crimsonrat | hxxps://cdn[.]discordapp[.]com/attachments/1256009606883442768/1286063807256465428/onibye-1[.]7[.]2[.]exe?ex=66efd781&is=66ee8601&hm=738f6adda77c7359d50d8cfcc2eba4c2e011200276b4c324ba552594c969d3af&

Resubmissions

23-09-2024 07:59

240923-jvnsvazdnq 4

21-09-2024 13:07

240921-qczwqatdjc 10

Analysis

max time kernel
668s
max time network
669s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1256009606883442768/1286063807256465428/onibye-1.7.2.exe?ex=66efd781&is=66ee8601&hm=738f6adda77c7359d50d8cfcc2eba4c2e011200276b4c324ba552594c969d3af&

Score

10^/10

crimsonrat lumma njrat revengerat warzonerat guest discovery evasion infostealer persistence privilege_escalation rat rezer0 stealer trojan

Malware Config

Extracted

Family

warzonerat

168.61.222.215:5400

Extracted

Family

revengerat

Botnet

Guest

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Extracted

Family

crimsonrat

185.136.161.124

Extracted

Family

lumma

https://achievenmtynwjq.shop/api

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00090000000239a1-1267.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

description	pid	Process	procid_target
PID 3708 created 616	3708	onibye-1.7.2.exe	5
PID 3540 created 616	3540	onibye-1.7.2.exe	5
PID 3052 created 616	3052	onibye-1.7.2.exe	5
PID 4964 created 616	4964	onibye-1.7.2.exe	5
PID 1752 created 616	1752	onibye-1.7.2.exe	5
PID 4732 created 616	4732	onibye-1.7.2.exe	5
PID 1668 created 616	1668	onibye-1.7.2.exe	5
PID 2772 created 616	2772	onibye-1.7.2.exe	5
PID 2016 created 616	2016	onibye-1.7.2.exe	5
PID 3712 created 616	3712	onibye-1.7.2.exe	5
PID 2676 created 616	2676	onibye-1.7.2.exe	5

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

resource	yara_rule
behavioral1/memory/1624-1198-0x0000000005630000-0x0000000005658000-memory.dmp	rezer0

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0008000000023997-917.dat	revengerat

Warzone RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/1592-1231-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/1592-1232-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3648	netsh.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	NJRat.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	NJRat.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\b9584a316aeb9ca9b31edd4db18381f5.exe	taskmgr.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\b9584a316aeb9ca9b31edd4db18381f5.exe	taskmgr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe

Executes dropped EXE 11 IoCs

pid	Process
3368	OWinstaller.exe
3480	[email protected]@ucnher.exe
4984	[email protected]@ucnher.exe
692	dlrarhsiva.exe
4536	dlrarhsiva.exe
4880	[email protected]@ucnher.exe
4372	OWinstaller.exe
440	svchost.exe
6016	svchost.exe
6064	svchost.exe
6112	svchost.exe

Loads dropped DLL 22 IoCs

pid	Process
2940	Hone - Installer.exe
2940	Hone - Installer.exe
2940	Hone - Installer.exe
2940	Hone - Installer.exe
2940	Hone - Installer.exe
2940	Hone - Installer.exe
2940	Hone - Installer.exe
3368	OWinstaller.exe
3368	OWinstaller.exe
3368	OWinstaller.exe
3368	OWinstaller.exe
2104	Hone - Installer.exe
2104	Hone - Installer.exe
2104	Hone - Installer.exe
2104	Hone - Installer.exe
2104	Hone - Installer.exe
2104	Hone - Installer.exe
2104	Hone - Installer.exe
4372	OWinstaller.exe
4372	OWinstaller.exe
4372	OWinstaller.exe
4372	OWinstaller.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe"	RegSvcs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Desktop\\NJRat.exe\" .."	NJRat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Desktop\\NJRat.exe\" .."	NJRat.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 31 IoCs

Web Service

T1102

flow	ioc
379	bitbucket.org
1208	raw.githubusercontent.com
1231	0.tcp.ngrok.io
320	sites.google.com
377	bitbucket.org
454	sites.google.com
828	0.tcp.ngrok.io
319	sites.google.com
375	bitbucket.org
317	sites.google.com
1204	raw.githubusercontent.com
1207	raw.githubusercontent.com
763	0.tcp.ngrok.io
1066	0.tcp.ngrok.io
439	raw.githubusercontent.com
453	sites.google.com
677	raw.githubusercontent.com
678	raw.githubusercontent.com
705	0.tcp.ngrok.io
1203	raw.githubusercontent.com
318	sites.google.com
364	sites.google.com
676	raw.githubusercontent.com
1205	raw.githubusercontent.com
374	sites.google.com
376	bitbucket.org
365	sites.google.com
1206	raw.githubusercontent.com
446	raw.githubusercontent.com
380	bitbucket.org
438	raw.githubusercontent.com

Suspicious use of SetThreadContext 17 IoCs

description	pid	Process	procid_target
PID 3480 set thread context of 4244	3480	[email protected]@ucnher.exe	235
PID 4984 set thread context of 1668	4984	[email protected]@ucnher.exe	238
PID 1624 set thread context of 1592	1624	WarzoneRAT.exe	293
PID 1340 set thread context of 1536	1340	RevengeRAT.exe	295
PID 1536 set thread context of 3680	1536	RegSvcs.exe	296
PID 3500 set thread context of 4988	3500	WarzoneRAT.exe	308
PID 2948 set thread context of 3096	2948	RevengeRAT.exe	310
PID 3096 set thread context of 1012	3096	RegSvcs.exe	311
PID 440 set thread context of 3784	440	svchost.exe	396
PID 3784 set thread context of 3480	3784	RegSvcs.exe	397
PID 4880 set thread context of 1648	4880	[email protected]@ucnher.exe	408
PID 6016 set thread context of 6044	6016	svchost.exe	435
PID 6044 set thread context of 6068	6044	RegSvcs.exe	436
PID 6064 set thread context of 2620	6064	svchost.exe	452
PID 2620 set thread context of 5348	2620	RegSvcs.exe	453
PID 6112 set thread context of 5912	6112	svchost.exe	465
PID 5912 set thread context of 4640	5912	RegSvcs.exe	466

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onibye-1.7.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onibye-1.7.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onibye-1.7.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onibye-1.7.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onibye-1.7.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onibye-1.7.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onibye-1.7.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onibye-1.7.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onibye-1.7.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onibye-1.7.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onibye-1.7.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onibye-1.7.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onibye-1.7.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onibye-1.7.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onibye-1.7.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hone - Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onibye-1.7.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hone - Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133713979372953749"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{94A220EC-CDEA-456C-9143-B50D03CA97B4}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{AD782079-97D1-4583-B0F7-EA199575EA0F}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{26FC7A1D-5ABE-40A1-87A8-1A95BC9EF82B}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{EF6339C2-B7C1-4887-BEDA-79F5D3C7E9B7}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3180	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4884	schtasks.exe
640	schtasks.exe
2720	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3708	onibye-1.7.2.exe
3708	onibye-1.7.2.exe
3540	onibye-1.7.2.exe
3540	onibye-1.7.2.exe
3052	onibye-1.7.2.exe
4964	onibye-1.7.2.exe
1752	onibye-1.7.2.exe
4732	onibye-1.7.2.exe
1668	onibye-1.7.2.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe
4920	NJRat.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4920	NJRat.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 45 IoCs

pid	Process
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3708	onibye-1.7.2.exe
Token: SeDebugPrivilege	3068	onibye-1.7.2.exe
Token: SeDebugPrivilege	3068	onibye-1.7.2.exe
Token: SeDebugPrivilege	3540	onibye-1.7.2.exe
Token: SeDebugPrivilege	2916	onibye-1.7.2.exe
Token: SeDebugPrivilege	2916	onibye-1.7.2.exe
Token: 33	4064	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4064	AUDIODG.EXE
Token: SeRestorePrivilege	3200	7zG.exe
Token: 35	3200	7zG.exe
Token: SeSecurityPrivilege	3200	7zG.exe
Token: SeSecurityPrivilege	3200	7zG.exe
Token: SeRestorePrivilege	3620	7zG.exe
Token: 35	3620	7zG.exe
Token: SeSecurityPrivilege	3620	7zG.exe
Token: SeSecurityPrivilege	3620	7zG.exe
Token: SeDebugPrivilege	3368	OWinstaller.exe
Token: SeDebugPrivilege	3052	onibye-1.7.2.exe
Token: SeDebugPrivilege	3084	onibye-1.7.2.exe
Token: SeDebugPrivilege	3084	onibye-1.7.2.exe
Token: SeDebugPrivilege	4964	onibye-1.7.2.exe
Token: SeDebugPrivilege	4840	onibye-1.7.2.exe
Token: SeDebugPrivilege	4840	onibye-1.7.2.exe
Token: SeDebugPrivilege	1752	onibye-1.7.2.exe
Token: SeDebugPrivilege	668	onibye-1.7.2.exe
Token: SeDebugPrivilege	668	onibye-1.7.2.exe
Token: SeDebugPrivilege	4732	onibye-1.7.2.exe
Token: SeDebugPrivilege	1620	onibye-1.7.2.exe
Token: SeDebugPrivilege	1620	onibye-1.7.2.exe
Token: SeDebugPrivilege	1668	onibye-1.7.2.exe
Token: SeDebugPrivilege	4640	onibye-1.7.2.exe
Token: SeDebugPrivilege	4640	onibye-1.7.2.exe
Token: SeDebugPrivilege	4920	NJRat.exe
Token: SeDebugPrivilege	2772	onibye-1.7.2.exe
Token: SeDebugPrivilege	3040	onibye-1.7.2.exe
Token: SeDebugPrivilege	3040	onibye-1.7.2.exe
Token: 33	4920	NJRat.exe
Token: SeIncBasePriorityPrivilege	4920	NJRat.exe
Token: SeDebugPrivilege	2016	onibye-1.7.2.exe
Token: SeDebugPrivilege	4124	onibye-1.7.2.exe
Token: SeDebugPrivilege	4124	onibye-1.7.2.exe
Token: SeDebugPrivilege	1292	taskmgr.exe
Token: SeSystemProfilePrivilege	1292	taskmgr.exe
Token: SeCreateGlobalPrivilege	1292	taskmgr.exe
Token: 33	4920	NJRat.exe
Token: SeIncBasePriorityPrivilege	4920	NJRat.exe
Token: 33	4920	NJRat.exe
Token: SeIncBasePriorityPrivilege	4920	NJRat.exe
Token: 33	1292	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1292	taskmgr.exe
Token: SeDebugPrivilege	3712	onibye-1.7.2.exe
Token: SeDebugPrivilege	3920	onibye-1.7.2.exe
Token: SeDebugPrivilege	3920	onibye-1.7.2.exe
Token: 33	4920	NJRat.exe
Token: SeIncBasePriorityPrivilege	4920	NJRat.exe
Token: 33	4920	NJRat.exe
Token: SeIncBasePriorityPrivilege	4920	NJRat.exe
Token: 33	4920	NJRat.exe
Token: SeIncBasePriorityPrivilege	4920	NJRat.exe
Token: 33	4920	NJRat.exe
Token: SeIncBasePriorityPrivilege	4920	NJRat.exe
Token: 33	4920	NJRat.exe
Token: SeIncBasePriorityPrivilege	4920	NJRat.exe
Token: 33	4920	NJRat.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3200	7zG.exe
3620	7zG.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
1292	taskmgr.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4016	OpenWith.exe
4016	OpenWith.exe
4016	OpenWith.exe
3368	OWinstaller.exe
3368	OWinstaller.exe
3368	OWinstaller.exe
4372	OWinstaller.exe
4372	OWinstaller.exe
4372	OWinstaller.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3708 wrote to memory of 3068	3708	onibye-1.7.2.exe	126
PID 3708 wrote to memory of 3068	3708	onibye-1.7.2.exe	126
PID 3708 wrote to memory of 3068	3708	onibye-1.7.2.exe	126
PID 3540 wrote to memory of 2916	3540	onibye-1.7.2.exe	130
PID 3540 wrote to memory of 2916	3540	onibye-1.7.2.exe	130
PID 3540 wrote to memory of 2916	3540	onibye-1.7.2.exe	130
PID 4812 wrote to memory of 1496	4812	msedge.exe	184
PID 4812 wrote to memory of 1496	4812	msedge.exe	184
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 1360	4812	msedge.exe	186
PID 4812 wrote to memory of 2824	4812	msedge.exe	187
PID 4812 wrote to memory of 2824	4812	msedge.exe	187
PID 4812 wrote to memory of 3484	4812	msedge.exe	188
PID 4812 wrote to memory of 3484	4812	msedge.exe	188
PID 4812 wrote to memory of 3484	4812	msedge.exe	188

