e92feb1ddeddc68e29dd241a346f2943bf453ef23f7dc727420ba28a48664d2b

Analysis

max time kernel
1799s
max time network
1799s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
25-06-2024 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

search.html
Size

58KB
MD5

a68daf44901061bba26270a38cf0434c
SHA1

6efb5801be24f36b5945f52da52fe1e4850b8e30
SHA256

e92feb1ddeddc68e29dd241a346f2943bf453ef23f7dc727420ba28a48664d2b
SHA512

b8446d8019417f6ccc6eb7ad71696b839d6f13b928c78e7a285527055a306d360bbb30c78dc3e4fb8fb39799bc3dbc5a390191d963900ca73e23b81f71fd6baf
SSDEEP

1536:Boc/W/U8QcLTZqbxOjIKWR+WgeLdclAvO:D8QyTZ5Y+WgeLd4B

Score

8^/10

persistence privilege_escalation

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	setup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{8A69D345-D564-463C-AFF1-A69D9E530F96}	setup.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Checks processor information in registry 2 TTPs 23 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 14 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Control Panel 21 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Control Panel\Cursors\SizeAll = "%SystemRoot%\\cursors\\move_rl.cur"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Control Panel\Cursors\Scheme Source = "2"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Control Panel\Cursors\Help = "%SystemRoot%\\cursors\\help_rl.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Control Panel\Cursors\AppStarting = "%SystemRoot%\\cursors\\wait_rl.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Control Panel\Cursors\No = "%SystemRoot%\\cursors\\no_rl.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Control Panel\Cursors\SizeWE = "%SystemRoot%\\cursors\\size3_rl.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Control Panel\Cursors\SizeNESW = "%SystemRoot%\\cursors\\size1_rl.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Control Panel\Cursors\Person = "%SystemRoot%\\cursors\\person_rl.cur"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Control Panel\Cursors	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Control Panel\Cursors\ = "Windows Black (extra large)"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Control Panel\Cursors\Arrow = "%SystemRoot%\\cursors\\arrow_rl.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Control Panel\Cursors\Wait = "%SystemRoot%\\cursors\\busy_rl.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Control Panel\Cursors\SizeNS = "%SystemRoot%\\cursors\\size4_rl.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Control Panel\Cursors\UpArrow = "%SystemRoot%\\cursors\\up_rl.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Control Panel\Cursors\NWPen = "%SystemRoot%\\cursors\\pen_rl.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Control Panel\Cursors\SizeNWSE = "%SystemRoot%\\cursors\\size2_rl.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Control Panel\Cursors\Hand	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Control Panel\Desktop\UserPreferencesMask = 9e1e078012000000	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Control Panel\Cursors\Crosshair = "%SystemRoot%\\cursors\\cross_rl.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Control Panel\Cursors\IBeam = "%SystemRoot%\\cursors\\beam_rl.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Control Panel\Cursors\Pin = "%SystemRoot%\\cursors\\pin_rl.cur"	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133637838890621477"	chrome.exe

Modifies registry class 58 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3 = 14001f706806ee260aa0d7449371beb064c986830000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 03000000020000000100000000000000ffffffff	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CHROMEHTML\DEFAULTICON	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\Rev = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a00000040010000904f1e8459ff164d8947e81bbffab36d02000000c0000000904f1e8459ff164d8947e81bbffab36d0b0000005000000030f125b7ef471a10a5f102608c9eebac0c00000050000000537def0c64fad111a2030000f81fedee0800000080000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\GroupView = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INTERFACE\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\PROXYSTUBCLSID32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\TYPELIB\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\1.0\0\WIN32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromeHTML	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\0\NodeSlot = "4"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\LogicalViewMode = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings	firefox.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CHROMEHTML\APPLICATION	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromeHTML\shell	setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\GroupByDirection = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{463ABECF-410D-407F-8AF5-0DF35A005CC8}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LOCALSERVER32	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{708860E0-F641-4611-8895-7D867DD3675B}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromeHTML\shell\open	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\IconSize = "16"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INTERFACE\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\TYPELIB	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\1.0\0	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\0\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\FFlags = "18874433"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\TYPELIB\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\1.0\0\WIN64	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\Mode = "4"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\1.0	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{708860E0-F641-4611-8895-7D867DD3675B}	setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\0 = 1e007180000000000000000000006abe817b2bce7646a29eeb907a5126c50000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings	firefox.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CHROMEHTML\SHELL\OPEN\COMMAND	setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0 = 0c0001008421de39080000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\FFlags = "18874449"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\GroupByKey:PID = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
5064	explorer.exe
2376	WINWORD.EXE
2376	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
4380	chrome.exe
4380	chrome.exe
3916	chrome.exe
3916	chrome.exe
2452	setup.exe
2452	setup.exe
2452	setup.exe
2452	setup.exe
2452	setup.exe
2452	setup.exe
1516	msedge.exe
1516	msedge.exe
1600	msedge.exe
1600	msedge.exe
1116	msedge.exe
1116	msedge.exe
4996	msedge.exe
4996	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
5076	msedge.exe
5076	msedge.exe
1696	identity_helper.exe
1696	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5064	explorer.exe
3488	OptionalFeatures.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe
Token: SeShutdownPrivilege	4380	chrome.exe
Token: SeCreatePagefilePrivilege	4380	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
5064	explorer.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1916	firefox.exe
1916	firefox.exe
1916	firefox.exe
1916	firefox.exe
1916	firefox.exe
1916	firefox.exe
1916	firefox.exe
1916	firefox.exe
1916	firefox.exe
1916	firefox.exe

Suspicious use of SendNotifyMessage 45 IoCs

pid	Process
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
4380	chrome.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1916	firefox.exe
1916	firefox.exe
1916	firefox.exe
1916	firefox.exe
1916	firefox.exe
1916	firefox.exe
2912	firefox.exe
2912	firefox.exe
2912	firefox.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe

