amadey | 3726fd2adc46647baeedba9144d1fa6e0634c08f55f183fcf4c5e67c763b446a

Analysis

max time kernel
76s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2024, 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3726fd2adc46647baeedba9144d1fa6e0634c08f55f183fcf4c5e67c763b446a.exe
Size

1.9MB
MD5

0e7c3afcce5e1afbdcc07e76fcac2411
SHA1

699038b57cb6442818325a8138fa83d0e05ea4ef
SHA256

3726fd2adc46647baeedba9144d1fa6e0634c08f55f183fcf4c5e67c763b446a
SHA512

1005a9a3ae2b6902d74208f2cb58e11b71feb32d7a048961027e3b2b30b51a9cfcf9dfc74139070787a0203bdab5b5f6f6814a8df396e4e6c23b220740ec54ed
SSDEEP

49152:Bm0qroo2q2hNg2kSoeu+JL5wRHD5pasPskF:Y0joWjg2k6GtmmskF

Score

10^/10

amadey redline risepro zgrat livetraffic evasion infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.15

http://185.215.113.68

Attributes

install_dir
d887ceb89d
install_file
explorhe.exe
strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

risepro

193.233.132.62:50500

Extracted

Family

redline

Botnet

LiveTraffic

20.79.30.95:33223

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 40 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023349-664.dat	family_zgrat_v1
behavioral2/files/0x0006000000023349-678.dat	family_zgrat_v1
behavioral2/files/0x0006000000023349-677.dat	family_zgrat_v1
behavioral2/memory/4840-679-0x00000000005B0000-0x0000000000622000-memory.dmp	family_zgrat_v1
behavioral2/memory/6872-955-0x0000020223C60000-0x0000020223D92000-memory.dmp	family_zgrat_v1
behavioral2/memory/6872-957-0x0000020223C60000-0x0000020223D8D000-memory.dmp	family_zgrat_v1
behavioral2/memory/6872-959-0x0000020223C60000-0x0000020223D8D000-memory.dmp	family_zgrat_v1
behavioral2/memory/6872-963-0x0000020223C60000-0x0000020223D8D000-memory.dmp	family_zgrat_v1
behavioral2/memory/6872-961-0x0000020223C60000-0x0000020223D8D000-memory.dmp	family_zgrat_v1
behavioral2/memory/6872-965-0x0000020223C60000-0x0000020223D8D000-memory.dmp	family_zgrat_v1
behavioral2/memory/6872-956-0x0000020223C60000-0x0000020223D8D000-memory.dmp	family_zgrat_v1
behavioral2/memory/6872-969-0x0000020223C60000-0x0000020223D8D000-memory.dmp	family_zgrat_v1
behavioral2/memory/6872-971-0x0000020223C60000-0x0000020223D8D000-memory.dmp	family_zgrat_v1
behavioral2/memory/6872-973-0x0000020223C60000-0x0000020223D8D000-memory.dmp	family_zgrat_v1
behavioral2/memory/6872-975-0x0000020223C60000-0x0000020223D8D000-memory.dmp	family_zgrat_v1
behavioral2/memory/6872-977-0x0000020223C60000-0x0000020223D8D000-memory.dmp	family_zgrat_v1
behavioral2/memory/6872-979-0x0000020223C60000-0x0000020223D8D000-memory.dmp	family_zgrat_v1
behavioral2/memory/6872-981-0x0000020223C60000-0x0000020223D8D000-memory.dmp	family_zgrat_v1
behavioral2/memory/6872-983-0x0000020223C60000-0x0000020223D8D000-memory.dmp	family_zgrat_v1
behavioral2/memory/6872-967-0x0000020223C60000-0x0000020223D8D000-memory.dmp	family_zgrat_v1
behavioral2/memory/6872-985-0x0000020223C60000-0x0000020223D8D000-memory.dmp	family_zgrat_v1
behavioral2/memory/6872-987-0x0000020223C60000-0x0000020223D8D000-memory.dmp	family_zgrat_v1
behavioral2/memory/6872-989-0x0000020223C60000-0x0000020223D8D000-memory.dmp	family_zgrat_v1
behavioral2/memory/6872-991-0x0000020223C60000-0x0000020223D8D000-memory.dmp	family_zgrat_v1
behavioral2/memory/6872-993-0x0000020223C60000-0x0000020223D8D000-memory.dmp	family_zgrat_v1
behavioral2/memory/6872-995-0x0000020223C60000-0x0000020223D8D000-memory.dmp	family_zgrat_v1
behavioral2/memory/6872-997-0x0000020223C60000-0x0000020223D8D000-memory.dmp	family_zgrat_v1
behavioral2/memory/6872-999-0x0000020223C60000-0x0000020223D8D000-memory.dmp	family_zgrat_v1
behavioral2/memory/6872-1001-0x0000020223C60000-0x0000020223D8D000-memory.dmp	family_zgrat_v1
behavioral2/memory/6872-1003-0x0000020223C60000-0x0000020223D8D000-memory.dmp	family_zgrat_v1
behavioral2/memory/6872-1005-0x0000020223C60000-0x0000020223D8D000-memory.dmp	family_zgrat_v1
behavioral2/memory/6872-1007-0x0000020223C60000-0x0000020223D8D000-memory.dmp	family_zgrat_v1
behavioral2/memory/6872-1011-0x0000020223C60000-0x0000020223D8D000-memory.dmp	family_zgrat_v1
behavioral2/memory/6872-1013-0x0000020223C60000-0x0000020223D8D000-memory.dmp	family_zgrat_v1
behavioral2/memory/6872-1009-0x0000020223C60000-0x0000020223D8D000-memory.dmp	family_zgrat_v1
behavioral2/files/0x00070000000233ce-1167.dat	family_zgrat_v1
behavioral2/memory/7072-1194-0x0000000000E80000-0x0000000000EF2000-memory.dmp	family_zgrat_v1
behavioral2/files/0x00070000000233e4-1747.dat	family_zgrat_v1
behavioral2/files/0x00060000000233e7-3650.dat	family_zgrat_v1
behavioral2/files/0x0007000000023414-4728.dat	family_zgrat_v1

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	msedge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	msedge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	msedge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	msedge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	msedge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	msedge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	msedge.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/memory/1984-684-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral2/files/0x000700000002340c-3776.dat	family_redline
behavioral2/files/0x000800000002341f-4784.dat	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 5544 created 3316	5544	Ground.pif	51
PID 5544 created 3316	5544	Ground.pif	51

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
136	5664	rundll32.exe

Downloads MZ/PE file

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/files/0x00060000000233e7-3650.dat	net_reactor

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	2OP8223.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	7Um7OF20.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	explorhe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	newrock2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url	cmd.exe

Executes dropped EXE 22 IoCs

pid	Process
1244	Qv3ac95.exe
1936	1hs68Hq1.exe
2012	2OP8223.exe
5544	Ground.pif
6076	7Um7OF20.exe
5580	explorhe.exe
1396	perlo.exe
4600	leru.exe
4840	crypted.exe
6872	Setup11234.exe
6816	explorhe.exe
6632	newrock2.exe
6528	InstallSetup7.exe
6804	31839b57a4f11171d6abc8bbc4451ee4.exe
6520	BroomSetup.exe
6844	rty25.exe
7072	autorun.exe
6508	nsj5BC9.tmp
5112	msedge.exe
6796	chrome.exe
4128	msedge.exe
4592	qemu-ga.exe

Loads dropped DLL 3 IoCs

pid	Process
5664	rundll32.exe
6528	InstallSetup7.exe
6528	InstallSetup7.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\perlo.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000227001\\perlo.exe"	explorhe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leru.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000228001\\leru.exe"	explorhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3726fd2adc46647baeedba9144d1fa6e0634c08f55f183fcf4c5e67c763b446a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Qv3ac95.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000700000002322f-11.dat	autoit_exe
behavioral2/files/0x000700000002322f-13.dat	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4840 set thread context of 1984	4840	crypted.exe	166
PID 7072 set thread context of 1756	7072	autorun.exe	185

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1248	4128	WerFault.exe	190
3884	7972	WerFault.exe	318
7440	952	WerFault.exe	297
7928	3976	WerFault.exe	369

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4352	schtasks.exe
6420	schtasks.exe
6784	schtasks.exe
3020	schtasks.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
6068	tasklist.exe
4048	tasklist.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31081902"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{395A850F-B1A1-11EE-9A4E-CAE9171F1CAB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "235062788"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31081902"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31081902"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "237557395"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "235062788"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133495752599618780"	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1176	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4932	msedge.exe
4932	msedge.exe
2184	msedge.exe
2184	msedge.exe
3612	msedge.exe
3612	msedge.exe
5232	msedge.exe
5232	msedge.exe
5544	Ground.pif
5544	Ground.pif
5544	Ground.pif
5544	Ground.pif
5544	Ground.pif
5544	Ground.pif
5544	Ground.pif
5544	Ground.pif
5544	Ground.pif
5544	Ground.pif
5544	Ground.pif
5544	Ground.pif
5544	Ground.pif
5544	Ground.pif
5544	Ground.pif
5544	Ground.pif
5544	Ground.pif
5544	Ground.pif
5544	Ground.pif
5544	Ground.pif
776	identity_helper.exe
776	identity_helper.exe
4896	powershell.exe
4896	powershell.exe
4896	powershell.exe
2412	chrome.exe
2412	chrome.exe
1984	RegAsm.exe
1984	RegAsm.exe
1984	RegAsm.exe
1984	RegAsm.exe
1984	RegAsm.exe
1984	RegAsm.exe
1984	RegAsm.exe
1984	RegAsm.exe
1984	RegAsm.exe
1984	RegAsm.exe
1984	RegAsm.exe
1984	RegAsm.exe
1984	RegAsm.exe
1984	RegAsm.exe
1984	RegAsm.exe
1984	RegAsm.exe
5544	Ground.pif
5544	Ground.pif
1304	powershell.exe
1304	powershell.exe
6796	chrome.exe
6796	chrome.exe
1304	powershell.exe
1756	RegAsm.exe
1756	RegAsm.exe
1756	RegAsm.exe
1984	RegAsm.exe
1984	RegAsm.exe
1984	RegAsm.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
2412	chrome.exe
2412	chrome.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: 33	5236	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5236	AUDIODG.EXE
Token: SeDebugPrivilege	6068	tasklist.exe
Token: SeDebugPrivilege	4048	tasklist.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeDebugPrivilege	1984	RegAsm.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeDebugPrivilege	4128	msedge.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	6796	chrome.exe
Token: SeDebugPrivilege	1756	RegAsm.exe
Token: SeDebugPrivilege	6872	Setup11234.exe

Suspicious use of FindShellTrayWindow 59 IoCs

pid	Process
1936	1hs68Hq1.exe
1936	1hs68Hq1.exe
1936	1hs68Hq1.exe
1936	1hs68Hq1.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
5544	Ground.pif
5544	Ground.pif
5544	Ground.pif
2172	iexplore.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe