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Users\Admin\Desktop\onibye-1.7.2.exe
  "C:\Users\Admin\Desktop\onibye-1.7.2.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Users\Admin\Desktop\onibye-1.7.2.exe
  "C:\Users\Admin\Desktop\onibye-1.7.2.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- C:\Users\Admin\Desktop\onibye-1.7.2.exe
  "C:\Users\Admin\Desktop\onibye-1.7.2.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3084
- C:\Users\Admin\Desktop\onibye-1.7.2.exe
  "C:\Users\Admin\Desktop\onibye-1.7.2.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4840
- C:\Users\Admin\Desktop\onibye-1.7.2.exe
  "C:\Users\Admin\Desktop\onibye-1.7.2.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:668
- C:\Users\Admin\Desktop\onibye-1.7.2.exe
  "C:\Users\Admin\Desktop\onibye-1.7.2.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Users\Admin\Desktop\onibye-1.7.2.exe
  "C:\Users\Admin\Desktop\onibye-1.7.2.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4640
- C:\Users\Admin\Desktop\onibye-1.7.2.exe
  "C:\Users\Admin\Desktop\onibye-1.7.2.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Users\Admin\Desktop\onibye-1.7.2.exe
  "C:\Users\Admin\Desktop\onibye-1.7.2.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4124
- C:\Users\Admin\Desktop\onibye-1.7.2.exe
  "C:\Users\Admin\Desktop\onibye-1.7.2.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3920
- C:\Users\Admin\Desktop\onibye-1.7.2.exe
  "C:\Users\Admin\Desktop\onibye-1.7.2.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1256009606883442768/1286063807256465428/onibye-1.7.2.exe?ex=66efd781&is=66ee8601&hm=738f6adda77c7359d50d8cfcc2eba4c2e011200276b4c324ba552594c969d3af&
1⤵
PID:2396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4036,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=4176 /prefetch:1
1⤵
PID:2244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4128,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=5116 /prefetch:1
1⤵
PID:4944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5388,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=5424 /prefetch:1
1⤵
PID:2624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5452,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=5456 /prefetch:8
1⤵
PID:3296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5472,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=5624 /prefetch:8
1⤵
PID:244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=6224,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=6248 /prefetch:1
1⤵
PID:312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=2152,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8
1⤵
PID:1624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=2156,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=5132 /prefetch:1
1⤵
PID:932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=6780,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=6788 /prefetch:8
1⤵
PID:4148

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --field-trial-handle=6800,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=6848 /prefetch:8
1⤵
PID:3144

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --field-trial-handle=6800,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=6848 /prefetch:8
1⤵
PID:1520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=6348,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=6324 /prefetch:1
1⤵
PID:2064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=5132,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=7016 /prefetch:1
1⤵
PID:1756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=4716,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=7120 /prefetch:8
1⤵
PID:3560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=5440,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=6368 /prefetch:1
1⤵
PID:2552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --field-trial-handle=5424,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=6720 /prefetch:1
1⤵
PID:5024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6324,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=6336 /prefetch:8
1⤵
PID:1940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --field-trial-handle=3984,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=5180 /prefetch:1
1⤵
PID:3944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --field-trial-handle=6784,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=6576 /prefetch:1
1⤵
PID:3004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --field-trial-handle=4084,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=7128 /prefetch:1
1⤵
PID:1936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5576,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=756 /prefetch:8
1⤵
PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=6496,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=6460 /prefetch:8
1⤵
PID:3084

C:\Users\Admin\Desktop\onibye-1.7.2.exe
"C:\Users\Admin\Desktop\onibye-1.7.2.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3708

C:\Users\Admin\Desktop\onibye-1.7.2.exe
"C:\Users\Admin\Desktop\onibye-1.7.2.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --field-trial-handle=6988,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=5992 /prefetch:1
1⤵
PID:1076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --field-trial-handle=5200,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=7336 /prefetch:1
1⤵
PID:2360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --field-trial-handle=7332,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=7420 /prefetch:1
1⤵
PID:2632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --field-trial-handle=6824,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=4688 /prefetch:1
1⤵
PID:1744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --field-trial-handle=5612,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=5624 /prefetch:1
1⤵
PID:3540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --field-trial-handle=4912,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=6580 /prefetch:1
1⤵
PID:3368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --field-trial-handle=6032,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=5820 /prefetch:1
1⤵
PID:2272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --field-trial-handle=5992,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=6904 /prefetch:1
1⤵
PID:4656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --field-trial-handle=7004,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=5492 /prefetch:1
1⤵
PID:1464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --field-trial-handle=5632,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=5468 /prefetch:8
1⤵
PID:2012

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2cc 0x2f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --field-trial-handle=4616,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=7728 /prefetch:8
1⤵
- Modifies registry class
PID:1040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=7804,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=7780 /prefetch:8
1⤵
PID:180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --field-trial-handle=7176,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=6464 /prefetch:1
1⤵
PID:532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --field-trial-handle=7768,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=7876 /prefetch:1
1⤵
PID:4908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --field-trial-handle=8016,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=7808 /prefetch:1
1⤵
PID:2476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --field-trial-handle=7760,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=8144 /prefetch:1
1⤵
PID:3944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --field-trial-handle=8264,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=7952 /prefetch:1
1⤵
PID:1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --field-trial-handle=7772,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=7984 /prefetch:1
1⤵
PID:4476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --field-trial-handle=7420,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=4764 /prefetch:1
1⤵
PID:2632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --field-trial-handle=7984,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=7852 /prefetch:1
1⤵
PID:3508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --field-trial-handle=7852,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=8304 /prefetch:1
1⤵
PID:736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --field-trial-handle=8020,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=3968 /prefetch:8
1⤵
PID:2476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=8496,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=5676 /prefetch:8
1⤵
PID:1356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --field-trial-handle=5652,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=8492 /prefetch:1
1⤵
PID:3068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --field-trial-handle=5852,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=2904 /prefetch:1
1⤵
PID:1500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --field-trial-handle=8736,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=8744 /prefetch:1
1⤵
PID:2916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=7784,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=8684 /prefetch:8
1⤵
PID:5080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=7932,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=8412 /prefetch:8
1⤵
PID:1156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --field-trial-handle=7116,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=9036 /prefetch:1
1⤵
PID:2248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --field-trial-handle=8588,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=9072 /prefetch:1
1⤵
PID:3240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --field-trial-handle=9024,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=8784 /prefetch:1
1⤵
PID:1924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --field-trial-handle=9012,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=8968 /prefetch:1
1⤵
PID:4832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --field-trial-handle=8820,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=8616 /prefetch:1
1⤵
PID:1100

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\S.tup-1ucnh3r\" -ad -an -ai#7zMap1634:84:7zEvent30889
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3200

