748415008bed7e4d275e94b2f8c518494f5992ccf6e383d501e46235be1c4891

Analysis

max time kernel
1800s
max time network
1482s
platform
windows11-21h2_x64
resource
win11-20240704-en
resource tags

arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
submitted
07-07-2024 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

19KB
MD5

69ef79397fa0aa72de8c4371012a3525
SHA1

0c9dddb9b6ddefa16cccf7af1168a524b0057913
SHA256

748415008bed7e4d275e94b2f8c518494f5992ccf6e383d501e46235be1c4891
SHA512

92d81ba99f431109d2ac2bdf7abe236bd9e90a1a7a176ec48b5e24e794420af9e321a2a4427495cb04a729c021dfa9e02e5a80134b2981f9278fdc8bf466c5df
SSDEEP

384:ZXkpYdpjGFMBaxT86thiBhcyDGE0nrKABM48Oa2avENSaUxOoILA3zcFdKtM0jH:ZV4TvJKAO48f2XRLC

Score

10^/10

evasion persistence privilege_escalation

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	mDNSResponder.exe

Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 5 IoCs

pid	Process
3616	AltServer.exe
2220	iTunes64Setup.exe
1956	SetupAdmin.exe
4592	mDNSResponder.exe
2584	Process not Found

Loads dropped DLL 32 IoCs

pid	Process
3616	AltServer.exe
3616	AltServer.exe
3616	AltServer.exe
3616	AltServer.exe
3616	AltServer.exe
3616	AltServer.exe
3616	AltServer.exe
3616	AltServer.exe
3616	AltServer.exe
3616	AltServer.exe
3616	AltServer.exe
3616	AltServer.exe
3616	AltServer.exe
3616	AltServer.exe
3616	AltServer.exe
3616	AltServer.exe
3616	AltServer.exe
3616	AltServer.exe
3612	MsiExec.exe
3612	MsiExec.exe
3612	MsiExec.exe
3612	MsiExec.exe
3612	MsiExec.exe
1500	MsiExec.exe
1500	MsiExec.exe
1500	MsiExec.exe
1244	MsiExec.exe
1244	MsiExec.exe
3132	MsiExec.exe
1420	MsiExec.exe
3944	MsiExec.exe
4532	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000\Software\Microsoft\Windows\CurrentVersion\Run\AltServer = "C:\\Program Files (x86)\\AltServer\\AltServer.exe"	AltServer.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dns-sd.exe	msiexec.exe
File created	C:\Windows\system32\dns-sd.exe	msiexec.exe
File created	C:\Windows\SysWOW64\dnssd.dll	msiexec.exe
File created	C:\Windows\system32\dnssd.dll	msiexec.exe
File created	C:\Windows\SysWOW64\dnssdX.dll	msiexec.exe
File created	C:\Windows\system32\dnssdX.dll	msiexec.exe
File created	C:\Windows\SysWOW64\jdns_sd.dll	msiexec.exe
File created	C:\Windows\system32\jdns_sd.dll	msiexec.exe

Drops file in Program Files directory 51 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\en.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files\Bonjour\About Bonjour.lnk	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\About Bonjour.lnk	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\nb.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\AltServer\vcruntime140.dll	msiexec.exe
File created	C:\Program Files (x86)\AltServer\AltServer.exe	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\da.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\en_GB.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\it.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\AltServer\brotlidec.dll	msiexec.exe
File created	C:\Program Files (x86)\AltServer\concrt140.dll	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\ko.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\zh_TW.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\AltServer\MenuBarIcon.png	msiexec.exe
File created	C:\Program Files (x86)\AltServer\boost_date_time-vc142-mt-x32-1_70.dll	msiexec.exe
File created	C:\Program Files (x86)\AltServer\brotlicommon.dll	msiexec.exe
File created	C:\Program Files (x86)\AltServer\libeay32.dll	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\dns_sd.jar	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\mDNSResponder.exe	msiexec.exe
File created	C:\Program Files (x86)\AltServer\WinSparkle.dll	msiexec.exe
File created	C:\Program Files (x86)\AltServer\usbmuxd.dll	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\pl.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\AltServer\ssleay32.dll	msiexec.exe
File created	C:\Program Files (x86)\AltServer\msvcp140.dll	msiexec.exe
File created	C:\Program Files (x86)\AltServer\libcrypto-1_1.dll	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\zh_CN.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files\Bonjour\mdnsNSP.dll	msiexec.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\dns_sd.jar	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\pt.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files\Bonjour\dns_sd.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\dns_sd.jar	msiexec.exe
File created	C:\Program Files (x86)\AltServer\zlib1.dll	msiexec.exe
File created	C:\Program Files (x86)\AltServer\ldid.dll	msiexec.exe
File created	C:\Program Files (x86)\AltServer\libssl-1_1.dll	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\de.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files\Bonjour\mDNSResponder.exe	msiexec.exe
File created	C:\Program Files (x86)\AltServer\imobiledevice.dll	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\fi.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\AltServer\regex2.dll	msiexec.exe
File created	C:\Program Files (x86)\AltServer\cpprest_2_10.dll	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\nl.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\ru.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\ja.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\pt_PT.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\sv.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\AltServer\plist.dll	msiexec.exe
File created	C:\Program Files (x86)\AltServer\MenuBarIcon.ico	msiexec.exe
File created	C:\Program Files (x86)\AltServer\brotlienc.dll	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\es.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\fr.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\Bonjour\mdnsNSP.dll	msiexec.exe