Suspicious use of SendNotifyMessage 55 IoCs

pid	Process
1936	1hs68Hq1.exe
1936	1hs68Hq1.exe
1936	1hs68Hq1.exe
1936	1hs68Hq1.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
5544	Ground.pif
5544	Ground.pif
5544	Ground.pif
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1396	perlo.exe
2172	iexplore.exe
2172	iexplore.exe
4552	IEXPLORE.EXE
4552	IEXPLORE.EXE
6520	BroomSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 1244	4812	3726fd2adc46647baeedba9144d1fa6e0634c08f55f183fcf4c5e67c763b446a.exe	89
PID 4812 wrote to memory of 1244	4812	3726fd2adc46647baeedba9144d1fa6e0634c08f55f183fcf4c5e67c763b446a.exe	89
PID 4812 wrote to memory of 1244	4812	3726fd2adc46647baeedba9144d1fa6e0634c08f55f183fcf4c5e67c763b446a.exe	89
PID 1244 wrote to memory of 1936	1244	Qv3ac95.exe	91
PID 1244 wrote to memory of 1936	1244	Qv3ac95.exe	91
PID 1244 wrote to memory of 1936	1244	Qv3ac95.exe	91
PID 1936 wrote to memory of 3612	1936	1hs68Hq1.exe	93
PID 1936 wrote to memory of 3612	1936	1hs68Hq1.exe	93
PID 3612 wrote to memory of 4760	3612	msedge.exe	96
PID 3612 wrote to memory of 4760	3612	msedge.exe	96
PID 1936 wrote to memory of 4080	1936	1hs68Hq1.exe	95
PID 1936 wrote to memory of 4080	1936	1hs68Hq1.exe	95
PID 4080 wrote to memory of 3984	4080	msedge.exe	97
PID 4080 wrote to memory of 3984	4080	msedge.exe	97
PID 1936 wrote to memory of 3824	1936	1hs68Hq1.exe	98
PID 1936 wrote to memory of 3824	1936	1hs68Hq1.exe	98
PID 3824 wrote to memory of 1188	3824	msedge.exe	99
PID 3824 wrote to memory of 1188	3824	msedge.exe	99
PID 1244 wrote to memory of 2012	1244	Qv3ac95.exe	100
PID 1244 wrote to memory of 2012	1244	Qv3ac95.exe	100
PID 1244 wrote to memory of 2012	1244	Qv3ac95.exe	100
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 3612 wrote to memory of 3636	3612	msedge.exe	103
PID 4080 wrote to memory of 4000	4080	msedge.exe	102
PID 4080 wrote to memory of 4000	4080	msedge.exe	102
PID 4080 wrote to memory of 4000	4080	msedge.exe	102

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3316
- C:\Users\Admin\AppData\Local\Temp\3726fd2adc46647baeedba9144d1fa6e0634c08f55f183fcf4c5e67c763b446a.exe
  "C:\Users\Admin\AppData\Local\Temp\3726fd2adc46647baeedba9144d1fa6e0634c08f55f183fcf4c5e67c763b446a.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4812
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qv3ac95.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qv3ac95.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1hs68Hq1.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1hs68Hq1.exe
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1936
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3612
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x148,0x170,0x7ffc4a7346f8,0x7ffc4a734708,0x7ffc4a734718
        6⤵
        
        PID:4760
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2260,1337889940053100349,3888666742498445703,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 /prefetch:2
        6⤵
        
        PID:3636
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2260,1337889940053100349,3888666742498445703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4932
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2260,1337889940053100349,3888666742498445703,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2968 /prefetch:8
        6⤵
        
        PID:4588
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,1337889940053100349,3888666742498445703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
        6⤵
        
        PID:3856
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,1337889940053100349,3888666742498445703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
        6⤵
        
        PID:1064
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,1337889940053100349,3888666742498445703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1
        6⤵
        
        PID:5248
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,1337889940053100349,3888666742498445703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
        6⤵
        
        PID:5304
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,1337889940053100349,3888666742498445703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
        6⤵
        
        PID:5716
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2260,1337889940053100349,3888666742498445703,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5752 /prefetch:8
        6⤵
        
        PID:4768
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2260,1337889940053100349,3888666742498445703,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5936 /prefetch:8
        6⤵
        
        PID:5340
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2260,1337889940053100349,3888666742498445703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6088 /prefetch:8
        6⤵
        
        PID:3192
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2260,1337889940053100349,3888666742498445703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6088 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:776
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,1337889940053100349,3888666742498445703,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
        6⤵
        
        PID:2840
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,1337889940053100349,3888666742498445703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
        6⤵
        
        PID:3544
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,1337889940053100349,3888666742498445703,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
        6⤵
        
        PID:5616
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,1337889940053100349,3888666742498445703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
        6⤵
        
        PID:4140
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://facebook.com/login
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4080
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffc4a7346f8,0x7ffc4a734708,0x7ffc4a734718
        6⤵
        
        PID:3984
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,3759049675100670040,2133421692433362679,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
        6⤵
        
        PID:4000
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,3759049675100670040,2133421692433362679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2184
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3824
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc4a7346f8,0x7ffc4a734708,0x7ffc4a734718
        6⤵
        
        PID:1188
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,16266628018250376621,11734574949539003914,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
        6⤵
        
        PID:5124
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,16266628018250376621,11734574949539003914,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5232
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2OP8223.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2OP8223.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:2012
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k cmd < Bathrooms & exit
        5⤵
        
        PID:5552
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd
        6⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6068
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        7⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4048
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe"
        7⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c mkdir 9282
        7⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Compound + Injection + Emperor + Worm + Participants + Richmond 9282\Ground.pif
        7⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Shemale + Switching + Represented 9282\Q
        7⤵
        
        PID:5560
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\9282\Ground.pif
        
        9282\Ground.pif 9282\Q
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5544
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 localhost
        7⤵
        Runs ping.exe
        
        PID:1176
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Um7OF20.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Um7OF20.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:6076
  - - C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
      "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      PID:5580
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:4352
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000094041\2.ps1"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4896
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2172
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2172 CREDAT:17410 /prefetch:2
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4552
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/login
        6⤵
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2412
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=2004,i,14941108075975700800,1886585341907670652,131072 /prefetch:8
        7⤵
        
        PID:5320
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3224 --field-trial-handle=2004,i,14941108075975700800,1886585341907670652,131072 /prefetch:1
        7⤵
        
        PID:5904
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3208 --field-trial-handle=2004,i,14941108075975700800,1886585341907670652,131072 /prefetch:1
        7⤵
        
        PID:348
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1892 --field-trial-handle=2004,i,14941108075975700800,1886585341907670652,131072 /prefetch:8
        7⤵
        
        PID:652
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=2004,i,14941108075975700800,1886585341907670652,131072 /prefetch:2
        7⤵
        
        PID:5448
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 --field-trial-handle=2004,i,14941108075975700800,1886585341907670652,131072 /prefetch:8
        7⤵
        
        PID:6620
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4808 --field-trial-handle=2004,i,14941108075975700800,1886585341907670652,131072 /prefetch:8
        7⤵
        
        PID:6680
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 --field-trial-handle=2004,i,14941108075975700800,1886585341907670652,131072 /prefetch:8
        7⤵
        
        PID:1052
    - - C:\Users\Admin\AppData\Local\Temp\1000227001\perlo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000227001\perlo.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1396
    - - C:\Users\Admin\AppData\Local\Temp\1000228001\leru.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000228001\leru.exe"
        5⤵
        Executes dropped EXE
        
        PID:4600
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:5664
    - - C:\Users\Admin\AppData\Local\Temp\1000229001\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000229001\crypted.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4840
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        7⤵
        Enumerates system info in registry
        
        PID:4308
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2992 --field-trial-handle=2040,i,4733853193659826268,5842489530382503971,131072 /prefetch:1
        8⤵
        
        PID:3236
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3000 --field-trial-handle=2040,i,4733853193659826268,5842489530382503971,131072 /prefetch:1
        8⤵
        
        PID:6812
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2036 --field-trial-handle=2040,i,4733853193659826268,5842489530382503971,131072 /prefetch:8
        8⤵
        
        PID:5980
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1988 --field-trial-handle=2040,i,4733853193659826268,5842489530382503971,131072 /prefetch:8
        8⤵
        
        PID:1708
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1840 --field-trial-handle=2040,i,4733853193659826268,5842489530382503971,131072 /prefetch:2
        8⤵
        
        PID:4612
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4728 --field-trial-handle=2040,i,4733853193659826268,5842489530382503971,131072 /prefetch:1
        8⤵
        
        PID:1284
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4736 --field-trial-handle=2040,i,4733853193659826268,5842489530382503971,131072 /prefetch:8
        8⤵
        
        PID:3572
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2888 --field-trial-handle=2040,i,4733853193659826268,5842489530382503971,131072 /prefetch:8
        8⤵
        
        PID:7016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,13272398020582080317,3514414479554449216,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
        8⤵
        
        PID:3368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,13272398020582080317,3514414479554449216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
        8⤵
        
        PID:692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,13272398020582080317,3514414479554449216,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
        8⤵
        
        PID:4848
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13272398020582080317,3514414479554449216,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
        8⤵
        
        PID:4216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13272398020582080317,3514414479554449216,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
        8⤵
        
        PID:6072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13272398020582080317,3514414479554449216,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
        8⤵
        
        PID:5320
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13272398020582080317,3514414479554449216,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
        8⤵
        
        PID:792
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13272398020582080317,3514414479554449216,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
        8⤵
        
        PID:2608
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13272398020582080317,3514414479554449216,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
        8⤵
        
        PID:4436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13272398020582080317,3514414479554449216,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
        8⤵
        
        PID:8168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,13272398020582080317,3514414479554449216,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 /prefetch:8
        8⤵
        
        PID:7248
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,13272398020582080317,3514414479554449216,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 /prefetch:8
        8⤵
        
        PID:7240
    - - C:\Users\Admin\AppData\Local\Temp\1000230001\Setup11234.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000230001\Setup11234.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:6872
      - C:\Users\Admin\AppData\Local\Temp\1000230001\Setup11234.exe
        
        C:\Users\Admin\AppData\Local\Temp\1000230001\Setup11234.exe
        6⤵
        
        PID:5540
    - - C:\Users\Admin\AppData\Local\Temp\1000231001\newrock2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000231001\newrock2.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6632
      - C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6528
        
        C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        
        C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        8⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        9⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        9⤵
        Creates scheduled task(s)
        
        PID:6420
        
        C:\Users\Admin\AppData\Local\Temp\nsj5BC9.tmp
        
        C:\Users\Admin\AppData\Local\Temp\nsj5BC9.tmp
        7⤵
        Executes dropped EXE
        
        PID:6508
      - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
        6⤵
        Executes dropped EXE
        
        PID:6804
      - C:\Users\Admin\AppData\Local\Temp\rty25.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rty25.exe"
        6⤵
        Executes dropped EXE
        
        PID:6844
    - - C:\Users\Admin\AppData\Local\Temp\1000232001\autorun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000232001\autorun.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:7072
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        7⤵
        
        PID:4936
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1940 --field-trial-handle=2024,i,13334606730907764994,3060246151893878140,131072 /prefetch:8
        8⤵
        
        PID:6316
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2124 --field-trial-handle=2024,i,13334606730907764994,3060246151893878140,131072 /prefetch:8
        8⤵
        
        PID:6332
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=2024,i,13334606730907764994,3060246151893878140,131072 /prefetch:2
        8⤵
        
        PID:852
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3136 --field-trial-handle=2024,i,13334606730907764994,3060246151893878140,131072 /prefetch:1
        8⤵
        
        PID:1336
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3116 --field-trial-handle=2024,i,13334606730907764994,3060246151893878140,131072 /prefetch:1
        8⤵
        
        PID:7128
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4616 --field-trial-handle=2024,i,13334606730907764994,3060246151893878140,131072 /prefetch:1
        8⤵
        
        PID:6184
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4980 --field-trial-handle=2024,i,13334606730907764994,3060246151893878140,131072 /prefetch:8
        8⤵
        
        PID:4144
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4844 --field-trial-handle=2024,i,13334606730907764994,3060246151893878140,131072 /prefetch:8
        8⤵
        
        PID:2112
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5280 --field-trial-handle=2024,i,13334606730907764994,3060246151893878140,131072 /prefetch:8
        8⤵
        
        PID:5156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6396
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,7400232561542224662,4805381721133309080,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
        8⤵
        
        PID:2948
    - - C:\Users\Admin\AppData\Local\Temp\1000233001\322321.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000233001\322321.exe"
        5⤵
        
        PID:5112
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        6⤵
        
        PID:7332
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        7⤵
        
        PID:7672
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc5ae79758,0x7ffc5ae79768,0x7ffc5ae79778
        8⤵
        
        PID:7412
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2268 --field-trial-handle=1820,i,11022845346815699857,15384464703016608570,131072 /prefetch:8
        8⤵
        
        PID:3992
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1924 --field-trial-handle=1820,i,11022845346815699857,15384464703016608570,131072 /prefetch:8
        8⤵
        
        PID:4364
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1820,i,11022845346815699857,15384464703016608570,131072 /prefetch:2
        8⤵
        
        PID:5736
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1820,i,11022845346815699857,15384464703016608570,131072 /prefetch:1
        8⤵
        
