crimsonrat | hxxps://chromewebstore[.]google[.]com/detail/roblox-for-free/hchahigddjfnomcffodpdldcelbdokca

Resubmissions

05-09-2024 21:46

240905-1m1k4szfrr 7

05-09-2024 21:44

05-09-2024 21:25

05-09-2024 21:14

05-09-2024 21:12

Analysis

max time kernel
438s
max time network
542s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://chromewebstore.google.com/detail/roblox-for-free/hchahigddjfnomcffodpdldcelbdokca

Score

10^/10

crimsonrat revengerat guest discovery evasion persistence privilege_escalation rat stealer trojan upx

Malware Config

Extracted

Family

revengerat

Botnet

Guest

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 1 IoCs

Processes:

resource	yara_rule
C:\ProgramData\Hdlharas\dlrarhsiva.exe	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	revengerat

Drops startup file 2 IoCs

Processes:

RegSvcs.exeRegSvcs.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe

Executes dropped EXE 4 IoCs

Processes:

svchost.exesvchost.exedlrarhsiva.exesvchost.exe

pid process

3980 svchost.exe
1844 svchost.exe
5980 dlrarhsiva.exe
5556 svchost.exe

pid	process
3980	svchost.exe
1844	svchost.exe
5980	dlrarhsiva.exe
5556	svchost.exe

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/5368-1605-0x0000000000DE0000-0x000000000141D000-memory.dmp	upx
behavioral1/memory/3888-1606-0x0000000000F70000-0x000000000110C000-memory.dmp	upx
behavioral1/memory/3888-1607-0x0000000000F70000-0x000000000110C000-memory.dmp	upx
behavioral1/memory/3888-1608-0x0000000000F70000-0x000000000110C000-memory.dmp	upx
behavioral1/memory/696-1609-0x0000000001200000-0x00000000012F4000-memory.dmp	upx
behavioral1/memory/696-1616-0x0000000001200000-0x00000000012F4000-memory.dmp	upx
behavioral1/memory/696-1617-0x0000000001200000-0x00000000012F4000-memory.dmp	upx
behavioral1/memory/3584-1618-0x0000000000FC0000-0x00000000010CC000-memory.dmp	upx
behavioral1/memory/3584-1619-0x0000000000FC0000-0x00000000010CC000-memory.dmp	upx
behavioral1/memory/3584-1620-0x0000000000FC0000-0x00000000010CC000-memory.dmp	upx
behavioral1/memory/5368-1621-0x0000000000DE0000-0x000000000141D000-memory.dmp	upx
behavioral1/memory/5368-1622-0x0000000000DE0000-0x000000000141D000-memory.dmp	upx
behavioral1/memory/6120-1623-0x0000000000F00000-0x000000000100C000-memory.dmp	upx
behavioral1/memory/6120-1624-0x0000000000F00000-0x000000000100C000-memory.dmp	upx
behavioral1/memory/6120-1625-0x0000000000F00000-0x000000000100C000-memory.dmp	upx
behavioral1/memory/6132-1635-0x0000000000600000-0x000000000070C000-memory.dmp	upx
behavioral1/memory/6132-1636-0x0000000000600000-0x000000000070C000-memory.dmp	upx
behavioral1/memory/6132-1637-0x0000000000600000-0x000000000070C000-memory.dmp	upx
behavioral1/memory/5368-1638-0x0000000000DE0000-0x000000000141D000-memory.dmp	upx
behavioral1/memory/4396-1713-0x0000000000B00000-0x0000000000C0C000-memory.dmp	upx
behavioral1/memory/4396-1714-0x0000000000B00000-0x0000000000C0C000-memory.dmp	upx
behavioral1/memory/4396-1715-0x0000000000B00000-0x0000000000C0C000-memory.dmp	upx
behavioral1/memory/5368-1764-0x0000000000DE0000-0x000000000141D000-memory.dmp	upx
behavioral1/memory/5368-1898-0x0000000000DE0000-0x000000000141D000-memory.dmp	upx
behavioral1/memory/5368-1939-0x0000000000DE0000-0x000000000141D000-memory.dmp	upx
behavioral1/memory/5368-2078-0x0000000000DE0000-0x000000000141D000-memory.dmp	upx
behavioral1/memory/5368-2214-0x0000000000DE0000-0x000000000141D000-memory.dmp	upx
behavioral1/memory/5368-2218-0x0000000000DE0000-0x000000000141D000-memory.dmp	upx
behavioral1/memory/5368-2219-0x0000000000DE0000-0x000000000141D000-memory.dmp	upx
behavioral1/memory/5368-2221-0x0000000000DE0000-0x000000000141D000-memory.dmp	upx
behavioral1/memory/5368-2222-0x0000000000DE0000-0x000000000141D000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exeColorBug.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe"	RegSvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\~~CB = "cb.exe"	ColorBug.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

206 0.tcp.ngrok.io
209 0.tcp.ngrok.io
240 0.tcp.ngrok.io
264 0.tcp.ngrok.io
271 0.tcp.ngrok.io

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

flow	ioc
206	0.tcp.ngrok.io
209	0.tcp.ngrok.io
240	0.tcp.ngrok.io
264	0.tcp.ngrok.io
271	0.tcp.ngrok.io

AutoIT Executable 18 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/3888-1608-0x0000000000F70000-0x000000000110C000-memory.dmp	autoit_exe
behavioral1/memory/696-1617-0x0000000001200000-0x00000000012F4000-memory.dmp	autoit_exe
behavioral1/memory/3584-1620-0x0000000000FC0000-0x00000000010CC000-memory.dmp	autoit_exe
behavioral1/memory/5368-1621-0x0000000000DE0000-0x000000000141D000-memory.dmp	autoit_exe
behavioral1/memory/5368-1622-0x0000000000DE0000-0x000000000141D000-memory.dmp	autoit_exe
behavioral1/memory/6120-1625-0x0000000000F00000-0x000000000100C000-memory.dmp	autoit_exe
behavioral1/memory/6132-1637-0x0000000000600000-0x000000000070C000-memory.dmp	autoit_exe
behavioral1/memory/5368-1638-0x0000000000DE0000-0x000000000141D000-memory.dmp	autoit_exe
behavioral1/memory/4396-1715-0x0000000000B00000-0x0000000000C0C000-memory.dmp	autoit_exe
behavioral1/memory/5368-1764-0x0000000000DE0000-0x000000000141D000-memory.dmp	autoit_exe
behavioral1/memory/5368-1898-0x0000000000DE0000-0x000000000141D000-memory.dmp	autoit_exe
behavioral1/memory/5368-1939-0x0000000000DE0000-0x000000000141D000-memory.dmp	autoit_exe
behavioral1/memory/5368-2078-0x0000000000DE0000-0x000000000141D000-memory.dmp	autoit_exe
behavioral1/memory/5368-2214-0x0000000000DE0000-0x000000000141D000-memory.dmp	autoit_exe
behavioral1/memory/5368-2218-0x0000000000DE0000-0x000000000141D000-memory.dmp	autoit_exe
behavioral1/memory/5368-2219-0x0000000000DE0000-0x000000000141D000-memory.dmp	autoit_exe
behavioral1/memory/5368-2221-0x0000000000DE0000-0x000000000141D000-memory.dmp	autoit_exe
behavioral1/memory/5368-2222-0x0000000000DE0000-0x000000000141D000-memory.dmp	autoit_exe

Drops file in System32 directory 2 IoCs

Processes:

chrome.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Suspicious use of SetThreadContext 13 IoCs

Processes:

RevengeRAT.exeRegSvcs.exeRevengeRAT.exeRegSvcs.exesvchost.exeRegSvcs.exesvchost.exeRegSvcs.exesvchost.exeRegSvcs.exeVeryFun.exe

description	pid	process	target process
PID 2612 set thread context of 2360	2612	RevengeRAT.exe	RegSvcs.exe
PID 2360 set thread context of 1056	2360	RegSvcs.exe	RegSvcs.exe
PID 1804 set thread context of 4840	1804	RevengeRAT.exe	RegSvcs.exe
PID 4840 set thread context of 2976	4840	RegSvcs.exe	RegSvcs.exe
PID 3980 set thread context of 6032	3980	svchost.exe	RegSvcs.exe
PID 6032 set thread context of 5180	6032	RegSvcs.exe	RegSvcs.exe
PID 1844 set thread context of 2076	1844	svchost.exe	RegSvcs.exe
PID 2076 set thread context of 3316	2076	RegSvcs.exe	RegSvcs.exe
PID 5556 set thread context of 4852	5556	svchost.exe	RegSvcs.exe
PID 4852 set thread context of 4992	4852	RegSvcs.exe	RegSvcs.exe
PID 5368 set thread context of 3888	5368	VeryFun.exe	cmd.exe
PID 5368 set thread context of 696	5368	VeryFun.exe	cmd.exe
PID 5368 set thread context of 3584	5368	VeryFun.exe	cmd.exe

Drops file in Windows directory 1 IoCs

Processes:

VeryFun.exe

description ioc process

File opened for modification C:\Windows\System.ini VeryFun.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

description	ioc	process
File opened for modification	C:\Windows\System.ini	VeryFun.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 2 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

cmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	cmd.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RegSvcs.exeRegSvcs.exevbc.exevbc.execvtres.exevbc.execmd.exevbc.execvtres.exevbc.execvtres.execvtres.execvtres.exevbc.execvtres.execvtres.exevbc.exevbc.execvtres.exevbc.execvtres.exevbc.exevbc.exeRegSvcs.exevbc.exevbc.exevbc.execmd.exevbc.exevbc.execvtres.exevbc.exevbc.execvtres.execvtres.exevbc.execvtres.exeRegSvcs.execmd.execvtres.exeWinNuke.98.execvtres.exevbc.execvtres.exeRegSvcs.exevbc.exeschtasks.exevbc.exeRegSvcs.exeRegSvcs.execvtres.exevbc.execvtres.execvtres.exevbc.execvtres.exevbc.exeVeryFun.execvtres.exevbc.execvtres.execvtres.execvtres.execvtres.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinNuke.98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VeryFun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegSvcs.exetaskmgr.exeRegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegSvcs.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133700444997036400"	chrome.exe

