growtopia | hxxps://www[.]mediafire[.]com/file/fv9veoyx2lf2x66/GX_Image_Logger[.]zip/file

Analysis

max time kernel
654s
max time network
654s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2024 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/fv9veoyx2lf2x66/GX_Image_Logger.zip/file

Score

10^/10

growtopia zgrat evasion persistence pyinstaller rat stealer

Malware Config

Extracted

Family

growtopia

https://discord.com/api/webhooks/1199763266872803338/8vedcXoMcyExhe1xhBm5f8ncmafWmOB3pkulE0l8g9Pel0t3ziyr2V51cLTVEjYsE4Rj

Signatures

Detect ZGRat V1 26 IoCs

Processes:

resource	yara_rule
behavioral2/memory/6884-482-0x0000000005140000-0x00000000051A5000-memory.dmp	family_zgrat_v1
behavioral2/memory/6884-484-0x0000000005140000-0x00000000051A5000-memory.dmp	family_zgrat_v1
behavioral2/memory/6884-480-0x0000000005140000-0x00000000051AC000-memory.dmp	family_zgrat_v1
behavioral2/memory/6884-486-0x0000000005140000-0x00000000051A5000-memory.dmp	family_zgrat_v1
behavioral2/memory/6884-509-0x0000000005140000-0x00000000051A5000-memory.dmp	family_zgrat_v1
behavioral2/memory/6884-490-0x0000000005140000-0x00000000051A5000-memory.dmp	family_zgrat_v1
behavioral2/memory/6884-524-0x0000000005140000-0x00000000051A5000-memory.dmp	family_zgrat_v1
behavioral2/memory/6884-534-0x0000000005140000-0x00000000051A5000-memory.dmp	family_zgrat_v1
behavioral2/memory/6884-538-0x0000000005140000-0x00000000051A5000-memory.dmp	family_zgrat_v1
behavioral2/memory/6884-549-0x0000000005140000-0x00000000051A5000-memory.dmp	family_zgrat_v1
behavioral2/memory/6884-551-0x0000000005140000-0x00000000051A5000-memory.dmp	family_zgrat_v1
behavioral2/memory/6884-555-0x0000000005140000-0x00000000051A5000-memory.dmp	family_zgrat_v1
behavioral2/memory/6884-561-0x0000000005140000-0x00000000051A5000-memory.dmp	family_zgrat_v1
behavioral2/memory/6884-565-0x0000000005140000-0x00000000051A5000-memory.dmp	family_zgrat_v1
behavioral2/memory/6884-567-0x0000000005140000-0x00000000051A5000-memory.dmp	family_zgrat_v1
behavioral2/memory/6884-513-0x0000000005140000-0x00000000051A5000-memory.dmp	family_zgrat_v1
behavioral2/memory/6884-569-0x0000000005140000-0x00000000051A5000-memory.dmp	family_zgrat_v1
behavioral2/memory/6884-571-0x0000000005140000-0x00000000051A5000-memory.dmp	family_zgrat_v1
behavioral2/memory/6884-573-0x0000000005140000-0x00000000051A5000-memory.dmp	family_zgrat_v1
behavioral2/memory/6884-575-0x0000000005140000-0x00000000051A5000-memory.dmp	family_zgrat_v1
behavioral2/memory/6884-577-0x0000000005140000-0x00000000051A5000-memory.dmp	family_zgrat_v1
behavioral2/memory/6884-579-0x0000000005140000-0x00000000051A5000-memory.dmp	family_zgrat_v1
behavioral2/memory/6884-581-0x0000000005140000-0x00000000051A5000-memory.dmp	family_zgrat_v1
behavioral2/memory/6884-583-0x0000000005140000-0x00000000051A5000-memory.dmp	family_zgrat_v1
behavioral2/memory/6884-587-0x0000000005140000-0x00000000051A5000-memory.dmp	family_zgrat_v1
behavioral2/memory/6884-589-0x0000000005140000-0x00000000051A5000-memory.dmp	family_zgrat_v1

Growtopia
Growtopa is an opensource modular stealer written in C#.
stealer growtopia
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WinErrorMgr.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	WinErrorMgr.exe

Executes dropped EXE 15 IoCs

Processes:

Ilkdt.exeWinHostMgr.exeWinErrorMgr.exeSahyui1337.exeKeyGeneratorTOP.exeWinErrorMgr.exeKeyGeneratorTOP.exebauwrdgwodhv.exeIlkdt.exeWinHostMgr.exeWinErrorMgr.exeSahyui1337.exeKeyGeneratorTOP.exeKeyGeneratorTOP.exebauwrdgwodhv.exe

pid	Process
6884	Ilkdt.exe
6852	WinHostMgr.exe
2848	WinErrorMgr.exe
5116	Sahyui1337.exe
7236	KeyGeneratorTOP.exe
4632	WinErrorMgr.exe
7464	KeyGeneratorTOP.exe
4856	bauwrdgwodhv.exe
6764	Ilkdt.exe
2352	WinHostMgr.exe
4884	WinErrorMgr.exe
5560	Sahyui1337.exe
5536	KeyGeneratorTOP.exe
6816	KeyGeneratorTOP.exe
5148	bauwrdgwodhv.exe

Loads dropped DLL 8 IoCs

Processes:

KeyGeneratorTOP.exeKeyGeneratorTOP.exe

pid	Process
7464	KeyGeneratorTOP.exe
7464	KeyGeneratorTOP.exe
7464	KeyGeneratorTOP.exe
7464	KeyGeneratorTOP.exe
6816	KeyGeneratorTOP.exe
6816	KeyGeneratorTOP.exe
6816	KeyGeneratorTOP.exe
6816	KeyGeneratorTOP.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

Processes:

flow	ioc
606	pastebin.com
607	pastebin.com
968	discord.com
969	discord.com
567	discord.com
568	discord.com

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
1058	api.ipify.org
1077	api.ipify.org
739	api.ipify.org
741	api.ipify.org
1044	api.ipify.org

Drops file in System32 directory 18 IoCs

Processes:

powershell.exebauwrdgwodhv.exesvchost.exebauwrdgwodhv.exepowershell.exeWinHostMgr.exeWinHostMgr.exe

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	bauwrdgwodhv.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\MRT.exe	bauwrdgwodhv.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\MRT.exe	WinHostMgr.exe
File opened for modification	C:\Windows\system32\MRT.exe	WinHostMgr.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

bauwrdgwodhv.exe

description	pid	Process	procid_target
PID 4856 set thread context of 7136	4856	bauwrdgwodhv.exe	223
PID 4856 set thread context of 6472	4856	bauwrdgwodhv.exe	227

Launches sc.exe 26 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
4448	sc.exe
6052	sc.exe
4780	sc.exe
1992	sc.exe
4628	sc.exe
3836	sc.exe
4924	sc.exe
8012	sc.exe
6788	sc.exe
7632	sc.exe
7576	sc.exe
5084	sc.exe
6980	sc.exe
3976	sc.exe
7340	sc.exe
7288	sc.exe
5004	sc.exe
7720	sc.exe
2884	sc.exe
7088	sc.exe
8184	sc.exe
7584	sc.exe
7632	sc.exe
4200	sc.exe
2976	sc.exe
5428	sc.exe

Detects Pyinstaller 3 IoCs

pyinstaller

Processes:

resource	yara_rule
behavioral2/files/0x0003000000000745-475.dat	pyinstaller
behavioral2/files/0x0003000000000745-522.dat	pyinstaller
behavioral2/files/0x0003000000000745-479.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
8096	schtasks.exe
2440	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exeexplorer.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe

Modifies registry class 6 IoCs

Processes:

msedge.exemspaint.exemspaint.exeOpenWith.exemsedge.exemspaint.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3791175113-1062217823-1177695025-1000\{4389221B-4F69-4142-AD89-625E94713D25}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	mspaint.exe

NTFS ADS 2 IoCs

Processes:

msedge.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 790597.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir7268_1302163286\script.js\:SmartScreen:$DATA	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
624	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemspaint.exemspaint.exeSahyui1337.exepowershell.exeWinHostMgr.exepowershell.exebauwrdgwodhv.exepowershell.exeexplorer.exemsedge.exe

pid	Process
4744	msedge.exe
4744	msedge.exe
4868	msedge.exe
4868	msedge.exe
7124	msedge.exe
7124	msedge.exe
6272	identity_helper.exe
6272	identity_helper.exe
6184	mspaint.exe
6184	mspaint.exe
7696	mspaint.exe
7696	mspaint.exe
5116	Sahyui1337.exe
5116	Sahyui1337.exe
5116	Sahyui1337.exe
2792	powershell.exe
2792	powershell.exe
2792	powershell.exe
6852	WinHostMgr.exe
7756	powershell.exe
7756	powershell.exe
7756	powershell.exe
6852	WinHostMgr.exe
6852	WinHostMgr.exe
6852	WinHostMgr.exe
6852	WinHostMgr.exe
6852	WinHostMgr.exe
6852	WinHostMgr.exe
6852	WinHostMgr.exe
6852	WinHostMgr.exe
6852	WinHostMgr.exe
6852	WinHostMgr.exe
6852	WinHostMgr.exe
6852	WinHostMgr.exe
6852	WinHostMgr.exe
6852	WinHostMgr.exe
4856	bauwrdgwodhv.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4856	bauwrdgwodhv.exe
4856	bauwrdgwodhv.exe
4856	bauwrdgwodhv.exe
4856	bauwrdgwodhv.exe
4856	bauwrdgwodhv.exe
4856	bauwrdgwodhv.exe
4856	bauwrdgwodhv.exe
4856	bauwrdgwodhv.exe
4856	bauwrdgwodhv.exe
4856	bauwrdgwodhv.exe
4856	bauwrdgwodhv.exe
4856	bauwrdgwodhv.exe
6472	explorer.exe
6472	explorer.exe
6472	explorer.exe
6472	explorer.exe
6472	explorer.exe
6472	explorer.exe
6472	explorer.exe
6472	explorer.exe
6472	explorer.exe
6472	explorer.exe
1152	msedge.exe
1152	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