        PID:4752
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1820,i,11022845346815699857,15384464703016608570,131072 /prefetch:1
        8⤵
        
        PID:6392
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4572 --field-trial-handle=1820,i,11022845346815699857,15384464703016608570,131072 /prefetch:1
        8⤵
        
        PID:7492
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4744 --field-trial-handle=1820,i,11022845346815699857,15384464703016608570,131072 /prefetch:8
        8⤵
        
        PID:3552
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4924 --field-trial-handle=1820,i,11022845346815699857,15384464703016608570,131072 /prefetch:8
        8⤵
        
        PID:5928
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:7472
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,15505909622628904863,9548558863185811153,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2
        8⤵
        
        PID:7272
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,15505909622628904863,9548558863185811153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
        8⤵
        
        PID:5196
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,15505909622628904863,9548558863185811153,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
        8⤵
        
        PID:5768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15505909622628904863,9548558863185811153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
        8⤵
        
        PID:4820
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15505909622628904863,9548558863185811153,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
        8⤵
        
        PID:1268
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15505909622628904863,9548558863185811153,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
        8⤵
        
        PID:7540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15505909622628904863,9548558863185811153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
        8⤵
        
        PID:7544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15505909622628904863,9548558863185811153,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1
        8⤵
        
        PID:5904
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15505909622628904863,9548558863185811153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
        8⤵
        
        PID:7752
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,15505909622628904863,9548558863185811153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
        8⤵
        
        PID:3768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,15505909622628904863,9548558863185811153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
        8⤵
        
        PID:7676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15505909622628904863,9548558863185811153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
        8⤵
        
        PID:7244
    - - C:\Users\Admin\AppData\Local\Temp\1000234001\flesh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000234001\flesh.exe"
        5⤵
        
        PID:6796
      - C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
        6⤵
        Executes dropped EXE
        
        PID:4592
    - - C:\Users\Admin\AppData\Local\Temp\1000235001\boxApp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000235001\boxApp.exe"
        5⤵
        
        PID:5848
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
        6⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7972 -s 904
        7⤵
        Program crash
        
        PID:3884
    - - C:\Users\Admin\AppData\Local\Temp\1000236001\RRDX.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000236001\RRDX.exe"
        5⤵
        
        PID:3240
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        6⤵
        
        PID:7616
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2112 --field-trial-handle=2020,i,10605622497826522499,377983037613553841,131072 /prefetch:8
        7⤵
        
        PID:7832
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2952 --field-trial-handle=2020,i,10605622497826522499,377983037613553841,131072 /prefetch:1
        7⤵
        
        PID:1088
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=2020,i,10605622497826522499,377983037613553841,131072 /prefetch:1
        7⤵
        
        PID:5420
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1920 --field-trial-handle=2020,i,10605622497826522499,377983037613553841,131072 /prefetch:8
        7⤵
        
        PID:7820
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=2020,i,10605622497826522499,377983037613553841,131072 /prefetch:2
        7⤵
        
        PID:7812
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4664 --field-trial-handle=2020,i,10605622497826522499,377983037613553841,131072 /prefetch:1
        7⤵
        
        PID:7964
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4844 --field-trial-handle=2020,i,10605622497826522499,377983037613553841,131072 /prefetch:8
        7⤵
        
        PID:8040
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4992 --field-trial-handle=2020,i,10605622497826522499,377983037613553841,131072 /prefetch:8
        7⤵
        
        PID:8056
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2476
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,8253690326951667572,12307235647835688889,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
        7⤵
        
        PID:6612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,8253690326951667572,12307235647835688889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
        7⤵
        
        PID:5376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,8253690326951667572,12307235647835688889,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
        7⤵
        Executes dropped EXE
        
        PID:5112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8253690326951667572,12307235647835688889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
        7⤵
        
        PID:3768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8253690326951667572,12307235647835688889,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
        7⤵
        
        PID:5652
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8253690326951667572,12307235647835688889,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
        7⤵
        
        PID:7076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8253690326951667572,12307235647835688889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
        7⤵
        
        PID:1688
    - - C:\Users\Admin\AppData\Local\Temp\1000238001\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000238001\crypted.exe"
        5⤵
        
        PID:3464
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:7784
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        7⤵
        
        PID:7308
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc5ae79758,0x7ffc5ae79768,0x7ffc5ae79778
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6796
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1988 --field-trial-handle=1992,i,2040710945609533511,7170895126728749409,131072 /prefetch:8
        8⤵
        
        PID:4952
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1992,i,2040710945609533511,7170895126728749409,131072 /prefetch:2
        8⤵
        
        PID:7588
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2276 --field-trial-handle=1992,i,2040710945609533511,7170895126728749409,131072 /prefetch:8
        8⤵
        
        PID:6244
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2988 --field-trial-handle=1992,i,2040710945609533511,7170895126728749409,131072 /prefetch:1
        8⤵
        
        PID:7312
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2996 --field-trial-handle=1992,i,2040710945609533511,7170895126728749409,131072 /prefetch:1
        8⤵
        
        PID:6424
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4676 --field-trial-handle=1992,i,2040710945609533511,7170895126728749409,131072 /prefetch:1
        8⤵
        
        PID:7352
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4856 --field-trial-handle=1992,i,2040710945609533511,7170895126728749409,131072 /prefetch:8
        8⤵
        
        PID:7056
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4588 --field-trial-handle=1992,i,2040710945609533511,7170895126728749409,131072 /prefetch:8
        8⤵
        
        PID:6840
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc4a7346f8,0x7ffc4a734708,0x7ffc4a734718
        8⤵
        
        PID:2772
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,15903805101980839567,4289466634101403454,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
        8⤵
        
        PID:6576
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,15903805101980839567,4289466634101403454,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:3
        8⤵
        
        PID:6736
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,15903805101980839567,4289466634101403454,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
        8⤵
        
        PID:7692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15903805101980839567,4289466634101403454,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
        8⤵
        
        PID:6340
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15903805101980839567,4289466634101403454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
        8⤵
        
        PID:6076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15903805101980839567,4289466634101403454,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
        8⤵
        
        PID:4244
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15903805101980839567,4289466634101403454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2208 /prefetch:1
        8⤵
        
        PID:7260
    - - C:\Users\Admin\AppData\Local\Temp\1000237001\support.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000237001\support.exe"
        5⤵
        
        PID:952
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
        6⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 808
        7⤵
        Program crash
        
        PID:7928
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 1068
        6⤵
        Program crash
        
        PID:7440
    - - C:\Users\Admin\AppData\Local\Temp\1000239001\2024.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000239001\2024.exe"
        5⤵
        
        PID:1464
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3272
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc4a7346f8,0x7ffc4a734708,0x7ffc4a734718
        7⤵
        
        PID:7188
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,14556774594369193089,2023239041090382058,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
        7⤵
        
        PID:2144
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,14556774594369193089,2023239041090382058,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
        7⤵
        
        PID:5268
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,14556774594369193089,2023239041090382058,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
        7⤵
        
        PID:5032
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14556774594369193089,2023239041090382058,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
        7⤵
        
        PID:4672
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14556774594369193089,2023239041090382058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
        7⤵
        
        PID:1256
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14556774594369193089,2023239041090382058,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2964 /prefetch:1
        7⤵
        
        PID:6092
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14556774594369193089,2023239041090382058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
        7⤵
        
        PID:4556
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14556774594369193089,2023239041090382058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4340 /prefetch:1
        7⤵
        
        PID:7428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14556774594369193089,2023239041090382058,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
        7⤵
        
        PID:4024
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,14556774594369193089,2023239041090382058,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 /prefetch:8
        7⤵
        
        PID:6456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,14556774594369193089,2023239041090382058,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 /prefetch:8
        7⤵
        
        PID:6980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14556774594369193089,2023239041090382058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
        7⤵
        
        PID:7992
    - - C:\Users\Admin\AppData\Local\Temp\1000240001\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000240001\crypted.exe"
        5⤵
        
        PID:7508
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:5964
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        7⤵
        
        PID:2948
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc5ae79758,0x7ffc5ae79768,0x7ffc5ae79778
        8⤵
        
        PID:7032
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1908,i,542049806249892226,17313891367695705443,131072 /prefetch:2
        8⤵
        
        PID:8068
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=1908,i,542049806249892226,17313891367695705443,131072 /prefetch:8
        8⤵
        
        PID:7192
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3008 --field-trial-handle=1908,i,542049806249892226,17313891367695705443,131072 /prefetch:1
        8⤵
        
        PID:5132
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2988 --field-trial-handle=1908,i,542049806249892226,17313891367695705443,131072 /prefetch:1
        8⤵
        
        PID:8056
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2256 --field-trial-handle=1908,i,542049806249892226,17313891367695705443,131072 /prefetch:8
        8⤵
        
        PID:5948
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4664 --field-trial-handle=1908,i,542049806249892226,17313891367695705443,131072 /prefetch:1
        8⤵
        
        PID:7580
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4848 --field-trial-handle=1908,i,542049806249892226,17313891367695705443,131072 /prefetch:8
        8⤵
        
        PID:7956
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4864 --field-trial-handle=1908,i,542049806249892226,17313891367695705443,131072 /prefetch:8
        8⤵
        
        PID:2812
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url" & echo URL="C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url" & exit
  2⤵
  - Drops startup file
  PID:6000
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\9282\jsc.exe
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\9282\jsc.exe
  2⤵
  PID:4128
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1304
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
    3⤵
    PID:4936
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:6784
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc5ae79758,0x7ffc5ae79768,0x7ffc5ae79778
      4⤵
      PID:3304
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    PID:6364
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:3020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 3208
    3⤵
    - Program crash
    PID:1248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc4a7346f8,0x7ffc4a734708,0x7ffc4a734718
    3⤵
    PID:4060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5256

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5864

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b0 0x300
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc5ae79758,0x7ffc5ae79768,0x7ffc5ae79778
1⤵
PID:5564

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:6208

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
PID:6816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x168,0x16c,0x170,0x140,0x174,0x7ffc5ae79758,0x7ffc5ae79768,0x7ffc5ae79778
1⤵
PID:7044

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:6064

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:6832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4128 -ip 4128
1⤵
PID:4036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc4a7346f8,0x7ffc4a734708,0x7ffc4a734718
1⤵
PID:7088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc5ae79758,0x7ffc5ae79768,0x7ffc5ae79778
1⤵
PID:7624

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc4a7346f8,0x7ffc4a734708,0x7ffc4a734718
1⤵
PID:6236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABEAGUAZgBhAHUAbAB0AC4AZQB4AGUAOwA=
1⤵
PID:5396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x178,0x17c,0x180,0x154,0x184,0x7ffc4a7346f8,0x7ffc4a734708,0x7ffc4a734718
1⤵
PID:2112

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:7344

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
PID:5532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3756

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7972 -ip 7972
1⤵
PID:2812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6628

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:7884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6784

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7996

C:\Users\Admin\AppData\Local\Identities\gaqhsofc\Default.exe
C:\Users\Admin\AppData\Local\Identities\gaqhsofc\Default.exe
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 952 -ip 952
1⤵
PID:7656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3976 -ip 3976
1⤵
PID:6636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
11e5b848083ca1c7c3b0b6e38065d219

SHA1
8c080b8fccac5b53c800ca9f28557998832ef7d9

SHA256
2602060f155395b394b10929bef56a70f94a85c94cfcb0a219fd4a5471a08b4f

SHA512
b76a646a090a90bf0146620b8fe90e0c77c567c2e2c6e35ad2bc146acbae9324e82afabe6cd2e42cfe267ce49d7bf92fd5022244b220083bd6a5b8c9e37c47d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\1f1612f8-9bf3-46ec-a865-f3c2322660e6.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
6364b5e8eba2431be92d4e703b478ecd

SHA1
c41dc27a2a89d3ce5afe899189c9c5449be3e5bf

SHA256
6c57f88a6eb9df86b085d72ab9a6926bb1232ee2ab86355277fcff1c97a2c9d8

SHA512
c5d665219fb0da0e3cc2e44cc39c9608b2a57b045aee957eeb91677a8383ab445859e1206799027b49568ac54fc212d28a0a50afe0a566c5f0f3ee3d92b53d5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\ee0271ce-3c0e-453a-826a-1a04d841e478.tmp