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3308

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4016

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\S.tup-1ucnh3r\[email protected]@ucnher\" -ad -an -ai#7zMap2459:116:7zEvent15791
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --field-trial-handle=9016,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=8688 /prefetch:1
1⤵
PID:1648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --field-trial-handle=8880,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=8748 /prefetch:1
1⤵
PID:1176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --field-trial-handle=5956,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=9000 /prefetch:1
1⤵
PID:2772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --field-trial-handle=8876,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=8940 /prefetch:1
1⤵
PID:4552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --field-trial-handle=8484,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=8800 /prefetch:1
1⤵
PID:2756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --field-trial-handle=8528,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=9060 /prefetch:1
1⤵
PID:3080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=9848,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=9776 /prefetch:8
1⤵
PID:2572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x238,0x23c,0x240,0x234,0x264,0x7ffe34f4d198,0x7ffe34f4d1a4,0x7ffe34f4d1b0
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2184,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1736,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=1404,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=3000,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=4564 /prefetch:8
  2⤵
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=3000,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=4564 /prefetch:8
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=560,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=4580 /prefetch:8
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4272,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=4768 /prefetch:8
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=3200,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=3188 /prefetch:8
  2⤵
  PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5156,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4868,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --field-trial-handle=5780,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=5800 /prefetch:8
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --field-trial-handle=5820,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=5844 /prefetch:8
  2⤵
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=6272,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=6224 /prefetch:1
  2⤵
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=6192,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=6400 /prefetch:1
  2⤵
  PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5356,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5764,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5432,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=6260 /prefetch:8
  2⤵
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5444,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6852,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=6920 /prefetch:8
  2⤵
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=7004,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=7156 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5240,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=7148 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=6832,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=7252 /prefetch:8
  2⤵
  PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --field-trial-handle=4000,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=4252 /prefetch:8
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=6008,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=6412,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=6552 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=6428,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=4200 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --field-trial-handle=7664,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=7640 /prefetch:8
  2⤵
  PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=7672,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=7684 /prefetch:1
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=7916,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=7488 /prefetch:1
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=7812,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=7440 /prefetch:1
  2⤵
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=7444,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=7696 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=7992,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=7808 /prefetch:8
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --field-trial-handle=8088,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=8100 /prefetch:8
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=8116,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=5836 /prefetch:8
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --field-trial-handle=8140,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=8092 /prefetch:8
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=7804,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=7688 /prefetch:8
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --field-trial-handle=3920,i,12108349247525597615,7518193137910341029,262144 --variations-seed-version --mojo-platform-channel-handle=7788 /prefetch:8
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:2624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x238,0x23c,0x240,0x234,0x260,0x7ffe34f4d198,0x7ffe34f4d1a4,0x7ffe34f4d1b0
    3⤵
    PID:4088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2196,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=2192 /prefetch:2
    3⤵
    PID:2436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1924,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=2228 /prefetch:3
    3⤵
    PID:3192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2180,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=2444 /prefetch:8
    3⤵
    PID:1076
- - C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4504,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=4532 /prefetch:8
    3⤵
    PID:3884
- - C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4504,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=4532 /prefetch:8
    3⤵
    PID:4388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=560,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=4856 /prefetch:8
    3⤵
    PID:2380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=3844,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=4860 /prefetch:8
    3⤵
    PID:2428
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=3144,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=3148 /prefetch:8
    3⤵
    PID:1804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4900,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=4896 /prefetch:1
    3⤵
    PID:2720
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4904,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=5072 /prefetch:1
    3⤵
    PID:1644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --field-trial-handle=5604,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=5620 /prefetch:8
    3⤵
    PID:448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --field-trial-handle=5592,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=5652 /prefetch:8
    3⤵
    PID:5048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5980,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=6128 /prefetch:1
    3⤵
    PID:2128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5992,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=6248 /prefetch:1
    3⤵
    PID:3484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6448,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=6424 /prefetch:8
    3⤵
    PID:1944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --field-trial-handle=6656,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=4588 /prefetch:8
    3⤵
    PID:1928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5244,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=5188 /prefetch:1
    3⤵
    PID:2516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=6260,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=6416 /prefetch:8
    3⤵
    PID:3420
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=6352,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=6304 /prefetch:1
    3⤵
    PID:3992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=7108,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=5224 /prefetch:1
    3⤵
    PID:1244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=6336,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=7244 /prefetch:1
    3⤵
    PID:3004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=7412,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=7428 /prefetch:1
    3⤵
    PID:3232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=7580,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=7572 /prefetch:1
    3⤵
    PID:1664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=7624,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=7632 /prefetch:1
    3⤵
    PID:2248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=7264,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=7360 /prefetch:1
    3⤵
    PID:5712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=7444,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=7888 /prefetch:1
    3⤵
    PID:5828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --field-trial-handle=8064,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=8068 /prefetch:8
    3⤵
    PID:5356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=7144,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=8104 /prefetch:1
    3⤵
    PID:5320
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=8396,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=8384 /prefetch:8
    3⤵
    PID:5332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=8436,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=8392 /prefetch:1
    3⤵
    PID:5436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=7232,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=7616 /prefetch:1
    3⤵
    PID:3052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=7936,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=7068 /prefetch:1
    3⤵
    PID:3728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=608,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=8452 /prefetch:8
    3⤵
    PID:2340
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=8096,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=8040 /prefetch:1
    3⤵
    PID:6116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=8956,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=8972 /prefetch:1
    3⤵
    PID:5240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=9100,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=9156 /prefetch:1
    3⤵
    PID:2916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --field-trial-handle=9076,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=1328 /prefetch:1
    3⤵
    PID:3892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --field-trial-handle=7916,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=8452 /prefetch:8
    3⤵
    PID:5172
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=7644,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=7512 /prefetch:8
    3⤵
    - Modifies registry class
    PID:2948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --field-trial-handle=9296,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=9284 /prefetch:8
    3⤵
    PID:3004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --field-trial-handle=9400,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=9424 /prefetch:1
    3⤵
    PID:228
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --field-trial-handle=9404,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=5968 /prefetch:1
    3⤵
    PID:5296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --field-trial-handle=9772,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=9828 /prefetch:1
    3⤵
    PID:5260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --field-trial-handle=10076,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=10032 /prefetch:1
    3⤵
    PID:3368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=10176,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=5008 /prefetch:8
    3⤵
    PID:4384
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\INSTALL.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3180
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --field-trial-handle=9332,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=6008 /prefetch:1
    3⤵
    PID:2772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --field-trial-handle=10188,i,1160276427941125663,1055203987883945379,262144 --variations-seed-version --mojo-platform-channel-handle=9736 /prefetch:1
    3⤵
    PID:1680

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"
1⤵
PID:4124

C:\Users\Admin\Desktop\Hone - Installer.exe
"C:\Users\Admin\Desktop\Hone - Installer.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2940
- C:\Users\Admin\AppData\Local\Temp\nso6C01.tmp\OWinstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\nso6C01.tmp\OWinstaller.exe" Sel=0&Extension=mgkabooemhaamambocobpeoeelpadcjhjgbcfhlc&Name=Hone&Referer=hone.gg&Browser=firefox -partnerCustomizationLevel 1 -customPromoPages --owelectronUrl=https://download.overwolf.com/setup/electron/mgkabooemhaamambocobpeoeelpadcjhjgbcfhlc --disable-change-location --disable-ow-shortcut-ui --disable-app-shortcut-ui --enable-app-shortcut --eula-url=https://hone.gg/terms --privacy-url=https://hone.gg/privacy --silent-setup --app-name="Hone" --auto-close -exepath C:\Users\Admin\Desktop\Hone - Installer.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3368

C:\Users\Admin\Desktop\onibye-1.7.2.exe
"C:\Users\Admin\Desktop\onibye-1.7.2.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Users\Admin\Desktop\[email protected]@ucnher.exe
"C:\Users\Admin\Desktop\[email protected]@ucnher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3480
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4244

C:\Users\Admin\Desktop\onibye-1.7.2.exe
"C:\Users\Admin\Desktop\onibye-1.7.2.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Users\Admin\Desktop\[email protected]@ucnher.exe
"C:\Users\Admin\Desktop\[email protected]@ucnher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4984
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1668

C:\Users\Admin\Desktop\onibye-1.7.2.exe
"C:\Users\Admin\Desktop\onibye-1.7.2.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Users\Admin\Desktop\onibye-1.7.2.exe
"C:\Users\Admin\Desktop\onibye-1.7.2.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Users\Admin\Desktop\onibye-1.7.2.exe
"C:\Users\Admin\Desktop\onibye-1.7.2.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Users\Admin\Desktop\NJRat.exe
"C:\Users\Admin\Desktop\NJRat.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4920
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\Desktop\NJRat.exe" "NJRat.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3648

C:\Users\Admin\Desktop\onibye-1.7.2.exe
"C:\Users\Admin\Desktop\onibye-1.7.2.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Users\Admin\Desktop\onibye-1.7.2.exe
"C:\Users\Admin\Desktop\onibye-1.7.2.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1292

C:\Users\Admin\Desktop\onibye-1.7.2.exe
"C:\Users\Admin\Desktop\onibye-1.7.2.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
PID:4536

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"
1⤵
PID:3616

C:\Users\Admin\Desktop\WarzoneRAT.exe
"C:\Users\Admin\Desktop\WarzoneRAT.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1624
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6F6C.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:4164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1592

C:\Users\Admin\Desktop\RevengeRAT.exe
"C:\Users\Admin\Desktop\RevengeRAT.exe"
1⤵
- Suspicious use of SetThreadContext
PID:1340
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Drops startup file
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1536
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:3680
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wa1pem0r.cmdline"
    3⤵
    PID:848
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDAD8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA2F9109651C34678BD4AC8B13F1FE9.TMP"
      4⤵
      PID:5032
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xjzzp6hm.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3500
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDB75.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8206ECBDD353407FB7F6BFA3EADF1EA9.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4904
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pulovbwa.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1228
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD69.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDCE879D797BC4FB5B9CF8DCCBB92A646.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4788
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\opgr3fhq.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4384
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE076.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE3F526C780FF47CF969C83D2448C1263.TMP"
      4⤵
      PID:2288
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gbu9a_nn.cmdline"
    3⤵
    PID:1616
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE1BE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF2D55B09A9AE4C75A952B8443E9BB75.TMP"
      4⤵
      PID:1020
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ndgznxca.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2304
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE325.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAF6FBB02557E4D8AA798B4BEAAAEF96.TMP"
      4⤵
      PID:3124
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nrqkpmvl.cmdline"
    3⤵
    PID:516
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4CB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE18EAAC97FEA4E94A54A5E96D3A46274.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:848
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w4aipt0o.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:776
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE6BF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3364940E61D4CFBBF45876EB0ED3BDC.TMP"
      4⤵
      PID:812
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\veyzssnc.cmdline"
    3⤵
    PID:1340
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE7AA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc21A25A69FDAC404DA8FA2FED79CB854D.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3436
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o8ykscpb.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:208
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE8E2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc10F98D4F99034773932A2C1E29E99467.TMP"
      4⤵
      PID:2796
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kt0xzpsd.cmdline"
    3⤵
    PID:1676
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE96F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc70B86793803743CAA325D7D035655551.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3244
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xuoondv4.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2340
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA0B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc57EA952295524ED08655238D972BF67B.TMP"
      4⤵
      PID:1804
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zphnats4.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2940
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEAC6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD98225B568774D898C7C1DE37DF1986.TMP"
      4⤵
      PID:3764
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9k5zkqgx.cmdline"
    3⤵
    PID:3936
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB72.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc52CFE0F4DD5343619642148B71E18F23.TMP"
      4⤵
      PID:624
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ena8lqon.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4456
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC3D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBF41332B850C49A999BB42355C6789BD.TMP"
      4⤵
      PID:2076
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f7lyzlnl.cmdline"
    3⤵
    PID:812
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESECDA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc58B4C3D45A0B46938AC55276FF2F218.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2640
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l-ej1fvp.cmdline"
    3⤵
    PID:1040
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED95.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc801597845858478E97A3618278451729.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1092
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gqgan3d9.cmdline"
    3⤵
    PID:1600
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE51.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAA1A396AD4B04D81BAD35256F5D669.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:756
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q6xalzej.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5048
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF0C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc98A2BAE1894646A58E729765AA50D298.TMP"
      4⤵
      PID:2380
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ihs6dkfo.cmdline"
    3⤵
    PID:2616
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1804
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEFA8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc485260E9CCA42EF913886258B49599B.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2496
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o1axoxm1.cmdline"
    3⤵
    PID:3484
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF035.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc84D4441AF2BD4C5099E47A1B3D396A7.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2800
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kmxtnflc.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4168
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:624
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF0E1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC6903F4482BA49EF956C4B87B91A82D.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1464
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:440
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      Drops startup file
      Adds Run key to start application
      Suspicious use of SetThreadContext
      PID:3784
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3480
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2720
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xcyey2m2.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4768
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B6B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc902B3840B9E942569E5F7ABCD5BEE3.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5184
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tmtxqjis.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5260
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C37.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD0A75AFF899146549D18C66C1562DDA8.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5368
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9dn-_bjy.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5404
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D31.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC06F5C6756E94E2798EA9A9619B1949F.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5464
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v5bqjgyf.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5504
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8DFC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA4CC964438164348AFEDEE7C5DBCFDD3.TMP"
        6⤵
        
