77abda5f7b55e1c0da15fcdb4cc2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	qG0Ky75.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	oa9gW24.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zM6Oz18.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0008000000022d4e-26.dat	autoit_exe
behavioral1/files/0x0008000000022d4e-27.dat	autoit_exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5804	sc.exe
6320	sc.exe
6184	sc.exe
1128	sc.exe
7276	sc.exe
5768	sc.exe
5928	sc.exe
2716	sc.exe
3084	sc.exe
5528	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5060	5404	WerFault.exe	150

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5964	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5896	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1604	msedge.exe
1604	msedge.exe
752	msedge.exe
752	msedge.exe
2368	msedge.exe
2368	msedge.exe
2136	msedge.exe
2136	msedge.exe
5268	msedge.exe
5268	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3548	1jJ16qx0.exe
3548	1jJ16qx0.exe
3548	1jJ16qx0.exe
3548	1jJ16qx0.exe
3548	1jJ16qx0.exe
3548	1jJ16qx0.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
3548	1jJ16qx0.exe
3548	1jJ16qx0.exe
3548	1jJ16qx0.exe
3548	1jJ16qx0.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
3548	1jJ16qx0.exe
3548	1jJ16qx0.exe
3548	1jJ16qx0.exe
3548	1jJ16qx0.exe
3548	1jJ16qx0.exe
3548	1jJ16qx0.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
3548	1jJ16qx0.exe
3548	1jJ16qx0.exe
3548	1jJ16qx0.exe
3548	1jJ16qx0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 4240	2080	77cb45093ccf067140c55c5c8b7df6c7ce6e77abda5f7b55e1c0da15fcdb4cc2.exe	84
PID 2080 wrote to memory of 4240	2080	77cb45093ccf067140c55c5c8b7df6c7ce6e77abda5f7b55e1c0da15fcdb4cc2.exe	84
PID 2080 wrote to memory of 4240	2080	77cb45093ccf067140c55c5c8b7df6c7ce6e77abda5f7b55e1c0da15fcdb4cc2.exe	84
PID 4240 wrote to memory of 1104	4240	qG0Ky75.exe	85
PID 4240 wrote to memory of 1104	4240	qG0Ky75.exe	85
PID 4240 wrote to memory of 1104	4240	qG0Ky75.exe	85
PID 1104 wrote to memory of 4468	1104	oa9gW24.exe	86
PID 1104 wrote to memory of 4468	1104	oa9gW24.exe	86
PID 1104 wrote to memory of 4468	1104	oa9gW24.exe	86
PID 4468 wrote to memory of 3548	4468	zM6Oz18.exe	87
PID 4468 wrote to memory of 3548	4468	zM6Oz18.exe	87
PID 4468 wrote to memory of 3548	4468	zM6Oz18.exe	87
PID 3548 wrote to memory of 1452	3548	1jJ16qx0.exe	91
PID 3548 wrote to memory of 1452	3548	1jJ16qx0.exe	91
PID 1452 wrote to memory of 4632	1452	msedge.exe	95
PID 1452 wrote to memory of 4632	1452	msedge.exe	95
PID 3548 wrote to memory of 2368	3548	1jJ16qx0.exe	93
PID 3548 wrote to memory of 2368	3548	1jJ16qx0.exe	93
PID 2368 wrote to memory of 3412	2368	msedge.exe	94
PID 2368 wrote to memory of 3412	2368	msedge.exe	94
PID 3548 wrote to memory of 2128	3548	1jJ16qx0.exe	96
PID 3548 wrote to memory of 2128	3548	1jJ16qx0.exe	96
PID 2128 wrote to memory of 1824	2128	msedge.exe	97
PID 2128 wrote to memory of 1824	2128	msedge.exe	97
PID 3548 wrote to memory of 2640	3548	1jJ16qx0.exe	98
PID 3548 wrote to memory of 2640	3548	1jJ16qx0.exe	98
PID 2640 wrote to memory of 1468	2640	msedge.exe	99
PID 2640 wrote to memory of 1468	2640	msedge.exe	99
PID 3548 wrote to memory of 1232	3548	1jJ16qx0.exe	100
PID 3548 wrote to memory of 1232	3548	1jJ16qx0.exe	100
PID 1232 wrote to memory of 832	1232	msedge.exe	101
PID 1232 wrote to memory of 832	1232	msedge.exe	101
PID 3548 wrote to memory of 972	3548	1jJ16qx0.exe	102
PID 3548 wrote to memory of 972	3548	1jJ16qx0.exe	102
PID 972 wrote to memory of 2756	972	msedge.exe	103
PID 972 wrote to memory of 2756	972	msedge.exe	103
PID 1452 wrote to memory of 2532	1452	msedge.exe	107
PID 1452 wrote to memory of 2532	1452	msedge.exe	107
PID 1452 wrote to memory of 2532	1452	msedge.exe	107
PID 1452 wrote to memory of 2532	1452	msedge.exe	107
PID 1452 wrote to memory of 2532	1452	msedge.exe	107
PID 1452 wrote to memory of 2532	1452	msedge.exe	107
PID 1452 wrote to memory of 2532	1452	msedge.exe	107
PID 1452 wrote to memory of 2532	1452	msedge.exe	107
PID 1452 wrote to memory of 2532	1452	msedge.exe	107
PID 1452 wrote to memory of 2532	1452	msedge.exe	107
PID 1452 wrote to memory of 2532	1452	msedge.exe	107
PID 1452 wrote to memory of 2532	1452	msedge.exe	107
PID 1452 wrote to memory of 2532	1452	msedge.exe	107
PID 1452 wrote to memory of 2532	1452	msedge.exe	107
PID 1452 wrote to memory of 2532	1452	msedge.exe	107
PID 1452 wrote to memory of 2532	1452	msedge.exe	107
PID 1452 wrote to memory of 2532	1452	msedge.exe	107
PID 1452 wrote to memory of 2532	1452	msedge.exe	107
PID 1452 wrote to memory of 2532	1452	msedge.exe	107
PID 1452 wrote to memory of 2532	1452	msedge.exe	107
PID 1452 wrote to memory of 2532	1452	msedge.exe	107
PID 1452 wrote to memory of 2532	1452	msedge.exe	107
PID 1452 wrote to memory of 2532	1452	msedge.exe	107
PID 1452 wrote to memory of 2532	1452	msedge.exe	107
PID 1452 wrote to memory of 2532	1452	msedge.exe	107
PID 1452 wrote to memory of 2532	1452	msedge.exe	107
PID 1452 wrote to memory of 2532	1452	msedge.exe	107
PID 1452 wrote to memory of 2532	1452	msedge.exe	107

C:\Users\Admin\AppData\Local\Temp\77cb45093ccf067140c55c5c8b7df6c7ce6e77abda5f7b55e1c0da15fcdb4cc2.exe
"C:\Users\Admin\AppData\Local\Temp\77cb45093ccf067140c55c5c8b7df6c7ce6e77abda5f7b55e1c0da15fcdb4cc2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qG0Ky75.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qG0Ky75.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oa9gW24.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oa9gW24.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1104
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zM6Oz18.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zM6Oz18.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4468
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ16qx0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ16qx0.exe
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3548
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7ffcc4d046f8,0x7ffcc4d04708,0x7ffcc4d04718
        7⤵
        
        PID:4632
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,1526409765343895569,3225047892761020302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,1526409765343895569,3225047892761020302,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
        7⤵
        
        PID:2532
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffcc4d046f8,0x7ffcc4d04708,0x7ffcc4d04718
        7⤵
        