Filesize
706B

MD5
2e10d10eafb3ee8e5fa9bea37431c56e

SHA1
51337db07a34d95455f96998b4fd9a66d0f197b8

SHA256
68d0fc5b0c78a55bca87a9ba88102401d7b233e8ea4e6946aa0ea3cee22654b5

SHA512
5a6dd3acf0401c13322eff8bd6ec4739f05b8dff6c7484826298192412dc69ba1f866fac283893e8360ae0e13080ca8453a0535d07e50eccb492e8380b2325a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9d714cf15945cefc74e373c0bd3bed96

SHA1
fc7b416d9754f6f2060ab689c8ce3d3117b96396

SHA256
efa0e2afe2000b9d8f60754c5694643f95706ce9f0e37026663112421ef69860

SHA512
cf15f4ffe7388460bc66b0a9458eb3e9e1b5909482731d8c1e9058d0903b77474f983ac966cf28acb4fb308850d19a67e9b28d00e714d9afdd2285d9a386431e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0ec135f34e0baa386643de9ae96648d0

SHA1
24e0d2a3fa60174cc0758d3a0921bb41dd6a876d

SHA256
32a543e29b9463536481a21791188fa20b95aacbd2dec7fe70298c972bb3283f

SHA512
ce9a04981214e376e4fb4e3ca67f712995fe4b70a2579e90c8f4fc42e39abb25ecd7b060059c5912a1057635d1395d06ed22d56bc93a3efb37203b5256971e38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e7ccbd231eccb97f331c9f5cdee7fbe8

SHA1
79348d829c4ca72b9ef97f3f241f2deb04ed362e

SHA256
f8a048aa07ac0f9e31af50130c76f552d94d7fb99979f5b76afe49ac13a9512b

SHA512
6272116b4bbe7cf62d83fcd4f10e3cf9955b8b75d47be0bb180adab92adc203e8af747a9ce13413312f08b2cdc5fb9b057b8c09027294f44147e34bcb236fcf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
06c6149018e359a47df460bb14e0aa3f

SHA1
09d49c6234952159f8c626d1c3d8d823c3a5cb34

SHA256
a47cc9bcafa6392864f84592c2c907d9099f90b1316aa9f8a03f512cf2ee73df

SHA512
7f09fe577a305714c43500465d7eb25541d28cb9b6e39451fc6403fcc43524c5b797429e649965a50533e87943ac1546e19e7ae48533fbbb1c69bf3a8dbb500b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
27b98298c0236d816a1fcaf15dd71eae

SHA1
47e181a26492a99eb1e99e1f1fc0b457e3665150

SHA256
e13a20a09c753665a37997d21babceb1eadcaff6fbc3b5cd804883f18a7928ac

SHA512
e6171e398d25514dde8f0720d8c260de0936573db584d7219fac2b598f2ff34d44bbb7294e0364d24dc26c3586643e9670114311bfec729839313efb3f6a28c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
115KB

MD5
9466142913eb7ef24f07f57e343b4025

SHA1
8dfc937f14b733acfdb91f48fa6b57173d726a6a

SHA256
aa84f69dcf6b0a00e5598f2333258eecbe3c68f58844ce00fc37a06281e20f62

SHA512
f88feefa0d04c3ca6b2442987d7a061294385b68ae290e3d9af241ba20928a04d927f048f239851c6029b3594e9c3ae33a04194a6ecddd2cc8db23660621af0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
225KB

MD5
379ea8a2d6c1cb07ffea82b1f0bfd504

SHA1
84dc653ddcf8a996ef9fc7c4457ff769541da297

SHA256
dee8adac23318928148be18018183a3c2c90f756fc46bb3552d760610b8b46dc

SHA512
e14bb190cafc422e1e7db184397ec7f4bc8885b2fa5d59ab2c5c9eca67485f120334f8f00e6b6c948c4e338d3a4405309b794167fb50084593d8b992d2a0fa0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b120b8eb29ba345cb6b9dc955049a7fc

SHA1
aa73c79bff8f6826fe88f535b9f572dcfa8d62b1

SHA256
2eecf596d7c3d76183fc34c506e16da3575edfa398da67fa5d26c2dc4e6bcded

SHA512
c094f0fae696135d98934144d691cee8a4f76c987da6b5abdb2d6b14e0fc2cfcf9142c67c6a76fb09c889db34e608d58f510c844c0e16d753aea0249cfc14bbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d5564ccbd62bac229941d2812fc4bfba

SHA1
0483f8496225a0f2ca0d2151fab40e8f4f61ab6d

SHA256
d259ff04090cbde3b87a54554d6e2b8a33ba81e9483acbbe3e6bad15cbde4921

SHA512
300cda7933e8af577bdc1b20e6d4279d1e418cdb0571c928b1568bfea3c231ba632ccb67313ae73ddeae5586d85db95caffaedd23e973d437f8496a8c5a15025

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f3bb3e981a14ad3594bb8390e458606b

SHA1
d1346482537077467880ae120ce7b0e6881471de

SHA256
d0a6f7d3f66f56ae408ddaf6c1550c815c4b9d56c24b773cc34b175d94015f1b

SHA512
133672047e60c5c5d5bbf3f9dc0c7a32bdac0561ee86d5f1b342cdf46844c877792029820a897bfa4b4c483e7b5223e035fa480fa89480dd84957090f7bdde96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
919ddef6d966be0cf4c7056146d35c9b

SHA1
40aa9a58db3c682346e97b99f574364c7311e27c

SHA256
91d2992d1d3e21c8a14ce0e48420ea8d041af1c18b6f4741595bf7ad10d9a42f

SHA512
3c3b52e0bebb68ecc22273114c732767f5016b93a61ea1e4bf660281e620638a15defb00d1e822a659f1d8bccf95c3f68968111060511adfc6600529523775c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
890ee2f0ebe57a51236f73f90f686630

SHA1
78bc0c7241ee1b1f5b1ee1325f73355e649f7d15

SHA256
40f6b9467c36e8a9fa25fcdef42740596e6ea31ca8edf93a8b10431e689c5b0d

SHA512
50014f7c524a928c36114684ab157e5414ea1471861f0b1e292dc3c0e01c94208e1a0381acbdc19c05430974529d78ec4a29a8904cc2d4ad6fbe1b7e45832ab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e6bc3ed76374e35e640f900262c6ee6c

SHA1
89868f2b5caff7c1e68231efbc853475efc4704e

SHA256
3b97627cfc3d203c9671481cff283c193e849ccfed88a0ec7416c5dadcc73d98

SHA512
2e9672535324920e3f72b7c946ec845b230e7f256bf1990d3011831f1bb4839cf949eddf13b7e57677218de690225f2bc4cfcaa0ac16f8155e23fe6f56630914

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bd25d2a2adf9280aa20f837955766a2a

SHA1
e3e4ead8e7e74bee2386ccc7f2617b9daf0ddb08

SHA256
7fa8e06a98538f57e10dbc1b7b702aec36a3bb3bfb84b12faacb1ff7ef2c4767

SHA512
f1058071bed306de6968b00533c1f27689c30de96c76c43b1d3063bdd019e5b0a0900796be966ad18ee714438c57dd26a989ed8fb4cd4b270d171ab838b147b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3bc7e8b1e465919f4bfc0c5d66d24975

SHA1
7f631e6dc540dfa88938c85cd987b931bdeb7814

SHA256
0ee2b7aef3113adee3655adca9f298378ae015693621d3dde862282236942de7

SHA512
c9e5210e1c6084f56d96a140507da7a9da7440809eb0c31eb3439ec3704d7accb655a70e194a660fb067d4ae9caac16a8ecc06f9ff1d21b1938328e994d405da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
9b663d937058ca87bdff98832762035a

SHA1
bc6ecf1d216f93ec510965c8d7afaadb6b18a314

SHA256
02c370ca2bab00ed970a3de88824f26398401d2d91b253cf1ff303c106b98861

SHA512
e1d3f5ba8e1b0d8f5a2a302989c5bcdd86fa062ab7464f718f224dccb66669fbd3fa9e11e6a377af213f8e8119e56419f1db67f74626bcf70af6eae20d677193

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4c67df101b5bf8fb7116e7c5dd4d18fc

SHA1
995134c7ddb4a422791464f5a8414afb4eef7de8

SHA256
3ad3d8dd367d75c0956d3dfae1366da1151a6b44c56180c55215eb36887f4d9f

SHA512
d465736905946e5fa20f69157b021b110fbfd48880ac6a3bfcc179ffbd3307045443fd99a4cbd72ca1071edc3e2c2ebbf80a84dc21579a6a1522959cc4ecc5e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ca60b6472d813bb9c62b9c8ca4f01fca

SHA1
8977b3a6794dee2cff497d9a87680e86d6b48901

SHA256
90151704ad16405d35e52db9f432eee25a649edb3648c20f624807e08098f200

SHA512
fe267f055db1b3e3910ed33269a4cc9378965bb072dcde2961af6df8bd5e05db6773e7acb2c8db4fe2c9b7a5ede22bb638f34d94641957aebe96c7ab0a807b64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fd7f62c33b11b710da5bf29227c2fb35

SHA1
b35dee9e3587cf992f1638798dfd3254fb67526e

SHA256
3846953cc1d7e33caf2dd1161b5f2c3dd02801245408f9efbe77936d9b4cc4b4

SHA512
b9455e67b9c5da69814fc75f90607c469597c4a3cb2c30fdd34321325068f145241041fe97add5e5b81e64076038f295e696f8a96e6bd7d99296a30e351a70f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
db0246062aac8fe5ec0eb2767f8286f0

SHA1
f01ce8038cad13a133bd9974b5aecac7e71463df

SHA256
aad4b1c31a07dff45614592eef5ecefc7446ede0bd4a28cdba17661242d61fa5

SHA512
1ef57c08181723e8dfb790e687a945f5266ed77b1030e93e811cdf1466edb4d0971e9ca49366e2a878492d3d1ef5fd0d608bd70cd048e8a568af6704b5f2f312

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b89825bb6672c1601071acfc9d13e63d

SHA1
7cf3f8925c6c1db27bb7d5a976ee1f246a783df6

SHA256
6d27e75b21e20b78709ee516ec8b01dd66d7efa5fbffbe4fbfd24525a8561df8

SHA512
394e9235d9da5ac37d307ed2628dfeeb2734e60eb59cad606bc8751c003240db41686f19cf6286d7dd76b74b8fe4ed51e67dc835d85496792c0aa5e85e79c2da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3d87917563edd9501a51766df2330bf1

SHA1
979c5a453ae049a698d9dc0993bfd0d1ae868f1a

SHA256
62ad202546dbd9713fe73b6d9fe32bc4618895c68ad5afb237b2b2e84bf743a2

SHA512
1d5fa15898fb806cab4dfd44b96516007cf1a19b30dc32809dbd8581b7f0dabce92562d7c953c07e2e5e46a0b3317415ac383a35a454cabc3f8e5f0e80fb7e57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9407b5ed5788dbb6c72c0cd5d8dd5347

SHA1
5d37127058a8b02d4e76fc86638161fa45d62f29

SHA256
ddcf59a1d266112fb27567c2c288cbd62cf07278a39bd5021bcb3489bc3f2e33

SHA512
60ac61faa0dec19021002af7776055643a670761ffba66207b1c2eefbf2e8a07826e80c87fd7215e365834207aac425dcb41ff4e19a4536e037bcc7dec7c318c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
39a9080339b50bb436188a8811c10808

SHA1
b44414a00e53c34aea04603fe8d123b794593012

SHA256
d5ac6fc1eafbe20d6a4fb92ef4ec21b20e6771939db6b3861dd9348a6e829d32

SHA512
5c4cdd9ed1a5a75d896b924d8a685151b20bd8b307b645c34b9cbfb5372a352e2fa9cbca6911a586576591663fb4df1f5e3183a6a3acf19b9cfb1f698ac7bdc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1d1c7c7f0b54eb8ba4177f9e91af9dce