Drops file in Windows directory 35 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\~DF0DAC64EC936E81CA.TMP	msiexec.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File created	C:\Windows\Installer\SourceHash{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDB5B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}\RichText.ico	msiexec.exe
File created	C:\Windows\SystemTemp\~DFEDFE3168D6A0C6A6.TMP	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID9A3.tmp	msiexec.exe
File created	C:\Windows\Installer\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}\RichText.ico	msiexec.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File created	C:\Windows\Installer\e5d2149.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF892D69089F5590CC.TMP	msiexec.exe
File created	C:\Windows\Installer\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}\Bonjour.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}\Bonjour.ico	msiexec.exe
File created	C:\Windows\Installer\e5d2146.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF7B5C097DC0996800.TMP	msiexec.exe
File created	C:\Windows\Installer\e5d214e.msi	msiexec.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Installer\e5d2149.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE2A1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5d2146.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DF415604FA6B6E1831.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI258C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID925.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF35922A753DF142CC.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{619A4470-A1F7-4782-8C44-523980FAE4C2}	msiexec.exe
File created	C:\Windows\Installer\e5d2148.msi	msiexec.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Installer\MSIDA60.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\SystemTemp\~DF28D9C21133C0512A.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDB7B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDD8F.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF9B4040541BC5BCCB.TMP	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000002eb3b4784cc238f50000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800002eb3b4780000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809002eb3b478000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d2eb3b478000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000002eb3b47800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133648487359087131"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\ = "DNSSDRecord Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\VersionIndependentProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\Programmable	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8BFDDD6597F70844985D521E5FA22BF8\SourceList\PackageName = "Bonjour64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.DNSSDService\ = "DNSSDService Class"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.DNSSDService\CurVer\ = "Bonjour.DNSSDService.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.TXTRecord\ = "TXTRecord Class"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\HELPDIR\ = "C:\\Program Files\\Bonjour\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\AppID = "{56608F9C-223B-4CB6-813D-85EDCCADFB4B}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.DNSSDRecord\CLSID\ = "{5E93C5A9-7516-4259-A67B-41A656F6E01C}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\ProxyStubClsid32\ = "{7FD72324-63E1-45AD-B337-4D525BD98DAD}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\AppID = "{56608F9C-223B-4CB6-813D-85EDCCADFB4B}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\TypeLib\Version = "1.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\ = "ITXTRecord"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8BFDDD6597F70844985D521E5FA22BF8\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP768.TMP\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.DNSSDRecord.1\CLSID\ = "{5E93C5A9-7516-4259-A67B-41A656F6E01C}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\ = "IDNSSDRecord"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\NumMethods\ = "14"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\Programmable	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\TypeLib\Version = "1.0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8BFDDD6597F70844985D521E5FA22BF8	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8BFDDD6597F70844985D521E5FA22BF8\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.TXTRecord	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\ProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\TypeLib\Version = "1.0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\ProxyStubClsid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\NumMethods\ = "19"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.DNSSDService.1\ = "DNSSDService Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\VersionIndependentProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1523EA646D34FC14C8FD9E203C58611D	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8BFDDD6597F70844985D521E5FA22BF8\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dnssdX.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\VersionIndependentProgID\ = "Bonjour.TXTRecord"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{29DE265F-8402-474F-833A-D4653B23458F}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8BFDDD6597F70844985D521E5FA22BF8\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ProxyStubClsid32\ = "{7FD72324-63E1-45AD-B337-4D525BD98DAD}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\TypeLib\Version = "1.0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\dnssdX.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\FLAGS	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\AppID = "{56608F9C-223B-4CB6-813D-85EDCCADFB4B}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8BFDDD6597F70844985D521E5FA22BF8\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8BFDDD6597F70844985D521E5FA22BF8\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\AppID = "{56608F9C-223B-4CB6-813D-85EDCCADFB4B}"	msiexec.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\altinstaller.zip:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 481305.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\iTunes64Setup.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
668	chrome.exe
668	chrome.exe
2444	chrome.exe
2444	chrome.exe
3788	msiexec.exe
3788	msiexec.exe
2276	msedge.exe
2276	msedge.exe
3740	msedge.exe
3740	msedge.exe
3436	msedge.exe
3436	msedge.exe
4916	identity_helper.exe
4916	identity_helper.exe
3344	msedge.exe
3344	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe
Token: SeShutdownPrivilege	668	chrome.exe
Token: SeCreatePagefilePrivilege	668	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
1424	msiexec.exe
1424	msiexec.exe
3904	msiexec.exe
3904	msiexec.exe
668	chrome.exe
3616	AltServer.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
668	chrome.exe
3616	AltServer.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1572	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 668 wrote to memory of 1484	668	chrome.exe	80
PID 668 wrote to memory of 1484	668	chrome.exe	80
PID 668 wrote to memory of 1808	668	chrome.exe	82
PID 668 wrote to memory of 1808	668	chrome.exe	82
PID 668 wrote to memory of 1808	668	chrome.exe	82
PID 668 wrote to memory of 1808	668	chrome.exe	82
PID 668 wrote to memory of 1808	668	chrome.exe	82
PID 668 wrote to memory of 1808	668	chrome.exe	82
PID 668 wrote to memory of 1808	668	chrome.exe	82
PID 668 wrote to memory of 1808	668	chrome.exe	82
PID 668 wrote to memory of 1808	668	chrome.exe	82
PID 668 wrote to memory of 1808	668	chrome.exe	82
PID 668 wrote to memory of 1808	668	chrome.exe	82
PID 668 wrote to memory of 1808	668	chrome.exe	82
PID 668 wrote to memory of 1808	668	chrome.exe	82
PID 668 wrote to memory of 1808	668	chrome.exe	82
PID 668 wrote to memory of 1808	668	chrome.exe	82
PID 668 wrote to memory of 1808	668	chrome.exe	82
PID 668 wrote to memory of 1808	668	chrome.exe	82
PID 668 wrote to memory of 1808	668	chrome.exe	82
PID 668 wrote to memory of 1808	668	chrome.exe	82
PID 668 wrote to memory of 1808	668	chrome.exe	82
PID 668 wrote to memory of 1808	668	chrome.exe	82
PID 668 wrote to memory of 1808	668	chrome.exe	82
PID 668 wrote to memory of 1808	668	chrome.exe	82
PID 668 wrote to memory of 1808	668	chrome.exe	82
PID 668 wrote to memory of 1808	668	chrome.exe	82
PID 668 wrote to memory of 1808	668	chrome.exe	82
PID 668 wrote to memory of 1808	668	chrome.exe	82
PID 668 wrote to memory of 1808	668	chrome.exe	82
PID 668 wrote to memory of 1808	668	chrome.exe	82
PID 668 wrote to memory of 1808	668	chrome.exe	82
PID 668 wrote to memory of 1808	668	chrome.exe	82
PID 668 wrote to memory of 1428	668	chrome.exe	83
PID 668 wrote to memory of 1428	668	chrome.exe	83
PID 668 wrote to memory of 2324	668	chrome.exe	84
PID 668 wrote to memory of 2324	668	chrome.exe	84
PID 668 wrote to memory of 2324	668	chrome.exe	84
PID 668 wrote to memory of 2324	668	chrome.exe	84
PID 668 wrote to memory of 2324	668	chrome.exe	84
PID 668 wrote to memory of 2324	668	chrome.exe	84
PID 668 wrote to memory of 2324	668	chrome.exe	84
PID 668 wrote to memory of 2324	668	chrome.exe	84
PID 668 wrote to memory of 2324	668	chrome.exe	84
PID 668 wrote to memory of 2324	668	chrome.exe	84
PID 668 wrote to memory of 2324	668	chrome.exe	84
PID 668 wrote to memory of 2324	668	chrome.exe	84
PID 668 wrote to memory of 2324	668	chrome.exe	84
PID 668 wrote to memory of 2324	668	chrome.exe	84
PID 668 wrote to memory of 2324	668	chrome.exe	84
PID 668 wrote to memory of 2324	668	chrome.exe	84
PID 668 wrote to memory of 2324	668	chrome.exe	84
PID 668 wrote to memory of 2324	668	chrome.exe	84
PID 668 wrote to memory of 2324	668	chrome.exe	84
PID 668 wrote to memory of 2324	668	chrome.exe	84
PID 668 wrote to memory of 2324	668	chrome.exe	84
PID 668 wrote to memory of 2324	668	chrome.exe	84
PID 668 wrote to memory of 2324	668	chrome.exe	84
PID 668 wrote to memory of 2324	668	chrome.exe	84
PID 668 wrote to memory of 2324	668	chrome.exe	84
PID 668 wrote to memory of 2324	668	chrome.exe	84
PID 668 wrote to memory of 2324	668	chrome.exe	84
PID 668 wrote to memory of 2324	668	chrome.exe	84
PID 668 wrote to memory of 2324	668	chrome.exe	84

