40e5ea6bba0f9021c4cd069baa2b89185b0e2edd0f4bb2b1ecee7f1527f36473

Analysis

max time kernel
433s
max time network
1528s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

chexii..png.webp
Size

36KB
MD5

302b643d5e393ecdf5fa4404f533d627
SHA1

58311913e3791522f036b886912664fafd28f96e
SHA256

40e5ea6bba0f9021c4cd069baa2b89185b0e2edd0f4bb2b1ecee7f1527f36473
SHA512

11eac519f9f4c2016c998d62e042fc31062e62b91cd09632b1aac467bd4fbe0597b14490fa2addb694cb44cbed6f4d6170aaf5166a19636fa9346c2d6fa480b2
SSDEEP

768:EJGYObopzx0cQaECILGE05SqAex6mICEyvKKXJE+VHUAFVhcxL3FiSyIPReM:SGupzyctfILS8qHEmXEyvKCJB0Aj2xZR

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Executes dropped EXE 20 IoCs

pid	Process
4360	AnyDesk.exe
1332	AnyDesk.exe
2668	AnyDesk.exe
2176	AnyDesk.exe
3704	wireguard-installer.exe
732	wireguard.exe
1964	wireguard.exe
4124	wireguard.exe
4624	wireguard.exe
2304	TMAC.exe
4360	AnyDesk.exe
1332	AnyDesk.exe
2668	AnyDesk.exe
2176	AnyDesk.exe
3704	wireguard-installer.exe
732	wireguard.exe
1964	wireguard.exe
4124	wireguard.exe
4624	wireguard.exe
2304	TMAC.exe

Loads dropped DLL 30 IoCs

pid	Process
2668	AnyDesk.exe
1332	AnyDesk.exe
1824	MsiExec.exe
1824	MsiExec.exe
1824	MsiExec.exe
5308	MsiExec.exe
5308	MsiExec.exe
5308	MsiExec.exe
5472	regsvr32.exe
5676	regsvr32.exe
5536	regsvr32.exe
6080	regsvr32.exe
2304	TMAC.exe
2304	TMAC.exe
2304	TMAC.exe
2668	AnyDesk.exe
1332	AnyDesk.exe
1824	MsiExec.exe
1824	MsiExec.exe
1824	MsiExec.exe
5308	MsiExec.exe
5308	MsiExec.exe
5308	MsiExec.exe
5472	regsvr32.exe
5676	regsvr32.exe
5536	regsvr32.exe
6080	regsvr32.exe
2304	TMAC.exe
2304	TMAC.exe
2304	TMAC.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\MSCHRT20.OCX	TMACv6.0.7_Setup.exe
File opened for modification	C:\Windows\SysWOW64\TABCTL32.OCX	TMACv6.0.7_Setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\MSCOMCTL.OCX	TMACv6.0.7_Setup.exe
File opened for modification	C:\Windows\SysWOW64\COMDLG32.OCX	TMACv6.0.7_Setup.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\Default.tpf	TMACv6.0.7_Setup.exe
File created	C:\Program Files\WireGuard\wg.exe	msiexec.exe
File created	C:\Program Files\WireGuard\wireguard.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\Installer.exe	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\CLIHelp.txt	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\logo.gif	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\normal_back_blue_w800.jpg	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\normal_footer_back_h30.jpg	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\normal_logo_back.jpg	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\oui.db	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\TMAC.exe	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files\WireGuard\Data\log.bin	wireguard.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\EULA.txt	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\index.css	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\help.html	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\Read Me.txt	TMACv6.0.7_Setup.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{2FDB79CE-5193-4A39-82BB-E00158CC1533}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAFBB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{2FDB79CE-5193-4A39-82BB-E00158CC1533}\wireguard.ico	msiexec.exe
File created	C:\Windows\Installer\e5bade4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAF29.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAF6A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAFA9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB0A6.tmp	msiexec.exe
File created	C:\Windows\Installer\e5bade0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5bade0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAEDA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAF69.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAFBA.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\{2FDB79CE-5193-4A39-82BB-E00158CC1533}\wireguard.ico	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 17 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	wireguard.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000019be7eb961b76eb40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000019be7eb90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090019be7eb9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d19be7eb9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000019be7eb900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	wireguard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	wireguard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	wireguard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	wireguard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	wireguard.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	wireguard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	wireguard.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	wireguard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	wireguard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	wireguard.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	wireguard.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 48 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{996BF5E0-8044-4650-ADEB-0B013914E99C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{979127D3-7D01-4FDE-AF65-A698091468AF}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\AlternateCLSID = "{9A948063-66C3-4F63-AB46-582EDAA35047}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{24B224E0-9545-4A2F-ABD5-86AA8A849385}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{979127D3-7D01-4FDE-AF65-A698091468AF}\AlternateCLSID = "{CCDB0DF2-FD1A-4856-80BC-32929D8359B7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{A0E7BF67-8D30-4620-8825-7111714C7CAB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{24B224E0-9545-4A2F-ABD5-86AA8A849385}\AlternateCLSID = "{9A948063-66C3-4F63-AB46-582EDAA35047}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\AlternateCLSID = "{8B2ADD10-33B7-4506-9569-0A1E1DBBEBAE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{95F0B3BE-E8AC-4995-9DCA-419849E06410}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\AlternateCLSID = "{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{627C8B79-918A-4C5C-9E19-20F66BF30B86}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{24B224E0-9545-4A2F-ABD5-86AA8A849385}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}\AlternateCLSID = "{95F0B3BE-E8AC-4995-9DCA-419849E06410}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F91CAF91-225B-43A7-BB9E-472F991FC402}\AlternateCLSID = "{556C2772-F1AD-4DE1-8456-BD6E8F66113B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{996BF5E0-8044-4650-ADEB-0B013914E99C}\AlternateCLSID = "{CCDB0DF2-FD1A-4856-80BC-32929D8359B7}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\AlternateCLSID = "{556C2772-F1AD-4DE1-8456-BD6E8F66113B}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F91CAF91-225B-43A7-BB9E-472F991FC402}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\AlternateCLSID = "{585AA280-ED8B-46B2-93AE-132ECFA1DAFC}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\AlternateCLSID = "{8B2ADD10-33B7-4506-9569-0A1E1DBBEBAE}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\AlternateCLSID = "{CCDB0DF2-FD1A-4856-80BC-32929D8359B7}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{996BF5E0-8044-4650-ADEB-0B013914E99C}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{979127D3-7D01-4FDE-AF65-A698091468AF}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\AlternateCLSID = "{0B314611-2C19-4AB4-8513-A6EEA569D3C4}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F91CAF91-225B-43A7-BB9E-472F991FC402}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\AlternateCLSID = "{585AA280-ED8B-46B2-93AE-132ECFA1DAFC}"	regsvr32.exe