Modifies registry class 3 IoCs

Processes:

msedge.exemsedge.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{6187228A-205D-4482-8A23-E11F906D7577}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	OpenWith.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4172 schtasks.exe

pid	process
4172	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exemsedge.exemsedge.exeidentity_helper.exemsedge.exechrome.exemsedge.exemsedge.exetaskmgr.exe

pid	process
4140	chrome.exe
4140	chrome.exe
2336	msedge.exe
2336	msedge.exe
3288	msedge.exe
3288	msedge.exe
6052	identity_helper.exe
6052	identity_helper.exe
5572	msedge.exe
5572	msedge.exe
5952	chrome.exe
5952	chrome.exe
5952	chrome.exe
5952	chrome.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
3876	msedge.exe
2740	msedge.exe
2740	msedge.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

3800 taskmgr.exe
Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid

4
4
4
4
4
660

pid	process
3800	taskmgr.exe

pid
4
4
4
4
4
660

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

Processes:

chrome.exemsedge.exe

pid	process
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe
Token: SeShutdownPrivilege	4140	chrome.exe
Token: SeCreatePagefilePrivilege	4140	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exemsedge.exe

pid	process
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exemsedge.exetaskmgr.exe

pid	process
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
4140	chrome.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe
3800	taskmgr.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

msedge.exeOpenWith.exeVeryFun.execmd.execmd.execmd.exe

pid process

3288 msedge.exe
3288 msedge.exe
1380 OpenWith.exe
5368 VeryFun.exe
3888 cmd.exe
696 cmd.exe
3584 cmd.exe

pid	process
3288	msedge.exe
3288	msedge.exe
1380	OpenWith.exe
5368	VeryFun.exe
3888	cmd.exe
696	cmd.exe
3584	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4140 wrote to memory of 3996	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 3996	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4420	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4420	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4420	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4420	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4420	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4420	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4420	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4420	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4420	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4420	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4420	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4420	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4420	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4420	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4420	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4420	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4420	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4420	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4420	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4420	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4420	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4420	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4420	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4420	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4420	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4420	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4420	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4420	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4420	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4420	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4932	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4932	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4828	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4828	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4828	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4828	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4828	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4828	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4828	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4828	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4828	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4828	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4828	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4828	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4828	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4828	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4828	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4828	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4828	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4828	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4828	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4828	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4828	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4828	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4828	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4828	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4828	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4828	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4828	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4828	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4828	4140	chrome.exe	chrome.exe
PID 4140 wrote to memory of 4828	4140	chrome.exe	chrome.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://chromewebstore.google.com/detail/roblox-for-free/hchahigddjfnomcffodpdldcelbdokca
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd6dcdcc40,0x7ffd6dcdcc4c,0x7ffd6dcdcc58
    3⤵
    PID:3996
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2024,i,13707401744982067381,10924283554237312352,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2020 /prefetch:2
    3⤵
    PID:4420
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1912,i,13707401744982067381,10924283554237312352,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2072 /prefetch:3
    3⤵
    PID:4932
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,13707401744982067381,10924283554237312352,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2264 /prefetch:8
    3⤵
    PID:4828
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,13707401744982067381,10924283554237312352,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3144 /prefetch:1
    3⤵
    PID:5008
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,13707401744982067381,10924283554237312352,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3180 /prefetch:1
    3⤵
    PID:2868
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4340,i,13707401744982067381,10924283554237312352,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4544 /prefetch:8
    3⤵
    PID:1812
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4584,i,13707401744982067381,10924283554237312352,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4612 /prefetch:8
    3⤵
    PID:3976
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4752,i,13707401744982067381,10924283554237312352,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4716 /prefetch:1
    3⤵
    PID:3248
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4996,i,13707401744982067381,10924283554237312352,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5028 /prefetch:8
    3⤵
    PID:3456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4324,i,13707401744982067381,10924283554237312352,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4808 /prefetch:8
    3⤵
    PID:404
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4680,i,13707401744982067381,10924283554237312352,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5108 /prefetch:8
    3⤵
    PID:3816
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5052,i,13707401744982067381,10924283554237312352,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4852 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3288
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd596946f8,0x7ffd59694708,0x7ffd59694718
    3⤵
    PID:4700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,6504633787228475145,13440102519275229873,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
    3⤵
    PID:4040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,6504633787228475145,13440102519275229873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,6504633787228475145,13440102519275229873,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
    3⤵
    PID:5136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6504633787228475145,13440102519275229873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
    3⤵
    PID:5316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6504633787228475145,13440102519275229873,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
    3⤵
    PID:5324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6504633787228475145,13440102519275229873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
    3⤵
    PID:5708
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6504633787228475145,13440102519275229873,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
    3⤵
    PID:5716
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,6504633787228475145,13440102519275229873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:8
    3⤵
    PID:5928
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,6504633787228475145,13440102519275229873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6504633787228475145,13440102519275229873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
    3⤵
    PID:5528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6504633787228475145,13440102519275229873,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
    3⤵
    PID:5520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6504633787228475145,13440102519275229873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
    3⤵
    PID:5408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6504633787228475145,13440102519275229873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
    3⤵
    PID:2972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6504633787228475145,13440102519275229873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
    3⤵
    PID:5604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2120,6504633787228475145,13440102519275229873,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5540 /prefetch:8
    3⤵
    PID:5592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2120,6504633787228475145,13440102519275229873,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4708 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:5572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6504633787228475145,13440102519275229873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
    3⤵
    PID:2972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6504633787228475145,13440102519275229873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1348 /prefetch:1
    3⤵
    PID:2580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6504633787228475145,13440102519275229873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
    3⤵
    PID:3444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6504633787228475145,13440102519275229873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2804 /prefetch:1
    3⤵
    PID:3024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,6504633787228475145,13440102519275229873,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6228 /prefetch:8
    3⤵
    PID:1544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6504633787228475145,13440102519275229873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
    3⤵
    PID:1716
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,6504633787228475145,13440102519275229873,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6096 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,6504633787228475145,13440102519275229873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6088 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6504633787228475145,13440102519275229873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
    3⤵
    PID:744
- C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Virus\WinNuke.98.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Virus\WinNuke.98.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4972
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exe"
  2⤵
  PID:1052
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:2612
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Drops startup file
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:2360
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1056
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jdzv3ym0.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3548
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B13.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc552E8A989FFE4283818353F7FEBEE8B9.TMP"
        5⤵
        
        PID:4544
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qjzbeb9-.cmdline"
      4⤵
      PID:1732
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7BA0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc57E51E9CD49947FBBCD339E9AB5EC89F.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3692
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6rijjp-0.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4584
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C0D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8CC588DA6D8E4154862682E649664E9.TMP"
        5⤵
        
        PID:1168
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oyvdugyc.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4936
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C7B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc64E465378AD74C78A2EB525CD387B6C.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5052
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v-soq9p8.cmdline"
      4⤵
      PID:1116
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CE8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc72CE8F084D147869BFF8BED7360AC.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6052
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\he_c-lgh.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2172
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D55.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3453A5D438A24AD9B1BE2626E5B60C5.TMP"
        5⤵
        
        PID:5704
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ymrs6ojh.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3624
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7DB3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc21B7AD879D1544958A4449DCAB1443A1.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3684
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xh6bi6u1.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5192
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E11.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4B948449EB644828ADD0F02460BD9559.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2380
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\52teo5lt.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5256
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E7E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC2572463C2864AC3B66BA124D4441966.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5848
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m9ypkmjz.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1804
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7EDC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc83FA02A2C7147718D7DCBE96AC2F593.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3408
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\az2fxcr1.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4840
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F49.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7422B574CE8A4101A2552F8A862D2010.TMP"
        5⤵
        
        PID:5244
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qzavre5v.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3880
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FE6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc66C01C53A04A4925A119EB198ECB78F.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5752
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tsx2gvwi.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5884
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES80B1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C0B41FDE2C94365A6D78833E1DAD5EB.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:744
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ndllf5up.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2840
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES815D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDC091481665D471798950A0CD4B4CFC.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4528
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3eokxfu3.cmdline"
      4⤵
      PID:3912
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8209.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc82655AAFB8694FC989647C2D3077A654.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5400
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fapwvzlc.cmdline"
      4⤵
      PID:5928
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8286.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc88E9F2A1FE6E4A7FBD1B6B52ECE333.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1088
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1-bnd7zs.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2100
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8360.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3A177DF76A824936A27377CCD5F6EE9D.TMP"
        5⤵
        
        PID:5712
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hfhvv0l3.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2828
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES83ED.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6804C6EBE8CE4B0CA0FA7395A4D932EB.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v5n2ip-z.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5380
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84E7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2D521D5354B64E7A81933B476FE5AB95.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3636
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9-nrm2v-.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3016
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8554.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc19FE13938A2946AEBC36C2BF44C13697.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1880
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8_p3arul.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2208
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES85D1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2B1E813F2F1849589D8D9BD2D115D38.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2304
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:3980
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        Drops startup file
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Checks processor information in registry
        
        PID:6032
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5180
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4172
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\llinftu4.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:752
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C91.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD3D680B45C9D488FAE3078A595375465.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:444
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eh1troyl.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2DAA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFDA0CEC633EA4F469ECB3388CCD33CA5.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2704
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r4sjjaat.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E27.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc824ED29A392749679FAD6B3559C651E.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4516
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2ktzqsz9.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2EB4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6E611BBFD1F1488B89B07422167FCB5A.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5704
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yjckiojm.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F40.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc62ABE1117E1F4FF88EFD226C964BF48.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1080
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tdmhea2q.cmdline"
        6⤵
        
        PID:5988
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2FDD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7B33B33289AD481BB03EB14CB8629D36.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:216
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rc55yulk.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5256
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES304A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc836C1C1AFE1D4B8BB7FDCF83DCEBDB37.TMP"
        7⤵
        