SHA1
2b0f0ceb9a374fec8258679c2a039fbce4aff396

SHA256
555c13933eae4e0b0e992713ed8118e2980442f89fbdfb06d3914b607edbbb18

SHA512
4c8930fe2c805c54c0076408aba3fbfb08c24566fba9f6a409b5b1308d39c7b26c96717d43223632f1f71d2e9e68a01b43a60031be8f1ca7a541fe0f56f4d9f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\eab8950f-e5eb-4ccd-b5e1-3f2c77e47660\index-dir\the-real-index

Filesize
2KB

MD5
8ee9abf6f227b4feca7df257ce626cae

SHA1
98f26afd45d13175d3d3e5fec99f4b4b81664f0b

SHA256
03f84cf6a1cef9baeb7a4ec64e177ccbe4f6c8de7adbc5e0074dca301d22e9a3

SHA512
7a93d22d610249350b9edda466f261bfd592401d573d61320bd3b792d8543f745c97cc7bf45a53714d34bafc9cb19eee46454a1c69c80e427ecc8d746896e72b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\eab8950f-e5eb-4ccd-b5e1-3f2c77e47660\index-dir\the-real-index~RFe57e687.TMP

Filesize
48B

MD5
1a377f1217d318461e10c3784abe498f

SHA1
13289fa4aadf4291dc8ae9aa107b6460ec4c5c65

SHA256
230059b155a9324186fbad932a4d27a3c4fd5a027f039fa0960e5023655da552

SHA512
3e7cc948d3d1d4f4039726e692e6b7c9c0d47a8c42efd00c8e620c6fdaca6b169cf9fc43ae8c4dc13693e7acafd9a0da7fbc9340a7a1d1945470e01463480750

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
61d6ff920accd72c1af3cdf417957c3b

SHA1
e542bc93d4fdc7b832be2a983a62d72457f09e0d

SHA256
291b35d893286f592104ae9def6abeeb8bdbaf4a1c7a174c7aac1bc8ace0d7da

SHA512
68c13f7b7826f3ff18cbbb31c45d17cdd4b099674574b5411ae6e9e82e51d8674b54f13b582733ddfdd4d41b5e73c7cad6411be0f962de71280370e38608373d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
a2fd89da8f986fe7412568b8a305fc0c

SHA1
d0cf75fa69affd9108a91ef1db4283efca95d340

SHA256
fa5774b3690e0af5ff0e028db9699ea089ef2718ce9d98b8bd9297884dedd567

SHA512
25c3c642df12dfb1d5d3fcdbbec76ccaf6cafcdb9f257dbae7acc425990a7108d3ef8f65c774414529bb6f35a2bb81c8a6425040019ac5ed79947c7729784508

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
b046db0250ae87d8ed04aa591f1eddc0

SHA1
9a5646ef852ec0169489f9f16beab5552222400d

SHA256
8d030337837d3ed99b61285a0dff70f660cc5ef58c5de09c68c2f26aa886b71b

SHA512
684c287114ec807dc10140932a1862bd783021a70b0df126b0f8c7450d4b5ceffe630a19b79f25b568be9d9a3f3085ebd2379873d898943971038fe0dc1d8843

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
12a5e9e294a81a1e438f9b6114358d1b

SHA1
e701c19772da16962f25c76a6872417c57e3e65b

SHA256
8bf5cade0c2d8b70a1366d4db6235dd0dd668e942af341a7af86a14d9e929240

SHA512
e29317478dc6c99aafd12d63d94296538ab29d12453a2996914a0a27c8f8a8169d5251f27486ee8c99b17f0b7ad58ac4fda5e3b46dd3dc7db0792c0a9392643e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
2a8b46c424d6e53c66b16dcf5c38368a

SHA1
685925dd25f1ed3166f15d9143aae00de1ee25f5

SHA256
92b9bba6e680da81b0f874a0e58ec198ce92f3050c96184774b8bc1e14dbcc10

SHA512
479683a222ed8ca82e9015b7dc96c526f5c6eb0af7c16adf874136b1ea0ed7d70250ff73dc64e96e87a00012fd5cee941466745559c67c564385e49dd6fdb3b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57dab0.TMP

Filesize
48B

MD5
1040723dcbaa8b64cfff8d6e4e870b35

SHA1
1aa58636b80b1a8c336044d0560745b343aad2e8

SHA256
c057306132139dc9c0e67371399979d7d888b2344cbbffd58638dcdb38bfc766

SHA512
cfb372bd2223de1dd619a74ebcde0fce454d107b18bc28b4f6f9b154b5cf4bfe0e45dd988f51834049ff3b30a38d5c859a796e5e1683c993625b4724a245f0ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3a9f783ce52688577fd6ec37a8cef996

SHA1
e0a5ca7e631986c664a38d2256e3d955d678204d

SHA256
44042eb307cdbf2c1c8903355dcbe202b1297393b8287e19d5ef6e6e58d69976

SHA512
2e0d5bf79bf50fb3ffa8f88117780a663a60671ae123a5e340f38ee327f7755bf0a04b7f0231a2fd23a6f05918cd3eaf32a264620e900bc151b9de881418daa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58538a.TMP

Filesize
1KB

MD5
b6b4c8e789c13d29028d536b6b0bd33a

SHA1
addb5bc5c45b4c7d6c03b456336146fddecd7873

SHA256
e61b02b455d2663cfc0c54358a403aebe0335efc0763a20a4186e9a93a414c8e

SHA512
e68a66552d0d87676dfe46c99502edcca60e6be4c731a5f4cf0285d1c3f721463c0d6182ebbcd5ed8047a22b3f54f442a4322a58890415eb6ab5534f3450e28c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
589c49f8a8e18ec6998a7a30b4958ebc

SHA1
cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e

SHA256
26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8

SHA512
e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
60e3f691077715586b918375dd23c6b0

SHA1
476d3eab15649c40c6aebfb6ac2366db50283d1b

SHA256
e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee

SHA512
d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ef8e93c6-27f9-4ef2-bbda-0b997f99d0b4.tmp

Filesize
6KB

MD5
28a2244d9f1d173e5a3dbd7b75d1ef7e

SHA1
cd78e6ad46a63a5cae1d53d7e424217eaa8a4ae4

SHA256
564298d1f6c8bf683d13d320114cc8404ee56519bb5f1ca4a91918a9ca2350b0

SHA512
dff9f219a28b1572152a96716a324674d83fb634e4374dc898a57341478db24dbd1c3a255cb3acafb0eb17949527434ed98c2a7e7862c6ce7300204d73915040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
e682fe0e2532acefd8e8d11538756118

SHA1
70c4befe5951df738e8dcef175b81e1f9ceee725

SHA256
1570074d6b09c0bdeef9278fb1aeee1ce04c3c6a9ed9bd7918f38f1f8a0a0c50

SHA512
e46d66274b257823af2a6dc8c9cb0455fdf2ebf544a8606186a783845075268926c2d233c8fc9b18c5bf993acce93c2da494a98afde7a5e72a00ba58732d3a2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
2359b8cb2ea7987e0b55d1ac7ff5cb88

SHA1
181b4d9c2ada4772d02c481f2cb32b5f87c0a576

SHA256
8132a660cc97767346b9e4cf5e311389a7e77577cebd69e30b12977d2e97aad4

SHA512
80b422dff12169f25a81795feb51faeae2740c2bf73486664f6bc439ec7f1b99cb5395f103d046dd6d86797ef62c9aa530456cc0e8005e6c01d505c7c9fbe160

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f84078abe337d11d44e679a0b2980251

SHA1
5fd72c523ead4c45bf69e9627b6cfbd4d6043d33

SHA256
d9cd748f0cb06f6cc7e1591dd5e08f03da1e07a0e550343ab1cf89befdf9ab07

SHA512
79041005f20a6c11ac2bc48f1d69147b36ea70f261a09241f85c39d326f97ca675e42864ef65710345dcb95340274e7f31f42d427b550d9e903371d4feb97597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dcd3248166a1f7da21e2b5fa8fa1e7c4

SHA1
e9c1e0c7639a8329f2e092511dc1289e29c7d73b

SHA256
f28bed066d77e1a4794b2ad04a48bb044ae3bdf63348d11801cd0f1d08c6beb7

SHA512
3c78c081b6491c615e53e0a366c069aaa94d951fd17d610b9e05bef89fd3c50ac14955637dcb685116971a01ea502635326984c5c66a0c89fec2fe4efb44ff7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
80ffedfe85ab1c1aa7e1f6d8885011c3

SHA1
31da4166aee270852ae0e9b8bad4153974f48e04

SHA256
367d6320a0b2eeacb46bf45625913a679df9047e87896bac79a642a237f48370

SHA512
e382b2e7a095d412320fa259b8b2ab79f3265959c045c96583e7beae4b3159ec24979a49d1c03592846a1303845604dfdd3a90e982685e388ee2774a3e73b318

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6AXLYU2E\cookie_info_card_image_1[1].png

Filesize
21KB

MD5
3669e98b2ae9734d101d572190d0c90d

SHA1
5e36898bebc6b11d8e985173fd8b401dc1820852

SHA256
7061caa61b21e5e5c1419ae0dc8299142ba89c8169a2bd968b6de34a564f888a

SHA512
0c5f0190b0df4939c2555ec7053a24f5dae388a0936140d68ed720a70542b40aaf65c882f43eb1878704bea3bd18934de4b1aac57a92f89bbb4c67a51b983ae3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6AXLYU2E\cookie_info_card_image_3[1].png

Filesize
34KB

MD5
b63bcace3731e74f6c45002db72b2683

SHA1
99898168473775a18170adad4d313082da090976

SHA256
ea3a8425dcf06dbc9c9be0ccd2eb6381507dd5ac45e2a685b3a9b1b5d289d085

SHA512
d62d4dddb7ec61ef82d84f93f6303001ba78d16fd727090c9d8326a86ab270f926b338c8164c2721569485663da88b850c3a6452ccb8b3650c6fa5ce1ce0f140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6AXLYU2E\cookie_info_card_image_4[1].png

Filesize
16KB

MD5
9978db669e49523b7adb3af80d561b1b

SHA1
7eb15d01e2afd057188741fad9ea1719bccc01ea

SHA256
4e57f4cf302186300f95c74144cbca9eb756c0a8313ebf32f8aba5c279dd059c

SHA512
04b216bd907c70ee2b96e513f7de56481388b577e6ccd67145a48178a605581fab715096cfb75d1bb336e6ad0060701d2a3680e9f38fe31e1573d5965f1e380a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BP0ZYM9B\cookie_info_popup_image_3[1].png

Filesize
46KB

MD5
621714e5257f6d356c5926b13b8c2018

SHA1
95fbe9dcf1ae01e969d3178e2efd6df377f5f455

SHA256
b6c5da3bf2ae9801a3c1c61328d54f9d3889dcea4049851b4ed4a2ff9ba16800

SHA512
b39ea7c8b6bb14a5a86d121c9afc4e2fc1b46a8f8c8a8ddacfa53996c0c94f39d436479d923bf3da45f04431d93d8b0908c50d586181326f68e7675c530218ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BP0ZYM9B\cookie_info_popup_image_4[1].png

Filesize
37KB

MD5
01ef159c14690afd71c42942a75d5b2d

SHA1
a38b58196f3e8c111065deb17420a06b8ff8e70f

SHA256
118d6f295fd05bc547835ba1c4360250e97677c0419c03928fd611f4f3e3104b

SHA512
12292194bb089f50bb73507d4324ea691cc853a6e7b8d637c231fadb4f465246b97fd3684162467989b1c3c46eabb3595adb0350c6cf41921213620d0cff455b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BP0ZYM9B\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Q9YQXK50\cookie_info_card_image_2[1].png

Filesize
20KB

MD5
c1164ab65ff7e42adb16975e59216b06

SHA1
ac7204effb50d0b350b1e362778460515f113ecc

SHA256
d7928d8f5536d503eb37c541b5ce813941694b71b0eb550250c7e4cbcb1babbb

SHA512
1f84a9d9d51ac92e8fb66b54d103986e5c8a1ca03f52a7d8cdf21b77eb9f466568b33821530e80366ce95900b20816e14a767b73043a0019de4a2f1a4ffd1509