Suspicious use of SetWindowsHookEx 41 IoCs

pid	Process
2452	setup.exe
1916	firefox.exe
1916	firefox.exe
1916	firefox.exe
1916	firefox.exe
1916	firefox.exe
1916	firefox.exe
1916	firefox.exe
1916	firefox.exe
1916	firefox.exe
1916	firefox.exe
1916	firefox.exe
1916	firefox.exe
1916	firefox.exe
1916	firefox.exe
1916	firefox.exe
1916	firefox.exe
1916	firefox.exe
1916	firefox.exe
1916	firefox.exe
1916	firefox.exe
1916	firefox.exe
1916	firefox.exe
2376	WINWORD.EXE
2376	WINWORD.EXE
2376	WINWORD.EXE
2376	WINWORD.EXE
2376	WINWORD.EXE
2376	WINWORD.EXE
2376	WINWORD.EXE
2376	WINWORD.EXE
2912	firefox.exe
2912	firefox.exe
2912	firefox.exe
2912	firefox.exe
2912	firefox.exe
2912	firefox.exe
2912	firefox.exe
2912	firefox.exe
2912	firefox.exe
2912	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 4456	4380	chrome.exe	79
PID 4380 wrote to memory of 4456	4380	chrome.exe	79
PID 4380 wrote to memory of 3744	4380	chrome.exe	81
PID 4380 wrote to memory of 3744	4380	chrome.exe	81
PID 4380 wrote to memory of 3744	4380	chrome.exe	81
PID 4380 wrote to memory of 3744	4380	chrome.exe	81
PID 4380 wrote to memory of 3744	4380	chrome.exe	81
PID 4380 wrote to memory of 3744	4380	chrome.exe	81
PID 4380 wrote to memory of 3744	4380	chrome.exe	81
PID 4380 wrote to memory of 3744	4380	chrome.exe	81
PID 4380 wrote to memory of 3744	4380	chrome.exe	81
PID 4380 wrote to memory of 3744	4380	chrome.exe	81
PID 4380 wrote to memory of 3744	4380	chrome.exe	81
PID 4380 wrote to memory of 3744	4380	chrome.exe	81
PID 4380 wrote to memory of 3744	4380	chrome.exe	81
PID 4380 wrote to memory of 3744	4380	chrome.exe	81
PID 4380 wrote to memory of 3744	4380	chrome.exe	81
PID 4380 wrote to memory of 3744	4380	chrome.exe	81
PID 4380 wrote to memory of 3744	4380	chrome.exe	81
PID 4380 wrote to memory of 3744	4380	chrome.exe	81
PID 4380 wrote to memory of 3744	4380	chrome.exe	81
PID 4380 wrote to memory of 3744	4380	chrome.exe	81
PID 4380 wrote to memory of 3744	4380	chrome.exe	81
PID 4380 wrote to memory of 3744	4380	chrome.exe	81
PID 4380 wrote to memory of 3744	4380	chrome.exe	81
PID 4380 wrote to memory of 3744	4380	chrome.exe	81
PID 4380 wrote to memory of 3744	4380	chrome.exe	81
PID 4380 wrote to memory of 3744	4380	chrome.exe	81
PID 4380 wrote to memory of 3744	4380	chrome.exe	81
PID 4380 wrote to memory of 3744	4380	chrome.exe	81
PID 4380 wrote to memory of 3744	4380	chrome.exe	81
PID 4380 wrote to memory of 3744	4380	chrome.exe	81
PID 4380 wrote to memory of 3744	4380	chrome.exe	81
PID 4380 wrote to memory of 1180	4380	chrome.exe	82
PID 4380 wrote to memory of 1180	4380	chrome.exe	82
PID 4380 wrote to memory of 2036	4380	chrome.exe	83
PID 4380 wrote to memory of 2036	4380	chrome.exe	83
PID 4380 wrote to memory of 2036	4380	chrome.exe	83
PID 4380 wrote to memory of 2036	4380	chrome.exe	83
PID 4380 wrote to memory of 2036	4380	chrome.exe	83
PID 4380 wrote to memory of 2036	4380	chrome.exe	83
PID 4380 wrote to memory of 2036	4380	chrome.exe	83
PID 4380 wrote to memory of 2036	4380	chrome.exe	83
PID 4380 wrote to memory of 2036	4380	chrome.exe	83
PID 4380 wrote to memory of 2036	4380	chrome.exe	83
PID 4380 wrote to memory of 2036	4380	chrome.exe	83
PID 4380 wrote to memory of 2036	4380	chrome.exe	83
PID 4380 wrote to memory of 2036	4380	chrome.exe	83
PID 4380 wrote to memory of 2036	4380	chrome.exe	83
PID 4380 wrote to memory of 2036	4380	chrome.exe	83
PID 4380 wrote to memory of 2036	4380	chrome.exe	83
PID 4380 wrote to memory of 2036	4380	chrome.exe	83
PID 4380 wrote to memory of 2036	4380	chrome.exe	83
PID 4380 wrote to memory of 2036	4380	chrome.exe	83
PID 4380 wrote to memory of 2036	4380	chrome.exe	83
PID 4380 wrote to memory of 2036	4380	chrome.exe	83
PID 4380 wrote to memory of 2036	4380	chrome.exe	83
PID 4380 wrote to memory of 2036	4380	chrome.exe	83
PID 4380 wrote to memory of 2036	4380	chrome.exe	83
PID 4380 wrote to memory of 2036	4380	chrome.exe	83
PID 4380 wrote to memory of 2036	4380	chrome.exe	83
PID 4380 wrote to memory of 2036	4380	chrome.exe	83
PID 4380 wrote to memory of 2036	4380	chrome.exe	83
PID 4380 wrote to memory of 2036	4380	chrome.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\search.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc1c28ab58,0x7ffc1c28ab68,0x7ffc1c28ab78
  2⤵
  PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1480 --field-trial-handle=1764,i,11386153336716749096,7816728574083487499,131072 /prefetch:2
  2⤵
  PID:3744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1764,i,11386153336716749096,7816728574083487499,131072 /prefetch:8
  2⤵
  PID:1180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2152 --field-trial-handle=1764,i,11386153336716749096,7816728574083487499,131072 /prefetch:8
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2992 --field-trial-handle=1764,i,11386153336716749096,7816728574083487499,131072 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3132 --field-trial-handle=1764,i,11386153336716749096,7816728574083487499,131072 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3788 --field-trial-handle=1764,i,11386153336716749096,7816728574083487499,131072 /prefetch:8
  2⤵
  PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4176 --field-trial-handle=1764,i,11386153336716749096,7816728574083487499,131072 /prefetch:8
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4540 --field-trial-handle=1764,i,11386153336716749096,7816728574083487499,131072 /prefetch:1
  2⤵
  PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=980 --field-trial-handle=1764,i,11386153336716749096,7816728574083487499,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=736 --field-trial-handle=1764,i,11386153336716749096,7816728574083487499,131072 /prefetch:1
  2⤵
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4656 --field-trial-handle=1764,i,11386153336716749096,7816728574083487499,131072 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4824 --field-trial-handle=1764,i,11386153336716749096,7816728574083487499,131072 /prefetch:1
  2⤵
  PID:568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2556 --field-trial-handle=1764,i,11386153336716749096,7816728574083487499,131072 /prefetch:1
  2⤵
  PID:1476

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:956

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\RegisterExit.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:3076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1504

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:3584

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:2960

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:4448

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\main.cpl ,1
1⤵
- Modifies Control Panel
PID:2740

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\517ec651614248f882f59d1cbf40912c /t 3028 /p 3076
1⤵
PID:1420

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4916

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:1392

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:4908

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:5064
- C:\Windows\system32\OptionalFeatures.exe
  "C:\Windows\system32\OptionalFeatures.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3488