        PID:5104
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wpwib36t.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES30C7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3A0FF164B2F548F3A4852385DB3B5E72.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4568
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jo1uwm6k.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4492
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3134.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9DD41D53437349278B324EEF955932A9.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5176
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9ipxvh3i.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES31A2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1F833CDA8A9049BAAD8E3890F04531C1.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1880
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 2976
        6⤵
        
        PID:5572
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:1804
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:4840
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2976
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SendNotifyMessage
  PID:3800
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"
  2⤵
  PID:6124
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:5980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\DudleyTrojan.bat" "
  2⤵
  PID:5752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\DudleyTrojan.bat" "
  2⤵
  PID:1384
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ColorBug.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ColorBug.exe"
  2⤵
  - Adds Run key to start application
  PID:4532
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ColorBug.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ColorBug.exe"
  2⤵
  PID:1116
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\VeryFun.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\VeryFun.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5368
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3888
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Checks whether UAC is enabled
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:696
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3584
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:6120
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:6132
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:5376
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:4396

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5500

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3888

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1380

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1844
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2076
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:3316

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5556
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:4852
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4992

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x418 0x478
1⤵
PID:3636

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:720
- C:\Windows\System32\ie4uinit.exe
  "C:\Windows\System32\ie4uinit.exe" -UserConfig
  2⤵
  PID:2188
- - C:\Windows\System32\ie4uinit.exe
    C:\Windows\System32\ie4uinit.exe -ClearIconCache
    3⤵
    PID:1480
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
      4⤵
      PID:4548
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
      4⤵
      PID:4208
- C:\Windows\System32\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /FirstLogon
  2⤵
  PID:4008
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level
  2⤵
  PID:3536
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x274,0x278,0x27c,0x250,0x280,0x7ff702ad4698,0x7ff702ad46a4,0x7ff702ad46b0
    3⤵
    PID:4196
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=2 --install-level=0
    3⤵
    PID:1976
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x7ff702ad4698,0x7ff702ad46a4,0x7ff702ad46b0
      4⤵
      PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge
  2⤵
  PID:1732
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff737e25460,0x7ff737e25470,0x7ff737e25480
    3⤵
    PID:4444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --migrate-edgeuwp-taskbar-shortcut
    3⤵
    PID:3904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0x78,0x10c,0x7ffd596946f8,0x7ffd59694708,0x7ffd59694718
      4⤵
      PID:2728

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
PID:5928
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
  dw20.exe -x -s 880
  2⤵
  PID:3576

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\SetupMetrics\0745137b-3f91-4cae-b097-c10a8cac5142.tmp

Filesize
520B

MD5
d7bdecbddac6262e516e22a4d6f24f0b

SHA1
1a633ee43641fa78fbe959d13fa18654fd4a90be

SHA256
db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9

SHA512
1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

Download Submit
C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\ProgramData\svchost\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\svchost\vcredist2010_x64.log.ico

Filesize
4KB

MD5
bb4ff6746434c51de221387a31a00910

SHA1
43e764b72dc8de4f65d8cf15164fc7868aa76998

SHA256
546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506

SHA512
1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
75a5bde9afa598477b92261afe08449e

SHA1
50c3831bdbe538e4ba07bcf5ca62a6a8746d9af0

SHA256
f1898838fe38c30a03152ed5c4b55f4c3a34341a50161c349b01c95f4b5fc8c0

SHA512
10dcc55c727638989bbe9f7d5dea2a61d7d022c5a2eee2fda54fac5a0806385d46008c6f97e06636bb06c0a311755605e0e7b172d83c0b1be1ae7c9f830f233d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
82b23492924d93ff8ede470a0fd57102

SHA1
0f52ff9fa8b667fff52f37a82664472bbba6a9c5

SHA256
dd2ebda49e981de5f1717cf26768856cd86a0bd56862bbd5b2df6508e914171c

SHA512
33edc6133282573457e7c3d3735852069fac822af827517a6681e59a508d0b91cd3a0a28b20d152c5494f403632a421d98fa8b7649329c9c130d2f82623d6734

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
600B

MD5
d386b1c8a34a84e26a35a3f1aacbb9bd

SHA1
21418f6d7ba8ae170088439ee75be4682f7ed051

SHA256
6ee80947f77cbc76929820695719590a932ef2ee383ce3879ae90bd9dbeeff66

SHA512
9a9a39d785b2da68bd5179647857f9ab459cee19f273f20fe35399ae035c52f90395fb5b3aeb29e5e04d13a690cdfd8a2ee68b8718f1c298c70a1e224306e67f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
38f6a580c9a98c791854dec877f5b160

SHA1
682aa65601014be7844aa609952ae4c971a5aadb

SHA256
cc64a379a20c1a6657aed7b491fc700a2770dc61de7d949f373195a90aab8e29

SHA512
f25d37e5a8e2aa691df0b0a5b4221715545a0198ac88d8f46d9a16e5814b83feef8429174d5a158a66e15899758bd4a2460d0b0be359cd3c97c06c50c1604264

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
2b3d7f5ecae6ff9f273852790cb77722

SHA1
89683848881f650bea1821bfc2ffa628c9c84456

SHA256
0d158ecce045d9885a439411d2d873720236133915687e2c8db28c4e9e5fd84a

SHA512
a409d0d2855f61450efa3cad6621df5f2957357861b5f907a6e796e07e55f5392b2e0fff79018b20145a2680a5b22430663c6a0f3efa95cd0bf4727fbe7a0b1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
a630a2bea0ab11fe517ef8b8cc33f988

SHA1
aad1927d03ea1e676ee0555e49dd087fa8127098

SHA256
9ee2e8065b5426b3cc128183afcf0eb2eed62cc6c092941f22e81c8d2d453df7

SHA512
4d61698aeb30d24dda46db6e3a140264749b6cfdbe28a4952794b1fdf88c5b19a24ae63daf3f4936e353c0bc0e18e4b8ecf25d7e18f1af1673970db388d3cb9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
6e229e470d6c00fb2e760a5cecbb1ac5

SHA1
8a9de9d0f79ed31219cca2d213a6c0418f586cd9

SHA256
c6b0a5c8977b848062b90907eb2a80bc0a903e9ec8ed087ff9d164d7a57c2160

SHA512
b15b81c4552ec6cf373859734fa512a8d47e25037307fc3bec5553ff323ee432a1b53fcc78ec0a8402e64303022c2abd8397990761b6daeddde2d7cd6307ef4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
688B

MD5
c00e4ea6ad151f30110b9efb43274506

SHA1
70e5401762cd57740496597d80db3d64f6128025

SHA256
4c89d9d8cf623c27292e046e7279cfffd15d98eade8afefc9238b15cc464ee15

SHA512
94348b9b5345c64401e214462252b4398117b87a201afd633e67a5694a2c3bccb4341cc6b9264648cb9bca933109c2bca29b50e1859ad8e7d0dc0df999702280

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
856B

MD5
91302f6a8547efb58efe24b40630cbdf

SHA1
a6b9f0be1bc10ef5b4b98759b6e6cd99ba6a330e

SHA256
f48199bdb8cd2928aa2b0a7fd700793a7a9b85a6de05e965f436d00c0e4bcc61

SHA512
1ecea48eaf428dc615285c7ea92c1aaaf811911b1ad7516467dd62bba14d9dbb2e587034c2315951345c7b551669be9fccae425352e8268e0a2c135e76bd65c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
327cd764307cb6ffc3a2595f85ce2464

SHA1
ad6aca522c8b7350a733a9bfb0e1220da28860a9

SHA256
d2bab31227cd29d7242ed92fb8fba2c3a316e9ad5a2e06d4fa9cf51c85860cee

SHA512
dd21f906b0df6d87f6def7117a0230baee6833cad188ed2c9ff1087ee34cc85044e79c62f646cf75ac6e7f9ab53a210f8939782f0947ff8385b9a0138b838f33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ffbc962ed0c6f435935d6c9251dd14b5

SHA1
c060cd91c801489adaf9f92a35aa8c50407fafdf

SHA256
c1950abf64929bba79c511817d7abb521e52949640badc41ea05e9e2166c01a9

SHA512
47d2de72d9809a6185684f4e7eb6690d5ce1e1991234b867c3874ce377820247e7075e40eeb3f589e2ce61248aea22ad15ab54de03cd2509f6b704f79b60106e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b09610e746a503af6d6ced93c8c9585c

SHA1
032b1bf5cc4ab323b2603bd52249ba21d3b9d144

SHA256
ed7823ada079ac95d7b286f76477a953483bfc3079225f51c295fe145391c000

SHA512
8dd6845898e36bb1697c034ac31494fab0542b82393f5c9f4bd0f39d53760162432ad4411679efb7154eb451f823edef32dd42859375d84fb33d51ac299f7fb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b08f0139771a234914381e1acd2d0105

SHA1
d830e3ee913c116758ad2d08c4ad6fcac33445ec

SHA256
bc61aae4aae86af05a1dcd8f9def0d4b196312a11eabd90dc898448b6e507118

SHA512
76fe0ee12dcc11cab7551be037fb596c034272dacbba19940df7ab6e1943b7f2148c85385a13515479b3a73855b0d23c2c08b78d1ab86276eb597bf1715bbeeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1bda5d476cea98065931747b6a2301e5

SHA1
7de0213e3fd567a7427d9323c8c3cb7c6a55868b

SHA256
73f7597c73d7962b7bd9d6fd097e371267956501967254415cda1bf252d0bb5c

SHA512
7052288295edb67f6e54a2d1d63c638c816df05c292989676ac171e4f923fa8eee883a899a57bf727ef66ca1f89825aff418f9724c7a378690fb3e56ef330c1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7dadff607a775a4121b175071a12e117

SHA1
ed39ffa9770d2dca7b9229dc9506c3bd5000585d

SHA256
208a903fcef136d64e567dad7a5eef32702154c711eb614977f591d7499e9635

SHA512
411adede56f9338b2ccd0beec15ee359324b94873d63bf1dc6a6012c7fea234326625689c5083a3f33e4bc98cd8ccb1b2df5f65fe123744c47128526a03092eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e2e3a0b293484a063b81e367952ca97d