        PID:5564

C:\Users\Admin\Desktop\CrimsonRAT.exe
"C:\Users\Admin\Desktop\CrimsonRAT.exe"
1⤵
PID:4552
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:692

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
PID:4948

C:\Users\Admin\Desktop\WarzoneRAT.exe
"C:\Users\Admin\Desktop\WarzoneRAT.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3500
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp990D.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:3696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4988

C:\Users\Admin\Desktop\RevengeRAT.exe
"C:\Users\Admin\Desktop\RevengeRAT.exe"
1⤵
- Suspicious use of SetThreadContext
PID:2948
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3096
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:1012

C:\Users\Admin\Desktop\CrimsonRAT.exe
"C:\Users\Admin\Desktop\CrimsonRAT.exe"
1⤵
PID:3272
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:4536

C:\Users\Admin\Desktop\NJRat.exe
"C:\Users\Admin\Desktop\NJRat.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1288

C:\Users\Admin\Desktop\[email protected]@ucnher.exe
"C:\Users\Admin\Desktop\[email protected]@ucnher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4880
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1648

C:\Users\Admin\Desktop\Hone - Installer.exe
"C:\Users\Admin\Desktop\Hone - Installer.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2104
- C:\Users\Admin\AppData\Local\Temp\nslB6A8.tmp\OWinstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\nslB6A8.tmp\OWinstaller.exe" Sel=0&Extension=mgkabooemhaamambocobpeoeelpadcjhjgbcfhlc&Name=Hone&Referer=hone.gg&Browser=firefox -partnerCustomizationLevel 1 -customPromoPages --owelectronUrl=https://download.overwolf.com/setup/electron/mgkabooemhaamambocobpeoeelpadcjhjgbcfhlc --disable-change-location --disable-ow-shortcut-ui --disable-app-shortcut-ui --enable-app-shortcut --eula-url=https://hone.gg/terms --privacy-url=https://hone.gg/privacy --silent-setup --app-name="Hone" --auto-close -exepath C:\Users\Admin\Desktop\Hone - Installer.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:4372

C:\Users\Admin\Desktop\onibye-1.7.2.exe
"C:\Users\Admin\Desktop\onibye-1.7.2.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:2676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
PID:3932

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6016
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:6044
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:6068

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6064
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:2620
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5348

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6112
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5912
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\ProgramData\svchost\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico

Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\onibye-1.7.2.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
eddf99dd4a9f9fea4818be05fb6626f8

SHA1
3e556431929bacfa3de59be0f4fb51cdd94021a1

SHA256
55bad389627a5b8357b5033501ccc9510d4ee7870ea37a57f9b092378b2db49f

SHA512
b58872f3c76dd3a40bdc73b1cf7bb53252a17decd0a7151ed9ad27f53836e05a94784b201ad36099eda48bf2362b20c4081c5ed77ee8491551c3c7fed1c99cca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
bcaf889651d9b18d775699fc97984f81

SHA1
0b7267ee5755857c2d4fee06eea489ea21b9cee5

SHA256
0cec770709eda75ca3356953e18cdd8af48ea065ce3e4ff1c47400c9a79e077f

SHA512
c724798ccfd428c729e62f8655b9b162809d3297fa627f2fb94b510d7fbd67d0666da15c9d71af5755248ba1b24bfeac55b1896aa0d1d2cfe46dc3f3eb50fc89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\046fec1e-0ce8-4fb5-8ef1-cbf335581afb.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
17295a286d334b9c23097b217d11d6c4

SHA1
3c525e238044ec9180cbce636949b571e414779e

SHA256
27654b1f4275c1fb97c8100e55947eefc8e6b8a0de7808e58612c96dd5636050

SHA512
8df093c652d794de2a1489a2f80dfa814c5e371841552f41ad5cf9930c385c79b392101e8f9698b782456449ef4851eba030391922e5d027fb75c6ff16b6f2a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
10KB

MD5
128ff2ef11fb338d624f1595b29ed754

SHA1
e5cc8ac0417c8541b5df8fec8c3ebe38924ff6f9

SHA256
01bf58cb92f01bc6e4b694ccbfea7509d55770d711c0d1f8eed5c05e3ee9cc03

SHA512
44b12818613d2beeaa0dc700831f3e790ebb570f0d7d595a338936b25137fedb55c8021e955f7b0aa2861f767a6b42d531c10da3fadf53fa1f0587092f810aef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
c37c7fb540b3a75fb7f193a65a7cdd07

SHA1
665da8a1271604c945230ba5ec0f07db875881f6

SHA256
3e04d1fa849948578e9c597293e12279345aeb6da21625e0eadc30e7f739cf81

SHA512
d8492a242ee69fbf6a5f6fa9034f88368e47bef460b168f47f55382a2da6780e34a24e237180fc32cb3d4d6f5adbbc073493f3a1ad33e09897da5975a41041ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
10KB

MD5
6bdc241e995a5bf5beb63f0de896bd67

SHA1
5d2e2f7fa1ff6a2ec63a99bdeb3f48841bd50a5f

SHA256
c22c38c5126f4d1b7b61b2392a2c1e871a36dfa91d093442235f04ba88e0b9f8

SHA512
bdf2c4a1138a31a1509321820824305a09ecf94c448ba02f48675f171cbf345d6292e65d6eb242b4e3c1a6b68ca94c5503eaf216be8af6981e2e5de486c5c9fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
8f3dbd8d86465c8f2d4b6668f763cf83

SHA1
bd306642402d8896e0f5a40bb393f6aacdb23f9f

SHA256
087cb212f7282d9d06fb9e910e6119e5b6c0551f07d0966db2d804f4e079a405

SHA512
92ecf65ee86d38d988953de9c14e95d93115d0bab9b64e7ab767ccd54a4cdb23584530ebeddfc9e5cb4d0f9eb79cd888fe7b401a7781b0d4577996e4a5911bc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnGraphiteCache\data_1

Filesize
264KB

MD5
544dffe595874c43293475ddac317b48

SHA1
2fa860ba1befada985381f044152a45a1eaf8804

SHA256
b8eb53867b364e2e8cecaa07eae55ef2f8d2d8af32bfb3b52169112b97ad27ae

SHA512
7e9b64042e04a3d436a35fa820a8a5eedfd52a6fce5851702b6c9ebf40ac406f504f36586baa9c059b14e0578235a153f151b9aa627ddfb29d2b375ee245d2f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
16KB

MD5
3e6dde4d217eb17dc336f8ae0277f046

SHA1
7b032c652166786adf28cf17b2e41e0a2e9d7f66

SHA256
c300a96735e5689eaccdc1b48f8174f5fb89e1b7bf988c3a2b2eae3d937589e7

SHA512
a637eb0eb9d6ca5fb1d9bb01b876b4b0456e4adfa16c780126f8209bc4db6b90be55b8f6650309e1f2a92f398b0f359c538ebdd7e800d3d9a63fcec9a24c8acf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
16KB

MD5
de15508eabdb81fd25adb2b7989ec5ad

SHA1
76f182724be83099002c3d30b00468bd23ab4e04

SHA256
38241245178bf4924045419796834aec7021ceef2df50bfc95178e2102f940b7

SHA512
ee65b8c464a55eee9dfebad8d77e79a0d707d53a7383e4c963c65d29f43d58ba4eb2d57424aa649399564e05d4b86e477302975f7e82b292ed0a3e9815f83145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
211B

MD5
948c661529eab7a5b2661050c49398f4

SHA1
62fa5a7ea9764ab1d08bbe1008d887f39b826263

SHA256
780faa551c81a7d42c2072b8c5a21e20b672953e3cdfc4085f682a65c841375c

SHA512
79bfa447f5776b2c9fcf983ff61fc340a8e4249718c9d9b64e2db6dc8a2398be466ea2dcf6365b9ba980795054e6a0cbe958cb4d8c3589a202acfc14fc5206fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
211B

MD5
60f097494db135489bc29de7d1b220f2

SHA1
2bc23a9100c99f8ae8b5dec11d3ba323553aedf3

SHA256
060e86e3b7d1b8536d8d512d9fa47ea90565556167c665ed46201652c49abca9

SHA512
24c1b754d92bab8732c6871c695b72b75b79f1e16e6fe873254dd5b88af911b559eec7dcf9c69aa6d59dd67e441fd652a5066ed076b0899d8f86b5dd887ac00d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
211B

MD5
c6ba61f1e467a3d80cdc032e5645cf0b

SHA1
7812b9e1b273524411277d0f437ad084d50092e4

SHA256
6439287b879d662582c78aba74346f3abd247acc5d6111f1fd07213e285c92a8

SHA512
380ab78d983caf49acc46e1d324fb2ca97008b9adce75937f94adcc8e80d8c51c2992f2bf0d27637bed4e06bac390104f8a1c943fd18924abaaca01758a06d7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
211B

MD5
93add7c68ce9ad1d9b8e880dd7c22cb3

SHA1
e99f888d141a4b871b8d862a540569f591e30a2c

SHA256
77a1853740ac86e9ea558bcdefa53748f6a38b05bbaa87a1c1696ce1aaf6f5a3

SHA512
118f8a90bbe64422ac1c19fd586c6a09ea0c30ed138f79861cf628ce382afe74191aed3de7105c46bff917e2e98b82ae8ae71ec794d3410bf9329875a8cab3ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
211B

MD5
d4a5ebee215e98599a45017e3a40f2bb

SHA1
06efedc2e443bce8d732e2d731819e831ad231e7

SHA256
c11f97e48a724d5a9b364911c991e8876cf5f7bb810741129cb7a474afd60317

SHA512
f5a27af32c7f564b91b2aa4890875923029bd7c8a428287ebd2496e8d8b0a0313d1d3132df64a108ea0dfc02768eea11fbb2b548f8956c60b898b39bddab22da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
44e61d4c28e940bfc371dd13134b3d97

SHA1
c24339efb5a6fca4cdea86cb3f0e60e719285c61

SHA256
33aace3bbdd06f53ea062c19a4cca8051c7da78dc2f34d1dcd607671bf7aac38

SHA512
e7fa523b35e58078ccce420a4429cc490a9c9b71c382cc114b0f9daa02b60c685dbf57fae31c4627b6cf9c8d35dd7b95866c52a935982010437c7d7afa6cb3d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
780391fd7cf3562867279e4eb654d4b7

SHA1
c4ee2553c4cfb4c31b6f3e476de8fd2fc6fbd45c

SHA256
e7ae401a75d0223dc04590324269e94ccb231699ce5032987fe0c03181ed31f3

SHA512
a14e04583c8e09102e388c379f836e5cf8a9e19b7d832e1833de78203e18265c3813220f6d2894cfb8d866c3ee557d1645528b982222aa3246afdbb97b11c2b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
9d19bd35e32ea77d3523da481c3719fa