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{FCC74B77-EC3E-4DD8-A80B-008A702075A9}
1⤵
PID:4984
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --uninstall --system-level
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2452
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x7ff641b0ae48,0x7ff641b0ae58,0x7ff641b0ae68
    3⤵
    PID:3864
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --uninstall
    3⤵
    - Enumerates system info in registry
    PID:1852
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffc1c28ab58,0x7ffc1c28ab68,0x7ffc1c28ab78
      4⤵
      PID:4936
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1740,i,5099192989397533759,10002035787722331151,131072 /prefetch:2
      4⤵
      PID:400
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=1740,i,5099192989397533759,10002035787722331151,131072 /prefetch:8
      4⤵
      PID:4712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://support.google.com/chrome?p=chrome_uninstall_survey&crversion=110.0.5481.104&os=10.0.22000
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1600
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffc1c2b3cb8,0x7ffc1c2b3cc8,0x7ffc1c2b3cd8
      4⤵
      PID:2664
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,6253172492400429569,12283284097919378497,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
      4⤵
      PID:2828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,6253172492400429569,12283284097919378497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,6253172492400429569,12283284097919378497,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
      4⤵
      PID:2888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,6253172492400429569,12283284097919378497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
      4⤵
      PID:1200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,6253172492400429569,12283284097919378497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
      4⤵
      PID:2560
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,6253172492400429569,12283284097919378497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
      4⤵
      PID:1468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,6253172492400429569,12283284097919378497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
      4⤵
      PID:2536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,6253172492400429569,12283284097919378497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4124 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4324

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3144

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2408
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1916.0.85484151\133211066" -parentBuildID 20230214051806 -prefsHandle 1752 -prefMapHandle 1732 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bca6db7d-9a41-496b-89f1-a2230d6749a8} 1916 "\\.\pipe\gecko-crash-server-pipe.1916" 1696 1f7b11e5f58 gpu
    3⤵
    PID:2304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1916.1.151336861\1670859607" -parentBuildID 20230214051806 -prefsHandle 2348 -prefMapHandle 2344 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d321d02-a721-4e49-bbb1-1c541b92c3a6} 1916 "\\.\pipe\gecko-crash-server-pipe.1916" 2356 1f7a5485358 socket
    3⤵
    - Checks processor information in registry
    PID:3572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1916.2.282946197\1418805511" -childID 1 -isForBrowser -prefsHandle 3060 -prefMapHandle 2924 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 1396 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48a804e0-2a32-4254-a12f-518010788f1a} 1916 "\\.\pipe\gecko-crash-server-pipe.1916" 3192 1f7b1191f58 tab
    3⤵
    PID:4652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1916.3.603637809\2037329889" -childID 2 -isForBrowser -prefsHandle 888 -prefMapHandle 1284 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1396 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aacf207c-48f1-40c9-a25d-11138966d637} 1916 "\\.\pipe\gecko-crash-server-pipe.1916" 3736 1f7b79f3d58 tab
    3⤵
    PID:760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1916.4.1825846978\1470632907" -childID 3 -isForBrowser -prefsHandle 5000 -prefMapHandle 4996 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1396 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {27364001-1224-48ca-9eec-4d369400bbc6} 1916 "\\.\pipe\gecko-crash-server-pipe.1916" 5008 1f7b9f62858 tab
    3⤵
    PID:1356
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1916.5.1084415668\1007322603" -childID 4 -isForBrowser -prefsHandle 4952 -prefMapHandle 4912 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1396 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a3cc8ab-7119-41a5-9a8d-a0c54d7519aa} 1916 "\\.\pipe\gecko-crash-server-pipe.1916" 5028 1f7b9f61f58 tab
    3⤵
    PID:1196
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1916.6.164695689\1233124802" -childID 5 -isForBrowser -prefsHandle 5292 -prefMapHandle 5296 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1396 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {047aa0c8-95d0-4b22-b611-691f93ae9250} 1916 "\\.\pipe\gecko-crash-server-pipe.1916" 5284 1f7b9914558 tab
    3⤵
    PID:2912

C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2376

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1400
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2912.0.1242659179\350840198" -parentBuildID 20230214051806 -prefsHandle 1800 -prefMapHandle 1792 -prefsLen 22242 -prefMapSize 235168 -appDir "C:\Program Files\Mozilla Firefox\browser" - {402ae393-3feb-4e2a-b15d-f3be009f5e7c} 2912 "\\.\pipe\gecko-crash-server-pipe.2912" 1880 2027fd22b58 gpu
    3⤵
    PID:1020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2912.1.144773908\2007427530" -parentBuildID 20230214051806 -prefsHandle 2392 -prefMapHandle 2380 -prefsLen 22278 -prefMapSize 235168 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d03c2ce-b8ce-46a4-954d-c2369a7ee4b4} 2912 "\\.\pipe\gecko-crash-server-pipe.2912" 2404 20202c6b158 socket
    3⤵
    - Checks processor information in registry
    PID:3124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2912.2.2043207714\1200024332" -childID 1 -isForBrowser -prefsHandle 2648 -prefMapHandle 2904 -prefsLen 22316 -prefMapSize 235168 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdb7d560-3102-4d8a-affb-df31ca8f785e} 2912 "\\.\pipe\gecko-crash-server-pipe.2912" 2812 202051e6e58 tab
    3⤵
    PID:1680
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2912.3.1108942713\2025934982" -childID 2 -isForBrowser -prefsHandle 3452 -prefMapHandle 3448 -prefsLen 27690 -prefMapSize 235168 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {481e70de-a731-4485-85b7-b4a3edc25e7a} 2912 "\\.\pipe\gecko-crash-server-pipe.2912" 3444 202080f2058 tab
    3⤵
    PID:1248
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2912.4.898542094\42348784" -childID 3 -isForBrowser -prefsHandle 5056 -prefMapHandle 5052 -prefsLen 27690 -prefMapSize 235168 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46747bb9-47ec-40a8-a4b7-e0e51fcdb038} 2912 "\\.\pipe\gecko-crash-server-pipe.2912" 5064 2020a359b58 tab
    3⤵
    PID:4660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2912.5.2101512029\1756630958" -childID 4 -isForBrowser -prefsHandle 5152 -prefMapHandle 5156 -prefsLen 27690 -prefMapSize 235168 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6e5f915-6d4f-40c0-b916-fa82f5661a35} 2912 "\\.\pipe\gecko-crash-server-pipe.2912" 5140 20209af4458 tab
    3⤵
    PID:408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2912.6.476097707\610763869" -childID 5 -isForBrowser -prefsHandle 5344 -prefMapHandle 5352 -prefsLen 27690 -prefMapSize 235168 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b442df5-81e9-4989-8219-00b6c00c02ee} 2912 "\\.\pipe\gecko-crash-server-pipe.2912" 5336 20209af4d58 tab
    3⤵
    PID:3628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc1c2b3cb8,0x7ffc1c2b3cc8,0x7ffc1c2b3cd8
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,4330843992115121796,15081322696821401111,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1860 /prefetch:2
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,4330843992115121796,15081322696821401111,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1848,4330843992115121796,15081322696821401111,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2584 /prefetch:8
  2⤵
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,4330843992115121796,15081322696821401111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,4330843992115121796,15081322696821401111,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,4330843992115121796,15081322696821401111,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4468 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,4330843992115121796,15081322696821401111,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1848,4330843992115121796,15081322696821401111,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3312 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1848,4330843992115121796,15081322696821401111,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4048 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
b0f123a1a23589d7039d6e4f7ee5b768