        PID:3412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,18374312450178550746,4423313651658517446,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:752
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,18374312450178550746,4423313651658517446,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
        7⤵
        
        PID:3808
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,18374312450178550746,4423313651658517446,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
        7⤵
        
        PID:3472
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18374312450178550746,4423313651658517446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
        7⤵
        
        PID:1736
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18374312450178550746,4423313651658517446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
        7⤵
        
        PID:3544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18374312450178550746,4423313651658517446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1
        7⤵
        
        PID:5208
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18374312450178550746,4423313651658517446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
        7⤵
        
        PID:5368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18374312450178550746,4423313651658517446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4352 /prefetch:1
        7⤵
        
        PID:5584
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18374312450178550746,4423313651658517446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:1
        7⤵
        
        PID:5652
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18374312450178550746,4423313651658517446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
        7⤵
        
        PID:5832
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18374312450178550746,4423313651658517446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
        7⤵
        
        PID:5884
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18374312450178550746,4423313651658517446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
        7⤵
        
        PID:6100
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18374312450178550746,4423313651658517446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
        7⤵
        
        PID:4720
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18374312450178550746,4423313651658517446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
        7⤵
        
        PID:6140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18374312450178550746,4423313651658517446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
        7⤵
        
        PID:5616
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18374312450178550746,4423313651658517446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
        7⤵
        
        PID:5756
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18374312450178550746,4423313651658517446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
        7⤵
        
        PID:6456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18374312450178550746,4423313651658517446,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6964 /prefetch:1
        7⤵
        
        PID:6464
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18374312450178550746,4423313651658517446,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7672 /prefetch:1
        7⤵
        
        PID:6852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18374312450178550746,4423313651658517446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7644 /prefetch:1
        7⤵
        
        PID:6844
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,18374312450178550746,4423313651658517446,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7928 /prefetch:8
        7⤵
        
        PID:7000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,18374312450178550746,4423313651658517446,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7928 /prefetch:8
        7⤵
        
        PID:7016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18374312450178550746,4423313651658517446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8688 /prefetch:1
        7⤵
        
        PID:4516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18374312450178550746,4423313651658517446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7952 /prefetch:1
        7⤵
        
        PID:6548
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcc4d046f8,0x7ffcc4d04708,0x7ffcc4d04718
        7⤵
        
        PID:1824
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,292530050523756962,6559160416241500399,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2136
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffcc4d046f8,0x7ffcc4d04708,0x7ffcc4d04718
        7⤵
        
        PID:1468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,13578615525953973256,5660286040692143599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5268
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcc4d046f8,0x7ffcc4d04708,0x7ffcc4d04718
        7⤵
        
        PID:832
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x174,0x178,0x17c,0x150,0x180,0x7ffcc4d046f8,0x7ffcc4d04708,0x7ffcc4d04718
        7⤵
        
        PID:2756
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
        6⤵
        
        PID:3480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffcc4d046f8,0x7ffcc4d04708,0x7ffcc4d04718
        7⤵
        
        PID:3328
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
        6⤵
        
        PID:5424
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcc4d046f8,0x7ffcc4d04708,0x7ffcc4d04718
        7⤵
        
        PID:5476
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
        6⤵
        
        PID:5852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcc4d046f8,0x7ffcc4d04708,0x7ffcc4d04718
        7⤵
        
        PID:5876
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        6⤵
        
        PID:4352
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcc4d046f8,0x7ffcc4d04708,0x7ffcc4d04718
        7⤵
        
        PID:5040
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2LX2769.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2LX2769.exe
        5⤵
        Executes dropped EXE
        
        PID:3336
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:6324
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5404 -s 540
        7⤵
        Program crash
        
        PID:5060
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7Cm46eE.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7Cm46eE.exe
      4⤵
      PID:6988
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\8nW268RB.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\8nW268RB.exe
    3⤵
    PID:3140
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:7160
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9Bx9pp4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9Bx9pp4.exe
  2⤵
  PID:6576
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:6276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5404 -ip 5404
1⤵
PID:7132

C:\Users\Admin\AppData\Local\Temp\8D28.exe
C:\Users\Admin\AppData\Local\Temp\8D28.exe
1⤵
PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:4996
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc4d046f8,0x7ffcc4d04708,0x7ffcc4d04718
    3⤵
    PID:6592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,6418719330269776517,5786309397169636387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
    3⤵
    PID:1728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,6418719330269776517,5786309397169636387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
    3⤵
    PID:5024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,6418719330269776517,5786309397169636387,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
    3⤵
    PID:1804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,6418719330269776517,5786309397169636387,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
    3⤵
    PID:2196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,6418719330269776517,5786309397169636387,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
    3⤵
    PID:1360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,6418719330269776517,5786309397169636387,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
    3⤵
    PID:3140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,6418719330269776517,5786309397169636387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
    3⤵
    PID:6588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,6418719330269776517,5786309397169636387,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
    3⤵
    PID:7560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,6418719330269776517,5786309397169636387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
    3⤵
    PID:7552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,6418719330269776517,5786309397169636387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
    3⤵
    PID:7880
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,6418719330269776517,5786309397169636387,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8
    3⤵
    PID:6540
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,6418719330269776517,5786309397169636387,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8
    3⤵
    PID:7028

C:\Users\Admin\AppData\Local\Temp\BCF3.exe
C:\Users\Admin\AppData\Local\Temp\BCF3.exe
1⤵
PID:2008
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  PID:4800
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    PID:8060
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  PID:5380
- C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
  2⤵
  PID:4540
- - C:\Users\Admin\AppData\Local\Temp\Broom.exe
    C:\Users\Admin\AppData\Local\Temp\Broom.exe
    3⤵
    PID:5752
- C:\Users\Admin\AppData\Local\Temp\random.exe
  "C:\Users\Admin\AppData\Local\Temp\random.exe"
  2⤵
  PID:1292
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
    3⤵
    PID:664
  - - C:\Users\Admin\Pictures\k0DtTpBVIi4ZI5KK719XhHg8.exe
      "C:\Users\Admin\Pictures\k0DtTpBVIi4ZI5KK719XhHg8.exe"
      4⤵
      PID:5628
  - - C:\Users\Admin\Pictures\MpHLVS6PaiVNJILEb9ZPSfgj.exe
      "C:\Users\Admin\Pictures\MpHLVS6PaiVNJILEb9ZPSfgj.exe"
      4⤵
      PID:6544
  - - C:\Users\Admin\Pictures\RYzZr1uXKEuCwheqcnPrCTcW.exe
      "C:\Users\Admin\Pictures\RYzZr1uXKEuCwheqcnPrCTcW.exe" --silent --allusers=0
      4⤵
      PID:5376
    - - C:\Users\Admin\Pictures\RYzZr1uXKEuCwheqcnPrCTcW.exe
        
        C:\Users\Admin\Pictures\RYzZr1uXKEuCwheqcnPrCTcW.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=104.0.4944.54 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2f0,0x300,0x6b275648,0x6b275658,0x6b275664
        5⤵
        
        PID:5608
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\RYzZr1uXKEuCwheqcnPrCTcW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\RYzZr1uXKEuCwheqcnPrCTcW.exe" --version
        5⤵
        