Modifies data under HKEY_USERS 21 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	wireguard.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2B	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	wireguard.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	wireguard.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133603994224623967"	chrome.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	wireguard.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	wireguard.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	wireguard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wireguard.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c\52C64B7E	wireguard.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	wireguard.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	wireguard.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	wireguard.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	wireguard.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"	wireguard.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	wireguard.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{556C2772-F1AD-4DE1-8456-BD6E8F66113B}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66833FE9-8583-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F26-8591-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9E074DE-BA0A-11D1-B137-0000F8753F5D}\ = "IVcFill"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE38-8596-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F21-8591-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F08DF953-8592-11D1-B16A-00C0F0283628}\ = "ISliderEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC5D0DE2-BD4C-11D1-B137-0000F8753F5D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSCHRT20.OCX"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\VersionIndependentProgID\ = "MSComctlLib.SBarCtrl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}\TypeLib\ = "{BDC217C8-ED16-11CD-956C-0000C04E4C0A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E3867AA-8586-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDD1F053-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E074CB-BA0A-11D1-B137-0000F8753F5D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E074DA-BA0A-11D1-B137-0000F8753F5D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7DA06D40-54A0-11CF-A521-0080C77A7786}\ = "SSTabCtl General Property Page Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageComboCtl	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA664-8594-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A948063-66C3-4F63-AB46-582EDAA35047}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\MSCOMCTL.OCX, 10"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24B224E0-9545-4A2F-ABD5-86AA8A849385}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{585AA280-ED8B-46B2-93AE-132ECFA1DAFC}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0B314611-2C19-4AB4-8513-A6EEA569D3C4}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F91CAF91-225B-43A7-BB9E-472F991FC402}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\ = "Microsoft StatusBar Control 6.0 (SP6)"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A0E7BF67-8D30-4620-8825-7111714C7CAB}\MiscStatus\1\ = "172433"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E074DC-BA0A-11D1-B137-0000F8753F5D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E074FA-BA0A-11D1-B137-0000F8753F5D}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC97BDF2391593A428BB0E1085CC5133\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8B2ADD10-33B7-4506-9569-0A1E1DBBEBAE}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageListCtrl.2\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66833FE4-8583-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E07511-BA0A-11D1-B137-0000F8753F5D}\TypeLib\ = "{65E121D4-0C60-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}\2.1\HELPDIR\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35053A20-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9E0751F-BA0A-11D1-B137-0000F8753F5D}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE36-8596-11D1-B16A-00C0F0283628}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E074CF-BA0A-11D1-B137-0000F8753F5D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9E07508-BA0A-11D1-B137-0000F8753F5D}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9E07521-BA0A-11D1-B137-0000F8753F5D}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E074FC-BA0A-11D1-B137-0000F8753F5D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E07527-BA0A-11D1-B137-0000F8753F5D}\TypeLib\ = "{65E121D4-0C60-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A0E7BF67-8D30-4620-8825-7111714C7CAB}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE3D-8596-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA660-8594-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{979127D3-7D01-4FDE-AF65-A698091468AF}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E074D8-BA0A-11D1-B137-0000F8753F5D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDD1F049-858B-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9E07506-BA0A-11D1-B137-0000F8753F5D}\TypeLib\ = "{65E121D4-0C60-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{996BF5E0-8044-4650-ADEB-0B013914E99C}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\ProgID\ = "MSComctlLib.SBarCtrl.2"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE3C-8596-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDC217C8-ED16-11CD-956C-0000C04E4C0A}\1.1\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{627C8B79-918A-4C5C-9E19-20F66BF30B86}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9E074CF-BA0A-11D1-B137-0000F8753F5D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9E074EE-BA0A-11D1-B137-0000F8753F5D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9E07511-BA0A-11D1-B137-0000F8753F5D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C74190B5-8589-11D1-B16A-00C0F0283628}	regsvr32.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	wireguard-installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0400000001000000100000004be2c99196650cf40e5a9392a00afeb20f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d4190000000100000010000000fa46ce7cbb85cfb4310075313a09ee052000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	wireguard-installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 5c000000010000000400000000080000190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd940400000001000000100000004be2c99196650cf40e5a9392a00afeb22000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	wireguard-installer.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
2668	AnyDesk.exe
4624	wireguard.exe
2668	AnyDesk.exe
4624	wireguard.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
2312	msedge.exe
2312	msedge.exe
3380	msedge.exe
3380	msedge.exe
1460	identity_helper.exe
1460	identity_helper.exe
1444	msedge.exe
1444	msedge.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
1332	AnyDesk.exe
1332	AnyDesk.exe
1332	AnyDesk.exe
1332	AnyDesk.exe
1332	AnyDesk.exe
1332	AnyDesk.exe
5468	chrome.exe
5468	chrome.exe
3236	msiexec.exe
3236	msiexec.exe
4124	wireguard.exe
2312	msedge.exe
2312	msedge.exe
3380	msedge.exe
3380	msedge.exe
1460	identity_helper.exe
1460	identity_helper.exe
1444	msedge.exe
1444	msedge.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
1332	AnyDesk.exe
1332	AnyDesk.exe
1332	AnyDesk.exe
1332	AnyDesk.exe
1332	AnyDesk.exe
1332	AnyDesk.exe
5468	chrome.exe
5468	chrome.exe
3236	msiexec.exe
3236	msiexec.exe
4124	wireguard.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
5724	osk.exe
2176	AnyDesk.exe
5724	osk.exe
2176	AnyDesk.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5880	chrome.exe
Token: SeCreatePagefilePrivilege	5880	chrome.exe
Token: SeShutdownPrivilege	5880	chrome.exe
Token: SeCreatePagefilePrivilege	5880	chrome.exe
Token: SeShutdownPrivilege	5880	chrome.exe
Token: SeCreatePagefilePrivilege	5880	chrome.exe
Token: SeShutdownPrivilege	5880	chrome.exe
Token: SeCreatePagefilePrivilege	5880	chrome.exe
Token: SeShutdownPrivilege	5880	chrome.exe
Token: SeCreatePagefilePrivilege	5880	chrome.exe
Token: SeShutdownPrivilege	5880	chrome.exe
Token: SeCreatePagefilePrivilege	5880	chrome.exe
Token: SeShutdownPrivilege	5880	chrome.exe
Token: SeCreatePagefilePrivilege	5880	chrome.exe
Token: SeShutdownPrivilege	5880	chrome.exe
Token: SeCreatePagefilePrivilege	5880	chrome.exe
Token: SeShutdownPrivilege	5880	chrome.exe
Token: SeCreatePagefilePrivilege	5880	chrome.exe
Token: SeShutdownPrivilege	5880	chrome.exe
Token: SeCreatePagefilePrivilege	5880	chrome.exe
Token: SeShutdownPrivilege	5880	chrome.exe
Token: SeCreatePagefilePrivilege	5880	chrome.exe
Token: SeShutdownPrivilege	5880	chrome.exe
Token: SeCreatePagefilePrivilege	5880	chrome.exe
Token: SeShutdownPrivilege	5880	chrome.exe
Token: SeCreatePagefilePrivilege	5880	chrome.exe
Token: SeShutdownPrivilege	5880	chrome.exe
Token: SeCreatePagefilePrivilege	5880	chrome.exe
Token: SeShutdownPrivilege	5880	chrome.exe
Token: SeCreatePagefilePrivilege	5880	chrome.exe
Token: SeShutdownPrivilege	5880	chrome.exe
Token: SeCreatePagefilePrivilege	5880	chrome.exe
Token: SeShutdownPrivilege	5880	chrome.exe
Token: SeCreatePagefilePrivilege	5880	chrome.exe
Token: SeShutdownPrivilege	5880	chrome.exe
Token: SeCreatePagefilePrivilege	5880	chrome.exe
Token: SeShutdownPrivilege	5880	chrome.exe
Token: SeCreatePagefilePrivilege	5880	chrome.exe
Token: SeShutdownPrivilege	5880	chrome.exe
Token: SeCreatePagefilePrivilege	5880	chrome.exe
Token: SeShutdownPrivilege	5880	chrome.exe
Token: SeCreatePagefilePrivilege	5880	chrome.exe
Token: SeShutdownPrivilege	5880	chrome.exe
Token: SeCreatePagefilePrivilege	5880	chrome.exe
Token: SeShutdownPrivilege	5880	chrome.exe
Token: SeCreatePagefilePrivilege	5880	chrome.exe
Token: 33	4448	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4448	AUDIODG.EXE
Token: SeShutdownPrivilege	5880	chrome.exe
Token: SeCreatePagefilePrivilege	5880	chrome.exe
Token: SeShutdownPrivilege	5880	chrome.exe
Token: SeCreatePagefilePrivilege	5880	chrome.exe
Token: SeShutdownPrivilege	5880	chrome.exe
Token: SeCreatePagefilePrivilege	5880	chrome.exe
Token: SeShutdownPrivilege	5880	chrome.exe
Token: SeCreatePagefilePrivilege	5880	chrome.exe
Token: SeShutdownPrivilege	5880	chrome.exe
Token: SeCreatePagefilePrivilege	5880	chrome.exe
Token: SeShutdownPrivilege	5880	chrome.exe
Token: SeCreatePagefilePrivilege	5880	chrome.exe
Token: SeShutdownPrivilege	5880	chrome.exe
Token: SeCreatePagefilePrivilege	5880	chrome.exe
Token: SeShutdownPrivilege	5880	chrome.exe
Token: SeCreatePagefilePrivilege	5880	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5724	osk.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
5880	chrome.exe
2668	AnyDesk.exe
2668	AnyDesk.exe
2668	AnyDesk.exe
2668	AnyDesk.exe
2668	AnyDesk.exe
2668	AnyDesk.exe
4624	wireguard.exe
4624	wireguard.exe
4624	wireguard.exe
4624	wireguard.exe
4624	wireguard.exe
4624	wireguard.exe
5724	osk.exe
5724	osk.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5724	osk.exe
5724	osk.exe
5724	osk.exe
5724	osk.exe
5724	osk.exe
5724	osk.exe
5724	osk.exe
5724	osk.exe
5724	osk.exe
5724	osk.exe
5724	osk.exe
5724	osk.exe
5724	osk.exe
5724	osk.exe
5724	osk.exe
5724	osk.exe
5724	osk.exe
5724	osk.exe
3696	DllHost.exe
3696	DllHost.exe
5724	osk.exe
5724	osk.exe
4580	DllHost.exe
4580	DllHost.exe
2176	AnyDesk.exe
2176	AnyDesk.exe
5724	osk.exe
5724	osk.exe
1444	DllHost.exe
1444	DllHost.exe
5724	osk.exe
5724	osk.exe
6140	DllHost.exe
6140	DllHost.exe
5724	osk.exe
5724	osk.exe
6140	DllHost.exe
6140	DllHost.exe
5724	osk.exe
5724	osk.exe
5724	osk.exe
5724	osk.exe
524	TMACv6.0.7_Setup.exe
524	TMACv6.0.7_Setup.exe
5724	osk.exe
5724	osk.exe
1120	DllHost.exe
1120	DllHost.exe
5724	osk.exe
5724	osk.exe
1120	DllHost.exe
1120	DllHost.exe
5724	osk.exe
5724	osk.exe
1120	DllHost.exe
1120	DllHost.exe
5724	osk.exe
5724	osk.exe
1120	DllHost.exe
1120	DllHost.exe
5724	osk.exe
5724	osk.exe
1120	DllHost.exe
1120	DllHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 3380	1348	cmd.exe	83
PID 1348 wrote to memory of 3380	1348	cmd.exe	83
PID 3380 wrote to memory of 4848	3380	msedge.exe	85
PID 3380 wrote to memory of 4848	3380	msedge.exe	85
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 4640	3380	msedge.exe	86
PID 3380 wrote to memory of 2312	3380	msedge.exe	87
PID 3380 wrote to memory of 2312	3380	msedge.exe	87
PID 3380 wrote to memory of 2880	3380	msedge.exe	88
PID 3380 wrote to memory of 2880	3380	msedge.exe	88
PID 3380 wrote to memory of 2880	3380	msedge.exe	88
PID 3380 wrote to memory of 2880	3380	msedge.exe	88
PID 3380 wrote to memory of 2880	3380	msedge.exe	88
PID 3380 wrote to memory of 2880	3380	msedge.exe	88
PID 3380 wrote to memory of 2880	3380	msedge.exe	88
PID 3380 wrote to memory of 2880	3380	msedge.exe	88
PID 3380 wrote to memory of 2880	3380	msedge.exe	88
PID 3380 wrote to memory of 2880	3380	msedge.exe	88
PID 3380 wrote to memory of 2880	3380	msedge.exe	88
PID 3380 wrote to memory of 2880	3380	msedge.exe	88
PID 3380 wrote to memory of 2880	3380	msedge.exe	88
PID 3380 wrote to memory of 2880	3380	msedge.exe	88
PID 3380 wrote to memory of 2880	3380	msedge.exe	88
PID 3380 wrote to memory of 2880	3380	msedge.exe	88
PID 3380 wrote to memory of 2880	3380	msedge.exe	88
PID 3380 wrote to memory of 2880	3380	msedge.exe	88