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbfebfab58,0x7ffbfebfab68,0x7ffbfebfab78
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1788,i,11469917201849668423,2420949924216263518,131072 /prefetch:2
  2⤵
  PID:1808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1788,i,11469917201849668423,2420949924216263518,131072 /prefetch:8
  2⤵
  PID:1428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2188 --field-trial-handle=1788,i,11469917201849668423,2420949924216263518,131072 /prefetch:8
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2976 --field-trial-handle=1788,i,11469917201849668423,2420949924216263518,131072 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3116 --field-trial-handle=1788,i,11469917201849668423,2420949924216263518,131072 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 --field-trial-handle=1788,i,11469917201849668423,2420949924216263518,131072 /prefetch:8
  2⤵
  PID:3800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 --field-trial-handle=1788,i,11469917201849668423,2420949924216263518,131072 /prefetch:8
  2⤵
  PID:3664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4540 --field-trial-handle=1788,i,11469917201849668423,2420949924216263518,131072 /prefetch:1
  2⤵
  PID:3784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4012 --field-trial-handle=1788,i,11469917201849668423,2420949924216263518,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=1552 --field-trial-handle=1788,i,11469917201849668423,2420949924216263518,131072 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2996 --field-trial-handle=1788,i,11469917201849668423,2420949924216263518,131072 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3096 --field-trial-handle=1788,i,11469917201849668423,2420949924216263518,131072 /prefetch:1
  2⤵
  PID:3012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3108 --field-trial-handle=1788,i,11469917201849668423,2420949924216263518,131072 /prefetch:1
  2⤵
  PID:3840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4712 --field-trial-handle=1788,i,11469917201849668423,2420949924216263518,131072 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4844 --field-trial-handle=1788,i,11469917201849668423,2420949924216263518,131072 /prefetch:8
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3200 --field-trial-handle=1788,i,11469917201849668423,2420949924216263518,131072 /prefetch:8
  2⤵
  PID:716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 --field-trial-handle=1788,i,11469917201849668423,2420949924216263518,131072 /prefetch:8
  2⤵
  PID:392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 --field-trial-handle=1788,i,11469917201849668423,2420949924216263518,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3492

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1760

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\Temp1_altinstaller.zip\setup.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_altinstaller.zip\setup.exe"
1⤵
PID:624
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\Temp1_altinstaller.zip\AltInstaller.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:1424

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3788
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4964
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding AEEDD286CA1A9C0D2F52E3447336203D C
  2⤵
  - Loads dropped DLL
  PID:3612
- - C:\Users\Admin\AppData\Local\Temp\IXP768.TMP\SetupAdmin.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP768.TMP\SetupAdmin.exe" /evt EAEC /pid 3612 /mon 776 788
    3⤵
    - Executes dropped EXE
    PID:1956
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 4829890C52213BA8FBA8583CC507FA1E
  2⤵
  - Loads dropped DLL
  PID:1500
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2F06C304262B366AE12C1591A064BD5F
  2⤵
  - Loads dropped DLL
  PID:1244
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E38D2623496EB6CFB07686F3593B9354 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:3132
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\Bonjour\mdnsNSP.dll"
  2⤵
  - Loads dropped DLL
  PID:1420
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll"
  2⤵
  - Loads dropped DLL
  PID:3944

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4692

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1028

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:1572

C:\Windows\system32\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i {619A4470-A1F7-4782-8C44-523980FAE4C2}
1⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:3904

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1572

C:\Program Files (x86)\AltServer\AltServer.exe
"C:\Program Files (x86)\AltServer\AltServer.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.apple.com/itunes/download/win64
  2⤵
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffbff073cb8,0x7ffbff073cc8,0x7ffbff073cd8
    3⤵
    PID:864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,10721406140547988387,3099887197742353493,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
    3⤵
    PID:4380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,10721406140547988387,3099887197742353493,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,10721406140547988387,3099887197742353493,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
    3⤵
    PID:252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10721406140547988387,3099887197742353493,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
    3⤵
    PID:4392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10721406140547988387,3099887197742353493,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
    3⤵
    PID:1224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10721406140547988387,3099887197742353493,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
    3⤵
    PID:4100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10721406140547988387,3099887197742353493,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
    3⤵
    PID:5056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10721406140547988387,3099887197742353493,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
    3⤵
    PID:936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10721406140547988387,3099887197742353493,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
    3⤵
    PID:3880
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10721406140547988387,3099887197742353493,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
    3⤵
    PID:4640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,10721406140547988387,3099887197742353493,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5844 /prefetch:8
    3⤵
    PID:4484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,10721406140547988387,3099887197742353493,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3436
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,10721406140547988387,3099887197742353493,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6444 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10721406140547988387,3099887197742353493,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1
    3⤵
    PID:3064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10721406140547988387,3099887197742353493,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
    3⤵
    PID:3308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10721406140547988387,3099887197742353493,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1
    3⤵
    PID:124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10721406140547988387,3099887197742353493,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
    3⤵
    PID:1596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10721406140547988387,3099887197742353493,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1760 /prefetch:1
    3⤵
    PID:4388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,10721406140547988387,3099887197742353493,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1360 /prefetch:8
    3⤵
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID:3344
- - C:\Users\Admin\Downloads\iTunes64Setup.exe
    "C:\Users\Admin\Downloads\iTunes64Setup.exe"
    3⤵
    - Executes dropped EXE
    PID:2220
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\IXP768.TMP\iTunes64.msi" INSTALL_SUPPORT_PACKAGES=1
      4⤵
      Enumerates connected drives
      PID:688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10721406140547988387,3099887197742353493,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
    3⤵
    PID:4464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4012

C:\Program Files\Bonjour\mDNSResponder.exe
"C:\Program Files\Bonjour\mDNSResponder.exe"
1⤵
- Modifies firewall policy service
- Executes dropped EXE
PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5d2147.rbs

Filesize
11KB

MD5
ead2f09360606d838dc89b18591a281f

SHA1
92c11ad648ff8d736c6ea8da55d48d4b1f9d1e7b

SHA256
fe73eeb290fc805265b5e05d071c4a82398408a7c5b819d1ad6c6bd9a785a126

SHA512
0a6c73e2974864cfd93a681c7af5a800494a911e3ae80525267df30ae5f63e65f0647b6019e22bd1cf4736643fa3c38a7d9b64667e0ab788a69f4a48285dcafd

Download Submit
C:\Config.Msi\e5d214c.rbs

Filesize
126KB

MD5
c1efd34898fad963c8c03a067d2148f8

SHA1
57511324badf3cc6a9330e0d88a5b9ec78a78d09

SHA256
b0e452464d0388440b697b42de1286e12555bdea3a62e6292dafb1c0cd688b19

SHA512
8bd8193ec788848dd4561ee11478c95bf1afe93c208160055a0e692577eae0fc198105432ce589c7b2b9f304bf302f7b8dd95a7b94a7509f6f36c7032cffd466

