growtopia | hxxps://www[.]mediafire[.]com/file/fv9veoyx2lf2x66/GX_Image_Logger[.]zip/file

Analysis

max time kernel
138s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-02-2024 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/fv9veoyx2lf2x66/GX_Image_Logger.zip/file

Score

10^/10

growtopia zgrat evasion persistence pyinstaller rat stealer

Malware Config

Extracted

Family

growtopia

https://discord.com/api/webhooks/1199763266872803338/8vedcXoMcyExhe1xhBm5f8ncmafWmOB3pkulE0l8g9Pel0t3ziyr2V51cLTVEjYsE4Rj

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/4976-562-0x0000000005170000-0x00000000051DC000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-570-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-573-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-576-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-580-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-582-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-591-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-610-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-615-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-622-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-653-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-656-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-658-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-660-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-662-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-664-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-666-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-668-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-670-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-672-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-674-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-676-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-678-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-680-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-684-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-686-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-688-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-627-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-690-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-695-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-697-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-699-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-598-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/4976-701-0x0000000005170000-0x00000000051D5000-memory.dmp	family_zgrat_v1

Growtopia
Growtopa is an opensource modular stealer written in C#.
stealer growtopia
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	WinErrorMgr.exe

Executes dropped EXE 14 IoCs

pid	Process
4976	Ilkdt.exe
5148	WinHostMgr.exe
6060	WinErrorMgr.exe
4892	Sahyui1337.exe
848	KeyGeneratorTOP.exe
5528	KeyGeneratorTOP.exe
5408	WinErrorMgr.exe
6920	Ilkdt.exe
2156	WinHostMgr.exe
4440	WinErrorMgr.exe
6204	Sahyui1337.exe
4704	KeyGeneratorTOP.exe
928	KeyGeneratorTOP.exe
6596	bauwrdgwodhv.exe

Loads dropped DLL 8 IoCs

pid	Process
5528	KeyGeneratorTOP.exe
5528	KeyGeneratorTOP.exe
5528	KeyGeneratorTOP.exe
5528	KeyGeneratorTOP.exe
928	KeyGeneratorTOP.exe
928	KeyGeneratorTOP.exe
928	KeyGeneratorTOP.exe
928	KeyGeneratorTOP.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
722	pastebin.com
723	pastebin.com
539	discord.com
540	discord.com
571	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
698	api.ipify.org
700	api.ipify.org

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	bauwrdgwodhv.exe
File opened for modification	C:\Windows\system32\MRT.exe	WinHostMgr.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	conhost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	conhost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 6596 set thread context of 3812	6596	bauwrdgwodhv.exe	232
PID 6596 set thread context of 7348	6596	bauwrdgwodhv.exe	240

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5924	sc.exe
6336	sc.exe
6228	sc.exe
6632	sc.exe
1056	sc.exe
7120	sc.exe
4248	sc.exe
2496	sc.exe
2320	sc.exe
784	sc.exe
3056	sc.exe
3572	sc.exe
4848	sc.exe
3344	sc.exe

Detects Pyinstaller 4 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0002000000022707-572.dat	pyinstaller
behavioral1/files/0x0002000000022707-568.dat	pyinstaller
behavioral1/files/0x0002000000022707-584.dat	pyinstaller
behavioral1/files/0x0002000000022707-611.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
6888	schtasks.exe
7148	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 50 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	conhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	conhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	conhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	conhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	conhost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-275798769-4264537674-1142822080-1000\{2D4AA1D4-2408-429B-A2A2-9CC1FE18B372}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1788	msedge.exe
1788	msedge.exe
1932	msedge.exe
1932	msedge.exe
6256	identity_helper.exe
6256	identity_helper.exe
7160	msedge.exe
7160	msedge.exe
4892	Sahyui1337.exe
4892	Sahyui1337.exe
4892	Sahyui1337.exe
3664	powershell.exe
3664	powershell.exe
3664	powershell.exe
6204	Sahyui1337.exe
6204	Sahyui1337.exe
6204	Sahyui1337.exe
4256	powershell.exe
4256	powershell.exe
4256	powershell.exe
5148	WinHostMgr.exe
3620	powershell.exe
3620	powershell.exe
3620	powershell.exe
5148	WinHostMgr.exe
5148	WinHostMgr.exe
5148	WinHostMgr.exe
5148	WinHostMgr.exe
5148	WinHostMgr.exe
5148	WinHostMgr.exe
5148	WinHostMgr.exe
5148	WinHostMgr.exe
5148	WinHostMgr.exe
5148	WinHostMgr.exe
5148	WinHostMgr.exe
5148	WinHostMgr.exe
5148	WinHostMgr.exe
5148	WinHostMgr.exe
6596	bauwrdgwodhv.exe
3812	conhost.exe
3812	conhost.exe
3812	conhost.exe
6596	bauwrdgwodhv.exe
6596	bauwrdgwodhv.exe
6596	bauwrdgwodhv.exe
6596	bauwrdgwodhv.exe
6596	bauwrdgwodhv.exe
6596	bauwrdgwodhv.exe
6596	bauwrdgwodhv.exe
6596	bauwrdgwodhv.exe
6596	bauwrdgwodhv.exe
6596	bauwrdgwodhv.exe
6596	bauwrdgwodhv.exe
6596	bauwrdgwodhv.exe
7452	msedge.exe
7452	msedge.exe
7348	explorer.exe
7348	explorer.exe
7348	explorer.exe
7348	explorer.exe
7348	explorer.exe
7348	explorer.exe
7348	explorer.exe
7348	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 51 IoCs