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\chexii..png.webp
1⤵
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\chexii..png.webp
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff92b3a46f8,0x7ff92b3a4708,0x7ff92b3a4718
    3⤵
    PID:4848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,16334682438808576964,13355038011115099135,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
    3⤵
    PID:4640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,16334682438808576964,13355038011115099135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,16334682438808576964,13355038011115099135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
    3⤵
    PID:2880
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16334682438808576964,13355038011115099135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
    3⤵
    PID:2900
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16334682438808576964,13355038011115099135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
    3⤵
    PID:3704
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,16334682438808576964,13355038011115099135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8
    3⤵
    PID:392
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,16334682438808576964,13355038011115099135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16334682438808576964,13355038011115099135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
    3⤵
    PID:2032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16334682438808576964,13355038011115099135,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
    3⤵
    PID:4312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16334682438808576964,13355038011115099135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
    3⤵
    PID:4536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16334682438808576964,13355038011115099135,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
    3⤵
    PID:3296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16334682438808576964,13355038011115099135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
    3⤵
    PID:2432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16334682438808576964,13355038011115099135,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1
    3⤵
    PID:2228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault3afd2adeh21cch4f30h8ebdh554d49fc16d7
1⤵
PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff92b3a46f8,0x7ff92b3a4708,0x7ff92b3a4718
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,7095542206752733818,12687710856697937038,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,7095542206752733818,12687710856697937038,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,7095542206752733818,12687710856697937038,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:3064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5156

C:\Windows\System32\SystemSettingsBroker.exe
C:\Windows\System32\SystemSettingsBroker.exe -Embedding
1⤵
PID:5288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:5360

C:\Windows\System32\ATBroker.exe
C:\Windows\System32\ATBroker.exe /start osk
1⤵
PID:5692
- C:\Windows\System32\osk.exe
  "C:\Windows\System32\osk.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff91c05ab58,0x7ff91c05ab68,0x7ff91c05ab78
  2⤵
  PID:5896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:2
  2⤵
  PID:6060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1976 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:6068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2308 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:1
  2⤵
  PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:1
  2⤵
  PID:368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4400 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:1
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4540 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:4228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4680 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4480 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:5664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4752 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4188 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:5340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4044 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5092 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:1
  2⤵
  PID:448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3992 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3236 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4684 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:1
  2⤵
  PID:5532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5084 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5268 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:1
  2⤵
  PID:3388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5828 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:2304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5860 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6168 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:5652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:1168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5888 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:3148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5876 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:5132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:1088
- C:\Users\Admin\Downloads\AnyDesk.exe
  "C:\Users\Admin\Downloads\AnyDesk.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  PID:4360
- - C:\Users\Admin\Downloads\AnyDesk.exe
    "C:\Users\Admin\Downloads\AnyDesk.exe" --local-service
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1332
  - - C:\Users\Admin\Downloads\AnyDesk.exe
      "C:\Users\Admin\Downloads\AnyDesk.exe" --backend
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:2176
- - C:\Users\Admin\Downloads\AnyDesk.exe
    "C:\Users\Admin\Downloads\AnyDesk.exe" --local-control
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SendNotifyMessage
    PID:2668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5140 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=5392 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:1
  2⤵
  PID:3780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=5352 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:1
  2⤵
  PID:5668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5904 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:5488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6212 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:1524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=5872 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=2956 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=6408 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:1
  2⤵
  PID:5700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=6544 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:1
  2⤵
  PID:5152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=6784 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6528 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4612 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:5356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=6120 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=5092 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=6072 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:1
  2⤵
  PID:3292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6248 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6884 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:3788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:5292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5572 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5564 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --mojo-platform-channel-handle=5880 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=5540 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5576 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:1432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4464 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:4812
- C:\Users\Admin\Downloads\wireguard-installer.exe
  "C:\Users\Admin\Downloads\wireguard-installer.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:3704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6852 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6784 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7040 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6684 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --mojo-platform-channel-handle=4740 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --mojo-platform-channel-handle=6748 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --mojo-platform-channel-handle=6584 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --mojo-platform-channel-handle=6320 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:1
  2⤵
  PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4420 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3044 --field-trial-handle=1996,i,9458733479945353607,9361682979890285584,131072 /prefetch:8
  2⤵
  PID:4864

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5132

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2fc 0x4cc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
1⤵
- Suspicious use of SetWindowsHookEx
PID:3696

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
1⤵
- Suspicious use of SetWindowsHookEx
PID:4580

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
1⤵
- Suspicious use of SetWindowsHookEx
PID:1444

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
1⤵
- Suspicious use of SetWindowsHookEx
PID:6140

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3236
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1360
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 15355C104CAFA45A89445D7FDE2C88D0
  2⤵
  - Loads dropped DLL
  PID:1824
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding C5A01B10056F861202E0288169C73BDD E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:5308
- C:\Program Files\WireGuard\wireguard.exe
  "C:\Program Files\WireGuard\wireguard.exe"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:732
- - C:\Program Files\WireGuard\wireguard.exe
    "C:\Program Files\WireGuard\wireguard.exe" /installmanagerservice
    3⤵
    - Executes dropped EXE
    PID:1964

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4184

C:\Program Files\WireGuard\wireguard.exe
"C:\Program Files\WireGuard\wireguard.exe" /managerservice
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:4124
- C:\Program Files\WireGuard\wireguard.exe
  "C:\Program Files\WireGuard\wireguard.exe" /ui 984 980 992 1000
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SendNotifyMessage
  PID:4624

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:576

C:\Users\Admin\AppData\Local\Temp\Temp1_TMACv6.0.7_Setup.zip\TMACv6.0.7_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_TMACv6.0.7_Setup.zip\TMACv6.0.7_Setup.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:524
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "C:\Windows\system32\MSCOMCTL.OCX"
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:5472
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "C:\Windows\system32\COMDLG32.OCX"
  2⤵
  - Loads dropped DLL
  PID:5676
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "C:\Windows\system32\MSCHRT20.OCX"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:5536
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "C:\Windows\system32\TABCTL32.OCX"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:6080

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
1⤵
- Suspicious use of SetWindowsHookEx
PID:1120

C:\Program Files (x86)\Technitium\TMACv6.0\TMAC.exe
"C:\Program Files (x86)\Technitium\TMACv6.0\TMAC.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2304

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
1⤵
PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5bade3.rbs

Filesize
8KB

MD5
af6f10d23bf01930a5075f116733fe34

SHA1
13da963a9cb099ef7a960555a05eacf099d0164d

SHA256
ec6a4ccecbbc442726876713efebc63cf39e03f7c732cbbbfbe78fb8dfcc4b76

SHA512
48c12e067f33b99141344370770c92850e1fb66c414084f08b7cb5dff0685e096cc4815e04c13ebdedaeb9f07e020f3e2a1e067e970e5d556c763a008122771d

Download Submit
C:\Config.Msi\e5bade5.rbs

Filesize
456B

MD5
a3ce6993e51c09f240ad78f36258c0ca

SHA1
ff7a2bea860c6dfc39d5caef78f6651c8a63c1e2

SHA256
2f769d43863f6f41da41fc4f46331a5f639c80244c62322d0b632ba79f9bce55

SHA512
53f50e0d4427a1c96030a835c3772a6c90d9550b0f7213cb0642877b94828d37420bd61fdff91cb1e9459f2a0796c9e79c886d8eb2869dcf0e1c4e360b71cacf

Download Submit
C:\Program Files (x86)\Technitium\TMACv6.0\Installer.exe

Filesize
189KB

MD5
9473840ec1c2981e805da17c0b700c49

SHA1
fdd826931c215717861254b099dba057b740e242

SHA256
00cb5fee0ba2ac509195187df7d97d9ff08ffcb7df2a3af076a739e0c29781f4

SHA512
8ba9ef5cc94e75d48aaa1440ae45841a4b002c5a64584b6a6dd7e4bc2f0ede8d576537d8f14dfd2d76f6e2f6de847102ec4f6755d4a1314b4dd891919ee8cce9

Download Submit
C:\Program Files (x86)\Technitium\TMACv6.0\TMAC.exe

Filesize
712KB

MD5
230b4c45774e95dd75241068c68aeb0d

SHA1
ef46dd76a8c6d4a7d6882469015a07a9bf660a50

SHA256
6c3d76c9a4d1652ce25ae8c2ba1907167cfaa0054b8e1325f370c52eafa74c97

SHA512
fc08d219e1023d7929250ecab81f640e4114f51b184d9004da0887c93b24a6026931a71da4ef0e95caa2a416d858496b5e174bcd0dd3bd3a76bca6582283e90c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
59KB