Download Submit
C:\Program Files (x86)\AltServer\AltServer.exe

Filesize
2.1MB

MD5
0db5ad2cd60c9dd142bef768045bd35d

SHA1
3b2e8f904fd8edfdfab619374e5452ecde7c2580

SHA256
8c0625e8a583aadf95e604a53480eaf11d717647cfb1457eefafcebb226d7c82

SHA512
4274daab85c9064548150a48d55667a3a216ef031751ce3c553f5d6849bc360bab6a67ea9d164aa2ed4373aef115c89d41a1f36633b00e86f60f848e4eed03db

Download Submit
C:\Program Files (x86)\AltServer\LIBEAY32.dll

Filesize
1.3MB

MD5
de484d5dafe3c1208da6e24af40e0a97

SHA1
3e27b636863fefd991c57e8f4657aded333292e1

SHA256
007342c6b9b956f416f556b4bd6f1077e25bd077cc4f4ac136e3fccb803746e3

SHA512
e871ba131965331dcd6e7ae0ef02734e157676c7d2bba791dae274395eaac90df3e0851bd67f1e12461287860281d488e7e82c9c11cbf4657052eec78f678c3d

Download Submit
C:\Program Files (x86)\AltServer\VCRUNTIME140.dll

Filesize
74KB

MD5
1a84957b6e681fca057160cd04e26b27

SHA1
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

SHA256
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

SHA512
5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

Download Submit
C:\Program Files (x86)\AltServer\WinSparkle.dll

Filesize
1.8MB

MD5
1e1f8765992bfc5b7326a03fbe7ee9ad

SHA1
af44a147f18ddf073414d22a550379f5233e414b

SHA256
14d9ada9fd17ad089d7dea3a4b6e7117f132b23cd150323c60df5ffda5c72b6f

SHA512
4ecadc62edc1525b4d3f4183b14b79cc7959e4b6134da8e359686003f963ea1a0b993c24a944f2e703ba1db8e73c366b0351e0f3953b0d82131237953eff7cba

Download Submit
C:\Program Files (x86)\AltServer\boost_date_time-vc142-mt-x32-1_70.dll

Filesize
41KB

MD5
08a6e762f1f334c267a22fee50b21800

SHA1
9a86a272df68840374437436511b48a0c49c4c77

SHA256
daf2db7f4e973e181ffb0a7625f813863a2561e08c1350571d4a498499a3cd82

SHA512
6572889143d68c130f383d335044475d549a2ae2cb2d2b3e326d613e4db7aab17eb4ee34300bd520da18436acc43baf553a2c9fdcddab73b8a9ded556c1dd33a

Download Submit
C:\Program Files (x86)\AltServer\brotlicommon.dll

Filesize
129KB

MD5
94bea13bcca18f53853e676015963d7c

SHA1
c1825db94118576f7f932c3a33163d24bb1128d5

SHA256
1df8e66ef439e57d9eba688abb4b463d7c0b627265bdc633405e223f76e04884

SHA512
2f6a9a33f4cd207c03089a8c5c6f7ccd40f7e2b6f331476986f55f08da4cd559ee703afcaf49d58256022177b865beddd434ce5a2b601d8585c16041732e3bed

Download Submit
C:\Program Files (x86)\AltServer\brotlidec.dll

Filesize
43KB

MD5
25a9a1077d3c46fc2c6cb399efc04783

SHA1
f4f7060b77419eb97a9888a09fb102cfab93d37f

SHA256
cba318b29eb0c7854f9a6dd7eb3f86d22fa4d833395a1e631b9115ebd796cff5

SHA512
d0398e86bd0abd0f5f2426387196409c6dd93834b5ffade2413eb596f62cf5587b24e4c8eef85aa82af7be060678b5fb3c112bef218939fdc30f294c99bda61e

Download Submit
C:\Program Files (x86)\AltServer\brotlienc.dll

Filesize
2.7MB

MD5
faa8afec0d4ab40ab01525a8aa730b86

SHA1
69ee9dcf5cb40b7acdf70927185c24f031ad6adf

SHA256
c213826bf0a1727bf0fc7a30af2a30a68474a4a4906df6c84c733598b682341b

SHA512
d1941157c56f51608f6b5ba52a7ab0e3cfa194dc0ec8399482fd4a160f8ac1328d802cb77277ad601d303b3e3346e0c4cf3fc516180ed0a105627fc00a7fbe2e

Download Submit
C:\Program Files (x86)\AltServer\concrt140.dll

Filesize
237KB

MD5
9ad549c121108b3b1408a30bee325d08

SHA1
898ffc728087861e619dababd8e65cc902276d06

SHA256
263975e4f5afc90e91f9f601080b92c9fbc5e471132f63ad01c6c4f99b33b83a

SHA512
9a9005acf2af86d6a0a95773e968d98e90b7e71e8e71d58949ff51aad49050dca57d94a19671b1b5026bd74e7b627f31d0c8a50bb66ab740d629022c3a95d579

Download Submit
C:\Program Files (x86)\AltServer\cpprest_2_10.dll

Filesize
1.4MB

MD5
de26497dc1f01a049e3838e28cf4a5a6

SHA1
0565c72d10c96568fa1094462c9da9e49a3c5678

SHA256
ccc50608446d380eea652fbc0069fee19a890c3b6f33ccce94ffb34d04c1beec

SHA512
546e8aff0ccdec6bda91832ab33ef87f751f9b8a1df26468b7439a4c7726300843a7630551c9f6221a0e07b792f86faa33344418f60b5c94ac1e3f7ef2e8811d

Download Submit
C:\Program Files (x86)\AltServer\imobiledevice.dll

Filesize
150KB

MD5
fc4ccdbf0f573ab6d682a638ea49a868

SHA1
78d5d05879207ef2e1ad0a4c7769de58529fadbd

SHA256
81a4913ee2b5fabd598833223c7bfbb7e4a27030e104407318c35c8ae898ab64

SHA512
2e91241e55ce841d6116af3d3234258c2d4b4dedfdcfbd0b37b35c1ab981e56d081693a5e55217d6099225c929438420ffea50f94d388cd6006d88e508fb4015

Download Submit
C:\Program Files (x86)\AltServer\ldid.dll

Filesize
210KB

MD5
22fd47b58d6648d3a62618ccce0557a7

SHA1
e5ea28bb126e286f681221c7b0f80d5551aa77d1

SHA256
13ccbdee289958526f19c93f872d121c8bb8a86103b3dbc6e725e6ab3ca17ea4

SHA512
44bca68bcad0395a90eede7dec157ae079b70f4145f4304f612ff3d02b566334eb1eb8466e81c64120be91f00a6bbe5cac34ee296e075df0119ac11380230fc9

Download Submit
C:\Program Files (x86)\AltServer\libcrypto-1_1.dll

Filesize
2.4MB

MD5
d5a5e2b8e937e31c881dafd4179f5536

SHA1
8e2fa5c30b71da58196c2033be847937b3d0ff0a

SHA256
2e7c6aa4daea6e14d3d74e01a021a33e063cf60d34632e51b4730a2c3f0d46b3

SHA512
1bae7d1ccac0ed246539bbd99fa8912100170b0d928405abacc5332d55c027ca830c04772d5786535cf5aa9b5abe9723647d563e417c00ad1143b123cfeca268