SHA1
d83ba85f2b1dc79cfba7a4a1eabe636511ee3829

SHA256
06f9a4471f17f36e5dd7d06d38ef8270b1a36f930ab77cfefebd18ac00319037

SHA512
b13b1a337d89cdeb6c797645b05189d62ebe5ad669e9cef569f1aca8ef8a83982b502447d9b28339c0a2e3e12df90b7aa3e42e93f633864d824a2b5dee92be14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c998691d1eff2064e86438edc3b8bf6a

SHA1
c9e9521415f063810467c6750aee82d3db6e903b

SHA256
f6f40d30a81013d7d1ecb95b169b898442b33897aa8f64a550c4e4ba7e1e3a9f

SHA512
0dfb9d084e8b5ffae67adb39580c414b96e5738198c28d63da99d49caff167f6099f541994ea20c6525bed33244f42b4fdb56968a01b6a62248fa60b860a985c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
19316fe5c432b9bc801ea5ed5e76169d

SHA1
7db467c7797ddef424ee40d7989b456f65e425f6

SHA256
07d5994900d05137e6b5be8f11d54fbdf498a20bedf833c0868587af4421a5f8

SHA512
b031c6a42f9e9e30ded75a02f7a30ccd5d8597656e047e0df854c2bebb618f6db7ebb60f7a5f5b7af5743fdf9bc9674db2295ded1ff6e45f67e0838004e09d27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
284e36ef882b826ff32b0cfd91119146

SHA1
2418987a876132c5fb791b571edcf906aa9a4be4

SHA256
eedefe42132aec49e07975775f7f3a65dbcf5e9bf9bfd5c88689c4dca6b1bd8c

SHA512
4608df8fad52e4f50a40c83bced6be3ceb8079fed11f7784d2b4bf6d2a09352a730c7cae8b8a79bf72104267f74f3f03ff792c6178c33e3f3c97f7825e5b20b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b7653f6b3648f02a1953f78dafdc5868

SHA1
ff6dc71f2e455af4e28a5f3ec80eea33bd91c1bf

SHA256
6695077f4ae525156fd656466a98e48b3ccc5f57db966e4d45e14b2453780ee4

SHA512
eea2ab39ef88d537db9e1b7fbea0d5b8b474d6464f98f0ecc2a202e5d60989c7df6bd7fdeb5877005692e9fe3dd30fac47b92c940d27feb4d8d2a6d770cf879a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

Filesize
44KB

MD5
dbdf288efd12fe71c3624297a7224757

SHA1
1fa948f46ffe1f6e8b87516b991a5a41fedc1bf4

SHA256
deaa202dc5758be1c9811e5b4c9f29d85cf625e8482f4a98fcdbfe7b90cf9eaa

SHA512
94dec4d089110c205c8681f28fac463efc676b1b8bd72eb0258e0c8a8d23c790b2582c7de410d3eac2adf693780eae0520b4bb94c229bcc0d44092bdf3586c51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
0aef156adc85b2e5f9299ef51cf0caab

SHA1
e3107b589a8ad7d06ef3cfdf3e703a6aabc174eb

SHA256
1b43649c90ac23e0ebea1ab3725cf68e8378adc74dce57a9846574e9b14b22ad

SHA512
e0cd1c9ca71783d0db7623f46f5e4642c5c7b4dfc73052b88e7dd6c80d990c4433cbef69a5fc84360f6a8c9b027ce486587107b8f32e640e1a9739cff356e607

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

Filesize
4.0MB

MD5
81c6c9e03a2d2178fda079ff7a5603d3

SHA1
173c1f56b2b33030c29f9d9339be8f1872e21489

SHA256
084ee7ea5f080abe8b87f1f5cb51176efdb2483c30019552200dfbbc8b224425

SHA512
8ddbf97f1e8a545ce4dac6e187d4baeddabe07611d6fc0d2622fb908b197eeaabc54af25d9dc8629a9a52ba1a684ca69869d9f18ad325b0b7532a56517f1b962

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\f_000001

Filesize
17KB

MD5
bc6ae4eb07f25e6217aad1d9a8815bab

SHA1
fa94d10a59d8e909c6587bbe3cafe4a7a72bb3b1

SHA256
7ce7df376994445c9e43888aa72b2cd02936ef652eba93b6eefd33b1ab0091ff

SHA512
01ddfdcf6f28b99cf31538786633a92f06b5c8e98071e12002f72c4be9b9b35105927e663392b2bfe822a3c91408f9a667c791340c8e8a5c85d01e5802597187

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
15c6108efdd4371630701d141fe9be60

SHA1
67e8164bbe85c4084a751da6992c4f1c4dd6c070

SHA256
4218ffb6732ad04ce54aed2efd2fc8b608bb50c53e0bb157619767d85e7dfbce

SHA512
4ecca629a0baa8b8398ac94148e44e612cfb2a3e292dbc7fa47e9c7aa1e101dd7d2844d08310295f5b314262ba04469b0b3ed4f882134b85b4b638d414985dbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
ef1ed0a62e9420994c5ff00d36f5e720

SHA1
f142f8bc55a6cd175d04b012f99d337b1e3dad33

SHA256
d9e6b7c0410fe3b40a9b73ae2c76ba5607d0096c50ce2ce38387cf81fbb45f79

SHA512
65f4602f989447cd84f0b5abc209309be45d84771352a75f648883f1e10175e1a90d5e78c068470f3bac62bffae89005c44a067871bafd651d860e84a404d434

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
602b32a7d3210c2596b9c2b8d1bd6fce

SHA1
d470cbf354ca0fd4702c86b6c8fd980efb668d9d

SHA256
9539536c4fb364ba4e89d4da5b1323397f64dfb56c2899a72c14f1d5186f315f

SHA512
e256dacaefe93c634ac7eef0862c22337acc3247afcad7b02862de8c43b18865ca5f5363893cfa0c23d59dbb8d44c44c89e5a71239701799638ba9205c02c231

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
609f095a32298a7842aeb79845faafc3

SHA1
9a84e72e726d2dd37c730e9713f77261313be5ed

SHA256
3cbc6c9d16e667de0981a6f4fedd267cfea18c1106987514cd41b679679a9d4e

SHA512
f733acf851879e8671652dbf7f4ab86ebe6b3e7484f6caa144a08073bc9af9698dfc862321ac720683d6bc1a3f898ab1f722cc873aec3f4df93a33fcefe20a38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
bd25b251f9e6d4b891171d5e9779a607