MD5
4fcb5d51c31760c835a1d4fe56d2bc9d

SHA1
2feed203e6e3fc7b95bcca811406447ee130615e

SHA256
d43dfd1393d972d0a3e8857b325281f8af76107ccbe1131efcd5afed0b0f98d3

SHA512
1948104832d86ac4f9bd5a773ee10f682600e8c2634c3128d68058bd99060c95a78a3833aac4118698bdc69ec6cc18c197e6d7b16b6a504e87affe5ea094660b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
24KB

MD5
87c2b09a983584b04a63f3ff44064d64

SHA1
8796d5ef1ad1196309ef582cecef3ab95db27043

SHA256
d4a4a801c412a8324a19f21511a7880815b373628e66016bc1785a5a85e0afb0

SHA512
df1f0d6f5f53306887b0b16364651bda9cdc28b8ea74b2d46b2530c6772a724422b33bbdcd7c33d724d2fd4a973e1e9dbc4b654c9c53981386c341620c337067

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
325KB

MD5
90041918dd0b774734064105489a3c93

SHA1
127e40a8d8e4f675aed1cb7544402bb6d9c17ec6

SHA256
8ecd8216108f826bb3ed15b25e96a644b8b0907320c1296e48a95143901ab343

SHA512
c4e79a8c10db6222aa995f5ce5524d9baed348d95261820b7c462355c2395791f28b47a7d12a615419effb7f81e81ca1ebe6efc7d1643d96e5f6493d504f4a5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
141KB

MD5
78f7bfe9c3c0d4cce9dd1aa58154da3d

SHA1
f28e946cc252a720cac9c08feda1743dc02be112

SHA256
b166d3bdb0a745a14c4430ad1cb963833f42e4d4bf62d2aedfc79dd3dd4f2d9b

SHA512
df045049bd5e9f5b4187ed4ab5fa00dd196225990548bcd3e5acff68ce85d5fb7669f67f13e05cf4761421d96d6100935a1e32edce4e73c7fc28b0fede9e8923

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
73KB

MD5
1680fb63c97c01ffe4e0459020d59812

SHA1
d963e0b6f0b182565efe1b892abeeb92bb862c86

SHA256
77b97e442af5a910d6c8c7ab7605afdb821e88e43db5723783bcce4c7ef771bf

SHA512
1e0b8979950dd24e5c6ce8a36638a82275ee8720733e8b256dfc6caf2faff3fb2599e08f13ab6d409870ecaa96551bba6b4d30f8f75e01dbacd90f0a52e41a9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

Filesize
40KB

MD5
5ce7bdeeea547dc5e395554f1de0b179

SHA1
3dba53fa4da7c828a468d17abc09b265b664078a

SHA256
675cd5fdfe3c14504b7af2d1012c921ab0b5af2ab93bf4dfbfe6505cae8b79a9

SHA512
0bf3e39c11cfefbd4de7ec60f2adaacfba14eac0a4bf8e4d2bc80c4cf1e9d173035c068d8488436c4cf9840ae5c7cfccbefddf9d184e60cab78d1043dc3b9c4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

Filesize
248KB

MD5
a56c1c8733ee9b7c579c5796f99c019b

SHA1
2acc8c596793acc9ce6575e157b3d93fdc0407b3

SHA256
0b042674b5d2b36e1d6fc0222d868af93e8cdb98e2a807bc363ba98142e763f2

SHA512
0fe4934a1322265d7457d704b806fa887bb43ed4a7e59a4a7098a8d9b2a862fc2fd453ebe9dde6e61be83879e2b26858ae4df0d08bdc38debb21a36db9dd93d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012

Filesize
160KB

MD5
60d33c32ce7ed08303cf9eacb22ac646

SHA1
2abc8aa7fc62e82e9a9aa40d052f2ba29f217520

SHA256
36a413b120479a8319a660dcd7e3d724fc07f01c02e09a84820cd7eeab5237a3

SHA512
a5009b4f1de5d55042415b4c66b91d14f0dc38fe5d2ed084109713d0ce56e8e240a62141bcf5b0361e081f717c2895dea1742bc493f40385edd9211f8dbaa2f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

Filesize
218KB

MD5
c35b010c7e7de9f9de294efb469d8be0

SHA1
915019146ec0edaa67db1baf5701f797af9772db

SHA256
6864d9a03cab25bf3a7e6011bfe091ddba0bf46589bb40ea6b47085d754832e6

SHA512
25d8b62be12a4da106ca28120ffe2a939cee85324c9dcb6e75dfe5c3513d3c11effc8ff01ee1dc0774ca3acc6e3406b81ee6ae7c948a4f74d52cd7ef65709180

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014

Filesize
41KB

MD5
cf9c71a40bb3a14d9992a908526448a1

SHA1
a0519465d7111186bfde7bd7e095339501e02ee3

SHA256
0ff8549301c40a943ff892d2c74a9081c5f4b01284e95ea572b6580354527800

SHA512
5e5d2e7884dbabad2e60658a8200e230c9aeec74d8dd999ba24317c014b281f4c9c4d2f30069e2f7a0acc116119db22b765f19e9ba4f03045b2922d2ec17a73c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000057

Filesize
204KB

MD5
41785febb3bce5997812ab812909e7db

SHA1
c2dae6cfbf5e28bb34562db75601fadd1f67eacb

SHA256
696a298fa617f26115168d70442c29f2d854f595497ea2034124a7e27b036483

SHA512
b82cfd843b13487c79dc5c7f07c84a236cf2065d69c9e0a79d36ac1afc78fa04fba30c31903f48d1d2d44f17fb951002e90fb4e92b9eae7677dbb6f023e68919

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c0648ca7ffe80d13518ed283cb4c12ff

SHA1
461b218872165d82c0d15fd09c4091737f9ebf31

SHA256
072d5d8b73724bbb1714080ee722b86da611cc42fe40715879967e3768321254

SHA512
c7127b49c98c69776e4b26810b441b7327c1a18f739fa49fd6347e77ba0d6a187d1768b6a8b0b36bf66f7dea8782e3b03153b00f28a8e8bf67a71e9d579f0728

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
d3c070172ce32b0c7ed044bc255469a1

SHA1
d7001b3e5398df37536d9b19ae246a07656e83cf

SHA256
dd9ba6c473941a9a7fc5193a2038935eab1ca9e5f8ab0856d1cd1e2c20e29dad

SHA512
bdbae2fed00811f848097c7db43ddd3b9e5e6b1cc6fea404207f7cc33a9121df3b595f9e391c1d7286b5796f840509fa7d98273f8d94c1aabbe12d49d5f1ff48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
c12943a81e2735ec89ab837e19c2a493

SHA1
b1b33a52fb31586b5a83eeb57591a2d2780a8b5a

SHA256
59348f7451a82bf3d83ea0f9bacd8e30ecd9dfad63f311e4c8505c02ce912e7e

SHA512
667142584fb7ea8fbf5b6c4d960218bb2330dcd83b6d459cc9d8cf4eaad0bdc9f4550aa16dc775ce66913ec2680d588a51d0baca57f94503aebe7b11f76ce5dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
0bbe971f5dd37c4b0c696f70c06a257c

SHA1
fb995820d634c06a6744595cb9a34541912d3008

SHA256
7b79aab9fe6ccb2f70fb4123acce2ae5ea2fb401b37f5110930af68575db31b4

SHA512
67429b69cc085e885580ae5dc76d2950fba0daed28a3c89bc5939cac33edb0474bcf21ea66c2a001ac9e915cbe9956d6b21fdc65c7e546c5f000cdd4b5ca6e3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\46d46e8b-c2a9-413f-a71a-e69ad3b8d961.tmp

Filesize
3KB

MD5
44d8875109d3d04f1920e13701439ef0

SHA1
98c788943e687dab0328ffcb452c92dda32d509c

SHA256
31adcb14393845fc61c5ad9844fb52650710ca485382963f7c13f46610bb6f5c

SHA512
19c11058cd2668c6d12fb34765a902b188396a113280ca6ab1dbf5b844b63f90d0bf2774aaa4552058d2d030196b8e06ade3deeded193b4c02ad96dc1b24a048

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
310a8c4c7a0e92258ee13a625bb17119

SHA1
0fb6059d229681bee9f52a4b65b6dc7cca76eab8

SHA256
5253ac939083bdba0dca0a82acb87e27717c97d76b5423211a4443883cd3253f

SHA512
69287936e804923e935e2e93010a05dc87b4c410236457ce9ffcdebdf47e443cdf007ba8b067d5ba9ddf9aa14f6b06f08b024b835782f4dd1c8357ce2b6943e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
c3ddabe333e6cc43987cc8febe24ad4c

SHA1
5e3d5dab42b7a0b644805b710f7914dfff172473

SHA256
aa0f8008bb19dede25ed11d2e5f5a08f07d90f61af9bb63ef9ea18e1fd0653e5

SHA512
96740a9c6c14aeb44838dfe71b2e3d0668d6b34367c363931acbf5101e15213681ddee192ae5febc98a6a4b2ac0bfbb8c3e3d17f8e406e29cfe6d215138a79c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
10KB

MD5
3c8568e84cf6ee2559bfa22f6221fc8f

SHA1
60979b28ffacdf2af607f84da7295bb75ed8fc27

SHA256
c836fe11b3a4775d3308680f38d2ff6eca76841eb8e744e3e6bfd716e8442e0f

SHA512
7d677972553d5b45a98f7a1b34efdc1b1d7f2209a0cf225c0c1052a36d179091e8fc5dba182c4125e33b1b00b1c0909658777be406b45974950ea812a5a7bf02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
11KB