pid	Process
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	4892	Sahyui1337.exe
Token: SeDebugPrivilege	4976	Ilkdt.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	6920	Ilkdt.exe
Token: SeDebugPrivilege	6204	Sahyui1337.exe
Token: SeDebugPrivilege	4256	powershell.exe
Token: SeDebugPrivilege	3620	powershell.exe
Token: SeShutdownPrivilege	6636	powercfg.exe
Token: SeCreatePagefilePrivilege	6636	powercfg.exe
Token: SeShutdownPrivilege	4956	powercfg.exe
Token: SeCreatePagefilePrivilege	4956	powercfg.exe
Token: SeShutdownPrivilege	6428	powercfg.exe
Token: SeCreatePagefilePrivilege	6428	powercfg.exe
Token: SeShutdownPrivilege	1228	powercfg.exe
Token: SeCreatePagefilePrivilege	1228	powercfg.exe
Token: SeDebugPrivilege	3812	conhost.exe
Token: SeShutdownPrivilege	6700	powercfg.exe
Token: SeCreatePagefilePrivilege	6700	powercfg.exe
Token: SeShutdownPrivilege	5752	powercfg.exe
Token: SeCreatePagefilePrivilege	5752	powercfg.exe
Token: SeShutdownPrivilege	4336	powercfg.exe
Token: SeCreatePagefilePrivilege	4336	powercfg.exe
Token: SeShutdownPrivilege	4020	powercfg.exe
Token: SeCreatePagefilePrivilege	4020	powercfg.exe
Token: SeLockMemoryPrivilege	7348	explorer.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4164	GX_Builder.exe
2264	GX_Builder.exe
848	KeyGeneratorTOP.exe
5528	KeyGeneratorTOP.exe
4704	KeyGeneratorTOP.exe
928	KeyGeneratorTOP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1212	1932	msedge.exe	26
PID 1932 wrote to memory of 1212	1932	msedge.exe	26
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 5100	1932	msedge.exe	88
PID 1932 wrote to memory of 1788	1932	msedge.exe	89
PID 1932 wrote to memory of 1788	1932	msedge.exe	89
PID 1932 wrote to memory of 2916	1932	msedge.exe	90
PID 1932 wrote to memory of 2916	1932	msedge.exe	90
PID 1932 wrote to memory of 2916	1932	msedge.exe	90
PID 1932 wrote to memory of 2916	1932	msedge.exe	90
PID 1932 wrote to memory of 2916	1932	msedge.exe	90
PID 1932 wrote to memory of 2916	1932	msedge.exe	90
PID 1932 wrote to memory of 2916	1932	msedge.exe	90
PID 1932 wrote to memory of 2916	1932	msedge.exe	90
PID 1932 wrote to memory of 2916	1932	msedge.exe	90
PID 1932 wrote to memory of 2916	1932	msedge.exe	90
PID 1932 wrote to memory of 2916	1932	msedge.exe	90
PID 1932 wrote to memory of 2916	1932	msedge.exe	90
PID 1932 wrote to memory of 2916	1932	msedge.exe	90
PID 1932 wrote to memory of 2916	1932	msedge.exe	90
PID 1932 wrote to memory of 2916	1932	msedge.exe	90
PID 1932 wrote to memory of 2916	1932	msedge.exe	90
PID 1932 wrote to memory of 2916	1932	msedge.exe	90
PID 1932 wrote to memory of 2916	1932	msedge.exe	90
PID 1932 wrote to memory of 2916	1932	msedge.exe	90
PID 1932 wrote to memory of 2916	1932	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/fv9veoyx2lf2x66/GX_Image_Logger.zip/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb19a846f8,0x7ffb19a84708,0x7ffb19a84718
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7040 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7132 /prefetch:1
  2⤵
  PID:5356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7744 /prefetch:1
  2⤵
  PID:5388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7608 /prefetch:1
  2⤵
  PID:5380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7604 /prefetch:1
  2⤵
  PID:5372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7328 /prefetch:1
  2⤵
  PID:5364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6896 /prefetch:1
  2⤵
  PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:1
  2⤵
  PID:5824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1
  2⤵
  PID:5836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8680 /prefetch:1
  2⤵
  PID:5852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8664 /prefetch:1
  2⤵
  PID:5844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9156 /prefetch:1
  2⤵
  PID:5224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=9388 /prefetch:8
  2⤵
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9368 /prefetch:1
  2⤵
  PID:6104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9384 /prefetch:1
  2⤵
  PID:6660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10292 /prefetch:1
  2⤵
  PID:6776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10504 /prefetch:1
  2⤵
  PID:6864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10820 /prefetch:1
  2⤵
  PID:6932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10624 /prefetch:1
  2⤵
  PID:7004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11152 /prefetch:1
  2⤵
  PID:7012
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=11440 /prefetch:8
  2⤵
  PID:6272
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=11440 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10636 /prefetch:1
  2⤵
  PID:6308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10256 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:7160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
  2⤵
  PID:6636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11088 /prefetch:1
  2⤵
  PID:5936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10656 /prefetch:1
  2⤵
  PID:6148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11324 /prefetch:1
  2⤵
  PID:6160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1
  2⤵
  PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1932 /prefetch:1
  2⤵
  PID:6212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11212 /prefetch:1
  2⤵
  PID:5980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2660 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9628 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11256 /prefetch:1
  2⤵
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8620 /prefetch:1
  2⤵
  PID:5936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9888 /prefetch:1
  2⤵
  PID:5976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9924 /prefetch:1
  2⤵
  PID:6096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8292 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11300 /prefetch:1
  2⤵
  PID:6468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=11656 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:7452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=9068 /prefetch:8
  2⤵
  PID:7444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10204 /prefetch:1
  2⤵
  PID:6516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11180 /prefetch:1
  2⤵
  PID:7652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=11520 /prefetch:8
  2⤵
  PID:8068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=12256 /prefetch:2
  2⤵
  PID:6052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9152 /prefetch:1
  2⤵
  PID:6324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:7876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9968033316307776183,15246924441901590889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11304 /prefetch:1
  2⤵
  PID:7260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:684