Processes:

msedge.exemsedge.exe

pid	Process
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

Sahyui1337.exeIlkdt.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeexplorer.exeIlkdt.exepowershell.exeSahyui1337.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	Process
Token: SeDebugPrivilege	5116	Sahyui1337.exe
Token: SeDebugPrivilege	6884	Ilkdt.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	7756	powershell.exe
Token: SeShutdownPrivilege	6300	powercfg.exe
Token: SeCreatePagefilePrivilege	6300	powercfg.exe
Token: SeShutdownPrivilege	8116	powercfg.exe
Token: SeCreatePagefilePrivilege	8116	powercfg.exe
Token: SeShutdownPrivilege	7932	powercfg.exe
Token: SeCreatePagefilePrivilege	7932	powercfg.exe
Token: SeShutdownPrivilege	7864	powercfg.exe
Token: SeCreatePagefilePrivilege	7864	powercfg.exe
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeShutdownPrivilege	7108	powercfg.exe
Token: SeCreatePagefilePrivilege	7108	powercfg.exe
Token: SeShutdownPrivilege	4468	powercfg.exe
Token: SeCreatePagefilePrivilege	4468	powercfg.exe
Token: SeShutdownPrivilege	4640	powercfg.exe
Token: SeCreatePagefilePrivilege	4640	powercfg.exe
Token: SeShutdownPrivilege	1368	powercfg.exe
Token: SeCreatePagefilePrivilege	1368	powercfg.exe
Token: SeLockMemoryPrivilege	6472	explorer.exe
Token: SeDebugPrivilege	6764	Ilkdt.exe
Token: SeDebugPrivilege	7696	powershell.exe
Token: SeDebugPrivilege	5560	Sahyui1337.exe
Token: SeDebugPrivilege	3148	powershell.exe
Token: SeShutdownPrivilege	7636	powercfg.exe
Token: SeCreatePagefilePrivilege	7636	powercfg.exe
Token: SeShutdownPrivilege	2588	powercfg.exe
Token: SeCreatePagefilePrivilege	2588	powercfg.exe
Token: SeShutdownPrivilege	6904	powercfg.exe
Token: SeCreatePagefilePrivilege	6904	powercfg.exe
Token: SeShutdownPrivilege	1356	powercfg.exe
Token: SeCreatePagefilePrivilege	1356	powercfg.exe
Token: SeDebugPrivilege	8116	powershell.exe
Token: SeShutdownPrivilege	7536	powercfg.exe
Token: SeCreatePagefilePrivilege	7536	powercfg.exe
Token: SeShutdownPrivilege	5680	powercfg.exe
Token: SeCreatePagefilePrivilege	5680	powercfg.exe
Token: SeShutdownPrivilege	5180	powercfg.exe
Token: SeCreatePagefilePrivilege	5180	powercfg.exe
Token: SeShutdownPrivilege	4780	powercfg.exe
Token: SeCreatePagefilePrivilege	4780	powercfg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exemsedge.exe

pid	Process
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exemsedge.exe

pid	Process
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe
7268	msedge.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

GX_Builder.exemspaint.exeOpenWith.exemspaint.exeOpenWith.exeKeyGeneratorTOP.exeKeyGeneratorTOP.exeOpenWith.exeGX_Builder.exemspaint.exeOpenWith.exeKeyGeneratorTOP.exeKeyGeneratorTOP.exe

pid	Process
7020	GX_Builder.exe
6184	mspaint.exe
7712	OpenWith.exe
7696	mspaint.exe
7600	OpenWith.exe
7236	KeyGeneratorTOP.exe
7464	KeyGeneratorTOP.exe
7188	OpenWith.exe
4200	GX_Builder.exe
2192	mspaint.exe
6984	OpenWith.exe
5536	KeyGeneratorTOP.exe
6816	KeyGeneratorTOP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 4868 wrote to memory of 1152	4868	msedge.exe	84
PID 4868 wrote to memory of 1152	4868	msedge.exe	84
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 2188	4868	msedge.exe	88
PID 4868 wrote to memory of 4744	4868	msedge.exe	87
PID 4868 wrote to memory of 4744	4868	msedge.exe	87
PID 4868 wrote to memory of 3392	4868	msedge.exe	86
PID 4868 wrote to memory of 3392	4868	msedge.exe	86
PID 4868 wrote to memory of 3392	4868	msedge.exe	86
PID 4868 wrote to memory of 3392	4868	msedge.exe	86
PID 4868 wrote to memory of 3392	4868	msedge.exe	86
PID 4868 wrote to memory of 3392	4868	msedge.exe	86
PID 4868 wrote to memory of 3392	4868	msedge.exe	86
PID 4868 wrote to memory of 3392	4868	msedge.exe	86
PID 4868 wrote to memory of 3392	4868	msedge.exe	86
PID 4868 wrote to memory of 3392	4868	msedge.exe	86
PID 4868 wrote to memory of 3392	4868	msedge.exe	86
PID 4868 wrote to memory of 3392	4868	msedge.exe	86
PID 4868 wrote to memory of 3392	4868	msedge.exe	86
PID 4868 wrote to memory of 3392	4868	msedge.exe	86
PID 4868 wrote to memory of 3392	4868	msedge.exe	86
PID 4868 wrote to memory of 3392	4868	msedge.exe	86
PID 4868 wrote to memory of 3392	4868	msedge.exe	86
PID 4868 wrote to memory of 3392	4868	msedge.exe	86
PID 4868 wrote to memory of 3392	4868	msedge.exe	86
PID 4868 wrote to memory of 3392	4868	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/fv9veoyx2lf2x66/GX_Image_Logger.zip/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb7ab246f8,0x7ffb7ab24708,0x7ffb7ab24718
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1152
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=fallback-handler --database="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --exception-pointers=3624955461632 --process=176 /prefetch:7 --thread=7240
    3⤵
    PID:6784
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1152 -s 1584
    3⤵
    PID:7184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6796 /prefetch:1
  2⤵
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7132 /prefetch:1
  2⤵
  PID:5176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8160 /prefetch:1
  2⤵
  PID:5476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8152 /prefetch:1
  2⤵
  PID:5468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8144 /prefetch:1
  2⤵
  PID:5460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8000 /prefetch:1
  2⤵
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7600 /prefetch:1
  2⤵
  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7768 /prefetch:1
  2⤵
  PID:5436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7356 /prefetch:1
  2⤵
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1
  2⤵
  PID:5420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
  2⤵
  PID:5376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:1
  2⤵
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9104 /prefetch:1
  2⤵
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9284 /prefetch:1
  2⤵
  PID:5396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=9580 /prefetch:8
  2⤵
  PID:6116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9500 /prefetch:1
  2⤵
  PID:6112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7312 /prefetch:1
  2⤵
  PID:6372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7392 /prefetch:1
  2⤵
  PID:6380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10504 /prefetch:1
  2⤵
  PID:6532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10692 /prefetch:1
  2⤵
  PID:6540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11012 /prefetch:1
  2⤵
  PID:6680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11240 /prefetch:1
  2⤵
  PID:6828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11044 /prefetch:1
  2⤵
  PID:6908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
  2⤵
  PID:6980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7136 /prefetch:1
  2⤵
  PID:7052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=11828 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:7124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11892 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=12384 /prefetch:8
  2⤵
  PID:7132
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=12384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12228 /prefetch:1
  2⤵
  PID:668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12144 /prefetch:1
  2⤵
  PID:7576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10332 /prefetch:1
  2⤵
  PID:7568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:7836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=64 /prefetch:1
  2⤵
  PID:7844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:6780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2404 /prefetch:1
  2⤵
  PID:6012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11032 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11772 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11884 /prefetch:1
  2⤵
  PID:7348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1344 /prefetch:2
  2⤵
  PID:7800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,5181443562557193431,6444480635641509742,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2744 /prefetch:1
  2⤵
  PID:7688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3124

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4972

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:7516

C:\Users\Admin\Downloads\GX_Image_Logger\GXImageLogger\GX_Builder.exe
"C:\Users\Admin\Downloads\GX_Image_Logger\GXImageLogger\GX_Builder.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:7020
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAeAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAeQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAeAB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAcQBsACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe
  "C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6884
- C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe
  "C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:6852
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:7756
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:6980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:7132
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:2300
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3976
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:8184
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:4780
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:8012
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8116
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "GMDTJRUT"
    3⤵
    - Launches sc.exe
    PID:7720
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7864
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7932
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6300
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "GMDTJRUT" binpath= "C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:7584
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GMDTJRUT"
    3⤵
    - Launches sc.exe
    PID:7576
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:7632
- C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe
  "C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5116
- C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe
  "C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2848
- - C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe
    "C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe"
    3⤵
    - Executes dropped EXE
    PID:4632
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "WindowsErrorHandler" /XML "C:\Users\Admin\AppData\Local\Temp\tmp94E8.tmp" /F
      4⤵
      Creates scheduled task(s)
      PID:8096
- C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe
  "C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:7236