SHA1
70acc1a82f49b5e0e2cacc4a4d8e14cb1a0c596e

SHA256
1e93ce58950146d586e3afc2e722f5b4f018d0192b0895a0eed346a53ddf4f84

SHA512
5100ed7f041282e00bb68059a82f7f197a9499c880b746019f373fd91d07b6a65185476d829eb1402e94e103784dedbe0e733bbd52926d136c0155001a010eba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
457184e92db23d51814554acadaf1eb2

SHA1
dde144cfef55fc66a71a1cffcfe5c4dbefeebcbe

SHA256
8554e83234db11023a0a2613643b5bc495e64481790ac27d815274efe6848b91

SHA512
3cfa6cb08e6193d36d37292609d1f48e50f5dcd2e1b0b3161dc8b32e752316ba90e9c313f3932f8237f3ee9b909ba3bdcf77328533ee7f38d63ead45b71f9eca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
a822eb28df8505c9f287783b82322b3f

SHA1
0ea51d68ff8387cd0007212c26d87ad9a1bff310

SHA256
b475eab7d0a58e3a510bb63bec817c89f4b7a5f45635ee5b7c93799d7bec08e7

SHA512
13501c7368413967a98b6b138aa0a33936bbb0fdddc1d5570f26d74c50ae2f44b4545f64f403e370267d9404de48ad3046285e1430d41bbc04fb947f3f227670

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
8ec185cea6510a09f3c1496763fb1581

SHA1
e1fa7e9858c332dff568eae107df4703e847f03b

SHA256
1b81e07fdb0c44c2da336382ff67da50d73e734cd929663b002898949dbe21d9

SHA512
9be5b4303e23bbc465ae68b386fa9596fd12768e822f0c90e62842d0633066748085accf8d5fa7919b05da462c36db6221252315d099986853cef8b0d86ec6f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
ae50eecb9aee9b66396d804fa2ca9f24

SHA1
953c32e1d225240b44604d29a45fe0581dbb538a

SHA256
82e1c908ccb9cf03960d4add4cc23457377cb361efa50ac3efaafc1d605034b1

SHA512
aad65fe474c07f986e2c0b9fec45aa03f0409568dbdb5408c089a4cd463ff776190dbcf7cfacc168a0a470aa4c34aba4d8e5953b60152c264008b583be2f74e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
a3a5dae10e94eba3097d232c0f7a1814

SHA1
21a04891947a8eba393749fd335be3a87c587900

SHA256
df4b9b6c1da12fbf5995d3678ef364d897a218654cf9606d5e0968719677fd28

SHA512
1f4762de2d0a7b4f021ff227867c4d0db66eb50d18fac888a27de1dbd2069bf9fbdb5ebe2dc758709d3c46fc4e042e67cd56c5893468796d89a6146a57f0ee82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
1b752941102251c9c9b0c8e6af53cb25

SHA1
3f677b509992d23e12ad052b3768774fb53f870d

SHA256
2044f8cb2b4c5156b077e9231b0144885f377ee889568ba2e6350ae55c9ab7b9

SHA512
70109964a2ac77d70e66c4843cedafa424b5e7966386cd3b425c04e3669443d24b2e60126c08595a0a2bdd24b5a215e006e4a6c22c5cb43d7bcd828a7d53dde2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
96ed7c9ae38d61b6cdb77149f20ee53c

SHA1
53f002247f2582c32a60316c0a361007eca7e9f4

SHA256
25618d283ed895193d33b0cf251e62bb9f653a6c51b3d6999527892b4020a88b

SHA512
5aeb822c0fc8530fc87a23ad5605b586147bb62531ac4b1e41a42d027e519dfeff943819c4d3ee8ec5c2ad52f16e76f97aa89a7e7cf24e85a96c8c698c2474cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
25f56da74adfc8a5ba6d051e368ff83f

SHA1
6efcae990c66aa1f87d4e88f534e5bbaf8f0a6e2

SHA256
27ab59dd60c25eab875e093909d4d73afcb179bddd768304ff214fd6d9be2ede

SHA512
d418fd48b39059af39bbfd0bbbb1c00fc6a56c6ede72995ea318cff0ffeb90b2105644cad12a844cf0e35762e83fe2f3fe15e10d89d56e0fbdcd57bd095f6b2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
1df5e26e038742b50b54b259cf148723

SHA1
79c6792fc1677c46a67642f4e67d3ceb81da2ddc

SHA256
8c0dbe82df826bb1a4864874e3467cca307bc5702c2422358c07a0b41f768467

SHA512
df43240a3a7cfe3524476c01eba1e04559802e686ecb9b6a3aad83506effcf9b5578a342e0970a168412c058bf51990f5bc86e3738801403678a0a07638a6782

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
82766f5c74ff2bacfb440b524eed2d4d

SHA1
9e222a58c9e267df1e55f65d1e831fbf5d36b298

SHA256
b391474a2105c779ad27313fc9ef44c20fee1c3592c3e1d138e778aa787fdfa2

SHA512
a339dc8586369e6b9cc4a436552ea55f7a9055d84505df3fb8d5ad3b45cc19b31d9db655d5c1bec44ff192020e08473d55244ce6dbfd06933a981a46cfe2cf29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
80372883deab0654ec6d8bd26a6f8f4c

SHA1
58aa825973d05ee3a639c544cc60bacc77a5bfd4

SHA256
9c0944c9c27b553d878a8297040208670475a45c335a438629dccc5315a05e98

SHA512
fe5f3938ad60f9277d046b418276e90c4b9206bd0034905c5512b0fc9b238a4ee41e6f8a03aa08418bc768d16c7a0f5da61f9462dd57cbd8cd9d5f06906f7fc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
cfa6015275f37aff87243c902a37bf72

SHA1
94d42557d3faab5e6858fca1818070be1454c04a

SHA256
508be473bb168d0550e51a8c8725fd2cc6b9f5019a2d9e3a014119f6621b3514

SHA512
cc77386c8cb5c5e4d2c02d2ed0fc981909177d34bacbb7d31eac8c5348751d096384aaab3b14cdf21e87e38255be47cf914ac276d01aab566a27c814696ab956

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
41373b5dc3c47c775306870015bdd3e1

SHA1
d866b2b4c1be54c38d931a7c4dd4e60c005eda7b

SHA256
b1f75e5f785122db8f3bfa443659dbe2d3016c03d4cbf337f613e730bf09521e

SHA512
aa9cf5735da3a3d1b273ec3418e2934191b4d034b843cf15350cd17b56c1f1a52f238f7d59a4b4c2a532d4fdfc7bd5e99c8562e9ab92bdc43124aba86065b475

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
b4ef42434af49db24c837b0423d7adcf

SHA1
507b1501961fb8417b58e8c8c92f94560e149b4f

SHA256
4bbe5855d5653b898c91a10c09b7f8cbd65f7312294abcee368f2933f7e5310d

SHA512
b8da790838b34d03625266d62a6d0ac9c37a47c7b711f1d8684540e2ab39907b5890ea8b7ffae873e5c631979d9e31e567293790108bf7c5a95cf891c6cf5616

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
c9e1f2ab767dd6fc5fb9755651aed3b0

SHA1
b18b5f84bbf33bc49f0d3a71ee18891e274d5ad3

SHA256
8e09f3976e2af7387fa2713086bd3ece8b59be0f180583be381642787e6be0c7

SHA512
bd91bfb960fb1c139d3a59f5edba1bc4ceaa999fb20f5d94e013f0e5d1e3b2c188f6ab976063afc81c68e926b08bbbb4f6dc50ea9486c173084366690d1597a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
22KB

MD5
e91db506dca5aac40d4c518e0eebdbff

SHA1
f11fdb7646b79fb51ce079dd6d52a55d573e0955

SHA256
259a1302fae0472c1d032ec98e132176cf28d728d4f202fd69789c88a930ec22

SHA512
9c71d91fa9bb877ed45f38102d6de9d9170cbac2c7147f4b621edb0a2f8cef03cfbda2b5c9d9e3ff4301a2e0c840fa4dd0f975261b6abdd2d2c9a1d303ffa0f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
ce5a64e6d4c854f7dff7835ec1712dc3

SHA1
7165a5f6aea10ab27cbd5b1d4c825215ea3ef11d

SHA256
cc8f379bfe8c1f0e8896b622fbcd9e2223bacad7955846092e1bba2407d94648

SHA512
3cb13c2bb13b676be8581dbd65081fa47ed68e91e4421c66f84647cc6d921931afb1f7f16867f58f78c8c3dbc2de212beb22db61e449b3a5cf67fb2fbb7bb775

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
a99efa077038c172b7005324c983de19

SHA1
4b411ce1e7d8d705fed2b6d4bfb1e7f995c62683

SHA256
289648cfc5cbb1cd73d12b25cb6170d749a64c02b0abe88a6b77d1a613694c54

SHA512
aa3c0bc29b25d9d9b69f6ab1a31d931d0be6110832c1c69901ce116e1ba00d84565b6600166a237f83260e3d63a23dcd8b65187d696cb8afc21c888654324d49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
33013f7ae6b87f820c084a63d0b15a88

SHA1
e0518158216b0ed1ff5e4bc6e0965657f2d2c4d5

SHA256
b2d7d7d0d33951f8a724ef399bec4cfa11e387faf4daad939bc423e4dd11cbcc

SHA512
a42cf4917b2d5570f182cb5b281a05a18151df589e0f369f6dacbd9d0890780febddb4209428dafbe9f6358a08ca897e891a33f99d75d81d11a4c8b19af3b88a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
20KB

MD5
89ad5c16537fd37ae1192ad87c413f95

SHA1
76871b6dbe46dfefd4a7b8142247ff965126427d

SHA256
dfe7c618388ac6968daa5d2fee1db95a4d45221d33cdf0c3ebb5d214c29ff4f1

SHA512
b5eb2cf18174ac93715a3862a18557d44efd16f97077fc55247a0d47c1f911026f2b6c0c57c665cd9cec39041e40555395c59be18eb361db17a88775898ed359

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
ad805b48a0d32227ea02f44a97f73460

SHA1
b418d941359753e7ea65425a4c84b5c74b4803a1

SHA256
c8dad0a18348635db8647b16c9b980a5224029f82fb4ef62642df890149201c8

SHA512
9a43922cd45496fa375ca2c65994eb97d1bf25e8a469a5721edcef39db0852518de0cafd73a1df081962bd3f78da9361742b93f1ff5760ec5092f882c71750d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
009d95abc7b262c5488e24fee03c8207

SHA1
493a32b9cbe4473fdcc87058283331deded0377a

SHA256
eb041f8a777a7f8f670ca6b1d655e43420ed32383bee659e6fd7d78d8c25047d

SHA512
43687cfe4120a12558fa7307b030d4ac3d01c3ce316d47db6eb1077f0b242f4232254d12a3afce97255c6ee92bef81a75a880184216931b3d2c7a65110496017

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
1832f49032c5dad70aef8e3da9b6c076