SHA1
fb21823566de5995131598f4d58dc61c92947353

SHA256
bab67e4808fb077ae36770428c4caf261f217559f40aa741927af61304d53ef1

SHA512
26a12da2041ffff20534d6aee384712faac6d2fb6aa35893677b22548e69e2720728ae52793bbd2a497bdcda970128b74f4410dbbfbaf54ca0d7615bd04e6a8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ca3e04e50ebac1653f8aaf9ed69c80aa

SHA1
f3ad8d9b8f47332791c0fd55af88abf6e7634788

SHA256
d562fe29e59181191eb8a9ed575fee4b397265f065df4ecb86486ad320ccb6e9

SHA512
5f069b579cc7b1a776a0346cf43d8648437481c31160044e1db317138fd51400c6c40b39e13f7a730768b85f81c2472a01016414d4195dcf6890cb2616570fcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cfa367ec1ed4e3b9d5189ba990a0ac35

SHA1
d00a354f680bc8ced78670fef1037b2ce33408db

SHA256
33e5647abcde192c1dfd3df93cb25b1f33533c0bf74da23a075a57776e1938a3

SHA512
2b7ba629d304d0236e4b0ad327d9626a8c448973f9de2c2af86d1e7390090676c319d587a1265981be899ed901cddbe09a906cd432cdeb287774757805920c8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c1973c7746321216e402a6086e03fdde

SHA1
a16ef42cabf3ae4429626272c255fdb97be5d171

SHA256
9c068927798619c1730060e50c2e16e50112559c066fece5c869ba9bd5cbd73f

SHA512
58e39db2a48532d27dc71510482f752493c20d6bb62984786dbdf9b1c51133215b6f5f180c0daf3247f7fa2d3b3cb591f77de0281bd2f1af691ef23d597e37c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
63143d19f8ee0d8fd7436d23d27efec1

SHA1
1f2d1748b82d052064581b9e133674d8d394d73d

SHA256
a9072b70ddfd426e4a152ce3c91a1cf0059624cdaff840cc6e5af1e1b2dd3f48

SHA512
d34d3e3dcba5f1589baf00da705c9cbf0fe20ae12268fbf0698676a8a924d199916470a2dbfee33c49bc32d6d55b88d06ea5f1975e78a6552e403840fe713da7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ecdbadbcdf32c1bc395feacc0e1f1d4e

SHA1
45b4a6ca409633490c262ca2898a9235155ca109

SHA256
6ed9622a6154eaaeda6e8f18601f201fe88f958e1d86e006d0eeee9b95a761ea

SHA512
223279aa63a65a9de72208de7352ff235abc308d76ef1a8da94f71355c0fae2fd61ad228875fbe38abd9a4a58aa40257540ba326a8fc7d238a4f5a12d0acfaff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5368a43293c16b5b343f0f528c4b017a

SHA1
38d33d46da01fec2e3f48bb4f79bc5ce06c48c06

SHA256
6548c822677a174d2cd31416476c7dc02a4888d60bbdfa39289c33b91ffa2f64

SHA512
098fd057f136238be6ec513eacdfd45f0181f0924a8f60b0f9826abe90f1bf02a2487dcc83194bce051952346cb520a7434d8c2e700e042b3cd485ed1ee24362

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5101f7f3371adea208360e409977929f

SHA1
9d0e1bd78303399ab1de3ebca5583e73206b7f44

SHA256
777043e792305d57bd5c658b70d4c42fc3caedd19cd3476adfd787a2099a8977

SHA512
85b9a0bab20556a405b86078bb00c06cb53b6a7d4233293a7968a0e901c01ff6f1a09cef39d37fd5927acf3fc4e96f4a66c56dfb249e4ccd42d426c25ca8156f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b746db81ff958ffede383c2cfdcc4c80

SHA1
513c42a976ddce9692e503bdd5b6ca4cb4157327

SHA256
f19b0b39e893a5f71e35e6955902b8a0354c65c25170b77c428ece59c45054f6

SHA512
37473c534ec5b17c236e0385bbb51ae143c1745b67388cc50c55b3515800a83ce42651dee79fb2e6e44e2334064b9ef33751802936ae136ea6aee08417ab2ca7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c7ebe0b44360fd07f439b85afeac6553

SHA1
0c9e6d253b1748bd56bfe91f38bfd60be6409188

SHA256
178422e604cc918884b99b5ccee6a6b61e40247a156d3b64eeac6745e4c27a30

SHA512
5b171909748257fdb3ca57365af66ad09ff9403bbd8066ce68ea78fe95ceeb4b593f3a3de2011b99e6cf4c06d46b1dad0d5755f21d4e350cb5881d84af5972e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
12d3251b173779044cb658af54f12680

SHA1
de2665055699449055244667167db27bda0380b0

SHA256
13ccf560d21bd5b6ba7a3d1ae2609869c4c91a38597799769f54946b26f364a7

SHA512
b3645a4f9ba0b1687e5cf122cd1bc652df732bbc4e0750e3ce5d358ce67f8d329205317e8ede5c06c0f39cfb284aa412e0e76535cecfbbded6e5d6a8d0992189

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d61d45b77a1a48d8f2f257bf23247af3

SHA1
adebb97fb9f625cd338613faf255d556ce67e261

SHA256
49ef2ef6744da2cb0704f06cb01a9971bcfb5cf0cd3d1200319f21535054c943

SHA512
077c2c7accfd881c0d5e66ccd1c34b5744f44a3046261677c3edfde316d2d80036720fb278821ef645ca1d151129adaf4f8f74c2a3cfeeee29f03ee7c4e59ef9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
938a9a157f77691e81072e27783ab167

SHA1
f65cc241fc78de642709bbb158670d2bbbc52229

SHA256
65fcd09fc27221a08e4de64bf090898b63bd512e3c032f6b13a6c7a88cd8b814

SHA512
f6400c6d6e0ec9e0358eb25518bb6ed374886ed43eff82969ae3011a1f58007f246ca3bbfae96631d44392ffac1c1b139c0ae07437c1875e7f2b93771e158b54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
97a4176f54525f95e90b338a7864068d

SHA1
5aff0cd08055f9c30ed80f8abc05da5698777c68

SHA256
1713e2947510f817f22451d0a8e069ae74b5517f2fc6758970ca65562786ec95

SHA512
a284d2c63669f4cfff752e4c514d1e9d604f4cd082272a35b470865929b4a0182440c037ed77fce98834213161267155d36e7ad24ec58d1c9613d1579fe80707

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
829cc74f3fa69f4bdfe17dc78436a83f

SHA1
bfc723484bbc02bdbf50f97b2f948ce34e0dd3ee

SHA256
08b4e96b234fa414a20c98fc4a7172f64d9ee92d82de28e381c4e4e93c674da2

SHA512
4e974983c5d50a43081038ee074b88404eedb061f868a373e273d1af184c505fe963bb688b49f87a91e57a64fb635c392b70a01d7698e148214491e8a8192258

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
296aeea33536a043353c13a7b0c2333b

SHA1
1316b2da19d1e83465c93c51ce1f3830c853cf51

SHA256
c9b68d316cd804a72e56c9e44e901611adda41bc5e96cd473658d5fb9ca133e3

SHA512
6071c3c008f116b76483ad047486435db7237358b26d40e2744540314d90762d6af4d0bbc955da08f0e34620e82373b1c3786e4fa008ebf7d8deaab9970afd20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
113f77d028ae900bd5ba07ef166b1274

SHA1
2f108bd7acd7334d67c4258b533f8e765aab0a07

SHA256
7b86cbed68c28aa84e162ac1d844f9ef8e5cba2f552ab347e82b6e7b495b5092

SHA512
1aff6f8ba763f8a450dd54cb8a27a944d3f1d0a3835657cb863f9f8cebee0547a87ccc8f9697569f4592d2f67d47e6891a81986ade498f27d9f17b89e3376e02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7096d1dafdbd0313d3c65d3a3aaaba1f

SHA1
7ea1f105ebb36e036651465818afdcb53bece077

SHA256
d387eff49f314ba0c96b9b2ab8a6a946b0e9a39b3f78b05edcb9dbd0b7c0fb90

SHA512
4e96a5108783f4de3a7d707fd1c08b107e0f3d9eb4aad8217dc69be421b2b4390cc9de025cd1a5b93af750fe39e22486d55dd05d57850ef9fca40af80bf5404a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c13bb7801c9fcd41d3e2c0d147d1c31b

SHA1
d6ac28a25a801c3a4d86354c17ca6fe17f796a58

SHA256
f2f1e6d00398c892dd5caa5f161cdb8229f5c8af2f26daeac9390387383151d3

SHA512
57f5d8f729df8d73daf134eac849e93c2a0a7f9ed342eb0a679adaac10c4743ebb688e650886aa41c9b0d710490660804f3e1208a8cbde2d3af6173bd25b305b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f8e8729088437db19873f7d7cb6f9a04

SHA1
86f3aa09e061c9d2b170083ab73a22bda83e371e

SHA256
ad1f73b806c8d5f396afc28e8a3ca547d497845820ac36dc1c0355adeaa410a0

SHA512
9cc65d4beac641960cf934bb2d5a4bdc167b5c254562686a2f9302ced63ac18a6fad61fe98efc432d5b1a7bf51c1718a5717df5342a3b90c2af839504a0ea86f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c189448157c513a53bba9802588e0c66

SHA1
322a59e88d140463fb9bfdda63ed6670826024a6

SHA256
fbc9d9eef9671aaa39b0b30a02b3cdcf65e885e3ac2c079d4d95d575d12d9cb4

SHA512
c4cb166085cd14c4fdeb5bd977c0d0ae5c703d93a63ee062649125f0493424f4d60aa9b49faf2488e1028601715e95e7f04cd9704987ac1f6b2f541d3fb4095c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ff27feb76b8dafc0f8f76775ea1710e6

SHA1
8b394488cfd40d9470b7f09fb80a7eef286e2094

SHA256
7a269c1104c93c0cf04a6abc17837fcd913457745b5f1869705df2f5e8849739

SHA512
a1d2473a359f0c6d9a3f59589e32caf86fc98404a59f7de4aceb44a230d1fe1325ec3ea6bc7c8b0e2e131d9284077ff15c02165f24399f29dfeac7b8807c3ede