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\GX_Image_Logger\GXImageLogger\image_input\ONLY INPUT ONE IMAGE AT A TIME.txt
1⤵
PID:7080

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\GX_Image_Logger\GXImageLogger\image_input\50lb88.png" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:6184

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:5856

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:7712

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\GX_Image_Logger\GXImageLogger\output\50lb88.png" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:7696

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:7600

C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe
"C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:7464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://onepiecered.co/s?mH4q
  2⤵
  PID:5740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://onepiecered.co/s?mH4q
  2⤵
  PID:7008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb7ab246f8,0x7ffb7ab24708,0x7ffb7ab24718
    3⤵
    PID:448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb7ab246f8,0x7ffb7ab24708,0x7ffb7ab24718
1⤵
PID:5864

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\GX_Image_Logger\GXImageLogger\bin\LCompilers\version.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:624

C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4856
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4564
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:7248
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:6500
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4628
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:7340
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:7136
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4640
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4468
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6472
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1368
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:7108
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:7288
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4448

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ffb7ab246f8,0x7ffb7ab24708,0x7ffb7ab24718
  2⤵
  PID:716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,16021628297266750648,16831390447163621424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,16021628297266750648,16831390447163621424,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
  2⤵
  PID:5920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:7268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb7ab246f8,0x7ffb7ab24708,0x7ffb7ab24718
  2⤵
  PID:7276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:8104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 /prefetch:3
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
  2⤵
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
  2⤵
  PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:6292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:6524
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3788 /prefetch:8
  2⤵
  PID:7056
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3788 /prefetch:8
  2⤵
  PID:6796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
  2⤵
  PID:7040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2576 /prefetch:1
  2⤵
  PID:7968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
  2⤵
  PID:6916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1
  2⤵
  PID:5956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:7816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
  2⤵
  PID:7796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5988 /prefetch:8
  2⤵
  - Modifies registry class
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5968 /prefetch:8
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:7012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2680 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
  2⤵
  PID:668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:7040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:1
  2⤵
  PID:6140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6884 /prefetch:8
  2⤵
  PID:5328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6440 /prefetch:8
  2⤵
  PID:5992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6852 /prefetch:1
  2⤵
  PID:5984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6956 /prefetch:1
  2⤵
  PID:5724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7172 /prefetch:8
  2⤵
  PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7240 /prefetch:8
  2⤵
  PID:6088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7172 /prefetch:8
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7180 /prefetch:1
  2⤵
  PID:5292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6624 /prefetch:2
  2⤵
  PID:7584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7056 /prefetch:1
  2⤵
  PID:5936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7312 /prefetch:1
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7640 /prefetch:8
  2⤵
  PID:7920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7304 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7704 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8060 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2712 /prefetch:1
  2⤵
  PID:940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6800 /prefetch:1
  2⤵
  PID:6256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8188 /prefetch:1
  2⤵
  PID:6756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8036 /prefetch:1
  2⤵
  PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8164 /prefetch:1
  2⤵
  PID:7648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8128 /prefetch:1
  2⤵
  PID:7320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
  2⤵
  PID:7784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
  2⤵
  PID:6936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2668 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17012285549761557572,7938894018090531165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
  2⤵
  PID:7636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5272

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6832

C:\Users\Admin\Downloads\GX_Image_Logger\GXImageLogger\GX_Builder.exe
"C:\Users\Admin\Downloads\GX_Image_Logger\GXImageLogger\GX_Builder.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4200
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAeAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAeQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAeAB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAcQBsACMAPgA="
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:7696
- C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe
  "C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6764
- C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe
  "C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2352
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:7372
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:1828
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:6788
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:5084
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4200
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:7088
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:7632
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6904
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2588
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7636
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1356
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:2976
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GMDTJRUT"
    3⤵
    - Launches sc.exe
    PID:5004
- C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe
  "C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe"
  2⤵
  - Executes dropped EXE
  PID:4884
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "WindowsErrorHandler" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4B06.tmp" /F
    3⤵
    - Creates scheduled task(s)
    PID:2440
- C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe
  "C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5560
- C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe
  "C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5536
- - C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe
    "C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:6816
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://onepiecered.co/s?mH4q
      4⤵
      PID:7056
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x114,0x118,0x11c,0xf0,0x120,0x7ffb7ab246f8,0x7ffb7ab24708,0x7ffb7ab24718
        5⤵
        
        PID:8012

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\GX_Image_Logger\GXImageLogger\image_input\50lb88.png" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2192

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6984

C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5148
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:8116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2896
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1500
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2884
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:3836
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5428
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:6052
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4924
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:7536
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5680
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bcaf436ee5fed204f08c14d7517436eb

SHA1
637817252f1e2ab00275cd5b5a285a22980295ff

SHA256
de776d807ae7f2e809af69746f85ea99e0771bbdaaed78a764a6035dabe7f120

SHA512
7e6cf2fdffdcf444f6ef4a50a6f9ef1dfb853301467e3f4784c9ee905c3bf159dc3ee9145d77dbf72637d5b99242525eb951b91c020e5f4e5cfcfd965443258c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c9095a82805dfa2ad2e595209a05ad2b

SHA1
9a2f3840baf645fe960805363593c418e0ae8563

SHA256
a5df30c1504e2cab55cdc9828d30041b195f1f280663f220e6eeccd62b31935f

SHA512
1fb7cc861c8ebe0b2cfc54ccc46856cc9b0d4bd3d074ec8aff81c3e177e14819f59c95ddc760b1a7373f28f7ec7c79a4c8a69eccb8db80a2757e4704ad1939a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
032a617ad84d442d467fa65b8b0632d4

SHA1
9ccdb8c1838250c257996ef04452814b81ccd71f

SHA256
0495dcd9b2ac93771a9ed3aa8dd88c224df36d0e0a5aecd2a49fc290cae4a9f4

SHA512
78c1612cb0efd2d007ea2bc6da4f78582f65e46f674c14ca387571ca61427a083cc79144ee7568461784838d87a3c1c0141251cc2d226cc490701a2f274749fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
62KB

MD5
7e1d3634dc2698c348b4a0198f85008d

SHA1
c4fd6f11807be8e77006b944912ce22cca9c275f

SHA256
08d5187a65c4042a12b963153408d44307f9444d22e409a06da1029e50ba28e5

SHA512
c1264d57a6001a7028cc12cd5c1c155d6d76c8ca28b1004a4f8820fcbf2ef0b3c78ca75d65ec7e9e6eed4bbfe9cfc7d5870b91899d179a228ead4fe37edeeed8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
31KB

MD5
11c44c147a5f3f021a8807ff3b298417

SHA1
0c142f284b8fcf42939b338bdcd9bb14fb1b8f82

SHA256
32a62d64a1485039a9bb02b60b0ad170cb82b6e3deb36cfaeb88e7d6af242ef1

SHA512
75c8953aef90fb49342a9290a9c1cd8848cdcfc4c6ba50b9d3e3f8d937550e89c078c02d3bbf1b5dfe76275b3cc092a6487cc6c8d445b0d9acbda6658db3030f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
39e927a20ac30e1939e245a53c8fc96a

SHA1
55171f28b05a9203832eb3b55cbe73b2b3f044e5

SHA256
d7c6b89505b294a6f1960818d6ccc233db6adbe19c82d7c4d687460e1c251236

SHA512
e33ee273e9019ef4ce538d2cdc10fcf2f5c96343352abf987fff080cb60d0889991ac4dd3a50e5d341a71b04ae10961fe152353590a9411f8afb05ed8ab2ef7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3d62374f5cc602df4a2ceb4d58661508

SHA1
d26cdaafe7185b3afb86b96736989d773ce520fe

SHA256
4a4c2f2b3d53db3c1ccc56867e8b7ccffde3763c33ff4c316299917dc015f3d8

SHA512
1d3f0b0da7af9dbb59c02d34f332e83841f6ca9d58cc58547679c91d038532931b0a1d83e8162c7e4462b23329e226419666ec3fc4f201493f35db87c1ab5a92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
65d10b035a27a2a6ebf49389f6312c9d

SHA1
a1589f3bf9064354d65a5d70118b5a5bd6a10309

SHA256
ea7d03e6a6530b4331c5ffa7768943dd37508647e6f3b48340cd0776d674fc4f

SHA512
e6af87ac4fb51c0cf1d047b7b0f27b85944036983e31ed0afe647bb8909458f318631b8f26b79e2b7a04cf41d6d198dc4c5cc7a4c013a99b15693aae9c0b35a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c7260e8cd9dfa1bd7cd881cacd57bd4b

SHA1
b7008576bcc4b2a95e7c197e955966ba0bfbf426

SHA256
24ed5c77ac0c6356883f519a307c546a198f84a99da6891868e6573d50480724

SHA512
5c9258559c8f7ee41d32041bb298993217bb051a1170156b62a2cb56d8a12aea5301f9fb058a234a0a316b8319c3ffe01089545dc705d769552373715ba123c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
7774dd7c79d9623e6ef2b5e70eb466dc

SHA1
5de3d617ca28cd98cf5adba84b881c8484843570

SHA256
6a7d4a1b6249a6c48a7b6921c43ee285ff4dbd16bfa57379a6cde12b76c16827

SHA512
191a3062a646f03b424181873a7cbaa2efbca2e76d7fe0638dc2d2e8b7aaa346e6a04171e46352311601e552c114d8eb1cda5d516445670e6e2d7b2fe0472cb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
b24de9664edd96366c910ac66e983d71