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Q9YQXK50\cookie_info_popup_image_1[1].png

Filesize
49KB

MD5
55abcc758ea44e30cc6bf29a8e961169

SHA1
3b3717aeebb58d07f553c1813635eadb11fda264

SHA256
dada70d2614b10f6666b149d2864fdcf8f944bf748dcf79b2fe6dad73e4ef7b6

SHA512
12e2405f5412c427bee4edd9543f4ea40502eaace30b24fe1ae629895b787ea5a959903a2e32abe341cd8136033a61b802b57fe862efba5f5a1b167176dd2454

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VH9W14NQ\cookie_info_popup_image_2[1].png

Filesize
46KB

MD5
beafc7738da2d4d503d2b7bdb5b5ee9b

SHA1
a4fd5eb4624236bc1a482d1b2e25b0f65e1cc0e0

SHA256
bb77e10b27807cbec9a9f7a4aeefaa41d66a4360ed33e55450aaf7a47f0da4b4

SHA512
a0b7cf6df6e8cc2b11e05099253c07042ac474638cc9e7fb0a6816e70f43e400e356d41bde995dce7ff11da65f75e7dc7a7f8593c6b031a0aa17b7181f51312f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VH9W14NQ\hLRJ1GG_y0J[1].ico

Filesize
4KB

MD5
8cddca427dae9b925e73432f8733e05a

SHA1
1999a6f624a25cfd938eef6492d34fdc4f55dedc

SHA256
89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62

SHA512
20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000094041\2.ps1

Filesize
175B

MD5
55ab68aafe5cfee343ea811d1dff07e7

SHA1
a58acd209cc60c0e2828f4f3cb9376eddfca8792

SHA256
8e1f2f27efc551464f4e34c2e130cd7cb9f065c8687a774d1372884b7457e085

SHA512
2b7484cfa27a861d5097440289d0d0b6a5a0f8937e84bbdaf707b5e089503f1da0edaf32115bde9867d990683d14265df3cab66b281ca31053c57145a07da9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000227001\perlo.exe

Filesize
1.2MB

MD5
f3e008b551321d629c14dc2af73d79f2

SHA1
3bcb9682e6e9c3087a552cfe56df0e51eeb5b944

SHA256
d02d4143e71f4cd4e1244af83f71e403ab501b76d7496ea1b3531c9ed43d4f99

SHA512
329516462b845194cd5f95e3617fb6b5fc5d8dd3969d0a21e7b34b4e21a5ae05fd71e66a4d800dc867edade0f2a18d9a03bee81c03b4e1b2cd005d0e88df90fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000227001\perlo.exe

Filesize
905KB

MD5
2f275121441aa260d714e47a6cb8055f

SHA1
659d6a8ac61710a11fdc82f7fc93cadfb0114526

SHA256
45af5be2010a6c0339bd9fd5f9857f75baa8aa46b60b750271386fac1f04ece9

SHA512
e7df35404d829a1fc231ca382cae2c55f66fb772555618ea11a676163d752cdfca8ec7dec25f4e83de8c61168627bb026a2192cadcf6e98e5f9fe4a3fe6b25de

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000227001\perlo.exe

Filesize
679KB

MD5
4dc9348656651c4c867ac26ac2d555fc

SHA1
b57ff1204acfee82fada5c19531cb1a41371ed93

SHA256
e0affc9b68dcb1f052c295b3ce268b5a4336f59641041b87f841f518c4f66b60

SHA512
32077a6abbc1f5328c5e3c74dff484b77b66a9e28961823d5022b92e466329c913821f1ceab59ac5837ea40522f6387ee7180f1b8cfea1a12bfe4cd3bfb2bfd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000228001\leru.exe

Filesize
704KB

MD5
526fbe3aedb6f1c3fed5df5b84ff17e9

SHA1
a77b79391e0ab77bfeec7ba6bcadbcf390edd745

SHA256
b5d34b224f477c9bc58b718adc1ead42f382ad51cde25e367074f125f7e709f6

SHA512
52ce747ffaf4543004afe02d6b25df47e5f82326faa2dc5f105009cd5b5e55b8355c3cd0d2c1af68ec770a5cc52e2f22cd4795b03cc95859bd5c9c9576921fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000228001\leru.exe

Filesize
259KB

MD5
2422e4dcd3263a7e3fb1e1815f81fe98

SHA1
e20524d608de81b9304bd8e4690b40ab7df410a8

SHA256
24a0c440744fed7bf77ce30d10e7195fb8386caf5b10e1f4f1db9f18d91847f1

SHA512
dc1b1da156fb5ee279b2e8d5fddc5cf30cd9752c343e3bba216a3db37728b7607fb8529af3d07c3069ed2f9596f529a2020c06087001e20f757c656f75cd19b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000228001\leru.exe

Filesize
9KB

MD5
31aaaf09394f96b64b42d33f9cbd9db8

SHA1
f18833e13322e33362124e70736232f0c85ca808

SHA256
aebb43d05404c9d9375debfc07891fcbe490dc3154927348928880734a4adad2

SHA512
6bb7ba29f0201e48be1a986d517181e23e77067c85065a15dcc86f4a42b99ba17b60690a9a1663ee11fe39b93fd75111df66de73df0f912a5a71bacecd0a441e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000229001\crypted.exe

Filesize
102KB

MD5
8b67c40afbd2302793c75dddf424ead2

SHA1
1c5901ef1e971f3edf3df8bba4a6c6fab9797827

SHA256
d3b2344943a07747cf477df2b00456de99c3f694f32cbcc054dcfb5b2037f1f9

SHA512
d92138b2b5fcd07bc4fe09f753cc8126b977ebded076288e7843e1b7aa761af2ee0e1ea8b968d9af2c3a5768c8ab6e677007dd3106ba39090b96916c9c6b67e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000229001\crypted.exe

Filesize
57KB

MD5
95670aa7d6f99f76bf19288617f1afec

SHA1
69d715e69269304e90228809888f040760cf00b1

SHA256
e440fe6514119fe938e571bc9ed728c1ca6e10d51f3980659abeeaf201074b12

SHA512
9c05a1f6b20fab5669e18552343c6bd5e676511cc6305dec0769e3b3f2f8fd1a0a3ce10acc7622775a8c960770d4878f4ab7ef8cc391a8e6261a2b21eae1b825

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000229001\crypted.exe

Filesize
55KB

MD5
0452a032179701e2248469226465e8f3

SHA1
f2a620d71cdf6aa1fb3a89f1922d4f3b9e8265b7

SHA256
bfdbebf1953d36b1602bc70cd1c912f06c1911189855ff59adeb01994a428976

SHA512
7389875d5624f39a9d830ea4ae1494138f03d2929fbe734b9d5870f7c384290802884621dec2998fc70c344cc5f1bdb528d730a98864f04151ebdfffde62c8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000230001\Setup11234.exe

Filesize
128KB

MD5
41ed88662d14cdfdc4230f960ecb794c

SHA1
e823fb04364e3c429d118ec1792a7c0110fc7f1a

SHA256
ff1bf4867e993cc0c9eaac0db0f15a95cf889723e0b6bc8601ac9b8d8269d063

SHA512
770e7f5111cdab0196eebb41e919987538e09d3eec6e39614bc7491bdc87190d235013a1d1e51d8d6dcc202b5593891c7f8c564a695eaaa27cbc7431f2e8f05d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000231001\newrock2.exe

Filesize
145KB

MD5
1333e79c669c826b6d148fd1f3b6dafa

SHA1
a30bc4d211a170283584a6b0aa0092a7b56b04b7

SHA256
c5e7adb0e92292fe0b9c9b72f3ed2af49740ef81a4f395b8cdbb8b80ae5cf365

SHA512
140993f5dec74c18769b0664e96a5405c7dbaf19d307f626f5ea72497efaecbd6f7a693da7222a1f122e3996461df84e4e26d0b9c6b276e99579b0049cde3f96

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000232001\autorun.exe

Filesize
103KB

MD5
e4fbd06d4222a27f575841ba936d1612

SHA1
629f11d1ddea2e81b74930e63167947e8762dfff

SHA256
f96ed72b87fea96f881b77c6804830de3fff57c000f82ec12bac51a5db0abeb4

SHA512
1b92694a18e0677148d0d5206789d0ecc663db4987b0b7d4930e35b5eb7a7ad47ae32e6564e222405a01eb3077a8f32aefde9559cb703247c6704c50f87ff96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000233001\322321.exe

Filesize
38KB

MD5
b9b0fdf271c5dc1bd66f97d0ab768d88

SHA1
6f327a56927b0165f3ec4249533a87fd3e837bb9

SHA256
58e031f1a7c0e0a1c70b3e6f206bdc16f506108bf3056152517706c4e4dd74f1

SHA512
5d1973f349d531296c1a5786305907ea3f7d91dc27a0cea708ca308a5ac1dede918e979b7a0d934e7fb88e61c3ef7393faf60e88c61d6ad49184da48cde2ac48

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000234001\flesh.exe

Filesize
56KB

MD5
64a99a84e367f2c805f2d8b5b19c3c6c

SHA1
65fcd2ce2a4416f13624949bcfb1c3f791d56088

SHA256
fad8259cc13739984490fba262d1871f6366e548fe14fdc764d6c28ab7e16822

SHA512
5db24ca57baf4c6a007d3f748a8240787e4ff47baa5ed957d7a1234ef39f0166bb9aa514510f32428634b6da8a85692613467ff4559bfad10125cd3fa0a33afe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000235001\boxApp.exe

Filesize
934KB

MD5
08b31e1da4428c3c9e2e374f7d7928a9

SHA1
c87046b17d9a07811ad726796e3d995a83dc5cc0

SHA256
3f2302c2382cc9d1e40ca2dd84f05a93d638d3a966b91fe4e99007dc2b07eead

SHA512
fe3bbe30dfcfbd1a4e97c78c09604e26b730e7da7e4245ef8cfab42ddbf4173d8a51c53d2c93d4368533dd6b844907a317067c099db3123148e7ca8caecdda58

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000236001\RRDX.exe

Filesize
300KB

MD5
93fbecdc07883afe612fb3e63e3d0a78

SHA1
47211fbb7feb2bcf90b39146cf4997455832dc5d

SHA256
d796ffc19f9268d4b060464f55a284f8c53781a1bea8e067f3814f09731b6a41

SHA512
35942a4b2c2167b92509c4a0287be3f9ea3ded33808c15110b68184efb42d9d267a73c676c8fc567cf71f68ac717164eadcc136f07aecdd2597967c6d40eb064

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000237001\support.exe

Filesize
1.6MB

MD5
f239e95ba1eabaee4a0d4033ab403f19

SHA1
5941587d42aa21eef64beb715cbb911b856708c7

SHA256
3149ab09f8cbd542f83d6047b748fb56326ba09a9d5922538e328ddcc228e7b0

SHA512
6a20986ac044bf6a9d085cf6d3097f76167caadcb2b2ca8a8770dc4980e9b36d4eb463894161dd391db05a3a899d9dd376a5592805efa456c539eb96b97f11a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000239001\2024.exe

Filesize
300KB

MD5
2c470494b6dc68b2346e42542d80a0fd

SHA1
87ce1483571bf04d67be4c8cb12fb7dfef4ba299

SHA256
1ca8f444f95c2cd9817ce6ab789513e55629c0e0ac0d2b7b552d402517e7cfe9

SHA512
c07332228810928b01aba94119e0f93339c08e55ad656d2eaff5c7647e42bbf5ab529232163fb1bbd14af3331a49d0fb537cfb5eb83565f674155e53d4ae41b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
106KB

MD5
1054ec05d4616fa06fe6bfc77c9241db

SHA1
86ebd2790b38f87a0af2c5e38a3ed1bbd7da0ee1

SHA256
ab566b0dfbdcb8605f9f1f2bcdf37658ff88005d5db13f105089c7bf78ec81bd

SHA512
61f06eb094c611fd803adcb7eacdc91150ce31752e5015a9ece4e0b1e3007bd271527d43506fde1a1ba9b2d690077d6e9dca47d4f83146d070e5d2c79a02e89a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\9282\Ground.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\9282\Q