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5140

C:\Users\Admin\Downloads\GX_Image_Logger\GXImageLogger\GX_Builder.exe
"C:\Users\Admin\Downloads\GX_Image_Logger\GXImageLogger\GX_Builder.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4164
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAeAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAeQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAeAB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAcQBsACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3664
- C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe
  "C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4976
- C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe
  "C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5148
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3620
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:6608
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4984
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:784
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3056
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:6336
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:7120
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1228
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "GMDTJRUT"
    3⤵
    - Launches sc.exe
    PID:4248
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4956
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6428
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6636
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "GMDTJRUT" binpath= "C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:3572
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GMDTJRUT"
    3⤵
    - Launches sc.exe
    PID:2496
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:4848
- C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe
  "C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:6060
- - C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe
    "C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe"
    3⤵
    - Executes dropped EXE
    PID:5408
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "WindowsErrorHandler" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7412.tmp" /F
      4⤵
      Creates scheduled task(s)
      PID:6888
- C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe
  "C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4892
- C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe
  "C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:848
- - C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe
    "C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:5528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://onepiecered.co/s?mH4q
      4⤵
      PID:1652
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb19a846f8,0x7ffb19a84708,0x7ffb19a84718
        5⤵
        
        PID:5240

C:\Users\Admin\Downloads\GX_Image_Logger\GXImageLogger\GX_Builder.exe
"C:\Users\Admin\Downloads\GX_Image_Logger\GXImageLogger\GX_Builder.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2264
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAeAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAeQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAeAB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAcQBsACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4256
- C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe
  "C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6920
- C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe
  "C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe"
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe
  "C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe"
  2⤵
  - Executes dropped EXE
  PID:4440
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "WindowsErrorHandler" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9D93.tmp" /F
    3⤵
    - Creates scheduled task(s)
    PID:7148
- C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe
  "C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6204
- C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe
  "C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4704
- - C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe
    "C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://onepiecered.co/s?mH4q
      4⤵
      PID:388
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x114,0x118,0x11c,0xf0,0x120,0x7ffb19a846f8,0x7ffb19a84708,0x7ffb19a84718
        5⤵
        
        PID:5140

C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:6596
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  PID:3812
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:6228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:6360
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:6612
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2320
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:6632
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:3344
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:5924
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3812
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4020
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4336
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5752
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:7348
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f35bb0615bb9816f562b83304e456294

SHA1
1049e2bd3e1bbb4cea572467d7c4a96648659cb4

SHA256
05e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71

SHA512
db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1eb86108cb8f5a956fdf48efbd5d06fe

SHA1
7b2b299f753798e4891df2d9cbf30f94b39ef924

SHA256
1b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40

SHA512
e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
62KB

MD5
bc5aa83ff4e7005d979dbf55782be08a

SHA1
38c08db7411294b13c0de87f91563c7859fdcad8

SHA256
76ca454ce85ed6f025d8a9f4d36f7ca5828ef836d03bd6419bc16f5b393cf9b8

SHA512
7cdbeffcc8ef38b1dd2889ff4ba597aa504b34c8e4816d1da4305f991b57dd0110363264c8973616b99888bb0403ddc507788a12965283952a2325879e7b9716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
31KB

MD5
b2d3987a15a5791f13986a5954417f1c

SHA1
93eddb28468a11f7b6217b6b581d226eca737009

SHA256
33d2e0fd299e2bbe07e2ca0d08f7c3a39858fec663a94079b679c0358047759a

SHA512
a384a4714269389d30aceca2add9b604950a7e0c3494e65d5f75d105a66e85616f0d487fadda485d72031341167fca5b8a48f1b01468173be6607fd3405cd5f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
9b1006ce7d771fe03f285ce48d0d0b0f

SHA1
9e328ad29447ae1c40eab1f3bb0aeef426a0178c

SHA256
9d12977e4bed6c3fc90f6c555db340b23de122c27db84f86c54f7cee044da769

SHA512
5af906bc856c6f2224322dd5b51c26bd39eebce33deffc9db729170f0b5128b989759a9d8927a43765b354f606cb51eda8825732662ce722d6af363624a5f1fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
5b80a27a5f1469f699560c900957cdf0

SHA1
bfbd933f52332369bfef614d290d34b40b91a156

SHA256
8c85a56b710cf72a9e2adfc317824393f27cb70ce0e7a5c715d4265faa60b9c2

SHA512
7498d04d08349662e9c2f51b8573811a6230488855da9789502851b8646b538c7f93754e30b0d6f680e2cff6311339ae2db738a160f5517d91afc0d30071b9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.msn.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
13KB

MD5
726a6cad46e6a2bf4f5fd0814d3dc4ee

SHA1
bd89fae2aa0004c3c5183aae28052e1bf60857bb

SHA256
467b7b8e277c179a1ed2789627bbcc84cc0af0bdd229ede82be6c6ee65afcc9f

SHA512
5db8fd69602cf652dc85584f0048e77e399f4abaa953449f3f2276fcbc164f1b07cdf0620c939f7a603e38e2542b2aa6184cf8a654acc4a748b330208eb1dabf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
16KB