SHA1
4ab48ec2a3c2acd389036c1cecf6acd087f6f814

SHA256
91ab91688040b7782708d348e66acee31d7e75c4984aca1adb6f76dc7a141b2b

SHA512
964c05f99004ade4136d4188f52f3fb22d2d2c933d019bcf511d8d20995172d80e67aebbe57ed773f944e9829f2da838aed231ffd0d49204ad8d6dbd1168e7d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
85B

MD5
bc6142469cd7dadf107be9ad87ea4753

SHA1
72a9aa05003fab742b0e4dc4c5d9eda6b9f7565c

SHA256
b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557

SHA512
47d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt

Filesize
3B

MD5
b06693c054ccd37bb7067a436661c037

SHA1
33c5cc300fe1b8df62dd834784d8880676e3a4e8

SHA256
da12c5db28b539062419677743772a6638f4829fb5f1a07f20c5f42404221166

SHA512
6521974eaeb449a4ec948ee2997a837675b96ab10b5a1dbf76473f8548351632657ef076f620bd95a2381da56a7bde2b1ab685a3642a0ae223c7c815305922b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a74887034b3a720c50e557d5b1c790bf

SHA1
fb245478258648a65aa189b967590eef6fb167be

SHA256
f25b27187fad2b82ac76fae98dfdddc1c04f4e8370d112d45c1dd17a8908c250

SHA512
888c3fceb1a28a41c5449f5237ca27c7cbd057ce407f1542973478a31aa84ce9b77943130ca37551c31fa7cd737b9195b7374f886a969b39148a531530a91af3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
64f055a833e60505264595e7edbf62f6

SHA1
dad32ce325006c1d094b7c07550aca28a8dac890

SHA256
7172dc46924936b8dcee2d0c39535d098c2dbf510402c5bbb269399aed4d4c99

SHA512
86644776207d0904bc3293b4fec2fa724b8b3c9c3086cd0ef2696027ab3d840a8049b6bde3464c209e57ffa83cbc3df6115500fbe36a9acb222830c1aac4dc7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0e48455fa5304fdee04027ad02ae2b23

SHA1
75e4873dc8699c45493986dcb8f234003ae2a6d2

SHA256
988e0cbf7588fa1a57cd75d9bfc7eda0231902a0c03cbc124bd2a79c1d5b9748

SHA512
476411c3ff7258a7cf757992caef69a2e0a1da1073d75308082bf99910a75c73f32149f1c94b3dd48e6225166e292ae6138262d9f0cca1688a8dfdbb1344e8de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\63fba1cd-cf3e-43ff-ab85-e4aeb23770b9.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b652ca3951c54383952fe4ab84b98ecf

SHA1
daf1692d02c3cdd19c388c061a8a10bfb0555682

SHA256
238bca1dddbb5f693e41cd3a944fc540312c0ec6f332db2e7f137589e8670491

SHA512
7d769e8f37f02a7fc26b1c9fd963a1e1b2f3092907ef7dbb56a59ee92cf050d83af2ab7579c1fb8efc63200e2e5ca243a2027778c2ca93913631a12af261a873

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2454e76fdd5a280802bd59bfa6220770

SHA1
656f5d8d8c4b30d4176f8a74c67aea5dfef0ec68

SHA256
8d92aca87cc8e2699e80410e6b11e117644511babdcf3f66b46056bb5d837f65

SHA512
60036dc15fc3cc8563d194e2ed08eb37ddadd4edd8a1ef3b8de2d9c22bb5ad94e51a4528709aade2481e94ec2a0123cb408c90f63f3ff0636c100e3a77ba7e8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
0c262b1a235af03e45825bd2e9ceedec

SHA1
8d82cadb39dbda5bef8632ae5ea5f612bac44919

SHA256
8b012479b9c1b40af264c9ab7d33ae1e164d312ec756dfe5273579fb8adfe4e3

SHA512
53f17c9dd6817fd14673f73b78aaa2d47a06122ddc16deb85f256a208bc29fd6ff4591b074ccf9de1a7aaafefe47f3abc65f035bd50318b56929cf79a4615191

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
3aa84cd326e1f47a5357d3b6c093fb10

SHA1
90213e776d2e3a1bfddb387f42e0a1dfd67a9549

SHA256
0cbcd18b57140273ee26ac732cb1d1bbdf7607cfd0be77496e277439c5429ce2

SHA512
27087701054ebb62320683bc140d4668f1b74176265d8c712eb8276435c78a4159f27b1778a9bec68ad4f95aa535fd40256e414c0866eb76b50c77c6a8a2bbe9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g2lldp8o.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
efc7d1db27f041fa5db6d1199ff17254

SHA1
fea7b73a979c8148bb820f717611fded1c0f2b36

SHA256
f0f78b3f156afcfcb6f1eb8bebe40a58cbb583ee7073ff76717df0a07065dd1a

SHA512
d8898fe51b69f6084888555c882cf6f9727ec1a1cf90c92909b1ff5bdde72b29189d8e1375a15fd8e4fc802d926d548fb5442858a6c8ff849ae4fde1e20e5ea6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\prefs-1.js

Filesize
7KB

MD5
c290532bc19b80205b5f6930c79fffd1

SHA1
6c18925feeb744cbb4f724c7aef8056563356591

SHA256
14016c66ccd55f43542905cc1e9832cd4a0b235ce512ea11056f268260debf14

SHA512
3835eb842edb700cc6bab9babf21fee74fe2e041a8be0d8232990aa106bc272649d0b852676593d2aa733f8f0b4aaed7dee5aa942c2e08fe5bcf12a1161940bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\prefs-1.js

Filesize
7KB

MD5
a71b7e68ca2b514cafbb9c97abd965f3

SHA1
6fc1a7beae6831d1ed381b9887a145f9a3b3f718

SHA256
37ebf44856f12cb026ed33f694b0b4b80f908dc5c13676a0738f18898ac73971

SHA512
19c7afeb833d48a1cfe87451e156044d0b794277cec4f67635119eff20ad10cdce3ade12e13a5cd3de97d08f77f10168f75758525a9111e6edcaa690fb5d602b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\sessionCheckpoints.json.tmp

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\sessionCheckpoints.json.tmp

Filesize
146B

MD5
65690c43c42921410ec8043e34f09079

SHA1
362add4dbd0c978ae222a354a4e8d35563da14b4

SHA256
7343d5a46e2fca762305a4f85c45484a49c1607ede8e8c4bd12bedd2327edb8d

SHA512
c0208d51cf1586e75f22764b82c48ecbb42c1ff54aa412a85af13d686e0119b4e49e98450d25c70e3792d3b9c2cda0c5ab0c6931ebaf548693bb970a35ae62b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\sessionCheckpoints.json.tmp

Filesize
288B

MD5
362985746d24dbb2b166089f30cd1bb7

SHA1
6520fc33381879a120165ede6a0f8aadf9013d3b

SHA256
b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e

SHA512
0e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\sessionCheckpoints.json.tmp