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fa5465199e9b574864f062578c4671a9

SHA1
51450cf6950a934266b774228fca395fb267240d

SHA256
abe745c1d16a2f8208d921976812514aa4236209d4372498f3d406f3a9fe8956

SHA512
5479c5eef170d90ac70571c659aafb25be4b238604372f52767bddde1204a6e6c1fbc3b32938a53c74b12a8444c2b6c8c3cbe573098e5cffbe82f47d2fe2d0cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
eeff2e17e51c1305536c7e8e0f62e9c7

SHA1
ae89a51b9af84b349d15a2f41941af9e3cc5798c

SHA256
ebd010865e5e27f877093c2baa6eb1b1e5aed01655007afd1c5cee507c29f961

SHA512
12c0c544c264899adeecbab00c7b2ab5d335ba40f323e461c6f92d6017b45378ad3ca74dbee29b5a029bd30bc734074be3f2466e72f27fb8b5f09367b82eb7f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
db229487c1cc7d04d914ecf57e0e62c7

SHA1
54980e84767bb5fe08e709a144cc9a2641855756

SHA256
0b8694630461594acf4320fd1b87b8a319d364a020fefdf2bd72c98c0805c57e

SHA512
0a14b51649e1fb0fedf5f0b15cc9e96936c7f9ab4a4b19e470042bbd315036c8a2ea3a24457b6c5c41b040bfa1c80ff2d141292f12daa3bf10801fa1c6422cc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8724fc988101ecf84eefb1459fcfe5c3

SHA1
aefa249e1694d502535953b44ea4cf61c66967a3

SHA256
a8f2166175608132486f4d184b8a88c34fbe0a4f5653a5e9d8b58c6981ab5a20

SHA512
aadc287d953d9dcd3f123945444ac9a3d22179d4f430fcdf3caa4bcd0038e2b6aa21f68f18fe6fca4fffd6323ddc8c0f561796e895a4965cda0c370978d23583

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\cb79de83-3114-4877-9acb-f1fa7f39a898.tmp

Filesize
9KB

MD5
5e1b23f41a1deaf51f0b0803b2a83fae

SHA1
58fdcbeac5e380ec17acb1478144066f9b30bc9e

SHA256
dbcf6fff9b83b921c9957f09952ed1bbc2f51076142d8c4d5fc7db62105f0629

SHA512
c5a66be20e7cb2d00b2d4d0e7159ec087417c1349af370dffc6acc904592b0dd0ba0913e17818e1e4344afc44b63612641b2c956a93ea4832d3070a89454ee0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f2569b38-26ed-4485-aefb-459ec5e04fca.tmp

Filesize
9KB

MD5
3e62c778fcdf979646ba27ce6539413e

SHA1
8c3aa69ea5a0f44b38aea5896c3e00dcbda75f4c

SHA256
4b5a31225699b81bfd47b87297378862a3b70dce478639a470e4b72883e3a612

SHA512
3d4bdb1b91a9e1f4f057856cbcdba2fd56543f8c031c72c2e3aeba736e455c6e918a51c64ccd9f87a73e50ec4a22beaf08402e2e8f8bf3090e5ac3c97673cd5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1

Filesize
264KB

MD5
f6bf948cc9fc7e99924dbedcb925b9cc

SHA1
f04f6112516f633319e57f173ddf7e4855018fe6

SHA256
35b32a6e5d8165eb8b601a8d36d2072cf17d57afd4f4c4acf357ed63eac74f84

SHA512
97f22d749752ee6aa58868846815c8a76ad168be626f09001031214b0f0c4f4da94f563ebdea8867f87c78515ddb034a40d67adb70164174622e49ada28152ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
924d6d213d05ea2385c471adbec546ae

SHA1
ad9bb0da3ed1545533f4e4d3b4a3260b5b783823

SHA256
37e9a37caadba33df315ccdbed53ec86fd23ad5c7581504edf4a999ef8bb31f8

SHA512
bfcf9cb82fbb4528c5437e244e91cbc7ae64ee90a6ff75a7a5062f16cd4477bb159c04e0a675055305201c33e9a082433605ab2562c5bd9b0da729fe51646a13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
5af7aa51562489ed4a6584e1ea2551db

SHA1
2ffdf07173b0ac47810daac12edaea1ecd89c136

SHA256
e712ef9b1fd6f637b0d955ba0a5d69a651b40a8aa89096a414f2b73d5381c9c9

SHA512
68105c0d45ea96baa9df76d579aa671090b0b15d217a648f1693100abae1bb07999cf57879d3d1ac48da24d36eea76fe1b2eb44a2745bbf7854da335fe7c8fc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
b4baee5f45e883a8f85127a2480e9b78

SHA1
487aeac1279f875a8aa6dc05eb16c60992611d01

SHA256
a0351ec08be4997e0460f65118908688b5f90532c8a5c3e12082383c84dee189

SHA512
3251ca847b6acb81a11de2e23d49b4871e16026d84be724d9a19ef2c7e0c0d176b3797843f92333f252fe8137087542faaed313f1c6ed278e395e579b54f8d0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.log

Filesize
120B

MD5
50dec1858e13f033e6dca3cbfad5e8de

SHA1
79ae1e9131b0faf215b499d2f7b4c595aa120925

SHA256
14a557e226e3ba8620bb3a70035e1e316f1e9fb5c9e8f74c07110ee90b8d8ae4

SHA512
1bd73338df685a5b57b0546e102ecfdee65800410d6f77845e50456ac70de72929088af19b59647f01cba7a5acfb399c52d9ef2402a9451366586862ef88e7bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\88681319-f70a-4c71-8cf1-01d8831eb14f.dmp

Filesize
5.1MB

MD5
9ff8f50f197cea426ba838a416ac1641

SHA1
22fa4b1a3d3115d7b19f07021157aa12a90af47d

SHA256
c1daff30b409bef628c15dccb3d5fb780c234beb529335eecec47a00733dd873

SHA512
15cd50c1a6a9a1c1a553a495660757272551db9f011b8b8a7f24c695bff9b3b652f48c0219f9762da6845ad0b56bc4a2ffec78a4e7e73061ee6c168bb0b73349

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aaf1146bb5e90143a1924e3aac8bbce1

SHA1
2280ee43be856e9b5d6d2f5eba75f3cc602b5308

SHA256
70a61d70387c32da2c47e49a2b1f44c277c78314605b7344be9355a6e7b85d81

SHA512
446c675a4266765b9ed5eb5c333aa8d91940bde17a97299f7af592a2b62f8fe571d15b20074a613e10420fd32b711a22da1482b13dc4b2ebb6a0c237931dbc9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
43KB

MD5
edf3b94d12feda9fec733db26bcfee48

SHA1
b8a381a326bbdcff3e6cfca8c4e2951bc75e3084

SHA256
1402cb49197f078fc86b8522c42006091fb0c091922f420f78c6e1728e005adb

SHA512
7f8fb7d5de19adf67a504d81fe504430aa8a9da1909e12ae15b0f02aedd0ec732e6225742cd1afb054e29a3f6819605b1ddc0835729e176fdd4975fc71feb17a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
70KB

MD5
4058c842c36317dcd384b6c2deaa8b95

SHA1
1085ddb12b29b79ffe51937ba9cd1957e5e229b4

SHA256
0e562969cad63d217848a5080273d1745dc4277d210b68a769c822f2fbfd75f6

SHA512
435a67024811360b12339e3916945b0639e2d9319e9d540b73e093848a467b030e91e01917b7fb804eb756dabce2fe53c2d7ea586554ee6cfee70e652a85924a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
38KB

MD5
bff21faca239119a0a3b3cf74ea079c6

SHA1
60a40c7e60425efe81e08f44731e42b4914e8ddf

SHA256
8ea48b2ac756062818bd4ee2d289b88d0d62dc42a36cb6eee5bdd2ff347816c7

SHA512
f9e5baefacae0cdb7b9c93afc43ad6ec3902b28c0cdf569e1a7013f4e5c8dfb7b389b5e2bc724b4ddfe554437320f4f2cc648642944c6f48ad2a78815acd9658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
1.2MB

MD5
d717dc20ddf09d562cc7d4bddc69ea5e

SHA1
3c0a07ff93171250557ff41c1621eebd8f121577

SHA256
5b92638f93b754c48a8050863fe38abcb2ac7397979bf3b9dbfa2ffecce2383c

SHA512
07b48be4727a55e34ff097e8974ba14251436417edd64b3876b09cdfc31220551ab12f6f080af697e23b6cd9afda50ddbbbd00df53fbd538893b62fa43173e04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
c00de79c07572d89fef6aa0e6a68b581

SHA1
0d2c19589f598628b0ed21cff9f3034c14ee2eb6

SHA256
6a4e300ae1e28cba1dd6bb6a3649aa842158787f2f81819279b60db728700622

SHA512
8135f33b476cf94b691cb408420972ba5f4c3ca8bd01bef75ec835b3f43bb1a5c5baf27c016b31af57c5d0e9ad9e1c1503d8e0d804c7221b34b3de9ff364cd0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
28a93cb1731948abff79cddc9000dde9

SHA1
c8ddb780985995a5a6500872c58d08c2937c24fd

SHA256
6ef98512b62e48695eb41c8267021c9d2d676b708e572b4b51385ffe80e2d08a

SHA512
42d07fa530f836a3b15befe0aa5c1ecf2eea77848534196627d1cd855acfe8b2c0b8eb2b26aadf925e41e2ad8219c5e170de384a5bdc2fecc8522ee2aff8d733

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
861B

MD5
1a99d8ba7efd6fe3418f52d81b2cee41

SHA1
b829982bd1e80d6db0450a518af46ea05889fba1

SHA256
0b8b46ef12c114cdc8ba26ef5c89e55a41c0387123e2b811ab017d98d7931340

SHA512
c63fd59bc773c2ac4a89f84f9ed09b25438dc8296ade59239b8013be750870bccc5654bd2401464347ce6b71a026e42690db9174be227f3bc133d14eb619a354