        PID:3076
    - - C:\Users\Admin\Pictures\RYzZr1uXKEuCwheqcnPrCTcW.exe
        
        "C:\Users\Admin\Pictures\RYzZr1uXKEuCwheqcnPrCTcW.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5376 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231113034933" --session-guid=55f35753-4da3-4100-9a81-b3ff3b5168e0 --server-tracking-blob=OTdmNGFhOTVmNTg4NWEzODI2YzFlODk3M2IxZTAzNGU1MDRhYjU4ZWY3MjNhYTM5ZWNmZGI3NTYwYzEyY2YyYzp7ImNvdW50cnkiOiJOTCIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTY5OTg0NzM2OC40NzA5IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiIwZDdlYThmYy02NDFlLTQ2YTktODZjZC1kNWU0ZTFjMTE4YTkifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=6004000000000000
        5⤵
        
        PID:5072
      - C:\Users\Admin\Pictures\RYzZr1uXKEuCwheqcnPrCTcW.exe
        
        C:\Users\Admin\Pictures\RYzZr1uXKEuCwheqcnPrCTcW.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=104.0.4944.54 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6a615648,0x6a615658,0x6a615664
        6⤵
        
        PID:5092
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311130349331\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311130349331\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe"
        5⤵
        
        PID:7596
  - - C:\Users\Admin\Pictures\RIeNskVmddiZ3qlQh7Y0nOzI.exe
      "C:\Users\Admin\Pictures\RIeNskVmddiZ3qlQh7Y0nOzI.exe"
      4⤵
      PID:6328
  - - C:\Users\Admin\Pictures\n73DF8DMGdj3fpv5ZYIIf1tf.exe
      "C:\Users\Admin\Pictures\n73DF8DMGdj3fpv5ZYIIf1tf.exe"
      4⤵
      PID:4172
    - - C:\Users\Admin\AppData\Local\Temp\Broom.exe
        
        C:\Users\Admin\AppData\Local\Temp\Broom.exe
        5⤵
        
        PID:6432
  - - C:\Users\Admin\Pictures\w5EBIOwpJCkCo7YuaQzkz2ZJ.exe
      "C:\Users\Admin\Pictures\w5EBIOwpJCkCo7YuaQzkz2ZJ.exe"
      4⤵
      PID:1616
  - - C:\Users\Admin\Pictures\oZCQQCayapiqeXbc3YG6Z0Lt.exe
      "C:\Users\Admin\Pictures\oZCQQCayapiqeXbc3YG6Z0Lt.exe"
      4⤵
      PID:4104
  - - C:\Users\Admin\Pictures\gI98ctdmpsckUN3iQnNQRn5p.exe
      "C:\Users\Admin\Pictures\gI98ctdmpsckUN3iQnNQRn5p.exe"
      4⤵
      PID:3928
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\gI98ctdmpsckUN3iQnNQRn5p.exe" & del "C:\ProgramData\*.dll"" & exit
        5⤵
        
        PID:7368
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        6⤵
        Delays execution with timeout.exe
        
        PID:5896
  - - C:\Users\Admin\Pictures\fKsyzovuMsNQE2JYwuWyxuPO.exe
      "C:\Users\Admin\Pictures\fKsyzovuMsNQE2JYwuWyxuPO.exe"
      4⤵
      PID:7140
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\random.exe" -Force
    3⤵
    PID:3192
- C:\Users\Admin\AppData\Local\Temp\latestX.exe
  "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
  2⤵
  PID:2136

C:\Users\Admin\AppData\Local\Temp\BFB3.exe
C:\Users\Admin\AppData\Local\Temp\BFB3.exe
1⤵
PID:6600
- C:\Users\Admin\AppData\Local\Temp\BFB3.exe
  C:\Users\Admin\AppData\Local\Temp\BFB3.exe
  2⤵
  PID:4080

C:\Users\Admin\AppData\Local\Temp\C64C.exe
C:\Users\Admin\AppData\Local\Temp\C64C.exe
1⤵
PID:6484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  2⤵
  PID:3392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:7236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:7408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5328

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:8048
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:7276
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5804
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:6184
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:2716
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:3084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1632

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:364
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:5768
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:6320
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5928
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:1128
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:5528

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:6856
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:412
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:1488
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:4648
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:7644

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:6892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:5664

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:5404
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:6108
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:6320
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:5916

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\tlxvacrdjkek.xml"
1⤵
- Creates scheduled task(s)
PID:5964

C:\Users\Admin\AppData\Local\Temp\1468.exe
C:\Users\Admin\AppData\Local\Temp\1468.exe
1⤵
PID:7348

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:2548

C:\Users\Admin\AppData\Local\Temp\195B.exe
C:\Users\Admin\AppData\Local\Temp\195B.exe
1⤵
PID:5336

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:7536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\HJJDGHCB

Filesize
92KB

MD5
2c49291f7cd253c173250751551fd2b5

SHA1
9d8a80c2a365675a63b5f50f63b72b76d625b1b1

SHA256
5766d76fbd9f797ab218de6c240dcae6f78066bc5812a99aeeed584fb0621f75

SHA512
de4a9ca73d663384264643be909726cb3393ea45779c888eb54bb3fbd2e36d8ad1c30260a16f1ced9fc5d8fe96dee761a655ff3764148b3e2678563417d6d933

Download Submit
C:\ProgramData\KKFBAAFC

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8992ae6e99b277eea6fb99c4f267fa3f

SHA1
3715825c48f594068638351242fac7fdd77c1eb7

SHA256
525038333c02dff407d589fa407b493b7962543e205c587feceefbc870a08e3d

SHA512
a1f44fff4ea76358c7f2a909520527ec0bbc3ddcb722c5d1f874e03a0c4ac42dac386a49ccf72807ef2fa6ccc534490ad90de2f699b1e49f06f79157f251ab25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8992ae6e99b277eea6fb99c4f267fa3f

SHA1
3715825c48f594068638351242fac7fdd77c1eb7

SHA256
525038333c02dff407d589fa407b493b7962543e205c587feceefbc870a08e3d

SHA512
a1f44fff4ea76358c7f2a909520527ec0bbc3ddcb722c5d1f874e03a0c4ac42dac386a49ccf72807ef2fa6ccc534490ad90de2f699b1e49f06f79157f251ab25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a5f595566f83e288991a95ff3747e1d7

SHA1
f3f4069819da237eea7e05a9caefb51d2a2df896

SHA256
50cecc4be2308132639e09216843eacc34bcde5d2cc88716a4355e3b3af643fe

SHA512
57f7ebeb715fa7205b463efa7844b1c58b0ccc681655970bd88aa5296dcc4579bb1edc8ee93dcb049275756c9e99469eee42498f84ced4996dc575b8a74ea003

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2c356792d25953a353537ff99d8ff763

SHA1
795b5dca39e4408f832dfcd6142e2b8c3242686b

SHA256
aa4c2fc1c9e566ebec324eac5a10c22f8e186be43d34e78d18ddffd664647f02

SHA512
0b9529ed29de80d3e8f195370bc44ae691151fb8e25a821327809533523f09ca4c54a508eddd873430b64f688938287f70f3c8b9297038edaba9f2db94a7ecbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
73KB

MD5
d439aa40127eb4c49c97bd689cf1d222

SHA1
420b5ea10d3dc13070c9a1022160aaac4f28a352

SHA256
f38b31ffce521cb614481e3bd6ca9b130e862663ac7134ee30dfe121ec2b6091

SHA512
172c61e97d8bf3dd5b8cdb59b102c0e6e660864da859e5db451fa9820b39c4f118ee5f54fb18e60c0022eaf7570522cb18303e2a759e9143af4b14bb50a94958