SHA1
79a3686dd17d6fa5d6a56726340cd8836a8be24f

SHA256
fc81cd468dc317fc67ddc04aff186afdfaf087b4feaf1478e64615284558b0b9

SHA512
73b9dca20142cb95d371920631ffcf4cc0121d9e0641f3c150d49d9f55a368ebe6b2064ee808bbf65cbe51f0460f3dffbc4411b8b877d2b2a767aad2c5e01d99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
074c4af4b6c56062c13d04141f658778

SHA1
015d389c145169b872b1fe490261017ffdc8af43

SHA256
3894d5f82f727be185a8c4a840b9aec07eade25b12b236d90204342eb0c29587

SHA512
c173105d710d14c14615424d28f0e7d574abdaf8d311aa55e385846d4c51545aa1c204a06933863f22da8c44b5c99c6d2e6aefde05a91e6d093c07a80efc71a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
71b7aba68c93d8218ff017f64260a224

SHA1
8cd849122deef83352ba7e48c37247b8cfa4535d

SHA256
7f1bb4a11f6cc1d39e58859543bec4ae7b9e7d6f30e8e9446182e1e91f3bdfaa

SHA512
c6e9b026906093c5df3c34b9e5cd4f42a6a891e9b84e32e31dd584b5f27ba81b5832958a8fd956ca858851a22361de3c2d9990cc9a3dafe9b2d65b83d1ca5577

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
344c3969257534d40e31d014cffb5787

SHA1
0346d4cbc783313d3436d4241cd47df4477052e0

SHA256
2ed29f89e6a91b63b508fa9c414d4319e5c86f6200dd2cf3d70b535c8f4b1a43

SHA512
64e194bdb87daefd989437f169367871983398e178b24bba9052984cc2bd95340d21d0be1ab6d20a1700d5f84798e46a0880e3e7b18918728be8fd86dad7cd54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
ca662e45ee44b816bdb3155e081e6c8c

SHA1
f93a80b36ab0fa8817d86a164ba3b48856e5f1eb

SHA256
025dba5dad2115e9441e2a2f069e6f70b45d68f3e82b4779d9552522890be2d2

SHA512
af92dc53ef55848bb67719a6feff6060d89a509142e958ada20013a524a944738ef46e8e8d27b7c814fc6a489e3566667cf325ef2e94877aac1900d6e25f732b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
8cc3764a5ba96b8f7a2fe758f81d7cb8

SHA1
db84ae73c4728b2794523d7d9eeb0ad1ed626f4c

SHA256
47d459bf872546a969af475a04e7a24749759041b1b6ad82792f8ce7020f8256

SHA512
1f6b6d8e5ef0fd8ad12b6b0cd75506a7ff8371bb6d0fc13742082f01824803b47a2e440e5b1855894d1227510f0d53712d45943b638e5ab2a53b2e895c10b35b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
c44d8874c68387ca0ed84ed7ac072ce8

SHA1
dcb18b25a6e66083c5c2c0865ef4030cc76f1963

SHA256
16cd1e92623f8b7f5d2c8274b02afc37cc27f5e4d8f5e3b529b964ab56fa230e

SHA512
f7078450252e1024df36ed57ff31087922d5bccee6b275c54e8336f0c93578375eeaf5f2172db5d129a100d8e118d8e90d4245ff146dba0509977b31279d5270

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.msn.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.msn.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
13KB

MD5
c2426cddb390e6d8461722d26c3964cc

SHA1
79c25605cc0207ad291f1e139e1a71664435730f

SHA256
2a4bcef3b0e1379ee132521c6e28c94be2c12709f3f6533c352bc9d514ee90f0

SHA512
61dfb81ea0e584298470c32bd0a59c8ece6bd627a51de27eaebd93dd8c6dc3a015edc50245645a619cfe206feab91ecf22d7cc86e610e8b48bee4ab311cea177

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
19KB

MD5
4a247b602272a51774a2ae041adb4ead

SHA1
cdeb1206a295f3adf6608c76ae306b79c0c45720

SHA256
24a7bce932a8954e1e7044fbeffa68ec2cecdcb1ed9c0e9be760a46eef2271c7

SHA512
16f757b752523005278fc86cc2138ec7d0adaf5228c9f92c8915e04ba9856c501e0754d4407a5375a61a58c371469dc19a8d36f2ce7523b486eed101c46c8c1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
21KB

MD5
ae9041cea8591b15cffa9efad4b1be55

SHA1
fb0d5a13a95bab0834ac9bbd8cbf130f74960f7d

SHA256
11204f1bec5826dee4d285723e62c84eccd3b8aa6ac6e1ecc4755f310eb0ac82

SHA512
641075c75f4c573685069fb7700b17df08ab4bfbbf2ae84ae34188dffaaefaec06bf751f311de4c9668d04a5e60357e6b659066193dbd00bf67d9053316944f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
4b6c60644b20355950f8520316d32699

SHA1
5ae15764f579f059eaca0544ac716b4c8497fc22

SHA256
13a8e5bd57490170928337e23e6a1b343b0b6eb6fbe29559298e194455c28c9c

SHA512
8a637ea4f63cd4899afbfbe4f635fa5569ec22b17e888f3bb292bd2315a6893e3d51a8802e0a4d0a4338850e3e805ceafd982a1b9081958bf1df86269b502535

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
e2a89541f16acf0f3f662dd550bb46ba

SHA1
8c72e626e8dc643a629fa55d57014018bffbe650

SHA256
567600472f958e999fc4e5956bddd002610eef8fc1198a526124b49a73f9bed8

SHA512
7ed1364f74a2d37f70f48677a9a8b48a7e53726aaf620afa91008f1b10a7779d26c80243c8e410f12c2eee49324f3909ad8dccd82687f2d5d59c25a7b61e32e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
70491333d6a673d95cc68ed16b521918

SHA1
8743ff29d90c9928b5bcfc13b381f98d2582e873

SHA256
8b52c009a15001a5e535335df296b057ed14bc9432431883b2753eda8c0524a1

SHA512
0004750af08964fd870b098d72220f51baa4b9c12691a83a6bdb255d718a0740360b67bc9a818daf4272a8babbb39886aea0445b4052b6ef26af927eb8f1936a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5c7c0cd9fd46598c8f6b2d06fb0a8ab6

SHA1
0fabeb31901905e9a12e15dd9cdeb36cc925ec1f

SHA256
944fd89f2a68f01631c79a75d0db84d8715545ee261f5f35568df420b3e80bb4

SHA512
9136e4aab41cdfec65d8f8dbc6492ff7287964f8a75c2e31432d274232747377220e41bc4fa168ab84bc1c9810847fac20e7acba95d7b659c5977fe8ea068c07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
20KB

MD5
22c440e3db5f89ea7d1089aafc51cbb6

SHA1
f24898b1877e195ba6f406726f84e8383bd8d835

SHA256
528a7ccd1a8e18ab02941616a4d5478cdf8b9f213512a44854dd9bb8d9d6fef5

SHA512
14e2a2bec409b95822ec22d5219eedc8a73d6ae320d3e515e2db95d3f730311a342f62d10459a141e7d8c894909afaa3fabdf4acfd8bb84757d365c8bb384488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
f581a25fbcd1815144ecd6beb24c073d

SHA1
7cf1bb4bdbafdc652aa944feb808c37c071e96bc

SHA256
5fd0b3b2d0f8fe64df469cab6e4468ef97fd18b9509d052c1fb2de83f280c32d

SHA512
d300b467debc298a28bfc4c4b6cc7cfbf53018a990532e4f989a65c398546cfefc2039e43c6a81107473f707e95cbdadfdea02821ddd9ae97ecdacacad10c3de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
84890cd08e1222034b879a355e7bc8b6

SHA1
459244da35b5891c15e423ea554b19bbc79991e8

SHA256
24e770b733cd39c6d5273fc9229f334e95801fd512b6577c5859eab887bf565e

SHA512
1e6dfd2bd2bd325c79786b253ffaa57165cdcd7e44c020627f33174cfa558cdd98f5fd3bd48eae733224b1c27e78895a4ba71a0750bfa79a888201a38497fbe0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
80102898b11c9158a84b4086ffdc53e7

SHA1
f6d5966d87a524c2715a5e7933f53d911f8f31ad

SHA256
13cf398397decca328f9d2ab9c6c2d9f301615548d3f3359939e04bfcfa09647

SHA512
cacc8e7aa728772aec23d409d2038b1608af4211f539c1f9cd15167bd768cd97719270e1d75bf3049b221c6cdb2ff1e43ad38fb78acfccb1f1a945a3c70d176c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
720dc0ae16453d45219999d5fc58e304

SHA1
486077b668510bfa306b83aec202771aa304c678

SHA256
b8f5776e479796b19160a3cb30ea3da6cd69e20a582e03c63e79453acad6a10d

SHA512
9bdbe4e9b5fddcb88517541f42e8cd1ab744b4d43d9fb6626bbce1023cb5e4d12aa866128f020be2acff6b9231c4637ce0d86bf2d2d2a6d3b281aba67da7966c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
20KB