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
930B

MD5
c4afd000f025ed1ef78105a463b0812d

SHA1
8b9b9ad75eed9921d758e77d69e9b1032c7c001f

SHA256
7dbc7f2b673df6b1f0e8af7745c6545da4678660f7e322bb21a5ca0f8738a9f7

SHA512
223a0b705008dba474c1ee02e1b536d35a4ea99b59ee0d7dd83ebc951edcc8fd9c8c129e80c40cde8868ec58f4deb264fc5e0005ba7ad9841f3f144606c4cea8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
602971336f93ca4f7ff9af0942929711

SHA1
8978374ab83637cecce3aef2037eeda8ee95c014

SHA256
a37494b1b6936754dbd2bde9855a408c22b863e0a53dc19cde6ae0f47305f7d7

SHA512
9d2c8cc064b3fa0ff1e7d00c4bbc7b87d0d3cfd89390bfae5d3ce560ab2416e03d856a2bb27bb308ecb7c0d06790dab3ebf2e647c1b0165df424c98b047fdf22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
36d3dbbef388e13159f812f87f5b25a0

SHA1
2d0e56f85afb565c353031f2106c49a3a8958617

SHA256
fc81395b9e25e34e5d7423db2e6983ce88bd8488502687ecc36cb7154054e68f

SHA512
c4ae23e9956594509d30858d32f7dddcefcc8147209806cdd597ca9a68c2be9396fac2d0e0ceca6538410ae324e04a3bd5d3cf7b2a1107eb7849c7783ccca538

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
caff9c9232c94ab2fc42b8ec08f98304

SHA1
a4e2cdb9f45471209fe551faedea9b059c167366

SHA256
48774bee02a9416f94c59abcfdd98cab5f7b53360d986b0fbbe25c54dfa92fb0

SHA512
ddd1e181d24853bf8cfe06cd9adf9b43016d58dc7024043537d95188021fb9ca30030c0ca4117131aa31e7007a88cd06839bc2638349a5fc4e023545bfad3215

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
80f7bc3c111e42acb28a1d50f6e78da7

SHA1
dcc233b4e722bd9fe6050d759fe7e1f0b8a56b2c

SHA256
1d662d2b855b600b78cf36c26776a59e02726ca2acb9a41308ec61b23057ccf3

SHA512
6d12619400e77176385121297a44d8b85e0cfc9581c774c7bbba2776cb7a32688d6df14da0aae77adb5ed62c0dc247b2d9ae66fa78130d869c89b57e5d0f63fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5178d1e004131292e50bbc7293bc2e66

SHA1
301e9d6f6dce5cbd28b93f9217b28f310ac09d73

SHA256
c9289d4260b176a7c387bbf9acb9658b973100f5e6d8b8e2d486eb805690641e

SHA512
897ebece3fc2ae598702987a672596dac74ca22ff48d3a7ee9d91b62cf29ae99438e8cee139084b9bb998ccb2519f5f16646edecbd9ff80ba877ad630f4b7740

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
edbef43db912ce248016b6e570f379eb

SHA1
e5731ee297aeb5f4cd99a75cce79252e10b36c47

SHA256
b314cef5ae689e149538f7926b07f36896ed5d8313d293a420c84cd91ea432f1

SHA512
e0d60d059f508a21db69c3d5b412a8edb1de81a0ccfd530d1e7da6c9e8ecdc5fff0316b920ce7d36db3d06739cfd78069ec8d7457620c0462e663dc7bb6847b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
01447ae33adb46068fe47addf81442b6

SHA1
48980640b0eebc75fb5be96e1df4b4ffa275a49c

SHA256
743ac141565b1173790d57c001bc325e6356f561f3266ac8a2417934b0497994

SHA512
5d71c7c633f6d9c3ea5d71373a5fdd823b65bb3fa81ce19bf2312facbec28e3c5f28218eac848e2e2e254ef9567be22a07f1b9dfe1aa8ef816262659b299e8ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2ac99851b421550f726dccbed4def48a

SHA1
aaad04e75cbaddcaa699c3d4e2c17ffa1e9d55bb

SHA256
c136ab8c5596fa3f5b4f5e460801fd158e1f77c61dbf253588851285c1146239

SHA512
9b038e1f9d4fa38c8758f163f20655a99388edda88ec73e3a87d8938c54583d078a93a78f8c6b932572f5ba796b864e155d5c0e0d40d2b4b79a3828cc7b16586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6e7d686cc3a5d080563ce5586f89a299

SHA1
c8245e0c623345bcf782a72a9d7284405455e6b0

SHA256
753553253b2f0bf5349472c541faa04eca7c76ad58b6585cd409f63f0ec4d0b7

SHA512
5a6905d33afedc8c88943040083b1d0fc9ec64452f3137557af6efaba5501fee4d5b22e6c5dcb1973180fc48ebb18cf70ed70deb40d1af8d403774c1c79dd3da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
eb1f662b28499d5427550581ca379d06

SHA1
33f612c9987286ed3bea654811a436d10c72b942

SHA256
7c3cf19e0898980cef429af5bdaabf9a57f1e6951de3110c6a0710d54ff74914

SHA512
f7dee1241fe0adb708a8043e3587c8804390ecc0fc5d9c6f6fea3aa00cf87c6cf038d88df4b42f38fe3054437662654c26fac2a378078a81e2ab55a5553c345b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c7e4a9d44df86521b8d086172109a44a

SHA1
533a5feec01bfaf2718e4fc5c397e7f2c9e279f8

SHA256
d258d1237916f13f794e81e018ecb9821cacf1162275954f8ff29fe7c6ea5986

SHA512
913a1e128a7a7b799f514f51a9d65ce24b81bc7cb872b4bace11ed646cba3680031759a8c47345bbd0e3f632a26b311ea0467152c079dac2f53ed38c24359f93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
ed1ff529db49b477c17a04b3300aa12a

SHA1
56bfe4d4a9c49c4f6069e2794ba22b87795b3074

SHA256
b4b21f728d32acfc2113d9b5fca60351ba44bc3929ec0e55594ff09fdf33df2f

SHA512
c6ffd802c69e10acff9457960e40a6b7952e9c42aeb7a0048857002cb9b2f5b0d32b70de988f10eec5da211f3f8c6b9b2104075dd1b44d514d237bf2c23fe02d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e43ad43420ae3880a7c70c8ea376fb01

SHA1
e64dfd84efed6cc24ae4f7f2ee020d467c595eab

SHA256
36ef88c9ca8e06b0fa9e9b8cc3e40fe9f1b0c16b9cf4027b9562dcade2266cf5

SHA512
d85eefd0d0762331de9be40e47c09c0a1329ddc06fb4fcf170c4e3d0db4584f9dd8db8b7885128caf2547601d3c72060fbfa788026086f2c4e7edcddee99dd74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5c2564930b9dfadc9aa5fefee150ce7b

SHA1
6adefec7479891ee62ec7b41282465df4d0770d1

SHA256
438c14dfe18cf00a0dd7dc90ab6e71ccc320511a933edda47721f9ed24f54a90

SHA512
d4c725ea9dbcdc7bc8762e2d6ef0b60c4da6e4f2a3ad320be8021ea378ca56e7b1c699b36dc960653553f49ff558461612accb6b5096e378469fb7216248f84c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9d0bfffa78f59291ce837c0a2e784b14

SHA1
84126ff0950415d742ec1ff8be25fbd29d30f85b

SHA256
e7ad50d5df1fe0c5032eb5d181f83857065f90b98b64eea39c264bf8eb4fcffc

SHA512
8620a5d6a591b9f230f67e4344319d8b6c5a3b42ad6b9207fdacc99acbb6e41c84beb146293430e5deb2f7722472ce8bdbf2eb0713deadfd2a1d520e9a1b9af8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58945b.TMP

Filesize
538B

MD5
0e1a49ff537b7edb9899a436ae4a041b

SHA1
62741b1a8b8422e235c5e78f0a1c267fe86b9015

SHA256
88b2da864d099e280e2769e50bd76ba70020a5f7f275b8ea2fd6a74b1e551f5b

SHA512
67a00cbe01a6047261c92f291902c281df96c140a26dcfbc4747bb4fb834a3ed6e06da4006a76c464ea12fd4e2a075b648310f102565d670e8be1009065d0d5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
edd78347f016eba09195a96deae974f8

SHA1
2eb96885cdced1f03449bbc0e84a74ca7075332e

SHA256
dbfd83cbaa48ca8b630765b82e268d9c2067d24d4475a87f2d4529a516220470

SHA512
7701db8d69c8405eb2006d6810da346a61257b6e59ad2620550e1606c1a623f99a9303a51daa76abb0dd050b401397211b17b5b502e86a4d56b6fe49480a824e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6f1427f39a7480e120909321f070b5bb

SHA1
0a2a59b182a210e2f7595f4fd329fed2c392434c

SHA256
c9f4fa24337df565f26414b31e55b4a7c79d2b49149ce0e1edde4516b686b8cc

SHA512
f8b0ab323553fd40ffc18c7a0181c83022cd2484b0cc680ff5f2910bfd11bdde6c787289946e2aa62bda6c8140f363cf282645d0e7b07f6cb683a66a833661b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
abd30b9492aadde24bffcf8be863c0e6

SHA1
015392729e0e04a731f145c9ec3c36fbb57bc640

SHA256
6344a51f135df86e1e08767a725fa45a61eb58806087a41e42fe0e3accccebdc

SHA512
2566fa788ce3db6c0f469407cc4b39c03591947a728f641a7910174e35ed18f8b3f08048a17c285119bb7afa62e3799ded4ae3df7bcf106353a61d0758e982fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e57b913898d98c3806e89f7dff287f9c

SHA1
7a3ef3f0fb8d6d5550cf12d9ffd798a0e86b00f6

SHA256
0ada38ef44a94641b438df7274b089ddd36821679dd65f439592bc50987c80b9

SHA512
b73d146bf8b4021148ca052ed01c0d0b1311b06d47e60409004b48e93cd8c00debd616e7cf1924a6e4cf60d8896f95a82263f3314bf4cb10646503dc4d1157da