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
21KB

MD5
7d75a9eb3b38b5dd04b8a7ce4f1b87cc

SHA1
68f598c84936c9720c5ffd6685294f5c94000dff

SHA256
6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7

SHA512
cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
224KB

MD5
4e08109ee6888eeb2f5d6987513366bc

SHA1
86340f5fa46d1a73db2031d80699937878da635e

SHA256
bf44187e1683e78d3040bcef6263e25783c6936096ff0a621677d411dd9d1339

SHA512
4e477fd9e58676c0e00744dbe3421e528dd2faeca2ab998ebbeb349b35bb3711dcf78d8c9e7adba66b4d681d1982c31cac42024c8b19e19537a5615dac39c661

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
33KB

MD5
fdbf5bcfbb02e2894a519454c232d32f

SHA1
5e225710e9560458ac032ab80e24d0f3cb81b87a

SHA256
d9315d0678ac213bbe2c1de27528f82fd40dbff160f5a0c19850f891da29ea1c

SHA512
9eb86ebb1b50074df9bd94f7660df6f362b5a46411b35ce820740f629f8ef77f0b49a95c5550441a7db2b2638f0ed3d0204cb8f8c76391c05401506833b8c916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
186KB

MD5
740a924b01c31c08ad37fe04d22af7c5

SHA1
34feb0face110afc3a7673e36d27eee2d4edbbff

SHA256
f0e1953b71cc4abbffdd5096d99dfb274688e517c381b15c3446c28a4ac416e0

SHA512
da7061f944c69245c2f66b0e6a8b5a9bca91bda8a73f99734dcb23db56c5047de796fa7e348ff8840d9ac123436e38a4206408573215b7e5e98942ea6d66bb7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ddeafcdcbf4b8551aacc8f3c48bbe7b1

SHA1
fe31de7d652cb2799a3afb1373cdb6e6033806a4

SHA256
93f43bd28694bbe9bda7ac075de4ae58fea6e4c51cccd03c0c1609a83fe3ccf4

SHA512
f3d51fa68542b2b35dd50371d376c58ce7052856dc833313c9ac08c9e0b121768f19176633d615802b4f51d9133f48007d5f4a56a03f2ae2b541db8ddaa382d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8f785e2f39756c1ad48af139c064e17c

SHA1
f538540d60c30d5a6baa2b3dd5081c76b5f26ae7

SHA256
d2e0071e1da16e8de9103a18f6fcd8184108921d88e8d9f6defb0ac91188689e

SHA512
6645e25481d09ff56934ba89317d159bdf86963c8d1184ec16cce9166db7a3d93e5dfe075a7fb40b85c27d70ec11bdfd4f295fd6b1cbfed96b4ab1ae187bfe8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
7c6c45ab8c82fdb34ad74bc005fc1705

SHA1
81fa1ddc58fccbbffe6454edd3cefab3f8f72fe7

SHA256
cd08c2bfec3cbabd8064cda1769b6da8946abfc81b592373c27fbb1f9844b54e

SHA512
ec0623c221b0d75aa681d17e1dcabf59d7f26abc48e47ad79a25001487a1b5aafe919ee0cefbe0c339b6aa684408340ea231cc9799d4f11ae3a40f5c2a703280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
c23bd1827fcc03f1facbf3304b810e9e

SHA1
8b389d57790057cb4efab47fb51c9fdcf2d65123

SHA256
f69910b3d72d53ee93289c17278fdf8814f310c34a2c6657a0ced22f5ce68d84

SHA512
7d883586ef8458b17127bc8d419d96fd18721efa885379eccd91f65697fcd48ed26a1a643afdcfeccd61ab794bc00433e1af428b5c68def2fdf21087715bb1e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
34e44aaa68b8d82b920d9cba0c4b4cb2

SHA1
6dc44161af4ea9c58f81c17b41023b601bedc106

SHA256
80317e4f79858b2ab6342487c4361e8f11d85ee8b3879eb7a4d7998e6a61c9e1

SHA512
157c2ecea1ac57f7fa9287782c1a31e7610e3c11601425eee67d12a856902bc7724bb64e7ab2cc49585a81c5bb0166a97f97625e6232910a703d22bef9a96bbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
f1881400134252667af6731236741098

SHA1
6fbc4f34542d449afdb74c9cfd4a6d20e6cdc458

SHA256
d6fcec1880d69aaa0229f515403c1a5ac82787f442c37f1c0c96c82ec6c15b75

SHA512
18b9ac92c396a01b6662a4a8a21b995d456716b70144a136fced761fd0a84c99e8bd0afb9585625809b87332da75727b82a07b151560ea253a3b8c241b799450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
291eb1f5aa4d6fc92e450e37c19945ea

SHA1
ad3e02a60079b8fe3c8dd2b98bb758b0bc9edd96

SHA256
2ec6f0e4800e9783bc7580767d2e8fbb887e58d2a39eacf9dbc3cdb2db4c7817

SHA512
1a922a6df1a2cd06029543bfcdda65ce405cfab647fa3a0c97d98e03766a62124535069d65ae2f99d2446f7d27cfd794bb205483319c365dfae6f3945a0d6d5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
cdc91a9264b0295d4a1e4186493c3789

SHA1
551470730165479682569101e87e52b03c217d09

SHA256
8b1a330ff272a2a929bac02ba99f8e0215dbafde14d6fadafc6b5496aedfc841

SHA512
1264bc2d1212fe19d344006d7a592ab97ad2a3b1bda25ffab16d49e79b97a4edd6c65111abaa7fabd9d3603f9fb458fc95b1cf5795c8d3ce61b7d82863d9d65d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
5b2723e9ea70253bb6b33273af7206f3

SHA1
209ed24476ee6ee4e5ec60a7860d68294ec2d50b

SHA256
a8794612fcd5f723b49d788a2effe8aac91c80a0d87cadd81392b58edca3768f

SHA512
2a611706bc713a12ac422194ba06256d47f54669d2655dd4afbcdb49b9c093a6989c1e3462430c9f32476ad8e6c432b8b24f7b0cf2588f1b422279527085bea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585f22.TMP

Filesize
1KB

MD5
319ad3c08b7e58f2ccdc2634ddbd3885

SHA1
da24d60bbb6e89e385bfcfac96d19d3f7360a793

SHA256
5b18487edc9faa5c90048613e906e8ee8c634e8ef190b6ea182e868775848e65

SHA512
9dd619a88b782639d4d10dc95f70842f3090604ca820da766d620d7df82e54ac1e10fbe8193110c62abec0ee9e960c87ad0fe61cca80574d915cf42b654e292a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
28c5fff304cdd278c3d7d1266a806f96

SHA1
83cf93cf425416fd96a3cf3ae12354e09ce06718

SHA256
3694563a15038d2527b30096ce7b00afbafa92ebe63dd2b1a746b5c1d20bc683

SHA512
eec93c75fcf4bb54841cd901dd69a489363e8c23fd5086aac937faeb1372d2612b3932d89df52c7ea05f12b5d62e89d62fca4cbf86028b252d6dc33144a4723f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
72bc848a251b25d5edbae502870f2e94

SHA1
1c36aff5d27e8b35d3b4d4eeb0231b2381127de0

SHA256
fc68ebf174ff79ea08eb7351e70b8daffdfa4f3492a4c70a04c93a83ea6b1bc4

SHA512
71e94fcd7806368533dee7fca662a162523238cbc7a1f08d4ac3f0fba256f32aa98d31b34a9fff68d8f8f14c70804643d03ba16228cc5bbecddca644e7374b29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
72bc848a251b25d5edbae502870f2e94