Filesize
122B

MD5
99601438ae1349b653fcd00278943f90

SHA1
8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9

SHA256
72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a

SHA512
ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
f5d02706f70c1231418f5a183b420468

SHA1
47afc6f85bf2752a38418fbdd679375af0fcd318

SHA256
84a536b7964efb967cc1c828fad2d43419fe0299a089e251576e8453e2484700

SHA512
0da9fc41cdfab6a33365326f0bf6dbceb6b8ca7660ed7b7ede93ea980b9eea79c3755d96e012081375a58b009d679cceea82d5c48a678a78724cb0962070fdee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\sessionstore.jsonlz4

Filesize
935B

MD5
21c1ccad67147798e6708f565bb647ae

SHA1
f20813a283cc7d92cfc30c5d35998d9a40a12fe8

SHA256
53442e6d3af70eeb6eb4077eb8d94f7a86ff5429db7014080872fad41c1a2228

SHA512
1b168e097d79e93626e77b7f37c358a93696203e60d55800e1ebe33a9215060914ae444dad9eb8d042214beae8880d9d5cc9e5cca53fa6d2b1400a921a040cfa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2lldp8o.default-release\sessionstore.jsonlz4

Filesize
915B

MD5
076e15967040dc1776725e014f5cc2fd

SHA1
20f407da68f3884ec8700f93b968147b27f01caf

SHA256
05dac5a1966d285ed0cdea84e440a15bd43c9002a66cde406135bf697ed2f489

SHA512
dff534aaf459a3e57f123ca9aef547b487e74afb744c2d7788866a148d7f7d20b4c97e920b95b2ef92d1ede9e8f1214152881d3abf8f7666400dcfd6e2a2a14f

Download Submit
C:\Users\Admin\Desktop\ApproveEdit.vsw

Filesize
487KB

MD5
d8c6988839513cede2dd00919e2c2d4e

SHA1
b3c2a67392148d5b139ff67c588d99cabdd3cbb8

SHA256
66fd235dc60bcff98e89955f858840716fb3285a3f36e4d93d6c38c77c89e094

SHA512
95a32a710a31dedaacb56656238f2c21d96482f515eff05e1c5049e2b43c2d66a2036090f3071ad59483d3c4691bddbb7a4c81ac193ae83657f068c725a1ce60

Download Submit
C:\Users\Admin\Desktop\CheckpointEnter.eprtx

Filesize
678KB

MD5
fe7bc5574601ff77db81c332c050849c

SHA1
57fa1c3746e56a47b141fa9f594ffd9c2a22e3bc

SHA256
f12daf34019868fade1d20ce57d851f15beeb1eb7ade3cad0f8e616ae2cd880e

SHA512
0df42637be9fd2cbef59a9a331ebe8a2164a4a7e6cd05c0df44d691a4a6b5bcbd44990061398c504cb2fae271c80d945c59a5243d8d30cf0fb9ed0adeab4e7e2

Download Submit
C:\Users\Admin\Desktop\CloseExit.css

Filesize
530KB

MD5
348c1070e02242f9d4ef243331d5c0f8

SHA1
279901f9b6396f0f41a8038b8f664d849b11939b

SHA256
6228a5a35d95b62ab80fe496e6871722099bb063a666e2caf48c4db6d63b09c1

SHA512
cf3272f424fef50bdbca2bcd2e099ea15f1fba5a4bb71dc363e8ac78b15df9cee93e62f937b6fc8eb52381ecfd1c6f0e388fe73fbb41fcf638bd926887caca80

Download Submit
C:\Users\Admin\Desktop\CompressStep.vdx

Filesize
381KB

MD5
e166b6391ac4aed319d1f7aa0d7918a8

SHA1
feded5332d7c4057fd4c2c1c95644ce278cbcb62

SHA256
280447cc7d3edf4d5292f487e30e2cca03f70cd044e48161f9fbaf733987423c

SHA512
b21593416308b26d01a753e23ad7e0034a11fec0091f859d087228a62dd8c8ca6c48019b9d6d30cb7c03d3ba3b27793cb7b2fc1a3f6f7e38b7eb8a9f0bac837d

Download Submit
C:\Users\Admin\Desktop\DenyComplete.dot

Filesize
318KB

MD5
374a00108b231dd559dc835eba909918

SHA1
e915d9eae6c19f802b476c45997b4784a1bbb46a

SHA256
57bf8ab0eb89df154e310010219f359d1366d0a67f575a526537470c707bf08c

SHA512
a2eee4dc014b59316c13e83976f32ea9e98e400d175d9a1b35f9a6f4a624ef0ac47ebf53e0a3ada23ac6dab3b2de6efa327d0298c6748579c75571957c2c72a4

Download Submit
C:\Users\Admin\Desktop\EnableSave.jfif

Filesize
275KB

MD5
bbcc3f4de2cfa09efbdd691866c5e775

SHA1
af9205eab70ba06c32b486de761f657d1e53847f

SHA256
ae235fc5d319475c2ac8842e238905fbe148db4640456837e915c8b5863fb6a7

SHA512
3ed3d4f53e3abe780b4d83fdcca828913e94e69781ae9ca9fbccbc84716a94450b2d94fdad7327e277537741eb3392824889d51864cf17c54859b49135206f5e

Download Submit
C:\Users\Admin\Desktop\ExpandConvert.mpg

Filesize
763KB

MD5
daaadf8b08312a0a062b2ebfe70363e7

SHA1
b2e65de256798bf81abcda9defef253ca4ecde79

SHA256
a686330db0c8260d6a90faa6914f2a073f26b4398f4481eb14a3266a3e8a288c

SHA512
5ec5f17a2286d023975a30a423dbcb333fa26cde6ba1f72770aa63ffb34278b1ce4197e063391b4ea71f8b1b6d8766124bd25833050b4924222fb5e139c44fdf

Download Submit
C:\Users\Admin\Desktop\ExportEdit.mpeg3

Filesize
784KB

MD5
97a2c48cf14a2e6b29163fa8887df63c

SHA1
060e8af5090e903679eaab52eda8a999f77dbb6d

SHA256
d3e6c36515effe5e84e41c531c7395080e976d7cdeb7973556f9df208b6f7b64

SHA512
16a4b0439f390da5b6cb175b99774858a1b339ee888607656899411c0c82ab48de8d330c27664f6d5efda68152fd66f50b953701e186deb5ccdb90c4b5560288

Download Submit
C:\Users\Admin\Desktop\GetLimit.ogg

Filesize
1.1MB

MD5
704d7dd1f4f3a4743b3556d881fd8f9c

SHA1
bcc9391975fff16e9c7f3fbc842296c29da4fe4c

SHA256
9b30d12ba72f158cc0d75c9878ef9b35fdd9e1467efd58d04459cd1c7bbde674

SHA512
8b31bf17c3ba8457021df1071ebbd897246b9e96bfd1c5f4cc7a74adb6552df9a1ac8362ad74283cf161e992a2ca2f2eaf8e7ff59dbbc4fd4b7a1bfb08a99b74