Download Submit
C:\Users\Admin\AppData\Local\Temp\6rijjp-0.0.vb

Filesize
369B

MD5
83f6067bca9ba771f1e1b22f3ad09be3

SHA1
f9144948829a08e507b26084b1d1b83acef1baca

SHA256
098cd6d0243a78a14ce3b52628b309b3a6ac6176e185baf6173e8083182d2231

SHA512
b93883c7018fdd015b2ef2e0f4f15184f2954c522fd818e4d8680c06063e018c6c2c7ae9d738b462268b0a4a0fe3e8418db49942105534361429aa431fb9db19

Download Submit
C:\Users\Admin\AppData\Local\Temp\6rijjp-0.cmdline

Filesize
253B

MD5
d5e443857779f414bc3c44edba43e143

SHA1
177446932a92c00bb8b6e7fc35441ec69a1143b2

SHA256
46d6ebf8196d10a12f6135729e98eb3bb62355933a5607d259c251474869058e

SHA512
60e2a0663f17a654735fc4c5156bb0ce6b0c0a112011d993a1fff5dcc55055da697e6c0304ff94cee49101d0da84c31c0ce6c99bab9d94f87647af6f2398c3b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7B13.tmp

Filesize
5KB

MD5
980fabf4d222cfe5b55290faa63bd473

SHA1
fc35116d5eb267b0864073b6d07e54c2eb63e94b

SHA256
62afaf0fd16d40a8ead53fa47772ddd888975219ec3d0cd7b038923b9776d526

SHA512
f403ff594309350cf4f9f1e90245e98c3ee9ebdb26124506a79d2305d72d9821d74bdfec56a0ab760e941cfdce66299c99513e5d7162cb2adeeb6c9b256be257

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7BA0.tmp

Filesize
5KB

MD5
5757c2bd45971e46d42a20f26413df58

SHA1
6e24e40a053b18074857f8918c2962fbe58def0e

SHA256
b75822c7caec038e56efbd83b1682186d46114691e546fc07193470aab169d5e

SHA512
0d4c898430b04e8a1ac94fa7cf72fefe333bf1f3e0ca3b9fdb355a9fbde4be7217d5c81f53e409443a82e760cf4bc1b1b4a43a0bfd2516687564ccb717bbf0bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7C0D.tmp

Filesize
5KB

MD5
b51db98ebf370e5273b23af2158ebfad

SHA1
4fb8fba0fbbbcdf4497e1b749acc6e25828875fa

SHA256
b393290ee695d9328fc40a8ff2d1d70cad57b55bf3172a2c941fe0bf2eb5ee81

SHA512
152e83a1c9b9804893e2d14776b641e3c6c6a9fa69828bbab735e9c8681fd37cf31beaf38625591d84226282b00a3901b1013a0a583f79e22595262de031de59

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7C7B.tmp

Filesize
5KB

MD5
e6ff30315a827b58ab0eb9b54da4d852

SHA1
60f84abc30c85885ff3b2ff8c798ccc632fdf850

SHA256
cd45f62a97760be9aa426a9827ac029bb122ebe8082a0c77bd1026c942d0055a

SHA512
5303ba310ab3b9db03e2df2cd91acf248d913f1e5c873a2f3bea8abbf7ca338e953af04cea9e40ece7913faa620adcdbc921b42c94924ab2c598307f4d8f3d6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7CE8.tmp

Filesize
5KB

MD5
9c63f945d9589111b082254a3f7ea567

SHA1
b9e6407917aac0311a7e5f808a73e836421c9f8c

SHA256
f547f0cdc42f103773865a08422301e29c1dae719b15ec9a4566d89b7eebb417

SHA512
20700f718a9129060341ef2ed1f31ee39bb4113b46bd7a212a42549c760bd4ca1198d5fd1923fea0d36ee1a4c7e93959b468705d79ada6c15017300477a2cfde

Download Submit
C:\Users\Admin\AppData\Local\Temp\RGIA007.tmp

Filesize
24KB

MD5
dd4f5026aa316d4aec4a9d789e63e67b

SHA1
fe41b70acbcba7aa0b8a606fe82bcfde9a7bf153

SHA256
8d7e6cee70d6035c066b93143461d5f636e144373f5c46bc10a8935d306e0737

SHA512
3f18e86d8d5119df6df0d914ebf43c1a6dadb3fdeff8002940a02d0a3d763e779068a682ee6bafe650b6c371d4be2e51e01759ec5b950eef99db5499e3a6c568

Download Submit
C:\Users\Admin\AppData\Local\Temp\RGIA02A.tmp

Filesize
3KB

MD5
a828b8c496779bdb61fce06ba0d57c39

SHA1
2c0c1f9bc98e29bf7df8117be2acaf9fd6640eda

SHA256
c952f470a428d5d61ed52fb05c0143258687081e1ad13cfe6ff58037b375364d

SHA512
effc846e66548bd914ad530e9074afbd104fea885237e9b0f0f566bd535996041ec49fb97f4c326d12d9c896390b0e76c019b3ace5ffeb29d71d1b48e83cbaea

Download Submit
C:\Users\Admin\AppData\Local\Temp\he_c-lgh.0.vb

Filesize
376B

MD5
7a8e43324d0d14c80d818be37719450f

SHA1
d138761c6b166675a769e5ebfec973435a58b0f4

SHA256
733f757dc634e79bdc948df6eff73581f4f69dd38a8f9fafae1a628180bf8909

SHA512
7a84dbe0f6eebdc77fd14dd514ed83fb9f4b9a53b2db57d6d07c5ff45c421eac15fdc5e71c3bc9b5b5b7c39341d8e3157a481d9dacefe9faff092478a0cea715

Download Submit
C:\Users\Admin\AppData\Local\Temp\he_c-lgh.cmdline

Filesize
267B

MD5
61b4132ff412baabe2d7a1acf0800147

SHA1
4336c631a4912b45d91e3f089f4ad376893886af

SHA256
96912017bae27b3627b418cd59d1e42c96ce6128144261c9bc55c564aa7d2964

SHA512
aa08333fbb4533ecd90f46e17bc09fdb7913fc2529ee2921f104660604b2a8cef36559e96bc5ea43ef2222b88db2cf89912e681ebc1b96316969527c9df45601

Download Submit
C:\Users\Admin\AppData\Local\Temp\jdzv3ym0.0.vb

Filesize
369B

MD5
e4a08a8771d09ebc9b6f8c2579f79e49

SHA1
e9fcba487e1a511f4a3650ab5581911b5e88395d

SHA256
ef4c31d167a9ab650ace2442feeec1bf247e7c9813b86fbea973d2642fac1fb6

SHA512
48135e0de7b1a95d254ae351ccac0cb39c0d9a46c294507e4bf2b582c780c1b537487161396dd69584c23455950f88512e9931dbff4287c1072938e812a34dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jdzv3ym0.cmdline

Filesize
253B

MD5
ffd60336ad7f5adcb8bf2ca54ec6f471

SHA1
a54e4edb5fca119cc50322f992bb4b1f354a4e95

SHA256
27de532500ca3d5fa1172283cb2ab2ad090ab2cb16dfffaf81fec166a93c3ef5

SHA512
f84dd1321187e4a2078e4da8b94019b6bd57fc28e16600336d5398c6040b08776bd9580e38b7c485561cd24051438037cfba954b4d93d9f823152e694ecb2a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\oyvdugyc.0.vb

Filesize
355B

MD5
6e4e3d5b787235312c1ab5e76bb0ac1d

SHA1
8e2a217780d163865e3c02c7e52c10884d54acb6

SHA256
aec61d3fe3554246ea43bd9b993617dd6013ad0d1bc93d52ac0a77410996e706

SHA512
b2b69516073f374a6554483f5688dcdb5c95888374fb628f11a42902b15794f5fa792cf4794eae3109f79a7454b41b9be78296c034dd881c26437f081b4eaea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oyvdugyc.cmdline

Filesize
224B

MD5
c439a4e703400dafc6ed43c0dffa5dd7

SHA1
9298d7c5de45f7314165653ccd8f240f7fa030a1

SHA256
72044df8bdef0327208296f96862ad06e6f6a30107e945b17716468d683b1164

SHA512
313fc3704acc4c24c3b94f8c393e2a603e0bb688ddde593efdd3c6672b3ff741a5653a56510299083575da24e53662cab772c1d7e22309e10969779f90756704

Download Submit
C:\Users\Admin\AppData\Local\Temp\qjzbeb9-.0.vb

Filesize
355B

MD5
acd609faf5d65b35619397dc8a3bc721

SHA1
ba681e91613d275de4b51317a83e19de2dbf1399

SHA256
4cfd86d51d0133dda53ba74f67ffe1833b4c0e9aae57afe2405f181fc602f518

SHA512
400ffd60ce7201d65e685734cea47a96abca58ca2babda8654b1d25f82d2766ca862a34f46c827249a4dc191d48f56005a9f242765d7becdda1344b8741a9d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qjzbeb9-.cmdline

Filesize
224B

MD5
fbe8fc17c9cc00a937fa20055db9bb12

SHA1
0b6e1d307e68a204fbb4ae14b28ff94be124bfe2

SHA256
c48f2e4db5740403f0b55fe28141404cfdfd6a6adadb138499ee06d4b3317507

SHA512
832cc008bd92044829ac26f46140fb851e36225f0e3e8c3e9ddefe7237d9090d4112fba5c000c15a1ec83206a1d76b17cea38af156ee8cdfa871117d326903a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
91B

MD5
de97f8c7f4f066b79ad91c4883cc6716

SHA1
92cc8bf74888ea1151d9fd219eb8caee02978556

SHA256
a99f5d4f9a3cff36d5fa6ce75c5aa651448860ee1b29111bd8ad96eca85b05d9

SHA512
cfc7ab2465cce5b7bd5a8ed8ba0b632afc3f1b74f70f1d799f858d2271afbbbb3b37697e1074d6f85aabb4748745566d72ec68bfb2e90d312879875406efd0f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\v-soq9p8.0.vb