SHA1
1c36aff5d27e8b35d3b4d4eeb0231b2381127de0

SHA256
fc68ebf174ff79ea08eb7351e70b8daffdfa4f3492a4c70a04c93a83ea6b1bc4

SHA512
71e94fcd7806368533dee7fca662a162523238cbc7a1f08d4ac3f0fba256f32aa98d31b34a9fff68d8f8f14c70804643d03ba16228cc5bbecddca644e7374b29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
b20ae7106960bd28d777eb8505ddb5e0

SHA1
b979777a9376a1037a55e1f6d72360ba66600d4e

SHA256
3bddd8f3827e5fda31ddc58dbef29a256db762732912c5bf6700894de1a8aab9

SHA512
a0d06d149062b525fa0bb7fd5989eaf26132035dc7830a854c5efb7bac6999417aa65289b2b849a70a4817f1b2f451d870d665d15ef71fc0a55d969a40bbebc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
b20ae7106960bd28d777eb8505ddb5e0

SHA1
b979777a9376a1037a55e1f6d72360ba66600d4e

SHA256
3bddd8f3827e5fda31ddc58dbef29a256db762732912c5bf6700894de1a8aab9

SHA512
a0d06d149062b525fa0bb7fd5989eaf26132035dc7830a854c5efb7bac6999417aa65289b2b849a70a4817f1b2f451d870d665d15ef71fc0a55d969a40bbebc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1fbb8d71000b17995396acbfdc0f4488

SHA1
1a4aeb0041daa35c56fcdee07b93b20d9c139890

SHA256
028564e28997c88ca5d9501c72cc57ccf1cd5c846aebdd639a3c329ca83efc51

SHA512
c8e31db4185109871db40c24b6846c2f62038642b43b80e9abd36d58e352e30394e65ac20948f8de27bec61d698d9639ec015486571423e4513b40e294a67920

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9e398934d565791d2635a7fd006cedaf

SHA1
69f8371b1b7f9c2d9c3990fd96a9979028d8c719

SHA256
224b22f700413755920f5a3fcab845778b25a366ddc9738bcc1b4250b8d42e30

SHA512
abd9a17b57a6cb834e7bd770de9f5363af2aabc97168c0955385a4d652407936dd13f557642c237e5ba2e7535d555da21407e698762d02f87e3b9b6ea41ed307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
e635ae107cc031cb7047ca11b91a08fe

SHA1
b2050413cf2da1d919a309aec6db54f2e1c1aa5d

SHA256
722dfb4b5c606851519d23a8bd20fd6c1438cb68709fcf36134beeddb9f8a531

SHA512
6d2cd08f8ff0563aa73fd86193655f82c2e058d0897e0044856505034a41f649e5b7fd7cb04815cc2a72542bc3b97b112c7e75014aac02ed275e8d8cb41be925

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
e635ae107cc031cb7047ca11b91a08fe

SHA1
b2050413cf2da1d919a309aec6db54f2e1c1aa5d

SHA256
722dfb4b5c606851519d23a8bd20fd6c1438cb68709fcf36134beeddb9f8a531

SHA512
6d2cd08f8ff0563aa73fd86193655f82c2e058d0897e0044856505034a41f649e5b7fd7cb04815cc2a72542bc3b97b112c7e75014aac02ed275e8d8cb41be925

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
72bc848a251b25d5edbae502870f2e94

SHA1
1c36aff5d27e8b35d3b4d4eeb0231b2381127de0

SHA256
fc68ebf174ff79ea08eb7351e70b8daffdfa4f3492a4c70a04c93a83ea6b1bc4

SHA512
71e94fcd7806368533dee7fca662a162523238cbc7a1f08d4ac3f0fba256f32aa98d31b34a9fff68d8f8f14c70804643d03ba16228cc5bbecddca644e7374b29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
b20ae7106960bd28d777eb8505ddb5e0

SHA1
b979777a9376a1037a55e1f6d72360ba66600d4e

SHA256
3bddd8f3827e5fda31ddc58dbef29a256db762732912c5bf6700894de1a8aab9

SHA512
a0d06d149062b525fa0bb7fd5989eaf26132035dc7830a854c5efb7bac6999417aa65289b2b849a70a4817f1b2f451d870d665d15ef71fc0a55d969a40bbebc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2c171ef99dec711e914f8a43eb2aaa87

SHA1
a6c9afaee067e7497d76106b91053591c59577c7

SHA256
ae5a900ae9b12e4fb9499e53eb3c538ffc26d5256db065af7c28a5c203d1162e

SHA512
774eda709576754682a62e36cab4de8bb43a5756aa603f203230bbe7b2fa18aa7ad7fd347ca13cdb4be44c3b61d3b6d43eda8fc8c3394e87fa06b2c6fa92bf3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
e635ae107cc031cb7047ca11b91a08fe

SHA1
b2050413cf2da1d919a309aec6db54f2e1c1aa5d

SHA256
722dfb4b5c606851519d23a8bd20fd6c1438cb68709fcf36134beeddb9f8a531

SHA512
6d2cd08f8ff0563aa73fd86193655f82c2e058d0897e0044856505034a41f649e5b7fd7cb04815cc2a72542bc3b97b112c7e75014aac02ed275e8d8cb41be925

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311130349331\opera_package

Filesize
7.8MB

MD5
4c064baa0901b2a2ac3c28ab8166e49c

SHA1
7bbd04cdaaa3e1a1ec831bb0dd31fcfe4954bc3d

SHA256
4270808f1ea197bb77dcc5d5fbd42eca8a8ebe4b094908a6bc1d5a465135b113

SHA512
0f643ad5fbffd2bd22f4fba23fbaae719eb517f1f8a85d28b41cd53970b92fd640b4b483d02f3663172296cf8dc9c0bc1769bb0311287b5ad26afe37a36687d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
df8a130ef93c8922c459371bcd31d9c7

SHA1
7b4bdfdabb5ff08de0f83ed6858c57ba18f0d393

SHA256
0a394d266e36ef9b75ae2c390a7b68fa50e5188b8338217cf68deda683c84d40

SHA512
364f4c1cb242115266eea05a05bdc1068a6ce7778ae01f84dc3e570acbf5cda134f15e0addd2c7818fba326708b30362f29279e0ce96db51a8db73729f4af99a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9Bx9pp4.exe

Filesize
659KB

MD5
cfa3da6c69ff6f176c2c3d08072db258

SHA1
7e7884daa427e39591e1e18a3500232e2866f551

SHA256
09967c60e38b7de30828f102018afe51228269ed5ec114af959e309a28096acd

SHA512
04122e7892efd262d90c047c7cfcaba6128a4b0de1958505a4ee230a190b38c8e26e940333ed9daa4aaa99a4758d55b7e4357b914bd3a959b84f4870a829a0c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qG0Ky75.exe

Filesize
1.0MB

MD5
4a170a706c51cb6c832da72c7fad832c

SHA1
3b841811a763d67b8b4084f77ae0da6e81afe23d

SHA256
9a69398fad56edf468b0dae19f1adbeff2a8284aef05dd4971a1b002bc50e719

SHA512
57f772f3f771886b530ce65b6bc83355c4080385f0f6772c50527e11ce26aec81a8d4aed4f687cb1f5f3e126fbced992c933332acc17c0f7c75713867cbf4cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qG0Ky75.exe

Filesize
1.0MB

MD5
4a170a706c51cb6c832da72c7fad832c

SHA1
3b841811a763d67b8b4084f77ae0da6e81afe23d

SHA256
9a69398fad56edf468b0dae19f1adbeff2a8284aef05dd4971a1b002bc50e719

SHA512
57f772f3f771886b530ce65b6bc83355c4080385f0f6772c50527e11ce26aec81a8d4aed4f687cb1f5f3e126fbced992c933332acc17c0f7c75713867cbf4cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\8nW268RB.exe