SHA1
28731f58648637152dfec083e429e964e2df41d8

SHA256
8124af3287c4e496ac59c505643e3cd7140d394fa5c77c59f45b322f630cd2d1

SHA512
4e5a0213b33425610abe766c34c0b821a77bef88b8aa9d4c588c20b9371db5a7591ac77fb76b5a0624678729f9da7c930fae0ecc08394540045bed15164d4527

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
2f734d4df80553debc1579a53a4b914a

SHA1
b6c3cceafcfd0f3192d0ac43e17f6aee0a409ce0

SHA256
d7facdb7658f8c40e4c938d6ce7a43e3e2ba67c902d8a2b10a7b5596416a436f

SHA512
2a044ae17c6f9e4a904f3b340dbce991c5c9439e59db3f3ca1e51f709df34eb1c1e13f6126616438c3eb7fd8cc5e6ebd8f0c4c6c9aa05390ac974b1ef15d6923

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
4e3fe27e7b1d5c67753dbb598f31896c

SHA1
6d5d3b54bc221ceba50acac427d36c678afb87d5

SHA256
68660d6c7b22bc5189a0eee3075480d83c9f9343f3ee217b5b9ccfa6df764912

SHA512
214943509dbd001f92a0d2700f533c8be54a6f1b047d7ef17d6a6648a76722df2f255571820f6ca4170b703e1129f8ce007bd5f9e95264eaa673b2697843f65e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
2263ee710e5aa4a8b3d23090695c62b2

SHA1
d4a65da55f2b7b2182474697ab90c4ddea768910

SHA256
7b7a9259a276c2d6a6f9e626098199d297691b03e675927f28b29a49934b027a

SHA512
62b65b0e77c9c829033cfac4f7df82dc128790300cfede0bf42dead3e19fd534afb625989baecd55f3c2856df234b6da2e05a959408771d36dd3d3c2e13f10b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
78058851cdac3fb2a04c896a4b58222f

SHA1
8468a98d4fe23201cd9644e75f1fa1dd829ac410

SHA256
478416b27ceecda7ae65739cc95cfce20741313a6bcf6b3eaf41a4eda5cdb014

SHA512
55d0bd908c3172a3d8d11d169322391629d97d997b0ba28cbee986763ee11d0ee5c510f6e7815dc6fdd9093b65f2e49365bedefd4f909a7d54770a4f32490ca7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
dbe2ac609ee2deccb13828b6a5ddc98f

SHA1
ce622dcc86ca64828dec5e051675d41b7e08b0a3

SHA256
7f72a1f03ff9c24d1ad1dc5c3a96312cbb3c0c562d3c135d49b86ae52ee8c106

SHA512
21a33d39dd88af9a805056899a4731bc92efa388516402a9f79851093848c5a98fbd8300525effdb8e367e7eb7c256b15c170605112e3b85bd115ed64a4a921b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
30KB

MD5
f0c07b0055d8f3a94153193d93bef0bc

SHA1
2856dc6a8e12f51788379b4823a82c477abaf135

SHA256
9b502632ca54366c13f1c8b40fa1eed3468a7629a215b434c0d83cbb85be264c

SHA512
b53eed8405c1678f910bf2fab57dfba1d3afd29a2d4cea3dea5b4cdd43cbca15ca06e294f1bea60a732ca9949cab20a9aaa9caed98b9a9e55b3cc829c386857b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
117KB

MD5
d787e611c1b823c845aee864666652ef

SHA1
5dfe259432d83805fc961edd043713b278b1a030

SHA256
5661d110d92e1397ef30edef27b0d399c635fefb0d23ac0ed01d9a514d35b660

SHA512
be2b2d169c956d571dc49a02149e4e2fec19a37b1b43ce707a51ef5c6daca79e695099710ccebc74a1b6b13c0a6b03437dc68b4d88feb6a96c7e5c2cb37931b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
fc25224630b966e5ee07224c3214b44c

SHA1
6a1fb76248868ed6c29b822f95059a3dde1de6e2

SHA256
c0227893c85f344bd4736eeb8d64ff9cf849b5901407b5fc4fcd4c59035f73e3

SHA512
9f43e263e192ae21686821185d1ab1eecda7c33c6423baeb94276b3081072b5a533cb80fb08f5b49444790a005fda7311a2809b8d4441ea95085f66885fd1401

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
117KB

MD5
f9245d6b10f1367de777ecf9f3d5ed22

SHA1
a7a21ad1bc1e028bf3c7917a15bbc0cef3b533eb

SHA256
99f1588611c2405204341978f4af54a71313121cc9468285f97282692ac8a7f7

SHA512
60a1f42114dd99094887c3c99c0d7d3994f337a7d823b774aeba357c516915ebb0eca74129bd262aa6e0b5c41b4b3fdfe3ae52ec876c504ec1129de62bec0d1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
57KB

MD5
3cbb6a38e9b2cc0fe645e83cdf7c7e47

SHA1
99480e1ceb85e81aa996dbf55bfa41af4516ffbe

SHA256
0c903be2d62c178d8a1401ba4ee41ca44870f20e0046000a847ce7ffa71ec532

SHA512
c8824ed2d5da3be449b579e8b13b808512f33f0aedbd31ca08219e03ec95d9153cf393f55dc1ee646f0a04d1a5da1372e0e19b74d564ce9cca597afd3fc4e097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
121KB

MD5
d07dfd53b67acf43800e2965983900a3

SHA1
61549f9e0c79f40d4c60eebff9865ba3b9ed01ad

SHA256
eb0a6c7306610f771265e431d755420500ce878f2c52bc86d8efa5e777c783f3

SHA512
b69dc3be095dbbb842a094a1858eaa0f347bbf7f452fb8d8a6d32b2e192c173b9b634c1e7666768cde57bc51dbf0477a8839c2a0db6aa5f08b28d48c6ce93d5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
3996977e0ed5b939250c3253b0a757d2

SHA1
9cbaa2aac1c5f9ba96992ffa9100183c2dc941a0

SHA256
31758e9b5e13e382c95f8c630bdc9cc838aa4b58524ead4555ea106a9e54cc64

SHA512
6cef56e4822c42d4e990b51a1ded96c72793d06009cbdbca651aed1f2977578d607b408e46c1f29d9f24710af39a83573eeb42f79ebed34da81375758bf78388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local\downloadCache

Filesize
14B

MD5
df741b3f19d9dc2621eaf973c8c9fa9d

SHA1
f45f1d9791c05366a8a23322d497c89957e75e61

SHA256
6e5ddba6d7aa3b287ea364034e1f843e4146ff92c07d8426f4a7c4b0e6435006

SHA512
650de3f99038bffbfef41a9acc0a06e15803550c6456d0bdeac9ebe18aea94ab3a0bb7d85b7a0230ce6f510f5e26fa739fe58924f355d7e3714ec37daa4c70d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local\uriCache

Filesize
9B

MD5
b6f7a6b03164d4bf8e3531a5cf721d30

SHA1
a2134120d4712c7c629cdceef9de6d6e48ca13fa

SHA256
3d6f3f8f1456d7ce78dd9dfa8187318b38e731a658e513f561ee178766e74d39

SHA512
4b473f45a5d45d420483ea1d9e93047794884f26781bbfe5370a554d260e80ad462e7eeb74d16025774935c3a80cbb2fd1293941ee3d7b64045b791b365f2b63

Download Submit
C:\Users\Admin\AppData\Local\Overwolf\Settings\SettingsPageBasic.xml

Filesize
752B

MD5
d81eee90018d3b1c2fb13e977d132491

SHA1
c07b05b92693567301cfe92df233084dbdcfc85a

SHA256
e83cb16f401394eb4a0a11d529e17f9363c52c6ac0c528bf2c03398195f2e450

SHA512
cb682d65339c25535859f0585ccaea38e80a6497613f2b4ecb7b06039a3a493617fd7edce421e29f2cc072a3e95fe547db65e2366ab96ca55ee664341d7cb8ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslB6A8.tmp\DotNetZip.dll

Filesize
467KB

MD5
190e712f2e3b065ba3d5f63cb9b7725e

SHA1
75c1c8dd93c7c8a4b3719bb77c6e1d1a1620ae12

SHA256
6c512d9943a225d686b26fc832589e4c8bef7c4dd0a8bdfd557d5d27fe5bba0f

SHA512
2b4898d2d6982917612d04442807bd58c37739b2e4b302c94f41e03e685e24b9183b12de2057b3b303483698ad95e3a37795e6eb6d2d3b71e332b59deeca7d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslB6A8.tmp\Microsoft.Win32.TaskScheduler.dll

Filesize
126KB

MD5
25802e743767fdc032480ce80725ef21

SHA1
d4feac2ad599e6d0a419092b6e771f68c5027c25

SHA256
495a72c7ea5f479b3bc4a9a2782e73a1cd3fc398c6598c0f3c0bb2e57c30b482

SHA512
08a5692cf826f361af45bd4153044c84a2bfd803375c69df6181a8865531f69477fd1244f6e28362c093382f850636495f8ee257267ea76c9b9a4bfe1bb55376

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslB6A8.tmp\nsis7z64.dll

Filesize
514KB

MD5
284c46af1fd2ec3a60ee0c28f276f2a4

SHA1
4d4d41c0af12d928e4e553ab6b80e6b4ab8007bc

SHA256
2368be6d8b21e0047146d3f61f90966a71d0737eed0146bc692b59f3cac97793

SHA512
ca9e4ef79c9c7c5f2282ddeee34ec39a51cddf26dcad4e9f2e42230499b0b898ac2dfd33f25438aa995741d23037fa01a0269823c283b234ecec0f155d3c05ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslB6A8.tmp\websocket-sharp.dll

Filesize
270KB

MD5
7d7b21a6c7bad831559fe4e5e58cf44b

SHA1
550d610642a99deb6ee22482ce9ea25356b4edd4

SHA256
b93affd08edb54fe4e88be626a95eca78897fb874dc0aab214782b5d27cff7f5

SHA512
19483586da7022077e88672b1a17fa196fb425a4f4f3840ed2cd7a45354de506cafd3b193b881be844909bdea3ba6362e0226b0e485df9442d55b83c37100423

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6C01.tmp\CommandLine.dll

Filesize
71KB

MD5
29d9046304542e1ce30eba022c49dfcc

SHA1
b93d5a7adae25e6a0bdbb53cc86e39684effa70b

SHA256
dd954bc5c2f8ead7580ee492a242ea3f09dc07b601bfadd1ab5ac804fc54da01

SHA512
ecb1c1317e2c8b7681944b0ebc289da68564166c9b4d4a90897b5788893f03406977265ce4c745315d73562bd5523d02195b095ac055b791ff4a39da81edebb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6C01.tmp\INetC.dll

Filesize
34KB

MD5
87050902acf23fa5aa6d6aa61703db97

SHA1
d5555e17151540095a8681cd892b79bce8246832

SHA256
0ecf8b76a413726d2a9c10213ad6e406211330e9e79cfde5024968eedc64a750

SHA512
d75d3fc84a61887ee63bad3e5e38f6df32446fd5c17bedce3edca785030b723b13134b09a9bbbbaca86d5ea07405b8c4afd524cc156a8c1d78f044a22dee9eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6C01.tmp\Newtonsoft.Json.dll