MD5
6310a2b100384835f9ef900870099bd3

SHA1
27b6ec70e8e24396f3917c4003162711445374b6

SHA256
c08961f82d0c6d80d93be6d206dd213030732d255f5b16e2ad9f90f28c0fda73

SHA512
fdf0bb160ac6143e2de80ccb889c9221b6be877cc7c8ed6f6ae13fc3006543ff9c9464974f82d7b32bf4ae2c09ec029f4f5e4e3597383aeb78cea7de242a8222

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
33d778deb7541a6a00c6ca2fb61e04f0

SHA1
9fa5b574f0f5a73a225bb4db5083adc115e4ff09

SHA256
43b9978f100daa7b3002a28a7c51df869c67690b6b36db55f38a2a5587ed91d7

SHA512
1e81027fe93277db73e7a664fd6aa0bbfb8aaf034513a397c9e93212512a9aa6c7b3c0839d9964da16f187d307a6fa7c1eab9a40942331dad751c5812e838a9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
35ad49391ca988e7aca180372149772f

SHA1
ea4b9207153ae98b5bd40245ec3b5da078f62da4

SHA256
b59b187399aec6adb4519acaff78086a8a4d90ec9d5ed68bfec936b0d2378247

SHA512
f835d38726118308db1806a2b78c26bbc802d862aa921f2503d09c3c4a8fcc1079923975401bf6a930fc7e3c8ab79bea2278346395d184b026dbec75ab544ec9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
432c39f7e04049b9d4fd59f687cdd1ae

SHA1
deeef22df387aaa362139139ee55bb3094ad8b33

SHA256
0da529773a12871317232e2df74eeec2931b7eff737c0a1c94942cd984fc2e12

SHA512
b625aac5f03707e116d6318dd7775e544657be560db49c3c634db0cc70c85ba5604d692d448a958f23c77682de335df7b722dd9190a568c38095422dd287a616

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
21KB

MD5
2fb7f083f07bf28baa95cf12320e9241

SHA1
966481c742ccbb791faef4eab891f9c204d0e4a4

SHA256
fc9d1d4b8a1fd9ad6cf9577439a8013bba5312f198b714eb63f31e2d3652fe5a

SHA512
ec09b8cf14d5fbff8fc5f9f578fa09d1cd9def4f5462e5d2266c80fed7c94ccdb97d3b839462a639d031f28a67c9be8de6799f106cf2a27a01f8e680152fc991

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
a98d9c872310a59ef1788536c599e2b3

SHA1
4700fc5222955fa3a2af740fc7deb0f17506689d

SHA256
c03860483af1e0a4d11b3b742183f190e61d3534a43c57fb7a03037eb2c57153

SHA512
4ee074f904156b489f8aaef4a96b1dcf163d130be2a864b1d1afdad4c50c3728859e6b61bb3e3382afb2177a6418be3325d5f823c192854609e2e5484fe35564

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
5fee3b5b235e8e77b47c31d9e3f1cb75

SHA1
329f3cecb812229879e97bdabe7d27657a9bba8a

SHA256
7534d6b6e4cb341cecfd691d67645c8c26857baaeff7a96496e9c2b9814c3847

SHA512
3c2a6691266b661a0cf265b024d9f7fa3476964cc570a05a04395c4e576fb15b40e3b00a9ed486b558d11381fbd25a317571b6d6301d72a9a0f16c2a023878fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
9cdb40d565ba55363cf459e7fb467ccf

SHA1
c1fbd148fa670395ccd3ca21f22ed94ea81751bc

SHA256
2d4bcad432e0000153b714e9bd958c7c9155cbcfa678e777d29d154b677a4c18

SHA512
9347d82e07159ae977d8b116c5b884737c58398dba004ccc0362c2e5ea71b9b300c70f43bf42dded1a3488b3adad2025ec4a799dbbe8009c0fd5296bdd403853

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe591d04.TMP

Filesize
48B

MD5
72de72df8906a131c957b495de82bf8b

SHA1
25c0b9eb8ebb9f62b296f6499be77df1fd26ca09

SHA256
e1a7bfd0dbd291ca4ca8cf167aa58b05cb5effc0558c16b60a36c20682f4d892

SHA512
f8cb74fea51b6521836b186fe1cfb95c7a85dac14ed91b81d9094fdc3bea2f8b02807eb67765104beaa5bfda7bd56e0fdffb53a39182126c783f189d0052cb9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
a6473644855177d7656198ddcce427f3

SHA1
20e3c54cc3f782fd44de75adfbc6133c8a8d7d85

SHA256
ed976c246209511ead12609f81db2fb16bd5d9d300f40b4f45d673f134818ad8

SHA512
aed04e8803d912840c9f3a41c06cf4d5a91bb32eaa9ac025a88d2ae6d5a7e3e4cebba488fff0aba6fccd62dbcbf1e7b5c5e6101694d81b365b8637d9c701ce13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
c6eb9388a59c44b932204a970e08b257

SHA1
241bdd89bc5c86e65ce4331f3f77f31b27aa3f46

SHA256
7685f729d1d3e36c4c40cb68fc52748c6f1e89e533e5625970af4740cedc7894

SHA512
1ad952d3fb842de475fba1e48933cee9882c4a2caedfb7f7bdeaea48feb96226c417934cc2a8141421ef868079a324b7007b86cc0e50804ec60f51b6320a2c06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
4d533a431740f52f82da899874755270