MD5
099c320a0cf7fd3b363b843c1db328fd

SHA1
23b45260fc81acfc9a0d31375ecf2b1a3a773b96

SHA256
bdb9b0718805c68d48cd34b9da460e3f2c513d047cc7445438618264a8b65eb5

SHA512
92f67f8b5255046d68f64bcefc900575f3d6292cc701750013be2aa9c875cc7148b29f4e7dc9ade7f22f061d8a67da41e08f0a684f007d3bb2cb8222c35aa67e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
20KB

MD5
bb79837818615ccd35a921582780d84e

SHA1
c7a9b231a5176eef228e28a1e2574e295814f9b9

SHA256
aabdcaf51272507f8e605e099f34fd24f7c11299b67a39481089a2babf16dda9

SHA512
65a0255f2979ae98169d2ac47746dbd46072fe8909ab001f2f59da53ebba89b3b3855cdc227e13fd4490fb456d8ce8fd751c246850d71efc6b72c4d566a22223

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
20KB

MD5
d762c42875de418b88ed1f105ea3818a

SHA1
5ce6eb253c79385fdf17b99f69501df13d1131d2

SHA256
78045c448b378a8f2ebe4ec729d61966a13d2d0e5ddf6784b9a73e578dffc344

SHA512
91c58cd335c32ac13d722f832f9e93ff3d56de32ac04c48532bb4f74316145d8b0e33e261d8a8a549f31b19b8249a6283e4b58600afed558b438041be7e2816e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
ac7f087d8179255e2623d7024ec99fc3

SHA1
96077a436ec08ee619942c8fe682268409990faa

SHA256
1a635190b99366e61a81bb483116f05fe52d0b1fa8eef025c677fece15975952

SHA512
ab1174ca4138ae8c201b5d80a6a9a63ab9265c6a17ce375b33a5ce61a23b1156902decfa24a7f2a6aef5b4d61ade7ae17ee2b59f3ecff32dfc2d995868fd9d9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
20KB

MD5
05717d9e157fc35e67faa9b19c553627

SHA1
11808bf08ccbcdfcbf75dd1f1b0301a729d2cdea

SHA256
e471c9a9fa2ecafbd5e194055e2fdc6279457aae2103ef04eef91084689ce91a

SHA512
37555d6b398871f18c11cb5ff17a7a804ed88a91692b7dd23f808315dc16915549785e564ad320de8317e04bd87fe515a2eda018211cdd2d7ad0169fe654029b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
520e43818f14d4b816976fa587491870

SHA1
03427196c6c2d70d5de32918fbbaf345df83335f

SHA256
6ccc85dcd675867baaf4ba139a9cd81687ce9822cb5b59bfcb004067f3817df9

SHA512
7231ffd4a96d0b49c7011a285bde75aff270d35b0022dc0b208c9258ed12b32c6d4999d57b8d4de9e0e6a51cbbd0d824fafc26b28edc9e498cdbaeef3cf39a67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
20KB

MD5
63b4ecf650aec9fafa8093ed0afd1f4f

SHA1
1dd1c8cd71984776944035c40705ba273158973c

SHA256
2a68a94e35c4a9fe7f8f61f94245179b8db43a53f3f8c0acd1ea8de9697cd124

SHA512
a2391aa6218226e2074605becab97cf3469b58ea424b34201eef70f28480647d98df8d05b84fd06c9071c7a29ac5bd054d1e180c70eccb210c2762fb33593864

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
0e7404625c6216ce1d29f235d35859a3

SHA1
0aeb7c5b5d767e773072dce2b60fdddc2005bad1

SHA256
f5af8e55ebaf25bf941d36b1dd13a2ceb898506c6372aae3e81bc5be0c4323a0

SHA512
626e6ed91716f85e4d1a19e574f1d2968e1a6bc6dc014a84278412f713a109be13bc10bda7ccb5a0d8853c9a30b28a3165d85914402a9533335d75460ce122cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
010a944744571cd67a13c927720a34b3

SHA1
a12d7b20fdf7216f6186ce63f0f76d88333779fb

SHA256
843e992588a2355eca0c39c4d97202211382987546dbee63980eefd808438b60

SHA512
191b54ced44ceb516c42a78abc1dc66e9e4f34a84ed66d53ad0a04b1e996b543ba0c6d94efd4bf12153c63523690a5dd0f630fa9ffea44f3383b986ad05c1449

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
b7ba07e3a644b7591a852b3245988b66

SHA1
453cd0550cfa89ed7cf230347e193ac24ac93362

SHA256
2a6903b0a9dc3f69086fdfc512cff36ff610f5a3ec249db2291cb3c2a90c0f9a

SHA512
ce144ee975de89db04b55194e38c8b8180a90be25ec1cbcedc1bdd002db6d6114c736203dee98956f48ebbf42e1d1e90627c4615b552a60f022413fff2e00480

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
d1b55b141f9c8b51a1ad34ef59acf2a2

SHA1
0fac9f4d32150ad037aac9200af8b93bfb0b6869

SHA256
3e0732364af911c1345171ac31c0bf3c28648ec1f2a2541a049d11ce34c26646

SHA512
d60a926cc27114383ef926abbd11922673e7fe29e2735e780f8e5102ad0de446631e701ddcd00b1aa3ee9f15796f9225afe7303c770bc3fd6cf74c391858a76e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
d6e1d4091faf8e6efa3425b0e8981385

SHA1
39972b1ebf105749754d2297663620cc30cddf7a

SHA256
c6adfd1fe421dad7d3bccf5fa1cb3d68cd46f16b0457e315c4cce9fbb1ba1945

SHA512
88b7f788c08b4e4e7b46e6547aa6002f58c79c4642d994504d9e49968feee304d31147a538024274f237835893671c8c3ae6ccb69c98732d39cae1b1006c4966

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
20KB

MD5
1e39ce1735d8823f56da0187b1eb4b0b

SHA1
ba8f960e4d62c144151dd113d06ac43c7deec7e4

SHA256
15aae5d5b7e355161ab3128229d826ed23c898e98927648319ac8e5662d14c39

SHA512
f9750715cac7308d06f8dd4619e4203ae3e6056552b468a0c1c3a76c63ed02850e2a43b108f28eb4367290075ac5860dcbd4062abfe9751f342ea8c799721646

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
20KB

MD5
de24573fdc12447d803daf56b4c0e047

SHA1
2fb1766b6619a705eb3f040022966c88652eba86

SHA256
0436dc01fb4ec17344e3635c06b5c9277b713bba932232fa24894c3bdfc680af

SHA512
f221e466353f6681fa7c90bba92d9ed923d9c05439bc1e857f33f556c817ef0a31e5e3faa1bc43c3fcd834c73e9daa6a9104d790324f2f20ea0b4d515355b293

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
b0ba6f0eee8f998b4d78bc4934f5fd17

SHA1
589653d624de363d3e8869c169441b143c1f39ad

SHA256
4b5ee509e727accbd11493dda2c1d512e7dbfaff66c4f5f7ea9c2d2ccd06151f

SHA512
e9a165da246c6b80fc38431538203cf03f95794184ff63f00c9500f8919a2028b803f64b670e685185eed72df0509e3185c9b434fdbf2bc7af36021d46bd08d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\32cadb2b6d359d069dd3f3d132c212a43d223701\index.txt

Filesize
35B

MD5
343859b4ad03856a60d076c8cd8f22c3

SHA1
7954a27de3329b4c5eefd4bdcb8450823881aad6

SHA256
8c79b653c087618aa7395d5e75198da7d3b04c08654c39e56b1027f9ef269c2f

SHA512
58014a4e7f2b4b0d446fae3570196b8fb95d0d1b70bdab0dd34a74d6c62cd8d7ca494a486f19c1a829988a3af83a08d401f18d1769ce1799a02ee09807234254

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\32cadb2b6d359d069dd3f3d132c212a43d223701\index.txt~RFe5ad4f5.TMP

Filesize
99B

MD5
c2c036b8b99fff9c9243c3f879e90cc4

SHA1
ebfc2a1c1a39f7fdf3ac916e01d7d3f86b6ac708

SHA256
fcd988d47847fb0aa22beaa461db9b3d84cb8652394d597443580b4fd2baf736

SHA512
940dc9e73fbdcde94b17f43c2a4634ba02f2422aaebbc48edd391374c6b347e2b1a429f356b9cffe11b268d4ed79b4abf2d1f6149cc198ffb668637d63879fc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
3b1f00eec018c3e217ccbe8a55ad8760

SHA1
a2e0d05127814bf4e4b69865771f8e64450de912

SHA256
07d7e8c360995359e8e933cd3f1f6e096f98e9bacc964970b062514ed082621a

SHA512
fa8beb522b386920651959399eaab371f60dc491f2d9b7aa439ab1cd79b01e14da46c09a2a97876d4cc2d66bed2b57c4a56b260d77ea0f05dce23738eb78e899

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
9eae21b4acfe2c5028aa238e7932e769

SHA1
37ca063c2ea14dcaf7a02633b68d20d2d09a3876

SHA256
8a2a24dc419c81e5f36cf5f7648442d9b4aef24039ea64eb683aefa12347d5a0

SHA512
f3459be024ed5bdfadaacf9e104de904dee775cdfbe409073b3bafd70d5c22caf97658fdc9775ee7d192659a2f39d0ba5780fab3043d500bd57444f4a13d0d8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
10ced692b4144342884c9c9b53656d1f

SHA1
2325d78683f104b4fa1a4e5c896e8b36a6ddb3ba

SHA256
0fd66b65fc6ca275527d908d5eb50e93fb42f6f66f387f94b84ac7d5e9bee11e

SHA512
19f4a30f9dccfd1094d956c1079e3da8c136c6152668d6c73d6316f3b987c1d96413409e8006b0d742330fd6077159909780ecc694b98d23f08c8b561266e280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
b3add0b84a45d1767a3df8fc259fbac5