Filesize
1.3MB

MD5
a1dc40d6b8208cf18d6a5925b53804a1

SHA1
71dba246e9951aad0ef8a927101d5094157e432b

SHA256
656295f9f968e1c5bb18ea47e3584eee80a45f046b990962280ae385499e972a

SHA512
b2e04f00e72a180a52ba8634e7cbee73feaba8ffca97bb46fcf7485ec22da4dd79d0fed2f68c2e5cc72a45e56141fc45d32d1b9b1e07b30d18eb009911dd3b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bathrooms

Filesize
13KB

MD5
06f64f2a25edd9c8d0262dde166a1d42

SHA1
7e8b485ca8b2edd83971ab1a6ec18d949084a221

SHA256
c425c0f20f34352fdfdb58bcc171816545054699441aab55fb6a52ed4414af20

SHA512
4909ff9af190252972d40d1cbc7def9cfb15c109895ba4d8985dca65573a029cb792b95a1b43b604a114c9b2db286643f83e7c4192850d77b33d72a363b67a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Compound

Filesize
256KB

MD5
40573224ccacb0aa66b031a46a38b3a6

SHA1
b4801575615f1576941896edaa81b84b7b8124a9

SHA256
f6bb00459a40530999a6b031550fa3981f2c8b7223193f523cb97b54a8d23339

SHA512
fe60b13e9070e364007241acf94546ce02d383c33e124cb0b9c2a14faa930956a92c0cac1117848cd6e8b0976eaf3cb3da88c6cd0a1b1262964ff64aec884a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Emperor

Filesize
265KB

MD5
991e1a0ee926380463e21fa7a14f0336

SHA1
39fefb15b780fb2eb413714b6f92bb6a092f84f0

SHA256
c7558fcde8989b8f2c4331b397f3831955b71fdd018a32d8b29e6c7ac0a92ec5

SHA512
d8f12854eaf3c361ff7d785fc8b1488075a19e9ea8fb9cabc3b74f7e756fac6b4ce1152d44e538c16122efd329fa19395f2c838f84d01bf232932e3591726967

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Injection

Filesize
109KB

MD5
64d016dba22c1697278a80e3dd576674

SHA1
fbc6dc1f40f80596fcf8970b049376a06c979919

SHA256
aabc0c269a6a2968693918ecaebbf81977f15b18df457d1986b0d455db57e9c2

SHA512
d4ec577f427bf798d3f6408a4b52b54637563d9984a5ca0c032803f9ebf2f277b5fd7b50b3f1714cf20c8232ae02db515eafa36133f6caecc6fb7b60834eb46d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Participants

Filesize
108KB

MD5
08eefcff298044d71a6eccb2c955aa08

SHA1
232740869bff9e4f393b74f59bddf2b6246ee1cf

SHA256
44b5a2cecff2b34e81fdd1d084ed1db8a99fcce0f6d0aaf9ed06d422c859345e

SHA512
aa50d379bf792d537a6155a20ae0a636bb6ab695174ad1a46caf7da83efb6452aaabcce7d852aa4ef41187727dfc365311b3c69294c7934ddb83951519ff1780

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Represented

Filesize
405KB

MD5
3654dbe39ba2acb69b34fe5eddcd2126

SHA1
68fff66551d976c6ad51de364882db237e840594

SHA256
46692865d6fb2effbd46fe22f9a6639e36c55179d29d6538b9dff06202d783e1

SHA512
09c90dbc170c4bded9af2b555a5ac20d73c66fefa167a60992b0b25dedeb137813abcfe8221a6e413de442af07691bd853431f3a7cff7bd05a02844976445d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Richmond

Filesize
83KB

MD5
42c2fa801d3bebb90a2385128440876a

SHA1
58a6c2983762f51cceeff6825d924f6791d59935

SHA256
329380e1c6dec8cdfb58c7023f445d459308048e018042c873073edc6fbde3ed

SHA512
d6dd37f32a8ece5952a3030f3230cc8f684fa116d12ccb153aafae84fa511eabfa4f71e0ad32c4b6f1fa1473f3fc2cb7bb799c3b1c6f615cfe658ac6c71d024e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Shemale

Filesize
483KB

MD5
e80765c02b30794c1480dbdbdad24c61

SHA1
292152a1a0b26c6c6cd1ddee1103e3d209326741

SHA256
bdfe7e54bd2109f70cde6b01af6fc249bad650283cd172e14da0f39047ca41dc

SHA512
0053a66dbcc955810d17cc9714d9d3a74373276384853317c2dd8fd01217dce41203863b86a29f3f24e2a477e664a4d3f062361f72794f73dfdb2cf6800a428b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Switching

Filesize
433KB

MD5
ae8223c522ab1eeba31ef25639029104

SHA1
1a9f92f14a99bfcb48ffd2caaeda27f17cc507e6

SHA256
0fcd261d91351f1306f7a6bc906a56009444507ec9e30ab98544815df022d02c

SHA512
ec82de7626baeef12614346d8b42f5384b64cff0b268c2e3feb110bfa57ae533360ed5bcf75dbada221ba2a702a4422636078f9fc747b012974a543b1148968f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Worm

Filesize
103KB

MD5
5a46d241bef48b68a037ded410047a5e

SHA1
253a1c7acfc7df67e48e01375931512b65c425ea

SHA256
a70a987c9f1116dab03c590857c27f4678f1f71a3c237ee08fad501e995dbd0e

SHA512
5b88b0260de3759772fa5d354a5bf34b9d7a16129cbf52501dd8076ae50576aed20aef945d7bf84f180b6b89c07f025d17d57d93b36424aa64edb7ca2f525a4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

Filesize
13KB

MD5
be78407a417816143c853c0935927c2b

SHA1
a2177cf846f622534a660948624f0b2f6dfbb740

SHA256
b298abd440d7a4db0f536ae36ee743ad895ac379f8eeca8b39ce0d86cb5775aa

SHA512
9ec38a5f0d5bdf2a885c5f16f2afc7a1db9b752dc54aa0e964fdf0779ad8439d20053bb51a7faaa3222a74b560f480bd34840e2888e3c9036feb935a291ce6dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Um7OF20.exe

Filesize
256KB

MD5
50a1c3c2a5f74ff50251f1f6ce66ca8b

SHA1
8b0a5d95a6b63bbdf6dba83e0a55aefae1c5af89

SHA256
e8a354e57d633900c5b4896eace18ed1dcfc961b65789eba3dd42c2c564886fb

SHA512
0e2d297f0750741dc39cca5d53d2113f3ab6f20f04015e01fae7f08b5254b4904255b7cb39a318c079513f99699fbd8de01dd35b276638088e57ad25b4fabe28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Um7OF20.exe

Filesize
320KB

MD5
d9697baa672eede485086dfcaa4b0a79

SHA1
81c141afd788ec4d0b136b4c467a46ba77ee6fdf

SHA256
630e72dc3c63225d9ae40afa906bd17f0053d6ed6d41a9d6669b70f7109d4ba9

SHA512
769d731a274e166754c9ab1617fb2bd4e84ecf957da7933d21fb4564853d7750aa61640bf0bad5cc1dd0b97d68995dc60624d75d3dc99d0b6e3950d553804f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qv3ac95.exe

Filesize
1.2MB

MD5
d73f0d0edfa3ccc7accc2246cd349947

SHA1
a1f1bde240e83628290f64af3ba0217df95e49d7

SHA256
ae08fcd902c712178f6667a29b512d0e456b22d409dc42877551ae2a54205ea5

SHA512
0b32b405da059251d4573a64abf33ceef6a3728346a94fcde6f4b755d2bc2ad4c3886f84b1a16f63434d5c68d5b281b50aad7446e09ae3c62ce34ddab60521e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qv3ac95.exe

Filesize
1.2MB

MD5
ec482eaaa312d903bbc23a89b532083d

SHA1
d53239af8d4b4e4b27eeab26a7ff12becbd7440a

SHA256
e1734d8bd9050089dec99d2574b2ec47c91fac26a7e211fc20115a5f45863705

SHA512
daf4697816ac0c31b036b39a6bc32b5c2f71a69a85fe353af40f4776b62935aceefa61a15c01c605e6f1f44fe3830b7907fe05d895e713996e97d4e3cfe30a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1hs68Hq1.exe

Filesize
260KB

MD5
bd31e6b07e78a9a41d79177eedbbea92

SHA1
c2ee0cb95418f5705d75d5b53a8ab06918228db1

SHA256
d497cc6fe51365fb4b90941aafd00358eaa799a94d9c6cf51ac3020d2f70d5cc

SHA512
23bfa9faa7131a871e382abc7c3f26dba89b35abb42b7e076adc03fb13f38a5399cfc05a9b4652d32fd6048d66dd30c1decfa0818c61bfe98db50454ef0d215b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1hs68Hq1.exe

Filesize
426KB

MD5
44fc01227f519fdc0af53851ea987f71

SHA1
756b336ba0ca64f693b1fa597edce2f1ae497627

SHA256
b3c7ebd3d6bf845a71db24bab1700f504feb0e9015d87a0bd98c4aa23d5cf8b2

SHA512
86b7fc12639c20f87ad95690b0f99b2f1aecb27cab9a0cb70ce18465cf379c4cb58ff5edbedf09d6686dd3cac57869494a11aa24a060ba08235281151728d2b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2OP8223.exe

Filesize
1.2MB

MD5
ccf135420c402d0af406cec69dfb5a7b

SHA1
284dfe66966f81891462bf6d775638c13f705deb

SHA256
ea58c0f92710e282e606ea0ffdc25ebc8960594fcaf7a121a04746de37aedce4

SHA512
077c278b25c7256e9ccf06592036cd3470106d1221db5d9f9db4eddfe2e169dd1ae245dbdc368323772967f4f4afa84667870d8015c5a924b5cc17ff6ca435c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

Filesize
64KB

MD5
faa96fe702350084f85d52198afdd1e6

SHA1
299b2324a4b17f98ad8d0182cd2bf13bad70e817

SHA256
80241932b99c0a6ec337fc65afd781100668f161e8da15c0f56e8735b963141c

SHA512
cb4155a133d2b54ed21587f922c1d27d45230649aa88a9acac72c17436dd2c5465c99f1c3ae8e581028b61e37ed227ef38a452f3f62bad4bebcc25f032892738

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0lx3wwws.lzr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

Filesize
426KB

MD5
9a0b7ee713610b8395c8f0580a3b1e3d

SHA1
e44a9e7ec6fe06ae6ba1b9518db78e95ad451942

SHA256
6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357

SHA512
0f7acbc99ef4b91eba1db5b50a352f29432da25bbd3c4364947dad3d1ce2ccc3b9f95f75e66a22cd11d7fcd8bfcc6903ba646b2e8543767bce4b6b786736f8fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\jobA46FNApAqMj8lm\9dgc7kzZB0a8Web Data

Filesize
92KB

MD5
46a9527bd64f05259f5763e2f9a8dca1

SHA1
0bb3166e583e6490af82ca99c73cc977f62a957b

SHA256
f226fe907da2a1c71bff39823b1cb5063431c7e756ca79e6e86973f1b7c46742

SHA512
f49e5b0f584765fc93cc6d972553b7acfc618a950022ad9d1b05bc3185dd685d9fe8ea3d6376c6b257fda49f9db52e73770b3ef0612943c96c818c5d0e0f5241

Download Submit
C:\Users\Admin\AppData\Local\Temp\jobA46FNApAqMj8lm\gNYfztG9eFqwWeb Data

Filesize
116KB

MD5
f660f3d4e18522043287404937a31951

SHA1
5cba58eebb9c18fd7d74304ce67bd71d2cb4c9c8

SHA256
6e84a85fa7abc597bf483edadb6e25219bb17a318f367224df7f409ded757fc8

SHA512
7ab6ebb223e4ba3f86814beb910d1f1afd63a6a3abfbae28ea54da2f06cb024f3ac9c0e192ba00f66f309cd4906f5872f0b5e26cb2394d52ec037732f9bd5694