SHA1
4777c4936889638ce127e6a2e65aee8e140b233f

SHA256
b4033eb959407efc2ee05e4a286e0bedcead7f229dc9201cd35a9b8338c774f3

SHA512
b4e252b92eeaadde7a06e097c6bc621eb4ac3724090d4c0edd3206a44feab02f99b70f61746fe476fa5adf0c122ff6031495cbf07ea31a07d8b886c09c65d1af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
1055569df2d80cf7d77c49fecb24f068

SHA1
64351a4c40e5dbe11f50e5fb18a5ec5fc33500cc

SHA256
96c2d2241e89b97182ce962fb41e246b2c0e44862dcfe51579b3f7d38e8f07f3

SHA512
34bc1afd0a72fc9efd3a96a471540928f1e402ee407d813f9bdca438fe336bda130bd708de7d1e7f4b9128c084c0597b62da88eca5afcc9dc0b2f34bdd5c7e3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
b42c00233079349f87b0893ad91284ff

SHA1
8fcadcfb615ee00015316c6a60774b82949ae2f9

SHA256
94ca0c05a749ade329bb2d1f7e6d0b3c6c86d4e8a942bff97fbff1b7f73e226f

SHA512
f34e00d600f1f344d43a0145e2cb903b92bc4ff9833f8933730eaf2465ce35d581e625965c79529e516cb85df8a269e6b40c8dc93282150614094d0c99b3c2de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
402e1d01d29be29162fbfa05e7b3f4af

SHA1
4fd256b2bef9b60203ccf79f9616d756a4b5c280

SHA256
2434efd192c11e3d845a1c11ab6f0bcd06c7885b22b404d9f23e70ea9b8f2d93

SHA512
a958931fee28ac954632e9d2e679c96a127d6f4f39a8075ef1b28b782217b608dd3e9a1009a8067d4cdd33e0209d8d02065d882bc8e3bd5eea14dde50dac26b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
0e4309715818148b7c0f3169f49a07c7

SHA1
f5790719d2a3ddfd99148ee209ef35f9d168a127

SHA256
b6979ea9567328beb43edbc57947ecc0b46ac73a0a17fa329a34636ab64cfcaf

SHA512
5098dfbf432b0cdc34beb606fe63e5b9fe2ea72797d49020158d0655717556b5d645b64b647b65ee838e822a0f0590602e9a6194f012903d8bed8076e9f84a5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5783d6.TMP

Filesize
4KB

MD5
30c2049342fd9806b176281b7a0d53be

SHA1
723968859af762b5bd3fd4739dd56bcfae4cf568

SHA256
1b2d2abe96b2d3bf012f2f1135e8ee9de198be7a9618dcb8175e75c8a415532a

SHA512
5b68cf6f0e3c833858d305c21d5a2e89d7146696c921e20de65581196881af43cebd4dac36c1b6fb77c1ec05886b3d996c60140cb680a7eb20386223b974b893

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
db62fca5f79281e499c1cba73ca1736f

SHA1
6501c02e752cbf34784fbab1220826061d1f4680

SHA256
2d54d45ef6a24920846a920f3fb6eaf990383c142f1869198e173f686434fbf5

SHA512
024ef5296fe9b533e9441d295b73959f61c6c2e6a3599b1ed49123801ea7f3835e03f3985ba93dc100421b880eddbab70d73f5a44c39806862c77baa3af8c70a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
43fcf434c6b2a729838ae821cb9f49ca

SHA1
d7ac1411c9e6adb86e83c4f88e5bae73387bbfe6

SHA256
d854bd4fa70eb286130fafbddbecacfd398d165d08f9ccb2a7a8171e00cb48ec

SHA512
4bbb1bda4a4644d1a5cd4f8b8b506252e10de3880b422a8970238df27117b8a955505c21e8e0ab2b9a2b7549070d28a66f7698f8d0c6397763fb075f6d6664fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe

Filesize
191KB

MD5
e004a568b841c74855f1a8a5d43096c7

SHA1
b90fd74593ae9b5a48cb165b6d7602507e1aeca4

SHA256
d49013d6be0f0e727c0b53bce1d3fed00656c7a2836ceef0a9d4cb816a5878db

SHA512
402dd4d4c57fb6f5c7a531b7210a897dfe41d68df99ae4d605944f6e5b2cecaafa3fe27562fe45e7e216a7c9e29e63139d4382310b41f04a35ad56115fbed2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe

Filesize
382KB

MD5
1af665059578971c62a6798df18206af

SHA1
4366386501d22265a1ebd187200cc0454100ae23

SHA256
bafe62e4d43f642d65f9ceb91a1c67b9c6bb2de1ca107e9bd8290915e699a34a

SHA512
1720941044d4c503dde10ca752c6f2403a435f8c4fe3436312e767ac29b0ab7f6e7ccb2e6f32ac8c9853e87385e1bdf78c6b4d2f400d82fedb8ba6c1e73e6ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe

Filesize
768KB

MD5
79242336126347b3f63a7bb902218e32

SHA1
768949e1a1a4075f8753e0525d22524e4c866c35

SHA256
5ab3c758f8a2fcdc691e06f4049f81a4bae1e8f1b2a27554988c2afedb1f7c84

SHA512
b481868b8fe141def0f2c0f6632656c77930c2aff29115a85d014e68d06f5bd073557fc4a478cc9477291f4c8650f3ac1a38924c53d8f0d6b69d90c0a5a19d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe

Filesize
1.9MB

MD5
699460792b311ae272aab6fef9332fe8

SHA1
5d449e950aa1c34b73bd403a6207c253f6716682

SHA256
241524cc3817b2b0da7c2074efa7194c108c2e1ff6fe26bc4b6fc8907db78bf8

SHA512
ff3793db38c9e903785f6ba3552140c4bc7d570e8450b27ad501ba7b86330ebbaa9845546ce29ba1e70b2457b8fe84ac8a12f32bcd4ccc831fea44123cc11703

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe

Filesize
4.4MB

MD5
88216297b3af932004bc1232384aa687

SHA1
413462301a0d227606456f3dbba47b1faff3d9d8

SHA256
5007fcf600b2bd948f2ed26728e3d51dfb92ce77a562a523b868564a32f389c9

SHA512
47ca1b8adf038383504be981f73d8f88a16be18a9afa90addad48df33942b574acaedd3e91a46a3cc7b6b14d2e779be5f8e744845565784791722257c3d73e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe

Filesize
316KB

MD5
675d9e9ab252981f2f919cf914d9681d

SHA1
7485f5c9da283475136df7fa8b62756efbb5dd17

SHA256
0f055835332ef8e368185ae461e7c9eacdeb3d600ea550d605b09a20e0856e2d

SHA512
9dd936705fd43ebe8be17fcf77173eaaf16046f5880f8fe48fc68ded91ef6202ba65c605980bd2e330d2c7f463f772750a1bd96246fffdc9cb6bf8e1b00a2ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe

Filesize
42KB

MD5
d499e979a50c958f1a67f0e2a28af43d

SHA1
1e5fa0824554c31f19ce01a51edb9bed86f67cf0

SHA256
bc3d545c541e42420ce2c2eabc7e5afab32c869a1adb20adb11735957d0d0b0e

SHA512
668047f178d82bebefeb8c2e7731d34ff24dc755dacd3362b43d8b44c6b148fc51af0d0ab2d0a67f0344ab6158b883fe568e4eeb0e34152108735574f0e1e763

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe

Filesize
1.3MB

MD5
8b1ea2f1a5c15133040fb4ba2042418d

SHA1
2d3877644be31c8b656ae6ebaf055dac92e55c1d

SHA256
dc765d9320319b32dbd81eb117b3f1e00cf506179a0ac3ae519d0d93da3ff1dc

SHA512
0cef02a420f911ae978025d8cee61174edc8703c511f56b5149bccf0921ab8d0b37ebe6156e7e13e0bcdc961f5efbf01a3ac9031ea60cf492f3f9ee54e3e0720

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe

Filesize
768KB

MD5
b406839d888c247e4f8b9838ac22fcbd

SHA1
49aea10d056fbb05ac6f3fab1b9500ca7715005c

SHA256
916d590445b483b670005367cfa7170bda99455dbe4fa77f6eef7c600ae3c0ae

SHA512
2c4d890236cc19c26f437e17157a4e8145e33e46849f61798985e1d131be9699a2065af90fc4ea60776a8fb05008ac1066a93d3ad4373b5decd86bad66c86c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\_bz2.pyd

Filesize
82KB

MD5
90f58f625a6655f80c35532a087a0319

SHA1
d4a7834201bd796dc786b0eb923f8ec5d60f719b

SHA256
bd8621fcc901fa1de3961d93184f61ea71068c436794af2a4449738ccf949946

SHA512
b5bb1ecc195700ad7bea5b025503edd3770b1f845f9beee4b067235c4e63496d6e0b19bdd2a42a1b6591d1131a2dc9f627b2ae8036e294300bb6983ecd644dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\_decimal.pyd

Filesize
247KB

MD5
f78f9855d2a7ca940b6be51d68b80bf2

SHA1
fd8af3dbd7b0ea3de2274517c74186cb7cd81a05

SHA256
d4ae192bbd4627fc9487a2c1cd9869d1b461c20cfd338194e87f5cf882bbed12

SHA512
6b68c434a6f8c436d890d3c1229d332bd878e5777c421799f84d79679e998b95d2d4a013b09f50c5de4c6a85fcceb796f3c486e36a10cbac509a0da8d8102b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\_hashlib.pyd

Filesize
64KB

MD5
8baeb2bd6e52ba38f445ef71ef43a6b8

SHA1
4132f9cd06343ef8b5b60dc8a62be049aa3270c2

SHA256
6c50c9801a5caf0bb52b384f9a0d5a4aa182ca835f293a39e8999cf6edf2f087

SHA512
804a4e19ea622646cea9e0f8c1e284b7f2d02f3620199fa6930dbdadc654fa137c1e12757f87c3a1a71ceff9244aa2f598ee70d345469ca32a0400563fe3aa65

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\_lzma.pyd

Filesize
155KB

MD5
cf8de1137f36141afd9ff7c52a3264ee

SHA1
afde95a1d7a545d913387624ef48c60f23cf4a3f

SHA256
22d10e2d6ad3e3ed3c49eb79ab69a81aaa9d16aeca7f948da2fe80877f106c16

SHA512
821985ff5bc421bd16b2fa5f77f1f4bf8472d0d1564bc5768e4dbe866ec52865a98356bb3ef23a380058acd0a25cd5a40a1e0dae479f15863e48c4482c89a03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\base_library.zip

Filesize
1.3MB

MD5
44db87e9a433afe94098d3073d1c86d7

SHA1
24cc76d6553563f4d739c9e91a541482f4f83e05

SHA256
2b8b36bd4b1b0ee0599e5d519a91d35d70f03cc09270921630168a386b60ac71

SHA512
55bc2961c0bca42ef6fb4732ec25ef7d7d2ec47c7fb96d8819dd2daa32d990000b326808ae4a03143d6ff2144416e218395cccf8edaa774783234ec7501db611