Download Submit
C:\Users\Admin\Desktop\GetRegister.bat

Filesize
445KB

MD5
f660af4ffc1a04f107e86bbfb9480fc5

SHA1
298c0947e284e8f2ffee6326bb876529df5c60e6

SHA256
32a5f6a39dd57ac6bde9fbe7ed97bd9bea118fddb4e111c81ac8e97f59147120

SHA512
03b57d1b004a80ff3ecaa4e80fcd8a40d8bf1dfec2794944a5967c8876ffb212c387a0d6035ca85409ef455fb4e4e2524413945e4e0d71f676ccd64d5fd51c63

Download Submit
C:\Users\Admin\Desktop\ImportSplit.aiff

Filesize
402KB

MD5
c233df280ffda0033ac0a3cef2a60175

SHA1
3d1f7ac68169515fb66b4b8cb11cc6cfe21032f5

SHA256
ae151bde4535a41e28920888454e5416e5184bbb576029c62e8e17f9d3361b16

SHA512
f7e65d6c3bc5dc26473fdd608a237675bc555a61b9db077c816a81928e4125ec03c8fc4f4052c58a1030c0d325c176b41975ac840bac1593003544dc7ad28f53

Download Submit
C:\Users\Admin\Desktop\InvokeShow.cr2

Filesize
424KB

MD5
ae66cc10179445d356ce057b07f10cc3

SHA1
9b90841924242309d7be6a14b1310ead4b70494d

SHA256
9be2a28317e75152cc2e400e625f304c239124dc62dd6219e3e41a4d930b4089

SHA512
2ff8290c504f88eac76674bab210dcaf18e95b39c5b350d920c41ed03c16fa868154b0edca6d4e88dbbea44f5806d9d260b7aaf20734bf6a89b50f4c2a304c46

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
a08b2759231a6831588bd926d29d0df7

SHA1
4034a8e50e31254da5a96e53167157ca8ecf4499

SHA256
f5144e344624b875a2c50cc57c35e7e9e9ef279aaf6b01bca0af5cccaa6314e4

SHA512
95a1a56ece14a54f017f4b1f628f63460ed5a8fc7780b522b70afd3b227ce87bcd171fc43aad61b2e8367355d82d26a35126a359cb137a21873f3b5db9c14bcc

Download Submit
C:\Users\Admin\Desktop\OpenDeny.ini

Filesize
721KB

MD5
aa19d324f536901ab8e7b6aaf9ae5ec5

SHA1
93ffe6853961adc441cd49b26e66c8d66a24b5b5

SHA256
8afcd420b6f2a4e2e5680c44780d3f32f3570fcc27668ac75108ad4548395d5e

SHA512
ed7a9ab25fba6859389946b007251366408b56c49bb65a74e832f9d7185b304c2be244a9ad44f76f60ff937d616ce38834ca7d4a86cc8635ac7032a7dc5326d4

Download Submit
C:\Users\Admin\Desktop\OptimizeRedo.potm

Filesize
296KB

MD5
265761d3616f6f5bb83cea27f6170266

SHA1
4807bf234e7abbb964bde87f81bc47c82ea8752d

SHA256
8b6988db865aae8d76ad97b82659efbfd0708d8827f29a100389f4452c2c8604

SHA512
5a5a8f76e29292eb7d00961554cfe28fe81fce3eb4cd2b4419cd5389a40e88602accecc68cd9477d8aead9f37bdffa2abdeea3d283eed08b7e5c67ef780df4bd

Download Submit
C:\Users\Admin\Desktop\OutBackup.lock

Filesize
551KB

MD5
a35b3ffbd89dd5724e537d38db03fbe6

SHA1
f2b117e909124e3d11898d3686cf23b23ef5db39

SHA256
b4aa76d69f6d8aa2dc5163aeee31dbca50d0cef845323e88c24d932afdf3cd73

SHA512
e37181a18d593d28020da241698ae8662c52323693ad1b31f68e96b9749635e8db6770267382895d84c4b5c795fd8d0d2d088778d39639716502a793e455a9e2

Download Submit
C:\Users\Admin\Desktop\PopRestart.ppt

Filesize
466KB

MD5
d111a75b794dc42de5548c9f0de68b1d

SHA1
1b396db9660a588bb600af15cbc12fed9c78c649

SHA256
70b11b4ab85aefc071cc92ffa4f81a356aeb2e6caa57a288af526a74edbaeb6f

SHA512
4089db661e02e187374257b0809e7ee623d246f6cb134d6646e84215e8c2c10640096cbf13110b0358aab07ce8fc7145e741c5e55ed38dcff0a872b7169a3a12

Download Submit
C:\Users\Admin\Desktop\RegisterExit.hta

Filesize
615KB

MD5
8b36fd04d7f9dcc7bbad34886bcce348

SHA1
78e95922080b4451d7f49669a3a856b7535fc39e

SHA256
e36b3f939481ac6b297eb97e974800789c1b1d55f710ef804f4eb4990f16075b

SHA512
fd09e8f9c16db37a0b05d99237ba98bb4676656dfae8bc12a6ba995714ec356ac9783b66f7cf7b2e505360e2b282fec1fd7a01fd6d398a05db4a946dfc256d3e

Download Submit
C:\Users\Admin\Desktop\ResizeDisconnect.vst

Filesize
593KB

MD5
578a15811878592e79e9da26da596f5d

SHA1
5701d53cef3dbeadfc928fa60c2b2b4e8ac1b8ad

SHA256
96ae8d5aba05268b9a1997bc1b53401fa7f2bf980a6c8f338f558da4dd5f48c9

SHA512
b58411845464643fdf7776a320e71fb19773dd647adf4cc86e02fd67478b994ca798b983f00fb7e667861318d4a441fa336c7f00810f53eeb4bc2b5027497938

Download Submit
C:\Users\Admin\Desktop\SearchUninstall.zip

Filesize
360KB

MD5
774d5c640b7d1deb951521ab3c76935f

SHA1
21be3797caa04570c53a75f7be7a6716d06cbdf2

SHA256
2533a573b7cfc6b2e23fa774327d6d639b6a2fd66641cd55f7995aa2fb573271

SHA512
518cac99e61ed3246d976a9ab29efb976ffd0f5064ed8211fc41bbedac5b15ea7049f73229631dea9994dfa8ada94b61d90a4d1f29c0e14a221054135cf10189

Download Submit
C:\Users\Admin\Desktop\SetAssert.midi

Filesize
742KB

MD5
f18dc3af0090d16ee16f49a4257fcf3e

SHA1
3ee7bb255907ee88a6dcc2405553b7c6da8da84a

SHA256
8636f2ce8bba09ef7046f55164c53cfbfec83bae4860db4e1db1c2bd59214070

SHA512
b484c787f0c3c4a70c4fccfc3a33d5b93533548df918e099f54e8f7f05fa177730a275cedf6ccfe35a3f8b1dab24a3889a7ec0dfa078442be868f49025fd3d8a