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm561B.tmp\INetC.dll

Filesize
1KB

MD5
c7ae096c02849c7eeb07623b18de8a59

SHA1
9f57c75aa9f96121413a793d356d876a09f564ca

SHA256
711ce1b5b08d30470c7cb844d2dd9345ffb6c2add9392f56a86e8c515ba89ed0

SHA512
2a070a13ed45b3cc289f8174eb313d244daf10c1ae36c837f305b450bf2f1b839850eed70f672bb94c75117fe232341b01a868824e42d4d01ddd754fa9b5670c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe

Filesize
106KB

MD5
cf98b959d1255fcb53ac0730daf8f4af

SHA1
7d65e992bf68d5fc30df2a20bc1a2216938aaa81

SHA256
0cf65e890eeea10192eddfc21af4e335abead4313b86eac2f27a931760f73a75

SHA512
5884f5ea32f4c98e2c50a52923d1725ffaf473d89dd79db2508c5976918b9fa6cb6795a2309842dc79600b3243c2da193effe9df0000314c963f25918a597d31

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
102KB

MD5
85af6c99d918757171d2d280e5ac61ef

SHA1
ba1426d0ecf89825f690adad0a9f3c8c528ed48e

SHA256
150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e

SHA512
12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1396-522-0x0000000000920000-0x0000000000E36000-memory.dmp

Filesize
5.1MB

Download
memory/1396-523-0x0000000001460000-0x0000000001461000-memory.dmp

Filesize
4KB

Download
memory/1396-618-0x0000000000920000-0x0000000000E36000-memory.dmp

Filesize
5.1MB

Download
memory/1984-724-0x0000000006310000-0x000000000635C000-memory.dmp

Filesize
304KB

Download
memory/1984-692-0x00000000053A0000-0x0000000005432000-memory.dmp

Filesize
584KB

Download
memory/1984-1209-0x0000000005390000-0x00000000053A0000-memory.dmp

Filesize
64KB

Download
memory/1984-1204-0x0000000070740000-0x0000000070EF0000-memory.dmp

Filesize
7.7MB

Download
memory/1984-684-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1984-696-0x0000000005560000-0x000000000556A000-memory.dmp

Filesize
40KB

Download
memory/1984-693-0x0000000005390000-0x00000000053A0000-memory.dmp

Filesize
64KB

Download
memory/1984-710-0x0000000008120000-0x000000000822A000-memory.dmp

Filesize
1.0MB

Download
memory/1984-1031-0x00000000095A0000-0x0000000009ACC000-memory.dmp

Filesize
5.2MB

Download
memory/1984-1026-0x0000000008EA0000-0x0000000009062000-memory.dmp

Filesize
1.8MB

Download
memory/1984-718-0x0000000008290000-0x00000000082CC000-memory.dmp

Filesize
240KB

Download
memory/1984-713-0x0000000008230000-0x0000000008242000-memory.dmp

Filesize
72KB

Download
memory/1984-708-0x0000000006770000-0x0000000006D88000-memory.dmp

Filesize
6.1MB

Download
memory/1984-686-0x0000000070740000-0x0000000070EF0000-memory.dmp

Filesize
7.7MB

Download
memory/4840-682-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4840-681-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/4840-685-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/4840-690-0x0000000070740000-0x0000000070EF0000-memory.dmp

Filesize
7.7MB

Download
memory/4840-683-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/4840-680-0x0000000070740000-0x0000000070EF0000-memory.dmp

Filesize
7.7MB

Download
memory/4840-679-0x00000000005B0000-0x0000000000622000-memory.dmp

Filesize
456KB

Download
memory/4896-652-0x00000000072C0000-0x00000000072D4000-memory.dmp

Filesize
80KB

Download
memory/4896-489-0x0000000005D10000-0x0000000005D2E000-memory.dmp

Filesize
120KB

Download
memory/4896-573-0x0000000007330000-0x00000000078D4000-memory.dmp

Filesize
5.6MB

Download
memory/4896-475-0x0000000004DA0000-0x00000000053C8000-memory.dmp

Filesize
6.2MB

Download
memory/4896-552-0x0000000006250000-0x000000000626A000-memory.dmp

Filesize
104KB

Download
memory/4896-473-0x0000000004730000-0x0000000004766000-memory.dmp

Filesize
216KB

Download
memory/4896-474-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

Filesize
64KB

Download
memory/4896-592-0x000000007FBD0000-0x000000007FBE0000-memory.dmp

Filesize
64KB

Download
memory/4896-593-0x0000000007080000-0x00000000070B2000-memory.dmp

Filesize
200KB

Download
memory/4896-551-0x0000000006CE0000-0x0000000006D76000-memory.dmp

Filesize
600KB

Download
memory/4896-594-0x000000006F980000-0x000000006F9CC000-memory.dmp

Filesize
304KB

Download
memory/4896-476-0x0000000004D40000-0x0000000004D62000-memory.dmp

Filesize
136KB

Download
memory/4896-604-0x0000000007040000-0x000000000705E000-memory.dmp

Filesize
120KB

Download
memory/4896-472-0x0000000072DA0000-0x0000000073550000-memory.dmp

Filesize
7.7MB

Download
memory/4896-609-0x00000000070C0000-0x0000000007163000-memory.dmp

Filesize
652KB

Download
memory/4896-477-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/4896-524-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

Filesize
64KB

Download
memory/4896-658-0x0000000072DA0000-0x0000000073550000-memory.dmp

Filesize
7.7MB

Download
memory/4896-654-0x00000000072F0000-0x00000000072F8000-memory.dmp

Filesize
32KB

Download
memory/4896-617-0x0000000007F60000-0x00000000085DA000-memory.dmp

Filesize
6.5MB

Download
memory/4896-619-0x0000000072DA0000-0x0000000073550000-memory.dmp

Filesize
7.7MB

Download
memory/4896-620-0x0000000006D90000-0x0000000006D9A000-memory.dmp

Filesize
40KB

Download
memory/4896-650-0x0000000006DA0000-0x0000000006DB1000-memory.dmp

Filesize
68KB

Download
memory/4896-651-0x00000000072B0000-0x00000000072BE000-memory.dmp

Filesize
56KB

Download
memory/4896-490-0x0000000005D40000-0x0000000005D8C000-memory.dmp

Filesize
304KB

Download
memory/4896-562-0x00000000062A0000-0x00000000062C2000-memory.dmp

Filesize
136KB

Download
memory/4896-653-0x0000000007300000-0x000000000731A000-memory.dmp

Filesize
104KB

Download
memory/4896-483-0x00000000056B0000-0x0000000005716000-memory.dmp

Filesize
408KB

Download
memory/4896-488-0x0000000005980000-0x0000000005CD4000-memory.dmp

Filesize
3.3MB

Download
memory/6520-1199-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/6632-1190-0x0000000070740000-0x0000000070EF0000-memory.dmp

Filesize
7.7MB

Download
memory/6632-1091-0x0000000070740000-0x0000000070EF0000-memory.dmp

Filesize
7.7MB

Download
memory/6632-1087-0x0000000000910000-0x0000000000FC8000-memory.dmp

Filesize
6.7MB

Download
memory/6844-1192-0x00007FF73D780000-0x00007FF73D7EF000-memory.dmp

Filesize
444KB

Download
memory/6872-961-0x0000020223C60000-0x0000020223D8D000-memory.dmp

Filesize
1.2MB

Download
memory/6872-985-0x0000020223C60000-0x0000020223D8D000-memory.dmp

Filesize
1.2MB

Download
memory/6872-941-0x0000020209160000-0x00000202093C0000-memory.dmp

Filesize
2.4MB

Download
memory/6872-942-0x000002020B1C0000-0x000002020B2FA000-memory.dmp

Filesize
1.2MB

Download
memory/6872-953-0x00007FFC412F0000-0x00007FFC41DB1000-memory.dmp

Filesize
10.8MB

Download
memory/6872-1009-0x0000020223C60000-0x0000020223D8D000-memory.dmp

Filesize
1.2MB

Download
memory/6872-1013-0x0000020223C60000-0x0000020223D8D000-memory.dmp

Filesize
1.2MB

Download
memory/6872-1011-0x0000020223C60000-0x0000020223D8D000-memory.dmp

Filesize
1.2MB

Download
memory/6872-1007-0x0000020223C60000-0x0000020223D8D000-memory.dmp

Filesize
1.2MB

Download
memory/6872-1005-0x0000020223C60000-0x0000020223D8D000-memory.dmp

Filesize
1.2MB

Download
memory/6872-1003-0x0000020223C60000-0x0000020223D8D000-memory.dmp

Filesize
1.2MB

Download
memory/6872-1001-0x0000020223C60000-0x0000020223D8D000-memory.dmp

Filesize
1.2MB

Download
memory/6872-999-0x0000020223C60000-0x0000020223D8D000-memory.dmp

Filesize
1.2MB

Download
memory/6872-997-0x0000020223C60000-0x0000020223D8D000-memory.dmp

Filesize
1.2MB

Download
memory/6872-995-0x0000020223C60000-0x0000020223D8D000-memory.dmp

Filesize
1.2MB

Download
memory/6872-993-0x0000020223C60000-0x0000020223D8D000-memory.dmp

Filesize
1.2MB

Download
memory/6872-991-0x0000020223C60000-0x0000020223D8D000-memory.dmp

Filesize
1.2MB

Download
memory/6872-989-0x0000020223C60000-0x0000020223D8D000-memory.dmp

Filesize
1.2MB

Download
memory/6872-987-0x0000020223C60000-0x0000020223D8D000-memory.dmp

Filesize
1.2MB

Download
memory/6872-954-0x000002020B330000-0x000002020B340000-memory.dmp

Filesize
64KB

Download
memory/6872-967-0x0000020223C60000-0x0000020223D8D000-memory.dmp

Filesize
1.2MB

Download
memory/6872-983-0x0000020223C60000-0x0000020223D8D000-memory.dmp

Filesize
1.2MB

Download
memory/6872-981-0x0000020223C60000-0x0000020223D8D000-memory.dmp

Filesize
1.2MB

Download
memory/6872-979-0x0000020223C60000-0x0000020223D8D000-memory.dmp

Filesize
1.2MB

Download
memory/6872-977-0x0000020223C60000-0x0000020223D8D000-memory.dmp

Filesize
1.2MB

Download
memory/6872-975-0x0000020223C60000-0x0000020223D8D000-memory.dmp

Filesize
1.2MB

Download
memory/6872-973-0x0000020223C60000-0x0000020223D8D000-memory.dmp

Filesize
1.2MB

Download
memory/6872-971-0x0000020223C60000-0x0000020223D8D000-memory.dmp

Filesize
1.2MB

Download
memory/6872-969-0x0000020223C60000-0x0000020223D8D000-memory.dmp

Filesize
1.2MB

Download
memory/6872-956-0x0000020223C60000-0x0000020223D8D000-memory.dmp

Filesize
1.2MB

Download
memory/6872-965-0x0000020223C60000-0x0000020223D8D000-memory.dmp

Filesize
1.2MB

Download
memory/6872-963-0x0000020223C60000-0x0000020223D8D000-memory.dmp

Filesize
1.2MB

Download
memory/6872-959-0x0000020223C60000-0x0000020223D8D000-memory.dmp

Filesize
1.2MB

Download
memory/6872-957-0x0000020223C60000-0x0000020223D8D000-memory.dmp

Filesize
1.2MB

Download
memory/6872-955-0x0000020223C60000-0x0000020223D92000-memory.dmp

Filesize
1.2MB

Download
memory/6872-952-0x0000020223B20000-0x0000020223C58000-memory.dmp

Filesize
1.2MB

Download
memory/7072-1212-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/7072-1194-0x0000000000E80000-0x0000000000EF2000-memory.dmp

Filesize
456KB

Download
memory/7072-1197-0x0000000070740000-0x0000000070EF0000-memory.dmp

Filesize
7.7MB

Download
memory/7072-1206-0x0000000005730000-0x0000000005740000-memory.dmp

Filesize
64KB

Download