Filesize
349KB

MD5
70baec4542feb73f057d4384d85ff811

SHA1
85e23c443a5af552347eea6c222bfb71dc07fc33

SHA256
8e0614c6914ee41d87ff66f8c95f4bee25deb6b4cebe527bebaa08732da8c4e4

SHA512
cacdcb7d644b9fbce8a647f6b7ff88edfc6caaaf4e032739f97223e7b23c1c52a883eadf47d5ac20e943ebb379476d60aca0aa419be384f08ad0db8c7e6d9b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\8nW268RB.exe

Filesize
349KB

MD5
70baec4542feb73f057d4384d85ff811

SHA1
85e23c443a5af552347eea6c222bfb71dc07fc33

SHA256
8e0614c6914ee41d87ff66f8c95f4bee25deb6b4cebe527bebaa08732da8c4e4

SHA512
cacdcb7d644b9fbce8a647f6b7ff88edfc6caaaf4e032739f97223e7b23c1c52a883eadf47d5ac20e943ebb379476d60aca0aa419be384f08ad0db8c7e6d9b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oa9gW24.exe

Filesize
800KB

MD5
63bb6b8281fe2d7fb4507c9cb31282cb

SHA1
99b91d25727d37504a7774fd98f73178bc47c638

SHA256
915e708a59c97ad5a13593cf270a56d6d3fa693917e05d51dcb75326b5d3db0e

SHA512
432ff7be6af8e3ff964dc7aef28344335495d5f76942a0c841d0caee5bd2b2b9db14ed29bd069a0cb6d462139179e600fa11400958b35d4684ed4424c5f4f054

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oa9gW24.exe

Filesize
800KB

MD5
63bb6b8281fe2d7fb4507c9cb31282cb

SHA1
99b91d25727d37504a7774fd98f73178bc47c638

SHA256
915e708a59c97ad5a13593cf270a56d6d3fa693917e05d51dcb75326b5d3db0e

SHA512
432ff7be6af8e3ff964dc7aef28344335495d5f76942a0c841d0caee5bd2b2b9db14ed29bd069a0cb6d462139179e600fa11400958b35d4684ed4424c5f4f054

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7Cm46eE.exe

Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7Cm46eE.exe

Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zM6Oz18.exe

Filesize
675KB

MD5
1ce6441c8a28a4066bc35c72d7ef26f6

SHA1
b97cc3e65e099cb020438faa6b478c5211760d77

SHA256
31bb7caf66d59d7a3ce4a9db6dabe1de2d9f050ceae4192eaa07304680931717

SHA512
9594a7c3a4e03f9dd01ca7cb0553860bb0f988d036a66ddde5a377dd8bb0fbc360c5c48fd23dcddebcf30c840cf839952318d73b123090fe2690b4154c631533

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zM6Oz18.exe

Filesize
675KB

MD5
1ce6441c8a28a4066bc35c72d7ef26f6

SHA1
b97cc3e65e099cb020438faa6b478c5211760d77

SHA256
31bb7caf66d59d7a3ce4a9db6dabe1de2d9f050ceae4192eaa07304680931717

SHA512
9594a7c3a4e03f9dd01ca7cb0553860bb0f988d036a66ddde5a377dd8bb0fbc360c5c48fd23dcddebcf30c840cf839952318d73b123090fe2690b4154c631533

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ16qx0.exe

Filesize
895KB

MD5
46e42f41a604394344176da6dac9fa9c

SHA1
d5bce2a49373f47633b7485301efa103f9921120

SHA256
4fd68f726850444e14d39be3ddfaab23161f6dcaed073f0967e8766207591409

SHA512
39740214d1c0e250b12d185f9e8a9e5c10f3817e30f1b5078bbaac529706f7b259a4631c88249f59e218cfed2192dec8b3ae7872ed6d3a002246a5748d08fb3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jJ16qx0.exe

Filesize
895KB

MD5
46e42f41a604394344176da6dac9fa9c

SHA1
d5bce2a49373f47633b7485301efa103f9921120

SHA256
4fd68f726850444e14d39be3ddfaab23161f6dcaed073f0967e8766207591409

SHA512
39740214d1c0e250b12d185f9e8a9e5c10f3817e30f1b5078bbaac529706f7b259a4631c88249f59e218cfed2192dec8b3ae7872ed6d3a002246a5748d08fb3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2LX2769.exe

Filesize
310KB

MD5
d9ce87d093c201e785fb49c93d24ff66

SHA1
9677dd7e99e1207c8fe695c146f7aecdf2ffa575

SHA256
276e479ae1a7c7c5b79325c3ad6352d4e737a4eab5549d2f83e8ff5fc6454a9f

SHA512
926532078e7f7151888fae251f1ec2e0d2e37e89cf931728c6b40a3a3a8cc09ccfbd7a25f3280615c5ed8c665460f0b79a7ac587b87a62116b22d4f678879051

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2LX2769.exe

Filesize
310KB

MD5
d9ce87d093c201e785fb49c93d24ff66

SHA1
9677dd7e99e1207c8fe695c146f7aecdf2ffa575

SHA256
276e479ae1a7c7c5b79325c3ad6352d4e737a4eab5549d2f83e8ff5fc6454a9f

SHA512
926532078e7f7151888fae251f1ec2e0d2e37e89cf931728c6b40a3a3a8cc09ccfbd7a25f3280615c5ed8c665460f0b79a7ac587b87a62116b22d4f678879051

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

Filesize
2.5MB

MD5
f13cf6c130d41595bc96be10a737cb18

SHA1
6b14ea97930141aa5caaeeeb13dd4c6dad55d102

SHA256
dd7aaf7ef0e5b3797eaf5182e7b192fa014b735e129e00e0c662829ce0c2515f

SHA512
ccd4f57b1af1f348fcf9f519a4789c04b499ac5e02ccb7333d0a42fa1cb1fdf9f969103b3a5467e278cd5c6cbbbbebaac4577d0c220e13335575a13408c79b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2311130349321883076.dll

Filesize
4.6MB

MD5
0d2cf5e6c13d156467618f37174dd4b5

SHA1
a324c41cbbf96e458072f337a2ef2a61db463d60

SHA256
1845335f4172bd93f2011ff12da6f3d2f99d33740cc1f3ab2201b8205cb773b6

SHA512
f2af281d0702aab8984de88376986f09efc1f4c891353bc6bd4f2c40576ae33858912261502c78b5e0fa92f255a992d4532cf9a9e76a53b46ea263a6b60e2cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jcabe0fw.mir.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\random.exe

Filesize
141KB

MD5
326781a332c7040492dc96b13fb126e5

SHA1
d03d8e89a6c75a14f512eeabf180a2f69d30e884

SHA256
0f09f8f60741e8b3c28dc927ff1b3318d8faa623d641704b605bc38142f54f28

SHA512
e701babafad09f1115511949f3061275bc6fbc54756d40f038aa9be708ff06736413367395bff7e157035aa9260ada439ad9a8d4c2c48c14de94c42f6ec0c2bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
221KB

MD5
82cd8d85dc427bfd991758f573525d23

SHA1
8a9f53dced366c5afb0e2a26186059fc34f9423d

SHA256
728a6f117ca91dfa121d74832b9eac2b995ec9887700c7832603730e0300bf4b

SHA512
422ecd38f2d744138dbc9994756407c4bccb9d539cda18bcf873824d1658c9fd264f31af356e171ff728e98d1a90e88af776b238b8fb7d4b4102ff9a8cc10e8a