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\libcrypto-3.dll

Filesize
2.9MB

MD5
836b97faaab169a1bc6960d902a92c4f

SHA1
69550477b3b5e90c407168140ddd2b6d967569b9

SHA256
5439db27d2b77443ae0a8c3312504eed4a1905dd7932e4d8dd4b17e913e6a61d

SHA512
9d48ab77ec5619e5e318efb75a7d8604ffd82d9ef3edc387197cae77a738766fe1ac905af7103487df33a4a8af7988ad24a26f1e479cdcdc4dcc601579c5e3f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\python312.dll

Filesize
640KB

MD5
1b1a90b40ca2436a8e12df2ced12a85a

SHA1
b7ca1ff8b28fa5885efa61b51bd63c3ef8c4b716

SHA256
a445ac3fea2f01fd95b2a219e85dfa8610cfd1849eb79f5c827a9b2bf5a0f671

SHA512
dd92a09637dbe7af313c4000b5ac6893f2a08ec681885d9e87603bbc2e7ba713f42db6b91de4c0b94384fec40585f988b670d9047a4fc24b73bce84e4be79346

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\python312.dll

Filesize
3.8MB

MD5
a4a9bc29e7a5ec8f5ff0ba42f2d0bffe

SHA1
fc967b5575a534f7018f85b953ee6a5ff9514c60

SHA256
83a77416e0b2b16175c705dd6ac1fbbf9e4726a89e4d3276b987f2a04f01fa2d

SHA512
8f4912f132421514291186b52930bd6ebfc924cdedf597f71caceeb8b50cd07fcd0fd39b3d375cd147b2aa52362b84fa4afb487dad5fceee2ffc665b0f9a8f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\select.pyd

Filesize
29KB

MD5
e1604afe8244e1ce4c316c64ea3aa173

SHA1
99704d2c0fa2687997381b65ff3b1b7194220a73

SHA256
74cca85600e7c17ea6532b54842e26d3cae9181287cdf5a4a3c50af4dab785e5

SHA512
7bf35b1a9da9f1660f238c2959b3693b7d9d2da40cf42c6f9eba2164b73047340d0adff8995049a2fe14e149eba05a5974eee153badd9e8450f961207f0b3d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8482\unicodedata.pyd

Filesize
1.1MB

MD5
fc47b9e23ddf2c128e3569a622868dbe

SHA1
2814643b70847b496cbda990f6442d8ff4f0cb09

SHA256
2a50d629895a05b10a262acf333e7a4a31db5cb035b70d14d1a4be1c3e27d309

SHA512
7c08683820498fdff5f1703db4ad94ad15f2aa877d044eddc4b54d90e7dc162f48b22828cd577c9bb1b56f7c11f777f9785a9da1867bf8c0f2b6e75dc57c3f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t3uwojnl.f0f.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\GX_Image_Logger.zip

Filesize
11.6MB

MD5
0320cabde39fe61ef6e6aa1a30aa9304

SHA1
f8683922467ed12c978216a480646da2736b43d1

SHA256
aa094222e49bcf065d68a71ae3ee75b23d6117b991b48a6dc26e38187fc43e76

SHA512
b6892e282a7687019b4a52c467c6d94c18bfefd84aa296c3b478443e0a6773112cdba0a59e78ea935da16df2a82228f5495dcc5ca47179ace275fac976373141

Download Submit
memory/3620-2262-0x00007FFB051E0000-0x00007FFB05CA1000-memory.dmp

Filesize
10.8MB

Download
memory/3620-2265-0x00000240B2770000-0x00000240B2780000-memory.dmp

Filesize
64KB

Download
memory/3620-2268-0x00000240B2770000-0x00000240B2780000-memory.dmp

Filesize
64KB

Download
memory/3620-2311-0x00000240CC720000-0x00000240CC742000-memory.dmp

Filesize
136KB

Download
memory/3664-790-0x00000000077B0000-0x00000000077B8000-memory.dmp

Filesize
32KB

Download
memory/3664-633-0x0000000005AF0000-0x0000000005B56000-memory.dmp

Filesize
408KB

Download
memory/3664-561-0x0000000002BA0000-0x0000000002BD6000-memory.dmp

Filesize
216KB

Download
memory/3664-557-0x0000000072EA0000-0x0000000073650000-memory.dmp

Filesize
7.7MB

Download
memory/3664-571-0x0000000005450000-0x0000000005A78000-memory.dmp

Filesize
6.2MB

Download
memory/3664-823-0x0000000072EA0000-0x0000000073650000-memory.dmp

Filesize
7.7MB

Download
memory/3664-785-0x00000000077D0000-0x00000000077EA000-memory.dmp

Filesize
104KB

Download
memory/3664-776-0x00000000076E0000-0x00000000076F4000-memory.dmp

Filesize
80KB

Download
memory/3664-769-0x00000000076D0000-0x00000000076DE000-memory.dmp

Filesize
56KB

Download
memory/3664-738-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/3664-739-0x0000000007690000-0x00000000076A1000-memory.dmp