MD5
47efd4b7060676763f15adaf8a614b7b

SHA1
6dec61523a137774dc95099d0bfb7580af739b87

SHA256
99c18385660324b6983b4d6eec5c58e4586c95f2796a0f2116ac1a8fe8e85b72

SHA512
b166247fe63848525433239b317a65c3c2cd4966df8e7a1088030e12caf5131d932961890d26b44893b9e126dcb94c1e699bacf32a4339ad37d50d361ab233cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
272a1cca7522ef458f0505731fa87fd6

SHA1
d9e2e64e85600726870be3aceda0b4a10cae0191

SHA256
44b0c4c7b7e1f5bcf85bedb4acb35a1e718c0885aaa7713929cb5ded663434c8

SHA512
3799542812bc95a437ac6b7e70b70ed0fe6845cdccf2f01c32886d5184265c0ccb950e1decc63d564dbe7035ecdce43b54234e741461ab14804e7ffc869e9261

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
b892e267869ecd01389fd299a739fefa

SHA1
d387112631410aae6c1c2c2d4b1e4d8f2e757514

SHA256
ed564c09994d075d223aac5023a8978adc08189bc806c0ae976f638f268f22ab

SHA512
19e536baebd84a319dd3fc93422b8356e6165e222058bd47ee8fa6d89aa542f9c7d5ad7a716b72187f5ff3e08b6009b83c7c9d7dc453c00cf2019c6ea92ba4df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
6b601f67dc0199f7955174352a25f76f

SHA1
07389c93f4253efe0690a7b4ef9c8a996705b392

SHA256
ec673a146ef943a921ee73b4ea1f03b008035fd07dc47af5468274f014ed89f2

SHA512
838ad29d60fe983b9ed063d62ec840436637fda0d1a6c14910d1cc428df827fa2a578ee2d163472915bc6fa08478d0ed47275b5885b6ef2c174e5b91b7def3be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
8b937de4bb01a91ec9fad8f90c4a211b

SHA1
b07aaa1882f0771967f29b0fed250059dc360563

SHA256
6742533177920460aae690283e179432f61729d34895110b7d6525da0ae395d7

SHA512
628b4c895d952823d95f877d41f951e8d791dc56338eb97c26d98aab3c284a21d5493d0b56e7e9c9b79c51c7a217a27e7bc9cb71dee56a17eeea343539d42c73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
00352db0942667c52ad7b74e42b1a3d9

SHA1
abd3f48f3dfa5e309cdcbecb341938186ffcfd67

SHA256
96ffecc239541ae5b7fb5a117a5eab534b20d5f9f793ccac1e285e4d38602cdd

SHA512
005a15c48e10a34c8f56773aa85d802c31b56f21a71acbb6abbaf65eac7853bf1bb3537e34b7014ade347d28bfb9275a1b03a0227a94bef2c4eab2b7ce287d0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
f23cd957b93782a9375318b3eb7006c8

SHA1
ec4ca5c666b2e071f2acba4d8a1e171fe0e5df1f

SHA256
19155b56597159a7cc3e9a09e1375f9eaae84a5d73a66427b0de11c569ef2324

SHA512
fc28b6affd68a4b38d4d4aefdee3e5444f94b61d4589efc7aa02a589c2411fddae203d420b0fc4c2740580ec23a0b718644e18864a9d473d7c592f57edf2c140

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
9551d1242b7174a149ebfcd68c1cd5da

SHA1
9df51ee1432615167a4c9f610023751aaedc54f7

SHA256
293abec893cee2b185886b7929fd0fe40f20c51a576417158d3922472c356f52

SHA512
f14c675d00028bfc61bc216e6f4a463815726f84f130b2902430dbf77dfd67f7214fe578c076f97d9aa43df725be8378d8c88f58ceeed41a445ad7b7a1598832

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
fe993a53b53cbc589346f719764e7d22

SHA1
4740815c570a0f914e0e0dff41a39ec0a41d526e

SHA256
9e4afa6edc7800267e5aaa6a37f579fb93438ad56702003c972fdfb6384b5395

SHA512
727818bb12fa79575847a4e1330f3e0f35661f4f605bbd44cfb0092a0e13093518ebbc3ff5eab2782f1741244caca922ee7a91516559bb5dad939539d3d44210

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
25a5a448415db7959fd46d396e534aa7

SHA1
2748544e778f59382adeec4c67fd90eecad2f629

SHA256
b276ef3fe303625ccafed6d30c1fa921673127b28c09475541ae796ca84c478b

SHA512
ab7bfb74cbeca83b83749c0f1227b6145dbda32c4b20fda1e36d83c1afc63eaea56173927838dbbf08b37540c40d60eead20d0fd9e02e6bdc33ece3bd98afc4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
9a032973cd40ab12beada128b0c5cff5

SHA1
f1ee4f714aa77354f3fa1deded1f303906d9af53

SHA256
4776248df289276c5055adf1d7bc3c96157c6b13b3f8b5b363c4a8cdb5044aec

SHA512
8fce119fd5e0c3f2e49fd8548c9807600a25c75c28a7c26763bf4d4264853be6cdd59356db7d457284883ac6b00835e526d9f93d6e03d8afa42dbe1a11a2a5b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
7d4f0efd85cdf3677647d6f6ae8fc285

SHA1
66322f3b0f49b002f55c058d78856d7da18c796a

SHA256
38ebf1055ab5527937c7c4adeb9760f8a9ca5cce7fa27fd9910e96f8f47488fc

SHA512
f8b1b75fef46a1daf4ba93a1b68c5c26ce9bd35f5402e91d64f0620ed0a5c289cb1c32ebc369e91e0bc03d84a8899658cde543ac44c4db883644061b8312cbc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
87d5a26fb95cf649884276c0a8c2248c

SHA1
748e0a4740984e299c6eecb0711649b4d819d4be

SHA256
3d762496844056edfc9f695924e439c54488e242b9f698f9e27758c6e16dc2e9

SHA512
7c2055aeb692b8d8335ff188dc0d25dce4f19c25167782db87c548b84b2b68704e4beb01f846fd1fd53233664cad9a4fd2a8ce12caf4fb471d55fe435ca7d9ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
2382ad63d9620f0a81a202cd74382019

SHA1
d480b4db99ed38d0555de28897a1803ae962af99

SHA256
6d042dd81b157c0516e7f457126191b4213b5289b2293723dcf3b470ebff7bd0

SHA512
969ad76044b76cd373840fa485a09913c7bf2daeacd51fe3995e739354f4703b49bfdb74b4381fa6318b0f8d85438f526defca2a28a97baea02967e7698b0dbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
1e31bf6b55210ff550a77d26fb7b2d29

SHA1
2f5278f64cac5a6c4ae323d20c8df014923c0bb3

SHA256
041e1a3878bba2fdca84c10a456cb51ef9abea1755bfba27b99599e27681befe

SHA512
3b6ae0cf2e6d50da57fe2ad941efef4bb5926d00f01dcbf2de8a8288a6132d711892a01d319c4e1077dd30b1b00c5efd6933107b18acbc84b8bad25ae5338f9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f112ffc9c52fb8a2b7c39fd96ca022d1

SHA1
2e65bffa30ce0caaf1c9f54ca4aba8d36059a3c4

SHA256
bd2028e5dc74a949ed36a5a00a0eb93897dba434b4ef5c6c1c56d88462b706a3

SHA512
6d51b47e51bb322fa0bd9fc40b43b40c35c96f77c89be76cd6fb2573f50ad7f3217baceff2de5bf55a01054f698baeb904ca18dc285f8be13194ab4ba6169da3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
cd00128b3fd2858a73b153727dd7cda4

SHA1
084f08f36a114bea6d451d9e1171d7fa030d739c

SHA256
4f267e33c48d3f8f739d4fd25f37a6219ae634b917a8a34dce0b13c134d3b4a7

SHA512
6a952ce5c48c2478e0cd010f5234f5bb0ad9d9bb4ec5918da5d321c9f978e9b0fd5e91c4fc82f6fd79063d3c2544b1c1cb518b71058fa218bf243d8f8a9b2182

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
b0d51bbc6307a08b9d787284a6ddc4c2

SHA1
e8cfb66cf43ff4aa91ecfac9e9f29bf66811bd6e

SHA256
5f54a3a8d415b66f11410bbab8408c1100e6a3c7d7ff34e4278f1d71a0834943

SHA512
662f5f44cef0df7851070f0b2a74c5daacc1b380423b2cb87603b4b70a11fdc6c4f83483d2efbaebd3ff85e9fa8084845e4b346928b99745ba82b205528e7aca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a88157ffef6972424043bbcefc9be80a

SHA1
e1f4b0266368e92ff38905e93589723c552a1607

SHA256
166ad8ea51df996fbbad4d305dc75449f4f764cbfb2e58bbf778af266d7a4299

SHA512
9f8de4251ee891c146879fcc4882e51bb86734e39ae6d888a4ba52a1a3dc99d8e786fe9c86a779719eb13202ef773a7f9e3fec237ee781696f7b082f06351f65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f70cabde64f81245234116b9eba1d5bb

SHA1
7a1f13e4d648042cf394b6dcded354405cbfca67

SHA256
415ccc614e2ff5f52fe3f27d862b3a8b7e6ea6d7af06cbb4b0417fb487386b65

SHA512
ec83b370da6d2b42fb496bc2007119d492c17c56a5e980772a77d623b6966d573512d9c099bb9a6cebfc0786d3e6483d7e39e138645078b84f45175be217add5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9f3ef74fa1d4f30d6b02ade86c69755e