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
01ffa7b0baa2d7190ff9006edf85b233

SHA1
3ad84e7fcaab334b16d8a29d2468d4cddb802edd

SHA256
2f395588b2bb263ac2e7381d5a5ae9253a92d3cfce2370ede571e75ce006e9af

SHA512
a0ec69ea8d2a1f0dda1ccdedaab96b1e7f70108c9569f59cab24182a163d45be3d1a72262c61f553a35ff87477aa1907cf4d654ec72406e46b0bedd195996cc8

Download Submit
C:\Users\Admin\Pictures\MpHLVS6PaiVNJILEb9ZPSfgj.exe

Filesize
5.2MB

MD5
9873907d252dcecd6baea9a11ac4b0da

SHA1
102562c75d3dbb2c9b2922674f83c5f0f36e3d0c

SHA256
a5c68511132b9590f0d60bc6fa5f43999c25d636d0b29aae1ff3787688907fe7

SHA512
2054607e09f31d65060a8b8205755f785b5ea0be9b248977b00fa95ed2938313309876d91b7fef5d33866024cf52cf0dd7a73336e703e035770e24b506db19c8

Download Submit
C:\Users\Admin\Pictures\RIeNskVmddiZ3qlQh7Y0nOzI.exe

Filesize
4.1MB

MD5
1aa4b7fe66f4cdeab235562d59d08f87

SHA1
69cc7fbf494b89bdf329bd5036bb8039596e0184

SHA256
741891f7a8dd46182ae9925663d89a5b5e74f93ecf1e773bc30fe96f8e09ffbe

SHA512
4532660a5ddbd0f2f8d52de8533565539ec63651f8d3a1ef942f1cd8fbe5ad5ca0cae5ddb65debe4b82d03ab14ee0fca8f407df62c55efe69e316f3a383c7a5f

Download Submit
C:\Users\Admin\Pictures\RYzZr1uXKEuCwheqcnPrCTcW.exe

Filesize
2.8MB

MD5
772e504b00200f2c7ad87ddf60920097

SHA1
ca8777f54321f78b9eccc5176ce7ecac5978356a

SHA256
880d1747410a2fcb3bc47bf54157ba12a1e18b6e46e6de55e25c67bd09bfdccf

SHA512
9ab1e2add8b217157c82225dc62cf7c7295352eadff803dc01c8b68f94b59b17b6e958a954a3c7afa69811ab951fb0aafdd0c25b3fe230d200a94f1d1b7a9d8c

Download Submit
C:\Users\Admin\Pictures\cBdTGxwseopvacbKFMoXTBdv.exe

Filesize
7KB

MD5
fcad815e470706329e4e327194acc07c

SHA1
c4edd81d00318734028d73be94bc3904373018a9

SHA256
280d939a66a0107297091b3b6f86d6529ef6fac222a85dbc82822c3d5dc372b8

SHA512
f4031b49946da7c6c270e0354ac845b5c77b9dfcd267442e0571dd33ccd5146bc352ed42b59800c9d166c8c1ede61469a00a4e8d3738d937502584e8a1b72485

Download Submit
C:\Users\Admin\Pictures\fKsyzovuMsNQE2JYwuWyxuPO.exe

Filesize
4.8MB

MD5
ff6c6212c086b2ea7bb1537a6e9b0abb

SHA1
f058d292f83c16450af74d870056cb742d23b3a3

SHA256
1abe626a7cbd4639f1ba56a6c4dab7f2dd9ad08396eb80ee4a21b0f7ef69d875

SHA512
3b495b12a67cc1cfb73a195ffe62bcccd3d8cf7a8abe556f493d74c835e453b8ad80529b4a24150b25c0eee2807d5fc9e0d43f572869a926435017311cdd97d5

Download Submit
C:\Users\Admin\Pictures\gI98ctdmpsckUN3iQnNQRn5p.exe

Filesize
145KB

MD5
90dd1720cb5f0a539358d8895d3fd27a

SHA1
c1375d0b31adc36f91feb45df705c7e662c95d7d

SHA256
e69a88b0f9ec61f4acf22f9a3d96f60eb3a04db58a74eb4315700ac465de9e01

SHA512
c6e3f1e03f93f6aaa1b93bca21f3a93d6539ede45b06869d3a1daf983d5f1c68bc7e8895126b3d02d4b85854ac3991ecada77ddff2cbdc81c1e93f1f12c4ada1

Download Submit
C:\Users\Admin\Pictures\k0DtTpBVIi4ZI5KK719XhHg8.exe

Filesize
3.1MB

MD5
823b5fcdef282c5318b670008b9e6922

SHA1
d20cd5321d8a3d423af4c6dabc0ac905796bdc6d

SHA256
712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d

SHA512
4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

Download Submit
C:\Users\Admin\Pictures\oZCQQCayapiqeXbc3YG6Z0Lt.exe

Filesize
221KB

MD5
4ea71b88c6102990496206084fe59321

SHA1
32e2ccdb47350a561353fe2393f34839e3eef887

SHA256
f3a9883557b07a8bbe3ad42bf14420eb6a719c7e331c5611fe532edee2642cb6

SHA512
b7eb56da2f7ccbd70c7ec1064530e61419bb7b33eae1a74ae620caa4f58be562ee9f8edf07248d45165234fd42dba63d9b6d5d616b3815db7ef170c5b466cf39

Download Submit
C:\Users\Admin\Pictures\w5EBIOwpJCkCo7YuaQzkz2ZJ.exe

Filesize
4.1MB

MD5
05f8fedb9b645fd9a172f7bd0fa29928

SHA1
edd75603b440bf1cd6ca7791de0f2701278098b3

SHA256
2d34fe146d8502ccc47c98f70b4bdd1c5576994d1265fe1415af6444d8b54a41

SHA512
9c6797c0ccecf9a27cd5eb7092e0355c0b185794b177321fa299294b846cc0a8ee47f16ad7cbba1a0e85e3c6683ccefb917dc52b9117f7ce167345afdc3dab12

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/664-724-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/664-717-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/664-726-0x0000000005690000-0x00000000056A0000-memory.dmp

Filesize
64KB

Download
memory/1292-671-0x0000000000470000-0x000000000049A000-memory.dmp

Filesize
168KB

Download
memory/1292-687-0x0000000004F80000-0x0000000004F9A000-memory.dmp

Filesize
104KB

Download
memory/1292-684-0x0000000004C50000-0x0000000004C6C000-memory.dmp

Filesize
112KB

Download
memory/1292-723-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/1292-666-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/1292-682-0x0000000004CB0000-0x0000000004CC0000-memory.dmp

Filesize
64KB

Download
memory/2008-619-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/2008-618-0x0000000000070000-0x0000000000D18000-memory.dmp

Filesize
12.7MB

Download
memory/2008-680-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/3168-432-0x0000000002E00000-0x0000000002E16000-memory.dmp

Filesize
88KB

Download
memory/3192-735-0x00000000046C0000-0x00000000046F6000-memory.dmp

Filesize
216KB

Download
memory/3192-740-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/3192-743-0x0000000004670000-0x0000000004680000-memory.dmp