Filesize
692KB

MD5
98cbb64f074dc600b23a2ee1a0f46448

SHA1
c5e5ec666eeb51ec15d69d27685fe50148893e34

SHA256
7b44639cbfbc8ddac8c7a3de8ffa97a7460bebb0d54e9ff2e1ccdc3a742c2b13

SHA512
eb9eabee5494f5eb1062a33cc605b66d051da6c6990860fe4fd20e5b137458277a636cf27c4f133012d7e0efaa5feb6f48f1e2f342008482c951a6d61feec147

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6C01.tmp\OWInstaller.exe

Filesize
304KB

MD5
dea51bccf2e3866ec42047819e19fb59

SHA1
ee857cfd60ee52e8c49a446b9aee64014eb0b0d4

SHA256
d6fa8cb9a2a82fa6bc2b344d5d2708f1b3a3145a8054e26f50e9454182f431e4

SHA512
0ff726c81b88231466a831a0cce6d679cb2584a120aa3f641851104a013aab089b6967a490aa7c7b3ce3d3d97349e92bec187f24feae26c34b780a84a42b5b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6C01.tmp\OWinstaller.exe.config

Filesize
632B

MD5
82d22e4e19e27e306317513b9bfa70ff

SHA1
ff3c7dd06b7fff9c12b1beaf0ca32517710ac161

SHA256
272e4c5364193e73633caa3793e07509a349b79314ea01808b24fdb12c51b827

SHA512
b0fb708f6bcab923f5b381b7f03b3220793eff69559e895d7cf0e33781358ec2159f9c8276bf8ba81302feda8721327d43607868de5caaa9015d7bb82060a0b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6C01.tmp\OverWolf.Client.CommonUtils.dll

Filesize
650KB

MD5
f927b95203a3d1d253938ead1f8143c6

SHA1
271c063b1d5aaf64ae05677ed765781a4a43e8e7

SHA256
ac480a104d0ec21bb96ec6e5ea3418a3118ea80a07426dcd2e1e01ff41147f40

SHA512
c71e6870b5f9a381e896d870efe2cb0226f02624d62e180a3878e4d1353727da08044eee44ef7ec4ebd692eb5bd4639b0b7d48ff174ff50f51cf32c585d9a8c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6C01.tmp\SharpRaven.dll

Filesize
82KB

MD5
551a0903c6598fb93777fb10fcd11e3e

SHA1
2970874eebf32677338f619e77ce8901b4ef96a8

SHA256
cd53520a046058fd26cf0051bff47051948d3b7932234a90a60e3e59e57d6361

SHA512
1186e6c3ae3ff9d392fda5b517d3962357c78af872a7a457b553cd2b84ccf8a399fdaebbb3d3ca60e130b04825e1a1663dc6931644b0a7f1de5fba6b07ec5e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6C01.tmp\System.dll

Filesize
21KB

MD5
51bd16a2ea23ae1e7a92cedc6785c82e

SHA1
a9fbaeb9a695b9f2ba8a3ed8f0d95d2bf6a3d36c

SHA256
4dbc79d2b1c7987cc64bb5d014db81bb5108bdd6d8bf3a5f820fac1ded62be33

SHA512
66ffc18b2daf6c4cba01aef0e4af2f006a51aa218eab0f21dc66e47eea0389d2b1748ef0e30d2ec9f0123fd7f38ed3aee964dd6bde5779aaee19ebf55369af79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6C01.tmp\UserInfo.dll

Filesize
14KB

MD5
1dd4ca0f4a94155f8d46ec95a20ada4a

SHA1
5869f0d89e5422c5c4ad411e0a6a8d5b2321ff81

SHA256
a27dc3069793535cb64123c27dca8748983d133c8fa5aaddee8cdbc83f16986d

SHA512
f4914edc0357af44ed2855d5807c99c8168b305e6b7904dc865771ad0ee90756038612fe69c67b459c468396d1d39875395b1c8ec69e6da559fb92859204763e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6C01.tmp\app\images\icon.ico

Filesize
14KB

MD5
9a03fbfd56d8e501797359aac3d72ed1

SHA1
b31e87a87486c00f9266559707e2cae4831f9d44

SHA256
81c69b545c347e1708603fb912511d8eddf755cb27f37fdc6a6fd959c6cfb94e

SHA512
29eb96fe4bdded257f3330672b1f9f2086c28e1e863a093a6fb750b6e59210b47b5ed481e3828442f38c5c6d63ef37709716af1e3913afdf37bf8e574f976fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6C01.tmp\app\index.html

Filesize
20KB

MD5
6d8c9edde0ce101ce0abd73be45c684a

SHA1
ce6d94d2d1a7f4761438781affd3aa991018e4f5

SHA256
f15c54f4ac4f55bcfa281b668220eb144e63b9de2292e970095a4dc566209682

SHA512
06f35ece48e4e19174da18ecc5dcac3a7e4d7ffbb102c4859221c7c569027ca72e40c9ed945872bf4396bc02ced7ae46655c88e3ec40d0a2f2e3bd0fcec80203

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6C01.tmp\app\js\block_inputs.js

Filesize
789B

MD5
b5b52c92b90f4283a761cb8a40860c75

SHA1
7212e7e566795017e179e7b9c9bf223b0cdb9ec2

SHA256
f8dbd6793b35f7a26806f4dabad157aaafdf6d66fad094b50c77d60f223fd544

SHA512
16ad53ede5424ca1384e3caea25225589e9eec9e80e2d845948802db90fad222f709a7b651cd7601a34ba67a0627433f25764638fd542cbd4612871308e7b353

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6C01.tmp\app\js\libs\cmp.bundle.js

Filesize
346KB

MD5
931c0aea91b1daf5c4936edac6a4ca1a

SHA1
78c35061126c76a97a42df7b8ca0639ae52712a8

SHA256
630a2295e409485e27a06aac96a49f04d553f3ba299799e26a496776d3583325

SHA512
a237db9a0d973d5a07d36b98586d099b4a9277ff125f8cdda52f515bd5d1ce0fe82bc0ca8e3f9396a7eea625e8d8da0b5c39963b580320ca7a6eb5f461e017f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6C01.tmp\app\js\libs\jquery-1.10.2.min.js

Filesize
90KB

MD5
44e3f0db3e4ab6fedc5758c05cf27591

SHA1
2d408aa1d35661019c95adcc60b78c0727ed25b4

SHA256
bc44d3631ffef1df7960e359f02002d3ada45ee05205c2cf1edd85da2f518144

SHA512
4d4844e53e686fc59a52e86588f328dca3ed6fdad7195c58942a98c51755a24981b903ee7c7b27785375eaad5a7d9501cf74b999674b79f214e66103bad9efdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6C01.tmp\app\js\utils\strings-loader.js

Filesize
5KB

MD5
9c94eb933d8a43dd3825e67a7e30c980

SHA1
7ec7b16af6f399219209ba5967d377040486a11b

SHA256
96445709fde2613af50f4b8908296d4bfccdccb2d9db9febc34a9bf4dcc70ecf

SHA512
a662a299e31633f71a9b9675970359430fdac06dcc284fd7ce92919f244c7f921639f97a42356e993a95865e6c9f198dcba82c126f82065bf2009a31ec9b02f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6C01.tmp\app\js\utils\utils.js

Filesize
118B

MD5
a0952ebeab701c05c75710c33d725e7e

SHA1
1da8a2e889f1213d481ae3cd5571670c01e64adc

SHA256
b4f0c48cbfeaf8141fd44b12031e3f0410cb0cdc313888ffdb14fdf1d2341246

SHA512
5e5ae616d3fded7d2bf47a326242c4477ca3119fb52897bfb41de0be230ccbd6c3da2c00268b3973e9bf7b4f2886aba64fd9719b448662e4130ee66d87913389

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6C01.tmp\app\manifest.json

Filesize
691B

MD5
cac2b68f5629dbb79f65b63f4e106094

SHA1
ccad7e63342172d7a96035f1004e3722409688c0

SHA256
4af83e9f905d9ea7b1aa89ad49a39c2f63005e3b06a8191880853fcef490fa17

SHA512
61e7a8b4a1b73b309cde27b023dfc6ddc7ae8aedfb7f5bfed3a2ba785e01a569dfb7cfef4d2a5700dfcf23be50b14e4bc62343d2038ca93c6a9c2b517d51fff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6C01.tmp\log4net.dll

Filesize
270KB

MD5
f15c8a9e2876568b3910189b2d493706

SHA1
32634db97e7c1705286cb1ac5ce20bc4e0ec17af

SHA256
ae9c8073c3357c490f5d1c64101362918357c568f6b9380a60b09a4a4c1ff309

SHA512
805cd0a70aba2f1cf66e557d51ad30d42b32fbafcfbc6685ec204bc69847619479f653f4f33a4e466055707880d982eb1574ddab8edfa3c641e51cda950e2a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6C01.tmp\uac.dll

Filesize
24KB

MD5
861f7e800bb28f68927e65719869409c

SHA1
a12bfcd2b9950e758ead281a9afbf1895bf10539

SHA256
10a0e8cf46038ab3b2c3cf5dce407b9a043a631cbde9a5c8bcf0a54b2566c010

SHA512
f2bf24a0da69bbe4b4a0f0b1bfc5af175a66b8bcc4f5cc379ed0b89166fa9ffe1e16206b41fca7260ac7f8b86f8695b76f016bb371d7642aa71e61e29a3976eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6C01.tmp\utils.dll

Filesize
58KB

MD5
c6b46a5fcdccbf3aeff930b1e5b383d4

SHA1
6d5a8e08de862b283610bad2f6ce44936f439821

SHA256
251ab3e2690562dcfcd510642607f206e6dcf626d06d94b74e1fa8297b1050a0

SHA512
97616475ef425421959489b650810b185488fcb02a1e90406b3014e948e66e5101df583815fd2be26d9c4d293a46b02ba4025426f743e682ed15d228f027f55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ow-electron\InstallerTrace_2024-09-21_13-15_4372.log

Filesize
1KB

MD5
6e940397e8af78261ac5937a36d5d5c7

SHA1
cb33ee1e004dce02d8af211ec8de2fd65074c3e8

SHA256
f67f4978226dba698d7e1f8478028d4cfbba8455b6f4baf0c3cd74e1802b2252

SHA512
193001167fe3974c5f34b877154d643e367c866be246acb199b97f08c38fe2a60d2bf8af31f06b716c426423203d8620ed2d2cdc601bc79c5cc3bf3e641bba43

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC06F5C6756E94E2798EA9A9619B1949F.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\Desktop\ConnectImport.xhtml