SHA1
5cc99a1776347b0a9666b71a70c2f0679bdb1e8c

SHA256
cf53d630bd41ff496c0f78e94483a67471341f6faa9a44b45e980f01e252d596

SHA512
045d941cb78e326ebf4acccc2f0361fcdca25f98ae843f1211eaece9edf9b1a7bd6f0ba823a63c9b14389668153ff894fe7dce91605c61d05df83f1e0037fb6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a5e78e5cde09df425602e15e57f78e9e

SHA1
989822f6c4c5cbb44fbbab55d295a7abb0fddf5f

SHA256
3f8854b53ada97708406e8ac2fda32d4882c27bfe096062331a18bf8b1a8d10f

SHA512
a0c38a79d46472c6ccbb29054dbbb0884cb39f1f9b55ca5d27f2c86c434bf0e32579ace554104811fdffd532a26fc86131318f05234dfc7fee74787fade38560

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
843d4f4798ca76fd9da9e8ec09dd2b1e

SHA1
ddf82b5833d2dc5f388744cd863c9514801ce2da

SHA256
393af1472c326b6c574971cb29cf3ded863da2515a1947d868785945a07743d9

SHA512
d7e4e80e22ec2b25557df071d032ee21b04e51af6b903052992ed8db9b8339fece1b8239ac18db1a11e219d2bb62f5d55d44cc519ee6d6284901450ef0b773e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
b6f48def1ad0dc727f479ce8ffec8a6b

SHA1
488a3d7c23f20d7c90d9cd3010d31836d67b4028

SHA256
88b9c140ca5cdbc682401e0cd009ef606ef17510c596d69c12b629f720543aec

SHA512
ff657c31fa12c36894ac6002bbc33c3263739b9727aa255687ff9299087d47b2a6b390cd0bb6ce588b992c245e497f5e9178de97bec3c72a2d696160dd9f3a9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
120B

MD5
118a0f40d4d807d7e6ac64e3f248f69c

SHA1
294157424550d9346d618db97dc71ad5dd9bd370

SHA256
a5365cdc5a86f99b9d5aed094881a5dacbacb25dcfec2615beed6dc39dfb8bcd

SHA512
efdd47d8c5789461b684545523e481e0a515d98f2e2c45f37e82ff379605875e9d93cd01a3b549b95190111f6e781371319b9f2ce0b46ca2be37db8025381d32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5b48dd.TMP

Filesize
120B

MD5
ce0a4700a2d32ba333f802bbbfad2280

SHA1
d4da6653ef79b93b6ce6c34de7ee8d9fc2c11461

SHA256
99b6edb350acf888bb34cf96834aa92aa97102d02bc22b78edf36dd92c67d45d

SHA512
47c9565ab5c399348af99517c18252c020abbbda989f81d3a96437b2cf19f2d4bc1590284fc6c90ccdab4ee670340122e96c4465df696d5c8f06e6aa410e196e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\ae689a2144e9e24bc49282f4757ca91c0bf7f5f1\index.txt

Filesize
105B

MD5
fa5c6b239a5878511b70deb5c83dfd4c

SHA1
531895af326f2d6a25aa01afababf533f14f95d6

SHA256
b7df1ff245cae5dc8856ff95bc4b11854a9fbb4b08f2a52374f5c6c5c50601f8

SHA512
61c319e36245e9b6c157b4f72c341c200f6d36ca3757918b3a0b6e3c46006fe13148fb7f95513c6186c7d24ec2cca76f8db3079e041aa4fa73c6f115c959ca1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\ae689a2144e9e24bc49282f4757ca91c0bf7f5f1\index.txt~RFe59df2b.TMP

Filesize
112B

MD5
ec8123746023af38babc02c7d04daa8d

SHA1
6a2cacc3b97c6fb53d293f6aebd19e3a1cdfa695

SHA256
b1dee6412961255371fa83572d9262aaae517eb7da434fcf7d843becb292f6d4

SHA512
ae03ab3c20365493dbb51494f8c173b346edcffcef708a24d75507f4ecbc49a5af9fa2b1fa240eb6d391c70fb79e57f6f66cf72cbe275d1911e3ef717d58bc72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\b3d03395-6234-4682-ab58-43b9dbb6748c.tmp

Filesize
8KB

MD5
0d6d4cce4239cd33984a26335a8bda77

SHA1
de2ff93ace027847ea075212e3b39417ffcb9129

SHA256
a9419cd936b0920b4de9246d44843ab5501246f6fb016654f52e13f464220cff

SHA512
4c26e368666438038df6ec676c527f6aa5a43b507ae8f341c22ee73e4f3bbe3bc9a2dae55249417170f75278fc9e0c255bae091ca520b879760b77020c6491fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\dfd8646a-81c2-4aae-93af-f394ec3f3571.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
b78794bef03592ec927360d0b529e427

SHA1
f5073dfc9530e4a08a1c93f5ccb19154282d22c9

SHA256
8ed40614208683e849e47fe67bdd96047a09afa288169ffd94475181ea3fda73

SHA512
4fbb751280d5ff520902862e349c2df7ea5ade08b4008535c024b63ca9d2696e839a222ec317d25db3d3502f87b48a86065ec8d9146b3bdf21ba8eeb2625d1f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
280KB

MD5
a0e5f24a4d69892f1c61f6d047c884c7

SHA1
e4320757167981ddc252688eedf5be3726090c1f

SHA256
8d992b1840d47780d6b9f212d38295b7e0073e215cca4bf337c86ab92414b94b

SHA512
081adf142c3393b1391e15b32bb4b03ea49a22a14b450af3138a15b86d0af6666a456b2ff5c7b6f2a8150c19c18aad2ec5265623d4880fa1517e35afea5dd882

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
b5dab59774ef611a4be5060845230a4a

SHA1
53431e05a4cceee071e3243cda07a5b77866bc54

SHA256
7a8440dd570555e65b6c1d89f5732bd901191162fe72ed632162b35c80141dc3

SHA512
88ff80dd734041e7f46ebae677fa8a54d7c04e736bd81ec1c546d3841f36f67798dce03648b9e7da6ca80a705415ad6e45d7b9281b7604d568c21d6bfff315ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
4504104f3c1460c860d5d25de80e25ee

SHA1
eeffb898c0caf7c6a4a8afc51ff2e014ef8e8106

SHA256
f6726cb2f1e9e02eef4b92f846e0e6dff8dbdf49a94e63e58eba0f5173773b1a

SHA512
b10d3b70db2f8ce37a4c5a47c44b097ae8f99f56acaf9b653d2cee86340755c3f0a101461d26a49e497dbc7a787614d63cc3293ce622144e59d06b40c21e0102

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
bd7788405aaf945e502415467648acca

SHA1
8ec26e2735fd05da83b904f8e03639a5acefc79c

SHA256
61fa5b18fc2431af0dc54b5a03d13ebe75631ca614c56d524f571a97f6fd033b

SHA512
1c3e63c4fb6c5d83aa6ae91759797f04a15d42b288ace7d74dea0f8c2177dd2fd531ec222a3afc9e2f8c612d4a6830643d1361f941bd48d3d132f8aed4f0cd7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
772e99ad29d57866747969e648f39d1d

SHA1
f8f6e99dd8e689b581ee554f1853c88511599af1

SHA256
0b055955eab1057f912ac81f5ae71fea35dce7662731ee25d2233e156ad7e91c

SHA512
32edfd18270287704e47cbc7f94d33c609d45d0c4fcd708762a952aa479ef2e93682fa67a30cfeefd81e61d9133ce3380cf881d35b41a2ddc04adc2e8964207a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
2a50f11168125cc8eb5d0b1b85e96493

SHA1
6679d7a94454edf5aed8b7ceef2716fa57bb3577

SHA256
d724fd598ab2ff7a21181ffe0b0f3eb7887074edc4cbd113d325594c37d9aecc

SHA512
c0611bb6ff092415dcfb3b2b6d6025a9516240420ab361da177290fa48c2cf15429c64f5a1e85c206a79c1a4416576945c4b4db483784d902efdeb74c78c30d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
7e5d18774fe2682fe2e96f56efb010f3

SHA1
0735fc39b7f574f67683545def68a452e2f8bf2e

SHA256
77b2ec6fa5f5e3b74c70cf61bbb443c3adaba453b6a43ce23160303c2a87eb40

SHA512
06ef75db3252c8827358ac7a06ce125e1f44dca2b5ab71330abd0283113d9d555a8993c59643ebb766105450571b8c0f29794ecc86003c5476d74b4fb1e28761

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
313KB

MD5
fe744fa368a6590cbd6410488882e894

SHA1
af09dc5db37d1cc096f61fde8cf33bba21b23288

SHA256
3c31fd356c6d38906648f826e0e198ddb54f1dd68b8066c66ed6d3e03478a93f

SHA512
3dc50acd9388cc4c65e43a2b9b7fd3c4a7a184b1cb2f33f8deb9e82b43398079526f60f29cae1a4f52845a9f6ccd91c1269729b666544e29abec79c306e7bc02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
97e9c6cb2bd76c96134a131a345b052c

SHA1
b6d71be8eac1c44cf1a0f37bce5ec690c28b089a

SHA256
711b5cdeed53663361ee48f1f0e6f36f87641f971a822700d860d10268c9193c

SHA512
de3702bf34197ec823a70de7f50a8f4fd84df9cb3f3708404c93d5a4436ce8bf89c116c7b911a62bc6d40f5179da1b22c51b628369a427b44791146d848dba63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
b2a6f879566402b074a72bffcd80eb95

SHA1
925149b76ff29a38de4df228bb748da6716455c1

SHA256
0cd9ca231c9bc1cd496f854d835ed77a2f29984081ad957ab0ae90ece996fea0

SHA512
4f0d6d2f261866abe20130fce5e63f2a8b694e7caf5b9b7b90bc20189896245766b77c56501b5f87636d7369b9718ed80847a9ca36a50b6ea206de8dd8054641