Download Submit
C:\Program Files (x86)\AltServer\msvcp140.dll

Filesize
426KB

MD5
8ff1898897f3f4391803c7253366a87b

SHA1
9bdbeed8f75a892b6b630ef9e634667f4c620fa0

SHA256
51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad

SHA512
cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03

Download Submit
C:\Program Files (x86)\AltServer\plist.dll

Filesize
55KB

MD5
3c6548478f160c23caa5bbc7da08894b

SHA1
6537259f8e647efb5d18ce537602ff02854f6a7b

SHA256
8eb28214b9b115eafb4af5ec90179121e81541ad912b95ab4467c723a217d99b

SHA512
3235d560ef0556e51f902d94a163630a4871e2f3e2812f5f7fd04d97ef7d777f3a72780bf8369b6e5b20514dac1d4703e51cec7fd0c5104c2993e28cec9857b3

Download Submit
C:\Program Files (x86)\AltServer\regex2.dll

Filesize
77KB

MD5
547c43567ab8c08eb30f6c6bacb479a3

SHA1
e532e5a3e74926f6a750b3a80d3ea232dd251e4a

SHA256
3a71bf90e8bddfb813b44f9cbcecf431311a7979c1debc976767b3e5e59031af

SHA512
bff4b9a92ab9954da46b0730c42da52342a2c4d0db0d052031299cac0cbe5001cffb976b84a44d06b2105de0957c3fdc2408fd640eac8230dd3341be286639db

Download Submit
C:\Program Files (x86)\AltServer\ssleay32.dll

Filesize
330KB

MD5
284e004b654306f8db1a63cff0e73d91

SHA1
7caa9d45c1a3e2a41f7771e30d97d86f67b96b1b

SHA256
2d11228520402ef49443aadc5d0f02c9544a795a4afc89fb0434b3b81ebdd28c

SHA512
9c95824a081a2c822421c4b7eb57d68999e3c6f214483e0f177e1066fe3c915b800b67d2008181c954ad0403af0fa1ade3e4ea11d53ab7e13f4a3def9f89cf4f

Download Submit
C:\Program Files (x86)\AltServer\usbmuxd.dll

Filesize
31KB

MD5
c11340d2a0c982df06ab9cc6ee95539d

SHA1
27e232d3e4f5aa0e955382fde78ccfe746992d4a

SHA256
c09be1a59267207e2c0ccf384739f1cc88d1d95fcca694cd2ee5699228ed5eb6

SHA512
fe0795412aef5cab4d1fdac8a1adc7815a1f9da9aee94672f8107e4d6db7bcaba2ee7c1759d5984f055734d5d93f68d7237692b99dd8660a9f2e5fc81e73aa32

Download Submit
C:\Program Files (x86)\AltServer\zlib1.dll

Filesize
71KB

MD5
b3f72b6cce47efefa9f5224aa668401c

SHA1
18ff2b82b11a7d6afbe772a575281ff9f7d2b895

SHA256
08e31facdf08916482372da2d4a7ddcec40edf8e1fab985773ed99d4c109248a

SHA512
97459b40d352f2b8bc5a88c6972c23e54e1350df0752f7969cad7dd444c12662d753fe9dff3b09afbbdc506efabf310a81347423b93c6df9361e5bd5c142fc74

Download Submit
C:\Program Files\Java\jre-1.8\lib\ext\dns_sd.jar

Filesize
17KB

MD5
ce9a2f5a7fcfff341d6d901ad919a2ab

SHA1
341f9d9a0b3fd8cfbefe0169b148dcc55688ee93

SHA256
cc36a44467f41cf2dc91c126e368e357b28a0d57101472d2dfd1c06a4091cdf7

SHA512
1f53e652b042ee27fe05b11ccda2ed9ae9a8f44b948b8658aa7a2d7ad2f5bd94ea16f3d9a92e65a8c65b7480517f1d05a066a4fb8d961b927d0d305399ca4e8f

Download Submit
C:\ProgramData\Apple\Installer Cache\Bonjour 3.1.0.1\Bonjour64.msi

Filesize
2.6MB

MD5
86e2b390629665fbc20e06dfbf01a48f

SHA1
d9f4697a6f4eceea24735822cb1df501268ca0b0

SHA256
46e31e284da64d6c2d366352b8a8abcf7db28d3e2a870d8fcf15c4a6fe0a6dd1

SHA512
05ecd3be5779f39db09329dda4dce0e3c49ac5d3950e92833031622b53542dadbe9e2948df35faeb4c41dbc8e01992935087c4a2975c797bd008ae177f7c3fea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
d5f66969d21d87cf45d91d263b82f5d0

SHA1
d5570a8778bd1f98992b5b1f839b51215592faed

SHA256
6224901008c96104cc7d68b1a1746cfbd0502b3eb281e128e4a378a04e5509b3

SHA512
5174767f30d8d07aa192b27c5535e7985bb567ea7dec95b059a0efd4894951f66168b36f8d3ad35a717cc2a796907abd0eef1c0378d3d73d42d7bb701f4d1870

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7502d65ed29f9f67d69462d964fab2ba

SHA1
a375b797f5175631ecdfbdff8451e591d6e4fbd8

SHA256
6fa1f9594115446c46f56fb2083accf88f4df9df8ccf8d411c1b9820124732e3

SHA512
293e34ae40946152a8ad2f87bed58f9c042f562d762d8399e44724de653aa64d09921dee22d96df0440c09e814349be7495e716a668d7c014841d7aeaaa97e68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
4cf373634f7e00c4d701753ecf5a1739

SHA1
9c0097d8cb00976c12be9dd1f2a715de7506cc88

SHA256
c352b34bfe34ed372d0f13202ca7a135b7040f6168745cde5233ad8ef501b64d

SHA512
eafac1cd59b0cb9b6e3b061d760ab42316fa8f5cd5596a0a6d5991f110b38942a4db95002386f63505dce174c713462c619ed1ef04e338394a24407bb0d7964f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
924f9e5b376457bd1fa1b7f1cbba787f

SHA1
28090740b73213a3f6bdc3e0bbc497d16bb2fadd

SHA256
45da4ec7b38a13a1c7fe252f0955bedaef8978ce1bde3bd02c88fd30ab2ccbac

SHA512
0ffd3be21c029c8fd389abb2dc3533cb3579ca5f2fc128441a79813026ee2e1e8914b804e899beb294b825f7c0c57dee61ac453e0101f7467c47b98397c9ca82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
924c3ab8a8774b1014132c053f692422

SHA1
ccec904b424cadf85ee0c9a418bc09031c8e31dc

SHA256
bbb44fec5d02c4580ac62db3a3301f3287b931e1d0bbab0b0ae25c5e77ea5b7e

SHA512
fbea090615dbba04fb4a5487fd0a0100596c386b5e5d252ad4320f65fbcc3996257541bc323aac7a32f1eae33b04610538ff92ce0540b760e694ee92c483314a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
10b4fb5f950bf75d210c757f0cd48057