Filesize
68KB

Download
memory/3664-734-0x0000000007710000-0x00000000077A6000-memory.dmp

Filesize
600KB

Download
memory/3664-655-0x0000000005CD0000-0x0000000006024000-memory.dmp

Filesize
3.3MB

Download
memory/3664-733-0x0000000007510000-0x000000000751A000-memory.dmp

Filesize
40KB

Download
memory/3664-652-0x0000000005C60000-0x0000000005CC6000-memory.dmp

Filesize
408KB

Download
memory/3664-732-0x0000000007490000-0x00000000074AA000-memory.dmp

Filesize
104KB

Download
memory/3664-731-0x0000000007AD0000-0x000000000814A000-memory.dmp

Filesize
6.5MB

Download
memory/3664-708-0x000000007F2A0000-0x000000007F2B0000-memory.dmp

Filesize
64KB

Download
memory/3664-681-0x0000000006160000-0x000000000617E000-memory.dmp

Filesize
120KB

Download
memory/3664-682-0x00000000061B0000-0x00000000061FC000-memory.dmp

Filesize
304KB

Download
memory/3664-730-0x0000000007360000-0x0000000007403000-memory.dmp

Filesize
652KB

Download
memory/3664-729-0x0000000006730000-0x000000000674E000-memory.dmp

Filesize
120KB

Download
memory/3664-718-0x0000000074A20000-0x0000000074A6C000-memory.dmp

Filesize
304KB

Download
memory/3664-616-0x00000000053B0000-0x00000000053D2000-memory.dmp

Filesize
136KB

Download
memory/3664-706-0x0000000006770000-0x00000000067A2000-memory.dmp

Filesize
200KB

Download
memory/3664-604-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/3664-613-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/4256-2216-0x0000000006AD0000-0x0000000006B1C000-memory.dmp

Filesize
304KB

Download
memory/4256-2286-0x00000000077B0000-0x0000000007853000-memory.dmp

Filesize
652KB

Download
memory/4256-2085-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/4256-2082-0x0000000072EA0000-0x0000000073650000-memory.dmp

Filesize
7.7MB

Download
memory/4256-2393-0x0000000007AB0000-0x0000000007AC4000-memory.dmp

Filesize
80KB

Download
memory/4256-2341-0x0000000007A50000-0x0000000007A61000-memory.dmp

Filesize
68KB

Download
memory/4256-2281-0x000000007FB80000-0x000000007FB90000-memory.dmp

Filesize
64KB

Download
memory/4256-2088-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/4256-2272-0x0000000074BF0000-0x0000000074C3C000-memory.dmp

Filesize
304KB

Download
memory/4256-2141-0x0000000006170000-0x00000000064C4000-memory.dmp

Filesize
3.3MB

Download
memory/4440-2071-0x0000000072EA0000-0x0000000073650000-memory.dmp

Filesize
7.7MB

Download
memory/4892-608-0x000002953E200000-0x000002953E210000-memory.dmp

Filesize
64KB

Download
memory/4892-594-0x00007FFB051E0000-0x00007FFB05CA1000-memory.dmp

Filesize
10.8MB

Download
memory/4892-634-0x00007FFB051E0000-0x00007FFB05CA1000-memory.dmp

Filesize
10.8MB

Download
memory/4892-560-0x0000029523BF0000-0x0000029523C44000-memory.dmp

Filesize
336KB

Download
memory/4976-684-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/4976-690-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/4976-610-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/4976-662-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/4976-653-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/4976-680-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/4976-678-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/4976-676-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/4976-674-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/4976-672-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/4976-686-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/4976-656-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/4976-670-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/4976-668-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/4976-591-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/4976-666-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/4976-562-0x0000000005170000-0x00000000051DC000-memory.dmp

Filesize
432KB

Download
memory/4976-627-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/4976-615-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/4976-2079-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/4976-2076-0x0000000072EA0000-0x0000000073650000-memory.dmp

Filesize
7.7MB

Download
memory/4976-701-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/4976-598-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/4976-664-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/4976-541-0x0000000000990000-0x00000000009C6000-memory.dmp

Filesize
216KB

Download
memory/4976-658-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/4976-574-0x0000000072EA0000-0x0000000073650000-memory.dmp

Filesize
7.7MB

Download
memory/4976-688-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/4976-660-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/4976-582-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/4976-580-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/4976-579-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/4976-570-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/4976-699-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/4976-573-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/4976-697-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/4976-695-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/4976-576-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/4976-622-0x0000000005170000-0x00000000051D5000-memory.dmp

Filesize
404KB

Download
memory/5408-625-0x0000000072EA0000-0x0000000073650000-memory.dmp

Filesize
7.7MB

Download
memory/5408-2289-0x0000000004770000-0x0000000004780000-memory.dmp

Filesize
64KB

Download
memory/5408-2274-0x0000000072EA0000-0x0000000073650000-memory.dmp

Filesize
7.7MB

Download
memory/5408-640-0x0000000004770000-0x0000000004780000-memory.dmp

Filesize
64KB

Download
memory/6060-577-0x0000000072EA0000-0x0000000073650000-memory.dmp

Filesize
7.7MB

Download
memory/6060-626-0x0000000072EA0000-0x0000000073650000-memory.dmp

Filesize
7.7MB

Download
memory/6060-556-0x0000000000570000-0x0000000000580000-memory.dmp

Filesize
64KB

Download
memory/6204-2125-0x00007FFB051E0000-0x00007FFB05CA1000-memory.dmp

Filesize
10.8MB

Download
memory/6204-2093-0x00007FFB051E0000-0x00007FFB05CA1000-memory.dmp

Filesize
10.8MB

Download
memory/6204-2096-0x000001DE73940000-0x000001DE73950000-memory.dmp

Filesize
64KB

Download
memory/6920-2050-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/6920-2047-0x0000000072EA0000-0x0000000073650000-memory.dmp

Filesize
7.7MB

Download