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
108KB

MD5
9398a4835d7e03f272df5ae7f93ae087

SHA1
75e9378104c19730084e667658a4b775b0eb2df5

SHA256
ea73e271e1c618ef3fa08034a421a6edfbd2b993b82241b52d0632d89323136d

SHA512
feaf49813896915f3085d18ec3ac30f99a5445198e2340a63bc9302f70fe2cbd7527190a4064036d35d1eb4aea0ab276d363086e384c34087618e2560e800231

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
105KB

MD5
a66814c8af60e54a634dd50806086ed0

SHA1
cc8cde880583a39b72e992bb0f11ff8464da06ff

SHA256
fe07f3bed6de0c3cd34e11178dfc46d40c3b80a859fec88525f461379fb4c0cf

SHA512
ca3927d37fbcecf7200526b55b7624bd234565d14d8e01a515a33d79a1787935192ea3e9002aa149549d35f3771c3bf941c3bee1d95d33d63e1078c0fa2c4bdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
111KB

MD5
75ec3bc66d838c502d1f486022a6344c

SHA1
c85d3df304e6d3ccd9e8c3d458d88bfd2c5bd9cf

SHA256
be63e227634d45ef82b60a05d1ddb17e799f1460ce24b3770cbee1ea71a86289

SHA512
3546b80ab103ef5a4a0a3eb6bb00ddda75eaf26e8f15e0c7e7ddb0f0bead75197422c642064ea715e0600cab4b30991937ff62d5314ad5bf32d1f7966fc8ffa3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
93KB

MD5
815e864db7662c5d0017f0c4d1c773a1

SHA1
2be4506e6c9ba82bc01432228c03df1a2b1a1418

SHA256
94d95cfaaefb3f3a36c096c6d02b6da744e09f8b21edaba3cbcce511d4f6be04

SHA512
16921ac4ab2c4325e29218d980bf987f3d68bfa983d950408105515bdc04a8fda5073c9bd7efba7f91ce3967a0d5542dc3dc4fde7c0657760a202b4ec4692255

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
112KB

MD5
f7b4d04c304dcd7cd9ccbaafe5aa7dfb

SHA1
b1f6b137aafcd5afbf655a6ceda075bf3cfe3e24

SHA256
b72b415d54fa438bd675c878b1c37c44110dc08c1666b1592520786ab37c7ab6

SHA512
f44b017314e27b4eff57faa87f77184bb7eef2fb142709600618e41ad68ddbba0e2b207a5a05f4999f2a52679d2062b90f1f823575bd533a9201736cddef3b17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe591b9c.TMP

Filesize
89KB

MD5
a2dbbff442285b8e97f98be8c4912e91

SHA1
fac144f08c968db9c94afb238069399ff47b8573

SHA256
2ab00ef9a243b86c2e965b9ad1d6b3e1a37b64ad57a6ec20d756adabde3cf411

SHA512
a856dec4278602b784f907ae8122a83e077253e5ef68963a786c5040fe79b7789d6fa4d5d1792938ebcb91cf77aef49e00d7e051517e7b77044f67b57425c7f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae54e9db2e89f2c54da8cc0bfcbd26bd

SHA1
a88af6c673609ecbc51a1a60dfbc8577830d2b5d

SHA256
5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

SHA512
e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
627d1cef9b0c0be277b50d93c6a6fc59

SHA1
7c36284a46b7b279b80aa57baa5139789e2a1a0b

SHA256
c134980da269f503ed2644b9b4c21a71a703941641148496b06ec2ca1e085693

SHA512
cba61a20c3ea1085992c5a98dbfebf9fdc7cf6e406cbca9dc6ad997c210e136ec918385d07396d9f7ed732b61ee18e070f828a25b9f846c7c2fb240a6e792db6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f53207a5ca2ef5c7e976cbb3cb26d870

SHA1
49a8cc44f53da77bb3dfb36fc7676ed54675db43

SHA256
19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

SHA512
be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
6cb93ed792812ad6ef41a69bccb808b2

SHA1
03887fdf4127e85b3f76208e07f88d3fddbc8f92

SHA256
3dce1c7bb9b5dbe7a32c63135a713e328a34d64200f106f39d4d955ced873a60

SHA512
64f54ba1a46e4935a57205d69c599424bd1e787cb4caa36b8ce402a051ae46dba80623aa60b86b808e23a3237b33128c105f33676eab5d91c7ebe292abebc14b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
16a12a37c19d4ee08d0e8893cda8669c

SHA1
dad134d0706c356b5f90c9ee1b377328ae911592

SHA256
189e3d790b7004a140e34af35833f73ce2cbbbde5715b38cd801cb92c14b6cdc

SHA512
4ed41fb897512422ecdb5fa50d4749e3f6fc079a757d7b55a00234bf6244e0a9686c51bf459068990a542154fdba382603d297e971b92883c52a29a889fd9f9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4c6f001803e2bed633f0f40f4e38b0ee

SHA1
d0e825ee0716a133f598d0420987585a0f004fd8

SHA256
05767184c83b3b405974f8546fb24b759d81af88f131c5c7cc8991c1645a63ca

SHA512
1c8863ba2ef123a65c703157ac2e1c308b0266b30b2b8e50e9bc943326f14a6c0d87003d87038b16ceedc43e0d156ad78571c3538217e56dab8374a6d54ad051

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
be67f44ce246217c6dfaafc719ff92d7

SHA1
01fb9abc6a24d8d0d7feac091553176379fee159

SHA256
5df6ee74efd6255b70e312a5babf227ec51c5282c8609158bbfd01be9a224484

SHA512
108b463133c55e28b8e4bb5dfdd42d536efb8ac270dc4650a4ad6886c5a8df0f4daa949f96e724628ab7d584c17b9d38fdb1bbe814552a65c26c5ebe612e49ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
04dade0d3405578f32f3419536bc00e6

SHA1
e94f24d4534563317daeafa9817916bcf9be54ca

SHA256
e27a83cf532e2de9e78a03eab163e8e42424bafb7163be7e5f3c6edca4891022

SHA512
1bf5f0ad03a160146d8e87f08f038706849908c15c646d7b446abaa83d1d86ba55c0ecf21f1f957e50e56b6716b0bb4917260af0a0c9ea375f365cf6617d9edb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
e33702191fa7f867100da868adf9ff64

SHA1
bdc6380c1b1ad8ac8c31b2b15017c58bceee832f

SHA256
b7c1284bd32c606bfa9507982c8e9b3bb14a58219b6e2de2f73ba3aa2fa2cd94

SHA512
8d4ae86626b86d91727fb3decafcf529f5e18dfa13b91c720243705ca22ea0803f4d0977511342db66ec815437d74856b31e6c02fe2f5dd2e90a21d3027b4fe3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
08563f6d80632952005d3ac64fa6a053

SHA1
075e9ba56cbdecea7cc8cb3352e79dd29aedc8d8

SHA256
854d14009dd71487c0328e823e10a9c8bd0b1ec8015147d9dc39aa20e2626a6c

SHA512
d5eed2a15fd75d86472d019019a4e9a881d35133aa0c383b7f1c329fad5fc19d7eea98e1d1d435aa3c85d54de52a8eda81e0ca3af5fbb51b7e6d01d41dfe57dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8b63c3d4f243223c55b205d2751631d2

SHA1
7aef870c557b0b014c0b692576bfcd392b21ee32

SHA256
8cf5e2d9fe9a8a6d258f1c68c0acaf9b03db024532292119e60584f2aae2b2a0

SHA512
311c04cc6fb3b9f329fb55f637b43f47e24ddc93987297691ccc39ad9350f9dd64170ebac46f29091900d4e4623de4bb613ee94f63f4d247b1ad5cf92f5a8501

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
47d9fc1a4574721a4cf6aa13c8c426fa

SHA1
b06453783affa1226b53f948b67886db5ced74ad

SHA256
0e9ee4246767cd52b85348c5f24d4291ec5a6be2515668f37f4da5bffd657f82

SHA512
9af520d478798687d0f32df5d258f7a8217ac666739f410d6462e7853f53207d11a377da3731fce2e015ec12211450f936bcce790f5da7ea9065b9102e91e50f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
14cb576040e984c700c9922ae3a22e07

SHA1
84594234cc7c01b0dc42116ac6c665ce4ad9b12e

SHA256
2ce96a83ae20e147940c1a6b2d105e07c6241fdcfc0ffa8bef141aabac94bd5a

SHA512
ad1a7619deda5099a21ccd999a461a9fbc2ff020834b396c979b2faec651a26d6b5ca7b0f751d157f75cb3e7d2493462c00a19bff97db5910cc27a47c867f4e8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
901bbb6bfa9f8ef52064d75f8e2949ab

SHA1
b2391b0d0d66c465a7fa165853d2b8af023a35ac

SHA256
9d1cbe3791c4cb05514b49eb0fed6ab6d87e425b0178bfbe9a17148ccaf39a8b

SHA512
f103450d60ed2141a082ffdb599ecc4b68194d2bca6df1910cb5708cf70e98dc05010c30908f9d369a909ddd43ff377d87a9b624850c3682a4acbd55916ee6f9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
c167bfbe813e01cb364cc268ef6e0b4c

SHA1
1b169018a4ebf88c13e2e5e7b975e0ca9cd046fe

SHA256
406e42bafa73e75efe8335373c1feec1dd7b4ebfcf2acc37abaea26a274d050c

SHA512
450ac4d59fea5f4b1bab2ebbd669d77db180fdd7730dd9314845d0e0635e3a56d7f73fba4e3503141467986378beeccf13768f1015cb3dc289e7c63146ecf952