SHA1
dac216eefaed4f4bdd9c2560b802b8ff6be512a9

SHA256
78b4686e874365261bbd52340e842081927a3a6f7e073a15c3262d9c0ed45794

SHA512
07f1cefb28d9037b361653f1f9c7c0272328fdcb7bfd171bd424267c7b2f26224c338a46aa7e3d6db248d72427a59912f72307133a7ca0e0de2e1e37a90355ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
2ef114af649cd5cd9e5a9cd17c4d3430

SHA1
c1aadf01a0eb07240b188bf7744f6db4422591a5

SHA256
681066222beb8926aba44b2ca3da68b3f354912c5c6a12da526500bacd7d1900

SHA512
a5cebece147134a3456f2401d3bfaa0bbf1e8f1cb9359744012009fab23fbfcfdc95e316408c2bf71370f6e85c37176c0be062ecfb7de752c6f9bec2398ba8e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9da09fa4ccd59da3954e7f4a53185744

SHA1
fb8483f5e664e9dcecc550ac08b540890d4ec34a

SHA256
35b4cd6d9aa5eb16451a2bea6fa3df532f1c79007633bff592d5523ea2b1081e

SHA512
97fdc83b6374f8e3fe4df48f232622a08ef91c364d702e80ac1438231c2e5367c0123068ddf1a1e28452e67d9e79e6f02a0aed37558bfa0ec30a7858c1f5c3fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
4e9e7d835a81c96a22d1adc4e203987c

SHA1
f8e19f5fab1881ee4ba71f503ead8025de366d54

SHA256
f1fce488b9e988e13d5a84965349f707837e27629db6c6aea1fb5ca0255a8e02

SHA512
6bae671a59ab020ac37c001b7d8d791cd5417274e5f1090e26c6a72ae39c8de883126efa45c051ebc1aea6908ff8ad23c9948a9309d31d58ca7de8de0945d6a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
2ffb72b9dabd4f6aeab789e485a9a1f0

SHA1
8f2bbacce57467d23c2e01fc4281644db3be64d1

SHA256
4fb4bfed0aa5606eeb5e13e438cd91e2b56f4556c11f2b0ff74ef5b848498b83

SHA512
0bd6f10b60cf51570eb167d2908da3c4da6e3f290bebda634a6e751d9d5cca0f47dbfcd53da0599596056530bf5c6a6d330e98cea354ceb4516b22e28b4a735d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
8844512165f3d7bf93039d16626683e0

SHA1
6d8a4d44d24207a2292c2e204bd2093ff73a56fc

SHA256
63264775553fad6136dfb671e3df8661c04dfcaaccb218bf037d10b225cc8bc1

SHA512
42ca5d4fce47cd4c99ebdf8ac0169dff13a0aca5f900251a49cc98dbfb5eb1be008ef049365a76a41c042debbfa4734de915db669cd28729613872b6777e1909

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
5f33699a52297cd8c65fdd0b898b3dca

SHA1
dccf1eecbd63603e6b9c2540f581015a85ba6f31

SHA256
023a3d7705251f8345c741ddf4d350fe6fa6e54be154a33ad79c0892b3e28818

SHA512
0371bcac2da484e349e0f6efb3c205306cd62784c9c7b522c20964a34039d49ddaf2caa6baf5fcc3992024775397be9248915bb64a9f9634da482360fef971c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
66e9ff17bc331c52eb1ee34eae17c695

SHA1
c8a49ad39994ced3dd23d9b65b4831ef83330eda

SHA256
c632fc3f4b2fb7d6fcd4e03d1b57c7c0a2ba2989ffd664178c414dc7fc556283

SHA512
ff49da788822db6e10933686a9a28c0d6d7eac097b60d1f17c1b7fad2f3cbe65f62de9859146c1938d99e4a34790d8a06d849dc00317e9b7c7cc7957a3560f16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4df4df2b1a5e79feaf5e1631b0494d38

SHA1
a47df5011c902ca5018d6211b918538329aae95c

SHA256
8732ac67ef4755c7b27920785c759ae460f46cc120152331873202165eca09a5

SHA512
1a49b1545e50b0951f31b811104816c88d6067f6c69b61d384aaef36df48f45bbd8b9225028583d13b4453772950cd272e82e4ba6047d223c66f9ffe199f78bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
483c060540b44c40b251f463bf513b05

SHA1
4314da800dd94a9ea7178ef77a96d19ca73e4160

SHA256
1f586522b9ef0c333733d08b683f22cc08b368d453ac972f26d5c58539aff22c

SHA512
cc7e8284986d7ad91001d592d82fb0a278630546d4b4bf250988b8780f8c50031f030496ae2639e6e2248de654fa98e739920bedca908b3db130364afdaba97e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\cc4d0059-d5e3-4899-843c-4c4eb2b0bb77.tmp

Filesize
1KB

MD5
1e17437703bf20d811c9ff595fc5437c

SHA1
dfa36e9dbbae376ba79de984087bdce49050053f

SHA256
904d5fa579bb642e889177897fb08efb125b24f99667a6d8a8cd31f9002f4380

SHA512
9a9c27142ccf01bd454509ae02c3de2f8d331473f118eb38dbd5a524f372bebe480e6ca8b6c0d59a565d8dfc5062b95220782c0160388bcc67f5a675d06f1ac0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
00dd993762f4c470df0d78b284ac8f1a

SHA1
c5fba6a8e01bc5149fc6be63c445ad549c791295

SHA256
6b902ae61458804c3cedbe22168b5d6132c24f0ae62492e3d9b3b15ddf846cba

SHA512
2440c1c930f5faf4a945ac8abf775dc0035d4feb70342b5fd7cc9b1de72fc7f8579525dc9f44b9c0f2ffabcd4e74a0017312fd97904fc7fd50ceb302ee2ef214

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
1ff2455bc7be282de15e68fc4101bcee

SHA1
16dd671f06d8850b5d2ae7af784c4e63625e4b8b

SHA256
ea8e0f7f92ff7c4f5effd353bf42245911b592c1de2c54ca2bacf0a431486d78

SHA512
008e230bf0246eb40fef8a6eaaa32dd00ea03720131f81891f89c81830057c5fa96221c3233adaa57f3b41e8df82c91088fe29526871b015c2230e2717ee02c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
c17c8a96612d06b0cd71fc79bcf9dde1

SHA1
6f02f770c34f0675c9551cb5f6553bb6fd84f857

SHA256
7264dd2b75a5b662f4eb7928de6d051b4035d7d4334cd294caacca2d36a12ae9

SHA512
aa2b9a7ddbfeb49ea8335fb008f2bad646323011b661123deff362cdbbcfb0472fe75424860f6113865bcdd85cb4a57e229018754cbdfe28785c5fc704bb599c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1ebc49d22a93d24a0d638e397f08d97a

SHA1
aadcce8279ea2bff15d5f23002ff90409816424b

SHA256
cee9a291d5e8afea4eb22e67c2888fa2b2c0331c10b0772e2d1104a3f4e5eead

SHA512
6db2fa83789773d3af6341932e9adc256cc83a1d1e9e17c04d33c56d24d257f6acbea2fc8817e48a4f437197f982fddb0990668b1359cf4f20a13c355847537d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8be669ef5a3cd4da3e99c6de94422454