Download Submit
C:\Users\Admin\Desktop\SkipBlock.vb

Filesize
699KB

MD5
2158a7cb800ba0651102d502272b35ca

SHA1
84de63929b91bb452afefdf8617d996437be68ad

SHA256
20a808d604219bc2a6433f2164b62b26f2a2d2459627072fefce0a09f125dc38

SHA512
ce64f2b4a404b9363d708c17964b81f1a3b1f7b8fc8276c8b107081e828a484cbf0ab465f0d95f3f90250485404068e026484740de6a5ab763e60732fb92cefa

Download Submit
C:\Users\Admin\Desktop\SplitAssert.dotx

Filesize
636KB

MD5
d004d2c93ad62c22e9f197928907562b

SHA1
7449fc1f5bf8314942070ce46a54fc05d7828d85

SHA256
4a380b6538948a27b2359c288f0fc7f863ce0484e48f81f037918d11d87eecd1

SHA512
d254b4e7b8d7bd2d0347a4fe9623ecdb411bda9416b795109dcc9c96599d12bd4c915e0dd67045315948fdbd97ffd2cf4787f3493456fbc5bfe00caa160e178f

Download Submit
C:\Users\Admin\Desktop\TestRead.xlsx

Filesize
339KB

MD5
78a3fa71a750d86b1add8ff7037f100c

SHA1
4506c0d8733d5340c7832804080da92c68565cd5

SHA256
e6c3485da25e330f688eb6596282494148d5ba52ab245234adf69195266c5232

SHA512
bce6e493ffbb68195514af76c5247ffda0fa9f725206d669bc351e786d9d724ef121ab752f4f165a611a618ed3a1d501cef804a525bfceeed1051e0153808660

Download Submit
C:\Users\Admin\Desktop\UnpublishLimit.mp2v

Filesize
508KB

MD5
08eee75c5be07f243cae62b5badd8efb

SHA1
215b3b309d7552213bbe0c27ab03e43428f0b707

SHA256
ab1dea2ec1e0d2a3cf6c0f84551ced44db895ab5f133bffd5d2413567a54d39c

SHA512
c8b3f014c59cc7139a5101c3ac54d9e11adc49c36e3ce78069d22490026c0ce1d0634119c0f5416b0307a8699d4f010693c2b20bb779353e95a9901e859cc4c3

Download Submit
C:\Users\Admin\Desktop\UseConfirm.mp4v

Filesize
572KB

MD5
23e423f4f68c86af8e7302f5c6170633

SHA1
a60c63cd7074b632ce22b07105d77c574d1f882a

SHA256
ed76b91569ae42bb66950e08802a9c585bda254b1c3337f8e453f0be8bc23dbf

SHA512
78728a588770eb10657041aa092b7eccf39c38301636f73dba0d0767487d61721792b99a6ec30705d8ceb0f78f678bc1658a5efb7a9df05d91bb9108e77b5861

Download Submit
C:\Users\Admin\Desktop\UseDebug.docx

Filesize
657KB

MD5
355246a576000b82b8197a539e06ac6f

SHA1
83c13d4f828e6409279f02c0c150708a2ffa613e

SHA256
ca8a2a2599d2b2fec97b45d03e8670110d257fe745c901ba9b88335e8f25ab4e

SHA512
53cf9e06365fc436537c74bed0e8c624e1e71ceed97965484f76dd8faf46a4bce381d40dc16eba49f16058d97801a40c189b546c1349b65bad764ceafbd6f015

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
2e393cc414c06d33e4893b74255b6248

SHA1
3836db3e01411a233b9daf6f36d96feb4c833cab

SHA256
4914c7587c8e57c50a4736d9c96260a2ac78703e48f4c5005d7f240fb6f137c1

SHA512
6d620005e7469861e2f00a630ff19236bdbb682ddc5b897a4e92ef703bbd6099b470810ebf6d28bb19ac20d139021f87a273ec76d12170c187319c22001aacdd

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1000B

MD5
8686a6724865ab084af03c9376701eca

SHA1
7f1ddadc1f2b2b48e4a09f28fa77f1be23af9b50

SHA256
846a9a31da263ae174f6f49c5bde7f9049f7e51efde61ef91405a6dfa77a6a67

SHA512
a3c28b0e0558bf49729376f49eb1aecff494b49895d5affd15f316b2724b0767e5775fa348d6e3b6a2fb90c1e18d9eafa0f8132d8de3507b0cc179ef20be92c1

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
9d9fc288c110ec6cf26c9c0d071dd90b

SHA1
04ffee0b4fb38c0a400f8492ceb0d09bdbfb3dc3

SHA256
97b493c519883890c712b406a2194a42f876c5ff64eccab18bce183975089215

SHA512
43ea846d8f2595c88032db0e489a33f5b05cb1d0cc754003376e6a2dd2b5728e448480b5f71f2cc75e4f414a8a8087736c87f65c9293998e810e29abc9d9acc5

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
15f566323a9d9d10228fc0e6a7c0ded9

SHA1
9ee592f4e96c16caf109bf1a98b145ea61de76bf

SHA256
ba708397873abbc02dd564bf983ab79307b27fcbfc47d6d804d5e6c0e05a1657

SHA512
40e09781bbfe6364eef26a37ebc88caf44cc571042f7f2d47af7c420e88fcb1147f63ab4de2f988da914fdb56fcfea0278fe371f78fb2300d58302c83885eebd

Download Submit
memory/2376-497-0x00007FFBEF910000-0x00007FFBEF920000-memory.dmp

Filesize
64KB

Download
memory/2376-519-0x00007FFBEF910000-0x00007FFBEF920000-memory.dmp

Filesize
64KB

Download
memory/2376-520-0x00007FFBEF910000-0x00007FFBEF920000-memory.dmp

Filesize
64KB

Download
memory/2376-521-0x00007FFBEF910000-0x00007FFBEF920000-memory.dmp

Filesize
64KB

Download
memory/2376-518-0x00007FFBEF910000-0x00007FFBEF920000-memory.dmp

Filesize
64KB

Download
memory/2376-500-0x00007FFBED0F0000-0x00007FFBED100000-memory.dmp

Filesize
64KB

Download
memory/2376-499-0x00007FFBED0F0000-0x00007FFBED100000-memory.dmp

Filesize
64KB

Download
memory/2376-498-0x00007FFBEF910000-0x00007FFBEF920000-memory.dmp

Filesize
64KB

Download
memory/2376-495-0x00007FFBEF910000-0x00007FFBEF920000-memory.dmp

Filesize
64KB

Download
memory/2376-496-0x00007FFBEF910000-0x00007FFBEF920000-memory.dmp

Filesize
64KB

Download
memory/2376-494-0x00007FFBEF910000-0x00007FFBEF920000-memory.dmp

Filesize
64KB

Download