Filesize
64KB

Download
memory/3192-745-0x0000000004670000-0x0000000004680000-memory.dmp

Filesize
64KB

Download
memory/3192-747-0x0000000004D30000-0x0000000005358000-memory.dmp

Filesize
6.2MB

Download
memory/3192-794-0x0000000004D00000-0x0000000004D22000-memory.dmp

Filesize
136KB

Download
memory/3928-804-0x0000000000C40000-0x0000000000E78000-memory.dmp

Filesize
2.2MB

Download
memory/4080-731-0x000001A79C220000-0x000001A79C300000-memory.dmp

Filesize
896KB

Download
memory/4080-753-0x000001A79C220000-0x000001A79C300000-memory.dmp

Filesize
896KB

Download
memory/4080-688-0x00007FFCC2E50000-0x00007FFCC3911000-memory.dmp

Filesize
10.8MB

Download
memory/4080-785-0x000001A79C220000-0x000001A79C300000-memory.dmp

Filesize
896KB

Download
memory/4080-697-0x000001A79C220000-0x000001A79C300000-memory.dmp

Filesize
896KB

Download
memory/4080-698-0x000001A79C220000-0x000001A79C300000-memory.dmp

Filesize
896KB

Download
memory/4080-700-0x000001A79C220000-0x000001A79C300000-memory.dmp

Filesize
896KB

Download
memory/4080-676-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4080-769-0x000001A79C220000-0x000001A79C300000-memory.dmp

Filesize
896KB

Download
memory/4080-702-0x000001A79C220000-0x000001A79C300000-memory.dmp

Filesize
896KB

Download
memory/4080-708-0x000001A79C220000-0x000001A79C300000-memory.dmp

Filesize
896KB

Download
memory/4080-683-0x000001A79C220000-0x000001A79C304000-memory.dmp

Filesize
912KB

Download
memory/4080-679-0x000001A7B4CC0000-0x000001A7B4CD0000-memory.dmp

Filesize
64KB

Download
memory/4080-710-0x000001A79C220000-0x000001A79C300000-memory.dmp

Filesize
896KB

Download
memory/4080-762-0x000001A79C220000-0x000001A79C300000-memory.dmp

Filesize
896KB

Download
memory/4080-712-0x000001A79C220000-0x000001A79C300000-memory.dmp

Filesize
896KB

Download
memory/4080-760-0x000001A79C220000-0x000001A79C300000-memory.dmp

Filesize
896KB

Download
memory/4080-755-0x000001A79C220000-0x000001A79C300000-memory.dmp

Filesize
896KB

Download
memory/4080-719-0x000001A79C220000-0x000001A79C300000-memory.dmp

Filesize
896KB

Download
memory/4080-716-0x000001A79C220000-0x000001A79C300000-memory.dmp

Filesize
896KB

Download
memory/4080-722-0x000001A79C220000-0x000001A79C300000-memory.dmp

Filesize
896KB

Download
memory/4080-748-0x000001A79C220000-0x000001A79C300000-memory.dmp

Filesize
896KB

Download
memory/4080-744-0x000001A79C220000-0x000001A79C300000-memory.dmp

Filesize
896KB

Download
memory/4080-727-0x000001A79C220000-0x000001A79C300000-memory.dmp

Filesize
896KB

Download
memory/4080-741-0x000001A79C220000-0x000001A79C300000-memory.dmp

Filesize
896KB

Download
memory/4080-729-0x000001A79C220000-0x000001A79C300000-memory.dmp

Filesize
896KB

Download
memory/4080-714-0x000001A79C220000-0x000001A79C300000-memory.dmp

Filesize
896KB

Download
memory/4080-736-0x000001A79C220000-0x000001A79C300000-memory.dmp

Filesize
896KB

Download
memory/4080-733-0x000001A79C220000-0x000001A79C300000-memory.dmp

Filesize
896KB

Download
memory/5404-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5404-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5404-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5404-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5628-850-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/5728-573-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5728-677-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/5728-795-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/5728-580-0x0000000008BF0000-0x0000000008C0E000-memory.dmp

Filesize
120KB

Download
memory/5728-576-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/5728-577-0x0000000007590000-0x00000000075A0000-memory.dmp

Filesize
64KB

Download
memory/5728-578-0x0000000008100000-0x0000000008166000-memory.dmp

Filesize
408KB

Download
memory/5728-696-0x0000000007590000-0x00000000075A0000-memory.dmp

Filesize
64KB

Download
memory/5728-581-0x0000000008CA0000-0x0000000008CF0000-memory.dmp

Filesize
320KB

Download
memory/5728-571-0x0000000000550000-0x00000000005AA000-memory.dmp

Filesize
360KB

Download
memory/5728-579-0x0000000008B30000-0x0000000008BA6000-memory.dmp

Filesize
472KB

Download
memory/5728-610-0x00000000090F0000-0x000000000961C000-memory.dmp

Filesize
5.2MB

Download
memory/5728-609-0x0000000008F20000-0x00000000090E2000-memory.dmp

Filesize
1.8MB

Download
memory/5752-672-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/6484-849-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/6484-846-0x0000000006010000-0x00000000061A2000-memory.dmp

Filesize
1.6MB

Download
memory/6484-830-0x0000000005E60000-0x000000000600A000-memory.dmp

Filesize
1.7MB

Download
memory/6484-663-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/6484-674-0x00000000055E0000-0x000000000567C000-memory.dmp

Filesize
624KB

Download
memory/6484-664-0x00000000006C0000-0x0000000000AB8000-memory.dmp

Filesize
4.0MB

Download
memory/6484-681-0x0000000005350000-0x0000000005360000-memory.dmp

Filesize
64KB

Download
memory/6600-646-0x0000027C2F310000-0x0000027C2F3D8000-memory.dmp

Filesize
800KB

Download
memory/6600-647-0x0000027C2F4E0000-0x0000027C2F5A8000-memory.dmp

Filesize
800KB

Download
memory/6600-630-0x0000027C169B0000-0x0000027C16A96000-memory.dmp

Filesize
920KB

Download
memory/6600-632-0x00007FFCC2E50000-0x00007FFCC3911000-memory.dmp

Filesize
10.8MB

Download
memory/6600-685-0x00007FFCC2E50000-0x00007FFCC3911000-memory.dmp

Filesize
10.8MB

Download
memory/6600-654-0x0000027C168E0000-0x0000027C1692C000-memory.dmp

Filesize
304KB

Download
memory/6600-624-0x0000027C14A40000-0x0000027C14BA0000-memory.dmp

Filesize
1.4MB

Download
memory/6600-634-0x0000027C2F230000-0x0000027C2F310000-memory.dmp

Filesize
896KB

Download
memory/6988-434-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/6988-273-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/7160-528-0x0000000007820000-0x0000000007832000-memory.dmp

Filesize
72KB

Download
memory/7160-522-0x0000000007750000-0x000000000775A000-memory.dmp

Filesize
40KB

Download
memory/7160-521-0x0000000007740000-0x0000000007750000-memory.dmp

Filesize
64KB

Download
memory/7160-519-0x00000000075B0000-0x0000000007642000-memory.dmp

Filesize
584KB

Download
memory/7160-518-0x0000000007AC0000-0x0000000008064000-memory.dmp

Filesize
5.6MB

Download
memory/7160-517-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/7160-514-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/7160-526-0x0000000008690000-0x0000000008CA8000-memory.dmp

Filesize
6.1MB

Download
memory/7160-527-0x0000000007980000-0x0000000007A8A000-memory.dmp

Filesize
1.0MB

Download
memory/7160-529-0x00000000078B0000-0x00000000078EC000-memory.dmp

Filesize
240KB

Download
memory/7160-534-0x00000000078F0000-0x000000000793C000-memory.dmp

Filesize
304KB

Download
memory/7160-625-0x0000000073ED0000-0x0000000074680000-memory.dmp

Filesize
7.7MB

Download
memory/7160-639-0x0000000007740000-0x0000000007750000-memory.dmp

Filesize
64KB

Download