SHA1
3ec7efb4f5adfab92b355e139c5fe48554c20601

SHA256
e0772a9b211f8f6b66b4078bff9b5d2b59521272ec888e69925f2dadcde0e569

SHA512
adbd7c5a2420da1ba39545c1f7f0c77831c7e4aa9299eb7e65511922c9d6796c5cd1a16d4edcccd747181d84c3fee265f51c64df8c388ff3ee3212073992703e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
484fbd33fc71af432979393006e84a13

SHA1
4e302cda3877dcb00644867546f4c9febe9f5583

SHA256
ab793f4471ba792c53b540fb3da9f08f8b8ce3e78f8ab867c36a93db91629855

SHA512
9078631853487e52bb3b123d8d74f4d3bd10bcab2c1f4111862c155235723fdbef6a7baa5c98e8b98a69b2b0bb182f5d3331129753dfb2f4b01e64fe1b7eab49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
94275bde03760c160b707ba8806ef545

SHA1
aad8d87b0796de7baca00ab000b2b12a26427859

SHA256
c58cb79fa4a9ade48ed821dd9f98957b0adfda7c2d267e3d07951c2d371aa968

SHA512
2aabd49bc9f0ed3a5c690773f48a92dbbbd60264090a0db2fe0f166f8c20c767a74d1e1d7cc6a46c34cfbd1587ddb565e791d494cd0d2ca375ab8cc11cd8f930

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5c2b6d.TMP

Filesize
120B

MD5
70ff2b76d781520d68403107d167fc45

SHA1
1c5792d60151d877a8abf052fb0c6911a47ac949

SHA256
2597fde336346d947234217e0bb77083152908dbb7eead3012faa97678749a48

SHA512
eba61eaa40c536ddee685ffaba3efab9da9d8b3b3c4f103e92461b8c3994056ea94989e824c50eb778c24d18cf96acf48959c536e9fca7ee0b73193c4686abdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
75735cb277f5020821e0248b078223ee

SHA1
605753561c7a64b658d7e7748fa0a166d53e078a

SHA256
580ea89105f71fac87a8036eee0834adec9ac0ab6c682aeb24a94e5401816b26

SHA512
a477580604377991dbfe8c6b43a1b6721942465af86b7b4621b651108e6cb5b2ec9c712c7cfa985ab07b23be7cb36afa290203a2464f03bbb7f73a5514a93e58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
13eaf5ea797703605137cdd9dfe81120

SHA1
5407266722584e59f91d055876caa90ffbfc9224

SHA256
f9031490076b2d501adfc75b202f16d8126d0b364eaf4df2bb818e367e7067d6

SHA512
d8c62ed15d53a8b9f03355ab7a1911e3cc1dbffcbe6707a2a177a637cd7e0f382d2474f8ccae08b3b2e858cf85b2eee6dea41575d3c942f7a082d40500a9e3a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
94KB

MD5
af82ec9d4898aa0fb12d9086202ef8e3

SHA1
e86e2a6abfc475dcbde151c72c841c10d9ce060e

SHA256
2ea9f82f0df1c1f9c55d21cec1b5194eb3c3db530be09dcca5f4001b9f8b1a13

SHA512
25aeeb5049d8f524ea001a1cd5665d5fd59bf4b6eac31f10e011f28136415bbda16939e9cd0dcfbb5902736e2bde3d6fe4bcecb0a50f95c01cfc934b3a028bb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5c7cc9.TMP

Filesize
83KB

MD5
fd52698314b81a24a9715fe7e324e42b

SHA1
5faba83ca1c08722d72c99b313d926f7e0dcbf5b

SHA256
090671169cfc3c6192b7e1d61ec4712a5fdc57a179602ed47496750af6074c07

SHA512
200dbed8af3ad939a27fe66243a6c1cd2f8884084750387c4074ff9f025cc6783437645d5d7a0b2c2cab6dc8783df7196c2920542a63e4a84546a566d90fdc9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
640b9bae54d22b45b4d52a96e2f81f13

SHA1
b1c7304e9abbe1759f8df7f88ca2c6354b42fdf3

SHA256
834c17e205445d197a64177b76ae0bb718bfe2eb8ffe492f008946603edf80d4

SHA512
8baaa3339cddca01a018e9a0900426a7590f7107c55372d65fe932dd570bb4289238977396037c9bf73157d6bfd7f1f5795842df39c354200c2af1a84014e6a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b45c28d31ee31580e85d12f5ce5b6a46

SHA1
8bd9a23f3141aa877711fc7835446b8783b51974

SHA256
d944d6021a2fdf016911aa4d9e8b437431fa4f92b0229b9e3322b4354a4b19c7

SHA512
3628da551c52367a4b54ca0cb7c401f7d3a8dd37375b3b57d82adb06c96657ac55d593ffa7a9f000f74ecd7e6d35562a96013d0c70b04123f055a4d2af72aa3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
181B

MD5
3b03abaea6dd4a5a351a17177c03ba80

SHA1
10fe2370b742e00fc8b7238a1a5f6de288b1ed39

SHA256
1c483bc0c2a059f726cb66b665fabcb86e54111e3e24dd7cfd6af52d01635458

SHA512
937bfa17fe626cad95e37733c25ba981a7739ccc66399354bb90b3df196f23d7dbf8bc603aaa570d881099c35ee5a4285f411d83006e4fb18785bd8892426717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0c2b0bda55634fa830df6bb42e52ed2e

SHA1
92e6bae2ec6fc0d63b6c9c1a550a33c255fec323

SHA256
0dfa6f1c3a7f5b143ce9a5d4cf60c0d98012d854ba4891d6ff0ab8b99931ccaa

SHA512
dbaad4a2bb5f8b718db56815d82c6ec6f0847c089ef1d523617965d78e660f8cfdfc2d78bbf7fde9043e2c4d314b639ff503e4b930605f71089a7b516cc3a291

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d27d498c39dffeed92fdc959163aca70

SHA1
e00d2c5c40e6f56d63d54eebc9af8972730698ba

SHA256
0c32d9f0831944045fb104c86698e6e4f4a691540ec36e8a292705084f5fa880

SHA512
c9b77da792a1174e09b41e56195972549092fb246262597cc6b4b5c5b8e92c20a55257de24539bff249890cfda1644901e49794c25e02c58538988d1a500a1fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a8e3498605b9ea49bbd4dde110fab76e

SHA1
7e98b63ffd48d2e6212dea0ef147cb2f4dad5d60

SHA256
7d3a5273c1b995518aabed5022b400f26dbc83e843ef0e2d93bcacaf60010f62

SHA512
5b928cbec61b37441533ff762e4b55c5a5e315b3edd9f99a7ff859c9eae69cc46abd98e02a59d87d04f351bcdc2e7678c3afd222f3b1e408de96f7cf5e4e6cd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6a1efdaae25f7448c8169fe702b79d51

SHA1
f5a3a5d2ef24d9d35471b976714277bf39dded0b

SHA256
43b60679b66812ac0b0e5d4abc3392a05274cd0b04414713edc13ed2063e0419

SHA512
b0db28288be7556073f0c4f10611eda010257021e601fef28744dc0ade411c826b57659ae35e24dd85f8a97a86bec5f011680789e92163655e45b09d938e6b6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
079b655d232bc2a8b9fc7868ea61b549