SHA1
47e46490dcfdf87aa1a0d6d30ca4a0e48d90b47c

SHA256
458b3b49fd801d545dfc338967643d984db02b0cd7d6aff58b448448b5f5132f

SHA512
0f0721169c8a2c830ab894f89f79bfeb5baf2bd589c9c966eba818fcad1cc727800593831eaadf0dc16279fb6a4ebe2b92ce4c827186a60d903eef10b448e79e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
309a5dc00eedee3d4fbb01593de5f7d6

SHA1
b9841c78a5cbad371228d732033a8ea01d845ef5

SHA256
6d444b0043cbe6f5732ebc9a2875f9d35d11c6718c9738e26b17925059863785

SHA512
164997876bcbb2b441db3ec213ff6e87c7883d628cc4d9e26d77f3442cd123b9a2e97fd87cdcc159eee605540e48e2a8692c30a572f97ec4a2da904ec9982e10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
fda2149f97bc678b66ea6796d9ced2d7

SHA1
87d94efcf9bde52def97c7df2d34dfda979b87c5

SHA256
0e7e3388d7ef24e953c1af3ba30162901b2bb7f5b8fc2f2e4a67533f7edcfc41

SHA512
2aae4783f2a9aecf72c82f302a74ad369727e62455c5d2950d7c0188df22633dc9c4e3ef4bc28f16d1081a612e076593b42da13bc66da81366724f0b9738cc84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
aaab6cc4720469ff1df9ab2aff002b46

SHA1
234e6afdaa884cca4029801cb62c28d7f274ad9c

SHA256
1c5e0e50617787e40a3115e7117922a026c310eb256bddace08f6931220848e8

SHA512
b683528921a97e5d5bc9884ef0f11c30a4dccc080ddf7dd1412fe66c64e564a170d44780b51d5605ebce90f378dff9bcd9a2966126990ea1614367e7ce95b0af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
5f83b348477dc7e0bd4185b7be69ff98

SHA1
d1294f996e3fd7ae48d043a93530a057c6a91f56

SHA256
5da4e47160b7c3a583b65b189a9c8bfa48004569b6eb6980c29105e8e5076a1b

SHA512
3b3c9702983ca510e3cfa58c46891785319fe6ce11475ae3b8f92e4dbd425e039da3135c6284985ce5eeaa272f892e29e0a8ca6d6432ca89032c619bec979f88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
1dc15fc3f7ecbd5f23ad4de8490ff318

SHA1
a41c88a5dc4abc8c6c4478389db727ca5a408eb3

SHA256
f2a64236fdeb890675d6416b2b071de50415b1181eecdd945b83979eec9bfa31

SHA512
0b00ee8cadd28e05e879c9364459bbfe5dd3ca2530870b51980db1162bc0638a81ef744e2b8b35ceb1cc7721c7f4589ba99829796ea4ebc8f72b221392c6bf81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
27e33a18bf59a9873d3f55d13f18fa82

SHA1
cd086641f8f2abe3b12daca760108513ac32b235

SHA256
5059930e4a006caa638b62eab9e062129894397d23b34fb416c3a95dede15493

SHA512
5d2ab6d3789de2cb5f7579d953d920ce12090efa7df2c409adc3df47786cf8f4bd2d693565a382ca62989d7998fa842a0a4398c828ba351005d3f98a9c259649

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
175a2263ab38d9e88a7619e8824863b3

SHA1
d9128307dcf435004cbc8102b0196057b097eb2a

SHA256
82b03b7010843263f8ad66ff3ff309bffc5c6c0605cdeb7aa4c44cd1f1d747b5

SHA512
2f7bdb1b16dda73bd9e9769215dcc95cdc2e3b2f80c01b9962141dcac97a4b192d7d031ea5c7a54315be6094f3d0bec07987f6137bd58318f7ec5d4035d50c30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
bd656b01dabd2f01b5aa58a449a6df76

SHA1
57091810d5cac8204507c40277b7c3223ac3fd09

SHA256
7bf0dd18f28660eb33a60ac8cddaf5444238a7b945506a6ee9832ce8e7009130

SHA512
c92afbc26fb2d4897f0b5147007ad6ac3cb19fd917bdb5790eab6c5eba73c4587cb45e16a88ed46f1c2a9de1364e2201774610466e9685266365abfe9b517cd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57abc1.TMP

Filesize
2KB

MD5
3e5fd054447653ce6e6bb9ca1963224b

SHA1
bf1257b7ed4e7f044f641940b2968328905e9b93

SHA256
93e7b225d706508aad5e00c77029f44eb42a9a5a73d1cdb21f780d271402a6a8

SHA512
760ed3fa9e4226e8f8e22e6cc1e6f485422dbccd9dbfc046498c015c6f79cfb8b515e900ce3ef7c7799d3ee65dfb76c70a86ee9a4e253debfc542977f949dd56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f1a9c9ee-6cca-4686-8923-0a81c9e73e77.tmp

Filesize
8KB

MD5
0a5e6b972758429aa7da234d80747950

SHA1
08ee2d95fbcfa9d663656d926a21cd2a38544003

SHA256
8b07dc0708b9ef88cb71e95050cbd27e8476485ade13c60f02eaada6e3c76b67

SHA512
ec891eb95ce7f9683abe87c600e674523849ba716ac7f8892550892b99755984c62bd359f5da1dac7292d6a968bc3aa91212cbf5f4a619a8b30b5cd90a491c81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9ea47d62ce9b9eef1894754b3d4ef273

SHA1
138b4da4d83777c2fc798d4cb4a1b5f0629839bf

SHA256
85b6a7f5ce36a6c755e5b143b4fa6dfd1cf963c00b6220556e9699a6427a7a0e

SHA512
8230c2bb5e323b509d620cffc7ee6ab8d3d0558c80384f3c538e9b99dabfcf0ff9fa869692f6379abf1b44af2518cee998a57a5c847e7c3fae2c5ff0a70b382a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e18b08d08d9f3f8c24a7c17ee13ec09f

SHA1
3098f619570bc276980c7e586e6e8fc702c35bdb

SHA256
bdc2073eb359af3c8a943abaa965651a4b84519e2960220394f712f3a674540d

SHA512
5e7db47d6540f17e374bcb0ede631175acf4512ae81270a4558e5b1f66f58f8b0f7ef2f2ba2762773cf1076b18729ecf1e2405318431f2d71f0b5ecbd9a1ceea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ce728eb2c72a7e526f9fa4b099f6e4fb

SHA1
9abc8b136432c61527676d0be45a4c5cee7abee5

SHA256
5e35237363e42b888dd94154bfd098185ae93d860edeefe0748cdff756be2976

SHA512
8960619b16149c4cebac0a726151ac1fdf16732c63ac7359bd87ab555ac37148a473315fcfd256561dbd5190c22bf9983032e64f5601d7125d08ce2db81ea6b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
04d69f59b4fda4547c9c70e0083e8eb7

SHA1
c6b0aa51c71535af97719f6e351bd6e6f179eaba

SHA256
ee9b41049c86637a69ab5aeee056217b2a4e9b2e6ad82ec2cd79fe8834d8eda1

SHA512
5ac8d8db79e667a122564ce82b2e59de622ea8bd498eb3117cacf565fa09b8c797cba06665616146b047569def585d39c74b61f1ddbe71d96b3b37873f771fb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
84f7240b3d24dc9d21ef4c32716b5009

SHA1
0ae7cc335de0b559b199490498bae7c0653e21d9

SHA256
09298808dba9b508baadd57026944fd45052f878fc460f232589f10d54121728

SHA512
ee159b718bc2fb988780f170c6a2c55b6a3231300872701abeced9594a41d455629d1da38270da5d6baafa1d3c3b7b81e10bc5637b1f5eb8b420cb70ed23ea5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
8a500563592dc3a4cfd771eab795650a

SHA1
fe34e79186493820630a2aa067d85bba8ba5dfb3

SHA256
51c37dc3b7959656f79806d81b1ce2a3fbe400c96f61aca18fd963675818f543

SHA512
a6f5e63c822db2d6b711f269c61581d32ab32851f15238bf4fe7230bffa5748b3a833f0d14f228bc7ccfed97547bcc7f35e4584cb826ebcf588467f9f4e43da3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
29f076d08fbf9feca7ddce978cf340b1

SHA1
b7eda71cd3a6763b6d5408d5fa1e3c20a0d4c0bf

SHA256
75b8fb74352bd75612aa4b9ccdbe2893692f58e5867aa4f6e375d0ac8292571d

SHA512
220ecaa8da441de1b889ef29f39cebc01a930f94366cc3232b5d5fe09703101c5ab4f32c543fda577999444ad18efeedb1e4d4aa66472e262b96c2e9fc69b274

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe

Filesize
191KB

MD5
e004a568b841c74855f1a8a5d43096c7

SHA1
b90fd74593ae9b5a48cb165b6d7602507e1aeca4

SHA256
d49013d6be0f0e727c0b53bce1d3fed00656c7a2836ceef0a9d4cb816a5878db

SHA512
402dd4d4c57fb6f5c7a531b7210a897dfe41d68df99ae4d605944f6e5b2cecaafa3fe27562fe45e7e216a7c9e29e63139d4382310b41f04a35ad56115fbed2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe

Filesize
1.3MB

MD5
5d219a4b86bc9075c1b661bf442acf5e

SHA1
411e11d162afd6e76dd7fec24f0b7fdd97db8891

SHA256
e088086248ecfd26515ade7da7d6128031a3ded60591a21bf06469f0f8cd47ee

SHA512
175316d34ca561ad341a579fcc05da27490bf9ab776dab3797f6b8a91ab8302318aff4305cd54ea83b972f3137d9d5762fb3eaa97dd454348a872c74c100c351

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe

Filesize
3.2MB

MD5
2c4f1612c53e23142808fa5eb35ba61b

SHA1
24bf74276cfb877dc682b7f7944e3d824d242aa1

SHA256
9fa6ad07bfa9f99a707b999e34c69c609cfb66f52fcfa7d22b0918756c36a403

SHA512
25fa60fbdc758aabb063fe921c3c1c3e9c04fdb3649f39b7c4ca247e8b18e46286d964b1f1f111273ac7dd3fd803853531dc82212424307caf19f500e9285f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe

Filesize
192KB

MD5
d20b2f2c91929babf6c41356866e79b3

SHA1
9516dbf3cbc6214fb180906b6e3283d22026615c

SHA256
01fa70728a9bd67b9d6b0a1db8f15ccbacdcd7fc0167eeb0388dcea98a504e72

SHA512
78675bf9db6a23c797a5d96fa79f417e117c993b557c1f681d1a834887aef538a715e0dbd39f6427ff1776396bf6ae80aa7502775418c05fa887c5423c809249

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe

Filesize
316KB

MD5
675d9e9ab252981f2f919cf914d9681d

SHA1
7485f5c9da283475136df7fa8b62756efbb5dd17

SHA256
0f055835332ef8e368185ae461e7c9eacdeb3d600ea550d605b09a20e0856e2d

SHA512
9dd936705fd43ebe8be17fcf77173eaaf16046f5880f8fe48fc68ded91ef6202ba65c605980bd2e330d2c7f463f772750a1bd96246fffdc9cb6bf8e1b00a2ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe

Filesize
42KB

MD5
d499e979a50c958f1a67f0e2a28af43d

SHA1
1e5fa0824554c31f19ce01a51edb9bed86f67cf0

SHA256
bc3d545c541e42420ce2c2eabc7e5afab32c869a1adb20adb11735957d0d0b0e

SHA512
668047f178d82bebefeb8c2e7731d34ff24dc755dacd3362b43d8b44c6b148fc51af0d0ab2d0a67f0344ab6158b883fe568e4eeb0e34152108735574f0e1e763

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe

Filesize
2.9MB

MD5
20e8268550eb62fbc0833d0bd1608c7f

SHA1
8e32b7e3c5f394df1c3454ea6c86b0b29fbe9879

SHA256
07393de85500159b2b211da857a50eebee99262391d5e382fd6831c70bf78d1f

SHA512
e82fa9756795d820b182829d19189b3477d1dd226344475aae2c9f341978e182707d7308838ccae4afb6e43c734c2e824fdebc0bec92c8badbf6ebf28830af58

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe

Filesize
1.5MB

MD5
338b7058bcffd1b0545f1742dabcfc88

SHA1
c9cd1c0e05f185ffca46526f1b9e861c2bad0268

SHA256
333468429fadc449b7576194f7cbb45d9bd10c3efe805c61ce49ee7cf828c962

SHA512
b506f3be696c1bf1275f494810bad09ec702bb9184bde26ade366ecda17ea20cf46566e6725254ddc9e2d0af8de060d1fb31aaa86c7a8d25e571e83d7ea57dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe

Filesize
2.6MB

MD5
a6c444a3f743ab46213fa60542593cf3

SHA1
64f70fb1eaa0eb971ec110ada277d17a202e3dfe

SHA256
b37c8099b6d467aadf111eb16a9294f73ab5bf99d6bc6809778b5c5124166fab

SHA512
b8d847184142d727f6284a1b75af489aa27ac19a56acd8bfda8424d5c90a54e6daaa529752ffe4eea078b579d279e67fb4cee6208a7c10f694a11ccbe145af04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI72362\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI72362\base_library.zip

Filesize
1.3MB

MD5
631209e5ad1d4662c77fbfcf4ec82213

SHA1
5ac47f662a45bb618f9074dd2880cf757c4299bd

SHA256
9bb474ebf92ae7d6725874e6ac52daf58dd7ddd28d05664b12c7ebb3ea4ddca8

SHA512
b9a9269e9d9b24d2486978346b867cb692fdb9d28ddb8e4541b643078806f7d0af5bb1dd9fde917bdfce4bfdfbd4f088ccaf4c3b46a3d094957d2e933c847b6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI72362\libcrypto-3.dll

Filesize
1.0MB

MD5
7b0fea2c59d613822dffc31110d68791

SHA1
dc58c2005c8473c58c7736e6b0db8c3bfe32305d

SHA256
94a22223b668c10a1003e8b90c7a6c19d21322e8507d1fdff55e383f0708166c

SHA512
182704906870ffccd75d4f916b9be1659d18d7ad9f93962cf05f30e5dc9576fbbac28e9cef5f7643dd41a91feb22b0bfb7acb492d33facf96898f57bb0d69a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI72362\python312.dll

Filesize
2.2MB

MD5
2fa682ed7d148f84bc886a557869ea89

SHA1
6de5db99a9ee18dd348b2f36f0325207c624ec29

SHA256
c225bf6a7973b5ca27ba987495563499b5cafc5b8cfb230d1d280267f4aea860

SHA512
8bba85ee0d5a84e13d0c2c587900afc3744e12d65765ed4bd192e3cd9fd066b6ecb17358b89bd1d4f0522fbc3e3a5500397c0b9784276a350f60af5c4fa4c78d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI72362\python312.dll

Filesize
1.8MB

MD5
7254e11c53aa25084cd8e5cac67bae0b

SHA1
bd6c2b1e5199b8a24349627a26bead3d2e7af293

SHA256
364bda21abc899c542ecbd290363720ecc520b758b850474d838f980cc8a1db9

SHA512
2d4bf020f01fbef7aef378ffbd332b689a7501fccd8e0cbbfdbfcfce1415d85469b316e1c163501397440e964cb1ed4c1edddb7dfa9c500ea630b3508b7d531d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w1bejt15.pju.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\GX_Image_Logger.zip

Filesize
11.6MB

MD5
0320cabde39fe61ef6e6aa1a30aa9304

SHA1
f8683922467ed12c978216a480646da2736b43d1

SHA256
aa094222e49bcf065d68a71ae3ee75b23d6117b991b48a6dc26e38187fc43e76

SHA512
b6892e282a7687019b4a52c467c6d94c18bfefd84aa296c3b478443e0a6773112cdba0a59e78ea935da16df2a82228f5495dcc5ca47179ace275fac976373141

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 790597.crdownload

Filesize
13KB

MD5
d66fc56f8dfc8556dbe16f8dd6d2ee7b

SHA1
1887a1014315341931b035d6a365cf98b411900b

SHA256
87bdf27c2a88cd98fd20e0cd895022656caf56683f8a31ec3fab198cad7ef6d5

SHA512
0d177af3bd629ca60cc4d79da562c5e12b6e0e31a08dd4a3dd483f9510c84c4311de29fd4f31a7a74caf1ac685027729ae972f531b2e30c894117b1d544324de

Download Submit
\??\pipe\LOCAL\crashpad_4868_EHSGPGAUOZLCJQKG

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2792-622-0x00000000061E0000-0x00000000061FE000-memory.dmp