Filesize
373B

MD5
197e7c770644a06b96c5d42ef659a965

SHA1
d02ffdfa2e12beff7c2c135a205bbe8164f8f4bc

SHA256
786a6fe1496a869b84e9d314cd9ca00d68a1b6b217553eff1e94c93aa6bc3552

SHA512
7848cdc1d0ec0ca3ec35e341954c5ca1a01e32e92f800409e894fd2141a9304a963ada6a1095a27cc8d05417cd9c9f8c97aed3e97b64819db5dd35898acac3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\v-soq9p8.cmdline

Filesize
261B

MD5
754345fcd299bc6ebf4c11e93f865197

SHA1
7ccee8adde18bcf7213c28818053f9cb21076536

SHA256
1c64a5c56ddac0e3c0075e85b11a7b3a7922acbfd92c9eb7bc61c27cce23b378

SHA512
83edd58182cd4a35830c0f420e8fb9c6d6e99853dc3b091bfe1b277507eb520f689254eba93a0a77efd542b45db8cb1c929e2c429266c120d094ccf446c5bc69

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3A0FF164B2F548F3A4852385DB3B5E72.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc552E8A989FFE4283818353F7FEBEE8B9.TMP

Filesize
5KB

MD5
249d49f34404bfbe7ed958880be39f61

SHA1
51ec83fb9190df984bf73f2c5cd1edc0edf1882a

SHA256
fcb5a4d24f24fbeaf4dc9d8e29f2701b2bb71411acb13c4fa67fe7025892912b

SHA512
082f47f59b9184dd6c88f64214e10b82656a09c5a5cf3f0eccbf7935505db473eeb9a395cb5b59ec5009e731f2aa1891670c94ff6315a0b2d4fcc0392cff0e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc57E51E9CD49947FBBCD339E9AB5EC89F.TMP

Filesize
5KB

MD5
abeaa4a5b438ffa58d07d9459e5c1d6c

SHA1
69631de7891162dd4840112a251f6531feae7509

SHA256
ce174412cb2889bbf162b7ebe4476da5a9c928ba5b13111d338753ccc4c0f5fd

SHA512
c9cae8bcc14661e993d97a3c7b658310a8b9c19044817589f92eab66f1bcfcecb3468b0de8b45cd68e218c23cd9c60aeef1d391af36ec03afab5c8b86d7937d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc62ABE1117E1F4FF88EFD226C964BF48.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc64E465378AD74C78A2EB525CD387B6C.TMP

Filesize
5KB

MD5
d56475192804e49bf9410d1a5cbd6c69

SHA1
215ecb60dc9a38d5307acb8641fa0adc52fea96c

SHA256
235e01afd8b5ad0f05911689146c2a0def9b73082998ac02fd8459682f409eee

SHA512
03338d75dd54d3920627bd4cb842c8c3fefad3c8130e1eeb0fa73b6c31b536b3d917e84578828219b4ffd2e93e1775c163b69d74708e4a8894dd437db5e22e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6E611BBFD1F1488B89B07422167FCB5A.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc72CE8F084D147869BFF8BED7360AC.TMP

Filesize
5KB

MD5
2f97904377030e246bb29672a31d9284

SHA1
b6d7146677a932a0bd1f666c7a1f98f5483ce1f9

SHA256
7e033003d0713f544de1f18b88b1f5a7a284a13083eb89e7ce1fe817c9bb159f

SHA512
ddf2c3a3ec60bed63e9f70a4a5969b1647b1061c6ff59d3b863771c8185904d3937d1f8227f0e87572329060300096a481d61e8dc3207df6fe0568da37289f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8CC588DA6D8E4154862682E649664E9.TMP

Filesize
5KB

MD5
d01de1982af437cbba3924f404c7b440

SHA1
ccbd4d8726966ec77be4dbe1271f7445d4f9b0ce

SHA256
518d9922618db6eea409cee46b85252f0d060b45c2f896cb82eeca22eb715598

SHA512
a219cd3df17bcf16cb57bdeea804e206a60be50084e2cb99d6d5e77d88957d79535d110b34735a4b549d3fcae528cdff8bfa5286582028ef22e8b4d60e146878

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
\??\pipe\crashpad_4140_LURSMPAGNJOJSJAI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/696-1609-0x0000000001200000-0x00000000012F4000-memory.dmp

Filesize
976KB

Download
memory/696-1616-0x0000000001200000-0x00000000012F4000-memory.dmp

Filesize
976KB

Download
memory/696-1617-0x0000000001200000-0x00000000012F4000-memory.dmp

Filesize
976KB

Download
memory/720-1708-0x00000000033E0000-0x00000000033E1000-memory.dmp

Filesize
4KB

Download
memory/1056-1078-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1116-1583-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2360-1077-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2612-1074-0x000000001B3D0000-0x000000001B476000-memory.dmp

Filesize
664KB

Download
memory/2612-1075-0x000000001BF10000-0x000000001BF72000-memory.dmp

Filesize
392KB

Download
memory/2612-1073-0x000000001B9D0000-0x000000001BE9E000-memory.dmp

Filesize
4.8MB

Download
memory/3584-1618-0x0000000000FC0000-0x00000000010CC000-memory.dmp

Filesize
1.0MB

Download
memory/3584-1619-0x0000000000FC0000-0x00000000010CC000-memory.dmp

Filesize
1.0MB

Download
memory/3584-1620-0x0000000000FC0000-0x00000000010CC000-memory.dmp

Filesize
1.0MB

Download
memory/3800-1349-0x000001AC55640000-0x000001AC55641000-memory.dmp

Filesize
4KB

Download
memory/3800-1353-0x000001AC55640000-0x000001AC55641000-memory.dmp

Filesize
4KB

Download
memory/3800-1343-0x000001AC55640000-0x000001AC55641000-memory.dmp

Filesize
4KB

Download
memory/3800-1352-0x000001AC55640000-0x000001AC55641000-memory.dmp

Filesize
4KB

Download
memory/3800-1351-0x000001AC55640000-0x000001AC55641000-memory.dmp

Filesize
4KB

Download
memory/3800-1354-0x000001AC55640000-0x000001AC55641000-memory.dmp

Filesize
4KB

Download
memory/3800-1342-0x000001AC55640000-0x000001AC55641000-memory.dmp

Filesize
4KB

Download
memory/3800-1344-0x000001AC55640000-0x000001AC55641000-memory.dmp

Filesize
4KB

Download
memory/3800-1350-0x000001AC55640000-0x000001AC55641000-memory.dmp

Filesize
4KB

Download
memory/3800-1348-0x000001AC55640000-0x000001AC55641000-memory.dmp

Filesize
4KB

Download
memory/3888-1607-0x0000000000F70000-0x000000000110C000-memory.dmp

Filesize
1.6MB

Download
memory/3888-1614-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/3888-1606-0x0000000000F70000-0x000000000110C000-memory.dmp

Filesize
1.6MB

Download
memory/3888-1608-0x0000000000F70000-0x000000000110C000-memory.dmp

Filesize
1.6MB

Download
memory/3888-1610-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/3888-1615-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4396-1713-0x0000000000B00000-0x0000000000C0C000-memory.dmp

Filesize
1.0MB

Download
memory/4396-1714-0x0000000000B00000-0x0000000000C0C000-memory.dmp

Filesize
1.0MB

Download
memory/4396-1715-0x0000000000B00000-0x0000000000C0C000-memory.dmp

Filesize
1.0MB

Download
memory/4532-1582-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5252-2220-0x0000000001380000-0x0000000001381000-memory.dmp

Filesize
4KB

Download
memory/5368-1621-0x0000000000DE0000-0x000000000141D000-memory.dmp

Filesize
6.2MB

Download
memory/5368-2218-0x0000000000DE0000-0x000000000141D000-memory.dmp

Filesize
6.2MB

Download
memory/5368-1939-0x0000000000DE0000-0x000000000141D000-memory.dmp

Filesize
6.2MB

Download
memory/5368-1622-0x0000000000DE0000-0x000000000141D000-memory.dmp

Filesize
6.2MB

Download
memory/5368-1638-0x0000000000DE0000-0x000000000141D000-memory.dmp

Filesize
6.2MB

Download
memory/5368-2222-0x0000000000DE0000-0x000000000141D000-memory.dmp

Filesize
6.2MB

Download
memory/5368-2221-0x0000000000DE0000-0x000000000141D000-memory.dmp

Filesize
6.2MB

Download
memory/5368-1898-0x0000000000DE0000-0x000000000141D000-memory.dmp

Filesize
6.2MB

Download
memory/5368-2078-0x0000000000DE0000-0x000000000141D000-memory.dmp

Filesize
6.2MB

Download
memory/5368-1764-0x0000000000DE0000-0x000000000141D000-memory.dmp

Filesize
6.2MB

Download
memory/5368-2219-0x0000000000DE0000-0x000000000141D000-memory.dmp

Filesize
6.2MB

Download
memory/5368-1605-0x0000000000DE0000-0x000000000141D000-memory.dmp

Filesize
6.2MB

Download
memory/5368-2214-0x0000000000DE0000-0x000000000141D000-memory.dmp

Filesize
6.2MB

Download
memory/5980-1543-0x000002A80A200000-0x000002A80AB14000-memory.dmp

Filesize
9.1MB

Download
memory/6120-1623-0x0000000000F00000-0x000000000100C000-memory.dmp

Filesize
1.0MB

Download
memory/6120-1625-0x0000000000F00000-0x000000000100C000-memory.dmp

Filesize
1.0MB

Download
memory/6120-1624-0x0000000000F00000-0x000000000100C000-memory.dmp

Filesize
1.0MB

Download
memory/6124-1513-0x0000024129F30000-0x0000024129F4E000-memory.dmp

Filesize
120KB

Download
memory/6132-1636-0x0000000000600000-0x000000000070C000-memory.dmp

Filesize
1.0MB

Download
memory/6132-1635-0x0000000000600000-0x000000000070C000-memory.dmp

Filesize
1.0MB

Download
memory/6132-1637-0x0000000000600000-0x000000000070C000-memory.dmp

Filesize
1.0MB

Download