SHA1
965067ec085ba963b468a4454f21bc08146d8a9b

SHA256
03db4fcc33df480235f0646af9cae82942e37092130aa41bf0dfa19169ad04d4

SHA512
40cdd63ed7ca870a83b3bc96adcc46cdcf18e52b8ebe834461412b957491a3b8c1b3a838217df83fd9511ac422e64fb28a2a7cf67e0433fcdf31f323138be987

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0dfdbf43ab9ba21da894e565735b3504

SHA1
4e1cfafdf7eaf0f29889c24d2c20e1bc3e92fae6

SHA256
980c2529ed4fd42102af8d635952b0d176eb27520ecf392e24a368591d485638

SHA512
5cdd896f4c832c2f6b952ee974d0864de9b77223250276e877ee546cf1d283a59f9e26aa18adf9cfc5821eb977d21991ada5a4c3d2ec2d20e37e75d2a4081bb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
9daf2705f15f3be5a47fd3d8f8e638ab

SHA1
e5c7bbf24b4b865bedfabd136f985c529ed829d6

SHA256
cc6e7a169dd5ec91f7817ddf9e43e5d0c10534711fa23c2e343e1a6f76917056

SHA512
9bf1cc41cb197a57234ef26468284339d9458fc95f517f992419da0296d76309d6954f81a342c8b32258b614040cc8a5c9fd4422ed876001c2743a2d6fa96c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
9f26929f3f004c5754a6e0a1db2328b4

SHA1
0bd2019c843d7d19adea5910001d85aae230479e

SHA256
896db2ca6a787a5e45a046228f04b675f14b894c856e6ade0668bf7f2a3f9749

SHA512
a3988ec1b1d8f15ed3ab2765315b9fe57d27a36375f7ad51b68b43d60a0c5544a399ac781f0d462d5fca377853584c86fd35b4f6b201f16c791fea048546331d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
12ab54292368fed1f12f12d45456d078

SHA1
e0be360ac5a9c6f05bc2a067801ee7ff702555ed

SHA256
ce38fcf90ffead17813fcdf118c475a40b12094ca2ec569e4f6e17efa9ba11fc

SHA512
d771833355d522fdad8502b9de480d547812fd2326135b7e313cbe7ab09187a5b548229d971466c855249858641c3836b0f0d5a56caa7a130346d868c048b731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6807b59e05e6e885e7f5fccd337fdbed

SHA1
00ddc66c22433c2c935c1776d3984b601a37c968

SHA256
4f64de35c77a0076e31f1776d46f9ecca213b7b86af2d512cab2e4b4ffe3c676

SHA512
8b3de124165c212a851a4403c8ed8660bcc9bca059635a5fc1f49ca01ed2575d6adf679daad3f8bcaed2cec671f4b87a8d05479b10bc171f950dfc4b4733f69d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIAFB5.tmp

Filesize
203KB

MD5
c55d520c7233d73b05eb6b3a13bfdc1b

SHA1
9aef2e4e49ccc29a82ea21ca5903120b0b606920

SHA256
588e3f8f72121e65501dea90295615c1a01edefdadf03d58a4345a8ca6c709e0

SHA512
93d79b700e0f58e812284b0a52df8d79af1299451436df4b10f15ef04f46d3e37d17155f40e1ebe61885b3d0202c5773f78cc6b32f44bbed717eee527807942c

Download Submit
C:\Users\Admin\Downloads\altinstaller.zip

Filesize
6.4MB

MD5
caf6dc57668b89bafe51a0e65aa6aa05

SHA1
a81475c1ff6dbcdd5d6690877da54978d3a6d5e6

SHA256
12c2f14f920e8378f5e4479df718dddd6da35041f4c65d5ca4472d4814a148b7

SHA512
ff3a1c47d54cd79bcb09a80de0f444687921c62717a7a6943d1955352870b9708a1c279fecfd022874ad9868d0a896c69c017482ed02c3a6007b0c44712731f0

Download Submit
C:\Users\Admin\Downloads\altinstaller.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\Installer\MSIDB5B.tmp

Filesize
76KB

MD5
950087e828e1b7426f703678e446c799

SHA1
c9f28be9b9f810132ec8d78c161e5a232491e60e

SHA256
8a41eaa0d699f48661c2560aeffe4b0432cf755f1b15e31ac9aff667d498b3ee

SHA512
9ab24bf84a4534e219df132a0b43874c1d6410ef802c69e65c5aaf3d0c46085470690851ef23303f9a48076e8ae552d816903e02c43c1af83e6fc3457d2acb93

Download Submit
C:\Windows\Installer\MSIE2A1.tmp

Filesize
75KB

MD5
6f8e3e4f72620bddc633f0175f47161e

SHA1
53ed75a208cc84f1a065e9e4ece356371cac0341

SHA256
2adf199f6baf245f0b07d31a3a1401d4262c3e6c98b8f10df923ceb2c937291e

SHA512
80187277e78f59b7ea71ed3caa55452e730d93b8c296d5820d470776a428cbb7e7fead87240e811436f85e4d89df2b9f31d6d16658d21abf59395cab7074a869

Download Submit
C:\Windows\Installer\e5d2146.msi

Filesize
6.4MB

MD5
69283c93e4313778fb572173c2eda692

SHA1
02ad06ff30a170a58fdb4012a974ea593830beae

SHA256
76098686faa6dfad700cc667fd26ff975fd02602bf7ff6a4a0d57098d029519d

SHA512
ed98dd4b32959802f3ebc0e1f79801f70823b47b6847fcc7f6d8a01ba88ad2e2b2b5061eb4aabe567962d7b8c156f42bedf0918b1f41c9ee37a2772827e7849b

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
12.8MB

MD5
95bf338eadf84e81300e3d0def711e15

SHA1
3667491ec978bd19ee54f9bb721e51d7632ae8d4

SHA256
abb2c2fbfdd1d9c33910342d2af9ec65f4c63d0af9e83e0c03684f9d51a3d362

SHA512
08aae63831f4a02c94d548a11829e2d986f7ec5c7a01393fc07569a7b7e30aa5eed18ac7ed802837c2d6502383332a0b4dcc4118f430be8548e181d649c14669

Download Submit
\??\Volume{78b4b32e-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a1b8d1e8-7575-4945-98ec-738d61820548}_OnDiskSnapshotProp

Filesize
6KB

MD5
3db6ac2031f69869f8b2f352059ad9ad

SHA1
5a523413c4abe0f00e04ee8e26dd5bfeaaa525ec

SHA256
4816452213f6bef8a6a982b4667b1e17f4be98c501cb61bbe304a202cf758ad6

SHA512
0e15f79192a045bcbfca976155e417a113e0bfa8190f1e417b8d39eb6dc435a2ce2203fd48835b2277cdb9636c6a277ac9e4e88218d54076c10247fbbc2a3a60

Download Submit
memory/3616-732-0x000000006C700000-0x000000006C719000-memory.dmp

Filesize
100KB

Download