Filesize
120KB

Download
memory/2792-758-0x00000000071E0000-0x00000000071E8000-memory.dmp

Filesize
32KB

Download
memory/2792-611-0x0000000073D90000-0x0000000073DDC000-memory.dmp

Filesize
304KB

Download
memory/2792-624-0x00000000024D0000-0x00000000024E0000-memory.dmp

Filesize
64KB

Download
memory/2792-609-0x0000000006BF0000-0x0000000006C22000-memory.dmp

Filesize
200KB

Download
memory/2792-629-0x0000000006E30000-0x0000000006ED3000-memory.dmp

Filesize
652KB

Download
memory/2792-627-0x00000000024D0000-0x00000000024E0000-memory.dmp

Filesize
64KB

Download
memory/2792-639-0x00000000075A0000-0x0000000007C1A000-memory.dmp

Filesize
6.5MB

Download
memory/2792-640-0x0000000006F60000-0x0000000006F7A000-memory.dmp

Filesize
104KB

Download
memory/2792-650-0x0000000006FD0000-0x0000000006FDA000-memory.dmp

Filesize
40KB

Download
memory/2792-669-0x00000000071F0000-0x0000000007286000-memory.dmp

Filesize
600KB

Download
memory/2792-684-0x0000000007160000-0x0000000007171000-memory.dmp

Filesize
68KB

Download
memory/2792-726-0x00000000071A0000-0x00000000071AE000-memory.dmp

Filesize
56KB

Download
memory/2792-738-0x00000000071B0000-0x00000000071C4000-memory.dmp

Filesize
80KB

Download
memory/2792-753-0x0000000007290000-0x00000000072AA000-memory.dmp

Filesize
104KB

Download
memory/2792-476-0x0000000002320000-0x0000000002356000-memory.dmp

Filesize
216KB

Download
memory/2792-801-0x0000000073360000-0x0000000073B10000-memory.dmp

Filesize
7.7MB

Download
memory/2792-563-0x0000000005C60000-0x0000000005CAC000-memory.dmp

Filesize
304KB

Download
memory/2792-481-0x0000000004E80000-0x00000000054A8000-memory.dmp

Filesize
6.2MB

Download
memory/2792-483-0x0000000073360000-0x0000000073B10000-memory.dmp

Filesize
7.7MB

Download
memory/2792-491-0x00000000024D0000-0x00000000024E0000-memory.dmp

Filesize
64KB

Download
memory/2792-508-0x00000000024D0000-0x00000000024E0000-memory.dmp

Filesize
64KB

Download
memory/2792-525-0x0000000004E10000-0x0000000004E76000-memory.dmp

Filesize
408KB

Download
memory/2792-523-0x0000000004D70000-0x0000000004D92000-memory.dmp

Filesize
136KB

Download
memory/2792-532-0x00000000055E0000-0x0000000005646000-memory.dmp

Filesize
408KB

Download
memory/2792-608-0x000000007F5C0000-0x000000007F5D0000-memory.dmp

Filesize
64KB

Download
memory/2792-546-0x0000000005650000-0x00000000059A4000-memory.dmp

Filesize
3.3MB

Download
memory/2792-562-0x0000000005C20000-0x0000000005C3E000-memory.dmp

Filesize
120KB

Download
memory/2848-2221-0x0000000073360000-0x0000000073B10000-memory.dmp

Filesize
7.7MB

Download
memory/2848-468-0x0000000000870000-0x0000000000880000-memory.dmp

Filesize
64KB

Download
memory/2848-520-0x0000000073360000-0x0000000073B10000-memory.dmp

Filesize
7.7MB

Download
memory/4564-2232-0x00000259306A0000-0x00000259306B0000-memory.dmp

Filesize
64KB

Download
memory/4564-2248-0x0000025930B70000-0x0000025930B7A000-memory.dmp

Filesize
40KB

Download
memory/4564-2249-0x0000025930CE0000-0x0000025930CFC000-memory.dmp

Filesize
112KB

Download
memory/4564-2250-0x0000025930CC0000-0x0000025930CCA000-memory.dmp

Filesize
40KB

Download
memory/4564-2251-0x0000025930D20000-0x0000025930D3A000-memory.dmp

Filesize
104KB

Download
memory/4564-2253-0x0000025930D00000-0x0000025930D06000-memory.dmp

Filesize
24KB

Download
memory/4564-2252-0x0000025930CD0000-0x0000025930CD8000-memory.dmp

Filesize
32KB

Download
memory/4564-2254-0x0000025930D10000-0x0000025930D1A000-memory.dmp

Filesize
40KB

Download
memory/4564-2243-0x0000025930680000-0x000002593069C000-memory.dmp

Filesize
112KB

Download
memory/4564-2258-0x00007FFB66250000-0x00007FFB66D11000-memory.dmp

Filesize
10.8MB

Download
memory/4564-2247-0x00000259306A0000-0x00000259306B0000-memory.dmp

Filesize
64KB

Download
memory/4564-2233-0x00000259306A0000-0x00000259306B0000-memory.dmp

Filesize
64KB

Download
memory/4564-2246-0x0000025930AB0000-0x0000025930B65000-memory.dmp

Filesize
724KB

Download
memory/4564-2231-0x00007FFB66250000-0x00007FFB66D11000-memory.dmp

Filesize
10.8MB

Download
memory/4564-2245-0x00007FF4B54F0000-0x00007FF4B5500000-memory.dmp

Filesize
64KB

Download
memory/4632-2255-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/4632-2244-0x0000000073360000-0x0000000073B10000-memory.dmp

Filesize
7.7MB

Download
memory/4632-536-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/4632-533-0x0000000073360000-0x0000000073B10000-memory.dmp

Filesize
7.7MB

Download
memory/5116-487-0x00007FFB66250000-0x00007FFB66D11000-memory.dmp

Filesize
10.8MB

Download
memory/5116-467-0x000002104A500000-0x000002104A554000-memory.dmp

Filesize
336KB

Download
memory/5116-554-0x00007FFB66250000-0x00007FFB66D11000-memory.dmp

Filesize
10.8MB

Download
memory/5116-489-0x000002104C1F0000-0x000002104C200000-memory.dmp

Filesize
64KB

Download
memory/5856-364-0x000002B2A5090000-0x000002B2A5091000-memory.dmp

Filesize
4KB

Download
memory/5856-368-0x000002B2A5120000-0x000002B2A5121000-memory.dmp

Filesize
4KB

Download
memory/5856-366-0x000002B2A5090000-0x000002B2A5091000-memory.dmp

Filesize
4KB

Download
memory/5856-370-0x000002B2A5130000-0x000002B2A5131000-memory.dmp

Filesize
4KB

Download
memory/5856-362-0x000002B2A5010000-0x000002B2A5011000-memory.dmp

Filesize
4KB

Download
memory/5856-355-0x000002B29C3C0000-0x000002B29C3D0000-memory.dmp

Filesize
64KB

Download
memory/5856-351-0x000002B29C380000-0x000002B29C390000-memory.dmp

Filesize
64KB

Download
memory/5856-369-0x000002B2A5130000-0x000002B2A5131000-memory.dmp

Filesize
4KB

Download
memory/5856-367-0x000002B2A5120000-0x000002B2A5121000-memory.dmp

Filesize
4KB

Download
memory/6472-2440-0x0000000001DB0000-0x0000000001DD0000-memory.dmp

Filesize
128KB

Download
memory/6472-2533-0x0000000001DB0000-0x0000000001DD0000-memory.dmp

Filesize
128KB

Download
memory/6472-2280-0x0000000001C90000-0x0000000001CB0000-memory.dmp

Filesize
128KB

Download
memory/6884-569-0x0000000005140000-0x00000000051A5000-memory.dmp

Filesize
404KB

Download
memory/6884-589-0x0000000005140000-0x00000000051A5000-memory.dmp

Filesize
404KB

Download
memory/6884-565-0x0000000005140000-0x00000000051A5000-memory.dmp

Filesize
404KB

Download
memory/6884-538-0x0000000005140000-0x00000000051A5000-memory.dmp

Filesize
404KB

Download
memory/6884-567-0x0000000005140000-0x00000000051A5000-memory.dmp

Filesize
404KB

Download
memory/6884-513-0x0000000005140000-0x00000000051A5000-memory.dmp

Filesize
404KB

Download
memory/6884-486-0x0000000005140000-0x00000000051A5000-memory.dmp

Filesize
404KB

Download
memory/6884-551-0x0000000005140000-0x00000000051A5000-memory.dmp

Filesize
404KB

Download
memory/6884-555-0x0000000005140000-0x00000000051A5000-memory.dmp

Filesize
404KB

Download
memory/6884-524-0x0000000005140000-0x00000000051A5000-memory.dmp

Filesize
404KB

Download
memory/6884-490-0x0000000005140000-0x00000000051A5000-memory.dmp

Filesize
404KB

Download
memory/6884-583-0x0000000005140000-0x00000000051A5000-memory.dmp

Filesize
404KB

Download
memory/6884-509-0x0000000005140000-0x00000000051A5000-memory.dmp

Filesize
404KB

Download
memory/6884-571-0x0000000005140000-0x00000000051A5000-memory.dmp

Filesize
404KB

Download
memory/6884-561-0x0000000005140000-0x00000000051A5000-memory.dmp

Filesize
404KB

Download
memory/6884-581-0x0000000005140000-0x00000000051A5000-memory.dmp

Filesize
404KB

Download
memory/6884-534-0x0000000005140000-0x00000000051A5000-memory.dmp

Filesize
404KB

Download
memory/6884-480-0x0000000005140000-0x00000000051AC000-memory.dmp

Filesize
432KB

Download
memory/6884-484-0x0000000005140000-0x00000000051A5000-memory.dmp

Filesize
404KB

Download
memory/6884-482-0x0000000005140000-0x00000000051A5000-memory.dmp

Filesize
404KB

Download
memory/6884-2194-0x0000000073360000-0x0000000073B10000-memory.dmp

Filesize
7.7MB

Download
memory/6884-587-0x0000000005140000-0x00000000051A5000-memory.dmp

Filesize
404KB

Download
memory/6884-549-0x0000000005140000-0x00000000051A5000-memory.dmp

Filesize
404KB

Download
memory/6884-469-0x0000000000950000-0x0000000000986000-memory.dmp

Filesize
216KB

Download
memory/6884-470-0x0000000073360000-0x0000000073B10000-memory.dmp

Filesize
7.7MB

Download
memory/6884-573-0x0000000005140000-0x00000000051A5000-memory.dmp

Filesize
404KB

Download
memory/6884-575-0x0000000005140000-0x00000000051A5000-memory.dmp

Filesize
404KB

Download
memory/6884-577-0x0000000005140000-0x00000000051A5000-memory.dmp

Filesize
404KB

Download
memory/6884-579-0x0000000005140000-0x00000000051A5000-memory.dmp

Filesize
404KB

Download
memory/7756-2211-0x0000029A40710000-0x0000029A40732000-memory.dmp

Filesize
136KB

Download
memory/7756-2216-0x00007FFB66250000-0x00007FFB66D11000-memory.dmp

Filesize
10.8MB

Download
memory/7756-2219-0x00007FFB66250000-0x00007FFB66D11000-memory.dmp

Filesize
10.8MB

Download