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
2610b93fbd019ed155913a73c0d8b862

SHA1
fa1602c4e6843da0d4560b7f38b7f941d896a8a4

SHA256
2f17f768a8fc0aed53bb9c1334ff1664be5ca84aac1332d1ab18ad517f8e7087

SHA512
5f3478519a920cafb645d91f0e66c98e2da7ccb2c7cea601e21a146048bfce98a6574be2cfe6e067dadd8397ec2d97d390f89d102eb8ee55bb4b36b6258a26e6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
c84a09eabd607c94ccefa6b302f65056

SHA1
25e6c9b9cfa35cf9b275e715ef2f174c79a1496f

SHA256
0fbd4fe1d734fee931d17d48a658e442f7f641bdf065dcdcf798071f5de294cf

SHA512
551ac8fc836b1d42d0cd5307ea241df63622a54ce55b76277a963671a24fe7cb690d38fd8e26513c3d624869e9901bd905978a8dd4430f31338d2f16fb6c4074

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2d64f490f4bc70ff6323338d148139fb

SHA1
37d8ffd83d5dd5e8857357407c5138d593767a07

SHA256
d91ab83a97358842cf55a21c368625b2ab388680284e3d31e8e3ea5def3160ba

SHA512
84278c0c77a4c748ee5cc2479a995c43ea5b26b4653d16714df2148f788f583bc860ddfd4b3168567d751dbbce890528d44d4a0a3963b67dc8d6abf90183000d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
701B

MD5
6307e1ff86265bd570310818e1d3d78c

SHA1
343efaa1ba0226d9a6ad33e304dc34754df4c57c

SHA256
52cc14f8ddd631cae5396f4e817b31b7a8fd54368dd4df45cece3d009cad08b8

SHA512
07e888ed6330ad332e76522a6d0807daa43ba3cff2fe9d023263af8b0b93f2948a46857b1d3974947936d4a919adcb8d5d88c283ffa6adc1d5885fecde920897

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d6cbfc5ef5b7dafce2c2c5c9de439fe4

SHA1
60592bb4e81eaec50ed8dbe319aef4673b230609

SHA256
ba1440bc4842f3f30f86a9905d293da0a642a112d84df3ae15f3bd4c7286c6f1

SHA512
364e7d3aa056d7438b4f79e501266b538f5c683f4b3ad7c12e583880652149dc7a11ee5b5a183e3a9e9b308bf5a4f1600b27c1747770ac7b2da9a2bd3a8c239e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
199f38f0bc323d6e0b560c3062205132

SHA1
ded70205e738946d73c46cbb62ca42673abe4d79

SHA256
376693d108b76d1bc037610e8c4d3b9a57cea82ab8e2fcf053c97ac8ee31ad92

SHA512
07300e2fd5e41ccb054dad7fa1025eafdc9c3b922882d29bac8e687b4ac7f567d7e9a312f70191d918a14197310cb7abbcb271396a5fcd2e0ee5f13031f5a04f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
6a9a3f7ecd16f7f39c29f81814fba308

SHA1
391965e889ca28b194bc1e1c5ca37c8198885c04

SHA256
033edcd7246b8527b3d85979b9781e26fbdf92ee86114735adca587bc7ec7367

SHA512
e269408391abd5ad069a3b8b746e7a528ef2851f81c8a4879913c4d1a975911de7fac03c4790c1546031ef45fac216d1d06f7624046193300afef8b777296955

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
991993c9c062acfbea20bc704efb4597

SHA1
714c0a363bce6efabbd9ca6f3e3e8bd2566dc059

SHA256
1770d2de79423f085f91f42cd4ce7bfe6863e385b7dacc3bcebf6a1de5f89a1a

SHA512
1f8addd52718c746a26781d23b886106572148420a8896aacbd92b5aa8245271ee6a47367b44f9f79d7f9adf62bb84e234692121bed52b2f90f2c4906882c96f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
1eabeb5859d155877cb0e9232ced50d0

SHA1
331ff0b214535adf664a090e84239979d8fb16a6

SHA256
213d8be749fd83db62f9428a13d36f67eb4e78598c4abb9abd8231e1294cc605

SHA512
0244cb56cd18f8dd6090931115c30c7bbb693839867533b00722150e0b39084a8c94991eb8e810ef58b1ad560c741a19de6309993dc9faa0b96c76666556d01f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
11KB

MD5
aeaccf64bf7e79639668a3e674f0e36e

SHA1
d348d2badbbb871b31caf0dc60a807935579084b

SHA256
7a4d7f6713c55cf1f53c971331f9a244d1dadb93699cd6c0c941c4ff08f4c4b4

SHA512
9538d7d8f5cf9c3597e5a54b89a60a7af5dbe2b6dcc9a8e0ce35998c952ed53ebea54c2ede602f360f6a58c7a1c70ffd1e269e80098ee33c20184ba99843bc1d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
9KB

MD5
601d5be98c90786ad729ece6414e0465

SHA1
183d036165d6427ee50bcbf1b6d977300277449f

SHA256
98f3a3c2cf5e71401b4211fc1d6c55d5c0f4dd432b3a384284e00083e789da63

SHA512
e80db7fee5d527adccc3db793765508880cfbe0bca4704272c00defb41c334f58fea2e873ef221be2d0850d83cb7f21e008a29e7d80cc5a116db6b5f6c6cd8e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
13KB

MD5
92ca75de0175f5a733b71739d9227f62

SHA1
c437ee782162150613db9bc553a70e6208e19c31

SHA256
8c2765b6afad7f9068490ccb23357841f1a57d1659ff1d7eea2304f4cb8792c7

SHA512
eb02ae91dd50dcd3adbb7111dbc1432bcfcf9f158ef4b160f1d712e4dd613c7e3edd43c0b3debb58e626c4a8527562761248c449a53d08f86e31d88e573bdad8

Download Submit
C:\Users\Admin\Downloads\TMACv6.0.7_Setup.zip.crdownload

Filesize
2.1MB

MD5
aadb7f07999510a53480c9e36468f633

SHA1
7585c61b7f2557f85fcaf82d1fb1080fa947bce0

SHA256
6e63becaf5c5e17a9d3afb6e2104eee3dbe473c8930ae8783eba0fedadb4a152

SHA512
c10ce85ffa05d31257b2807762a35b7b18797384a8c7ebf41cb3d4357be0c5333a389cf76f38f49eabe1af13ff3a984958102854225c66b50dd7a0d514ee05e6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 452923.crdownload

Filesize
85KB

MD5
1cf9257c07936d7fbf508dc113e9b6d5

SHA1
324f8a1f0779fe42baabc544bc7f6814a3d150ca

SHA256
eeee2b0a6ad1c7e4614fed4dfbe58b63776f6a3a6758267b5a976b4dc4315f48

SHA512
081fa75e73138fb403aa01cb09f3051b7ee6954ab0a15366016cabe873d7a64f8374c85d9bcdf068fa019930419c818d102063983a5547ae5107773fe25e5c12

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 977689.crdownload

Filesize
5.1MB

MD5
aee6801792d67607f228be8cec8291f9

SHA1
bf6ba727ff14ca2fddf619f292d56db9d9088066

SHA256
1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

SHA512
09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f

Download Submit
C:\Users\Admin\Downloads\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Windows\Installer\MSIAF6A.tmp

Filesize
34KB

MD5
457659d4d9c2058d1fca89dbc40c999b

SHA1
0c50d8e9127916409c150046a5ade7421d9b4c70

SHA256
f98350383a6a65079f742a03d38d04227ef7f045fc8d6844c3b1d087734c1da6

SHA512
98554de9a26b3fd358af3379c067c3e9ed275f9b79492b25fb318919ecd205f4d21f23de84651c2a5576a27a38ce2b6f5b77c306b537b11430fd257f7709df2e

Download Submit
C:\Windows\Temp\a05942c3a7b4f8209cb94c64118c46a5a56361527ac8ec41d09f64377f87ee66

Filesize
2.7MB

MD5
7b284c4a07504facad872fbc4348b663

SHA1
1c88b528f51bfdff964580567860de85bbb7363d

SHA256
76fcec042c5989c5b816cd32eaed1e5b1c3b998a4b1c9eca55f299e3314ef7e4

SHA512
fdb8a2fbe22f80331114db09b297fcb19d870bfbed2d49cc567b3df8d179d5b47774cc915bed7cf78d8b5a716645ca11ecd019126f35e10839da631c6af0ec77

Download Submit
memory/1332-1065-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/1332-1073-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/1332-1546-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/1332-1031-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/1332-1056-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/1332-1372-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/1332-1258-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/1332-1073-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/1332-1095-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/1332-1077-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/1332-1077-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/1332-1065-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/1332-1095-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/1332-1056-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/1332-1031-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/1332-791-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/1332-1258-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/1332-1546-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/1332-1372-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/1332-791-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/2176-1075-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/2176-1058-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/2176-1263-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/2176-1079-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/2176-1112-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/2176-1112-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/2176-1097-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/2176-1097-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/2176-1079-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/2176-1075-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/2176-1058-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/2176-1263-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/2668-793-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/2668-1096-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/2668-1032-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/2668-1096-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/2668-1057-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/2668-1057-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/2668-793-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/2668-1032-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/4360-1043-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/4360-1043-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/4360-781-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/4360-896-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/4360-896-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download
memory/4360-781-0x0000000000390000-0x0000000001AD9000-memory.dmp

Filesize
23.3MB

Download