Filesize
761KB

MD5
94bc1e3d2c9d4e7ffa1a878b86560b6f

SHA1
3f80fa23eb5585c04f14ddd8c2f033d3f55eafc4

SHA256
7d167a73a2269ec4135c86bceabc62fb591a4ee6e92ea3c9a2d30240c0ffedf4

SHA512
51790127860bbc35b50e504cb411e70c29fb61089b77db26868702bc40c9990d23f5cc87ecc8c5b12467ad7cfc7f041d6f8891a29ec5de7770333666eb78173b

Download Submit
C:\Users\Admin\Desktop\ConvertToPublish.docx

Filesize
15KB

MD5
8d318e97a556d9262f70314795e5aadc

SHA1
446dd1dd79959d0e981e19eee9453d049f6730ee

SHA256
668538ef864d840c3630550f92474536293a40f0827af0ab5b9c090d9685c25a

SHA512
782833dac82090520882e48501ec094d6faadc747c84bd1f210f0d30b125ffc9e2733f8973dde6876a0211e94a26cb1f9490a50018c0b25e443e208474c09114

Download Submit
C:\Users\Admin\Desktop\DebugRename.xht

Filesize
1.0MB

MD5
288fe3fc582445cde2e2155cad1bc2e8

SHA1
a2268437db84ad95300dda889441ca8a1c341520

SHA256
ab40f289b828a1c4ff4cbdd8f5fa0c9749c15cc110d39f53cfa6de1c52b41087

SHA512
1463d9d6c35ac39bd5f4637f201ea12fc31663333255f5648950e2f9cbc0aeebea13a7f734cc13d0f8c9544a5d02e2cc5532ceaf28072606aebbefc5d23d6974

Download Submit
C:\Users\Admin\Desktop\DisconnectFormat.xht

Filesize
501KB

MD5
c4875fbc0a0b3b8b08f023929bdbf357

SHA1
0ff0cc154b2c80c10cc95f13da15867e8b0e76b4

SHA256
f492680f414a8869d7dd67ec65ba9336348336fe0264484a97d37755124d414c

SHA512
2d3c34c44b0938cdd656ce4228295a6981845feec7472ad9ff83fd8d00da38c1aa0ec60c712ba7271fb586816b7d319abb81862e9a7162f9dcc7048e329f4ba9

Download Submit
C:\Users\Admin\Desktop\EnableCompare.3gpp

Filesize
1021KB

MD5
4e7e074c7581d4abb96ecfd485e0c6b9

SHA1
99ec39576e6c211066207749b9ef2e73739d744b

SHA256
eb6ccc827793167dacc7d13da15bed28289844cc288bc97ade1b8beebbe73bb5

SHA512
b40ba1409bcf582ffd46cfaf36b10c4e464bed0f4fdecd350661092d0265ce3c168536b4a976784349a64f47b0c7afb5a47a76e28c8697f1b8421208a4cd4cea

Download Submit
C:\Users\Admin\Desktop\ExitCopy.vbe

Filesize
873KB

MD5
18c313bbd6e61f92258eedda0aa6432b

SHA1
2a35444d889e0f28c86dce0ec31ee68cfa53727e

SHA256
c6f7c740996da908ad7c181fb93d74714dd2ff6e13db0e8d75255fb909f90423

SHA512
a0f3d2825f5f9761a7ce12d046cc240222fd4ce7ed35e44ec8fd22cfe2303dc2791f8e23d6ba3c7aeef116d307ea6d0c88bb9905a6c391c51aedfa4b0615010b

Download Submit
C:\Users\Admin\Desktop\ExpandSkip.docx

Filesize
15KB

MD5
929b4a004d014bfa781f49359d50aa9d

SHA1
390668ff255066a985a30dd47500bcf9284da33b

SHA256
ea1086a9f3ba1f51e385f6408ea4eebc90f7b182f6e56299abab76db77d4cc1b

SHA512
06a81b27c0272b19e0a811b4795e100dddd3c44f5416180f158d902f260695785ae9eec3812ce7cdd6df744a08f72d44f442cc311ac31cf1724a3413c9114fe7

Download Submit
C:\Users\Admin\Desktop\FindUnpublish.iso

Filesize
910KB

MD5
73ae89646c3aa6fa08469e05b184de6f

SHA1
d40737f59875cdbc5e4dab7440b359515312906f

SHA256
96d150c0142ccf6cae8c52b9417d8f54a500a0dcb0590b53fa768459cf4553a4

SHA512
08b16683faf8904dc9f75fc3e58a1c865a9ddc07ffddc0e4f233cd0d0c0b98a1a0e6e1f7cb0d16e176e05f7f2c12ae5c0ccb148f8ece4e4704da3189e7b19eea

Download Submit
C:\Users\Admin\Desktop\FormatUnblock.mpeg2

Filesize
427KB

MD5
dff19e323c4d4562adead484c4a5c3f1

SHA1
6c7db60c2497a259d993619548e1bbfde8cff805

SHA256
ff148a4d5b5ce2eb0828452f7af1328c5921ee572796c1e28d63513a280f223b

SHA512
3d3f257cf95bb885befcbce2ff350f5b2b4d2ef39221b42ae80566e266c5745cc589e6009f3dc6b6e3d655a11f635274a39520b5bfb1e7d0d41fa95dae8a0914

Download Submit
C:\Users\Admin\Desktop\HideFormat.pcx

Filesize
724KB

MD5
b584c5011eb69ce4350935d75acca781

SHA1
ec906aaa02e3f09c17da88782cb48d79b57b0602

SHA256
4d2c3ff275c961aeb4693f398ffab46f483673fbfaed762f6126bb5cbc48d0be

SHA512
97b0748d84b20e1192e9410d3ab4a160cfe8be0c05ce4edb4dc2608686b899247b48358afe405afef6072d81c89c1e8e7fd1120f3239c6167ec296c2df7f6594

Download Submit
C:\Users\Admin\Desktop\LockSet.docx

Filesize
17KB

MD5
152fb9b88500c6ecacb21672ba167c3b

SHA1
2065b95fa64c2ab1c53c132c946362bf53bb9cf0

SHA256
d55a7d703f7e21644c6851d0fbfe76c5aed2ce31c6c01131d8c163e5c87bfe60

SHA512
a6ba3f09af20dded77a65f99e01f96ac64ce8f5a689cb959f1746b9cff930ca8ab94fd536f9b3a5dbe74bf6ce59cbf72b78905dadca82ec68885dda5ca47c917

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
2263183008dfc3d67cc1398ce4d297e6

SHA1
9f34791e3ec79cee4827ece8dd879ec26edd2338

SHA256
f3038ca66de19bba4cc75d5f651ebcc69fc2c2c6d61025dff8f5400458b5578f

SHA512
742d3803e77862312c08435cf4ee3fd72b3631b0c852a627f624bb990acd5c45a3d9b071d753e39b1769b8a3a5be83ede2968545bf3c5c7f80e750513a0aad05

Download Submit
C:\Users\Admin\Desktop\OutRead.vdx

Filesize
650KB

MD5
69eb517221e82b8a1043ab4dd37fa59a

SHA1
a7b3109b90bf1697911db15067ecfd916bd3347a

SHA256
98c4b825070a66e2744889d1f376f3a6f44a8fd85773194fb3ff3f085802a72e

SHA512
4370493fd09bbb4dcc60da33a671088dd0b535b87d51848a8067d28b8a611aaec11a13e3882b4f5dfc15bf64a1ced7b15b214c4e3efe9669b243f3ad0748bdc5

Download Submit
C:\Users\Admin\Desktop\PopProtect.ttf

Filesize
575KB

MD5
d1dabe3201075e5f2843fdf2a7fc05e9

SHA1
18dd2368254bb578d431029b5ee81a1185d47ea6

SHA256
7ca9e0cb21b5c3e71360fc2fa9522e072d6395377e4a0adf7da1a91dd1ca8c30

SHA512
3bbbfbf2cc7279733e22e78441a0df1055935a848509f9e41062bd9475adc32c306b5bc7fb58850d97a5227c4d12936d30797c3b649d0c6be83563cb286edce6

Download Submit
C:\Users\Admin\Desktop\RedoTest.pptm

Filesize
687KB

MD5
806ccc5471a40e5060b8fa86fcb1b8cf

SHA1
5144e71701d6ee65c65d6adbb3d7923700c79dfe

SHA256
9430141e044370df9539a1137c49d172eda85fe8870e554225994fc3fb86fa0f

SHA512
37385d5bf884f5d540c49fa653f0463cf977ca509d56007aec43225287d39ac7d6c2ea2eff00f7eb67cf6899703570259fe22833d919a51f91f7cf530ce79f93

Download Submit
C:\Users\Admin\Desktop\RepairUpdate.asx

Filesize
613KB

MD5
b9404a28a04b7a53186aa6198db55af5

SHA1
fe3c6d90b542a36aaddcee7db8a7d5d252973b9f

SHA256
051d97bffe604a652a33b73c406697b73ac7a94ba7cc31647c70fed60878c35a

SHA512
872b25191d60580df201fd32ea7c783fcecfe8d15c27faacdd8b406b8478239e98f548e57caca7bbfcb64ab532d0d31afe1ba34b544cb6abd8c8ddf8382d8aa8

Download Submit
C:\Users\Admin\Desktop\ResetResize.tif

Filesize
835KB

MD5
f54630c9921954f70a87f28b318e91af

SHA1
59bb298276af04446f97d73e5298cfaab90bcb6e

SHA256
b6a81b8628f9df2674c464d9402fc85813fe8b5f599b0bc694e17741499372cd

SHA512
4dbd8c6d3cd9e6ffb350c58f7f45b13450397aaae37b8b7e8c447c67f2c9b4a2d0a5402dd7f406841870ad58ada4f11fab8e7531213e1fc9840778e04c12b8e8

Download Submit
C:\Users\Admin\Desktop\ResetUnregister.reg

Filesize
1.5MB

MD5
87b0a9f4503dd194ca5d2fd9a15b7833

SHA1
07370a574e1295a23ea0a5566e1a5bdbfdb05ca3

SHA256
48d54d2f7a6ad5dabf5dfecf6a1fe7be95364b7ec69016e153cc57e811eb38ab

SHA512
67a26e4f2dad2951ec4afa52077cef18312e6f2669e082b6291574bf9843da63ffefc12e8a83e0949993f0ee5ba2eb7d1a7eb69873e4c53c1e815e1f55f1c222

Download Submit
C:\Users\Admin\Desktop\ResolveRepair.vdx

Filesize
798KB

MD5
c41209a62225e60ffc4ca0cbb3b76112

SHA1
6250ccd406182bf9a2a41be849681b676b9f94d4

SHA256
f3a12168cc24fe9d69a90e0c1062e724b37d1b045cf98a8024e708c06ca982ad

SHA512
5e8ee48eacd7a674c97c7fe2b674b12efa677f8f224c94414444a74140494ab40d52737e4438e9f4c833ac216cbb51a616ea85ec7f742e4e7c2088f83a2cb677

Download Submit
C:\Users\Admin\Desktop\S.tup-1ucnh3r.rar

Filesize
20.4MB

MD5
3de951d84fc054adba8ad6a9de01283c

SHA1
8b35da11fafd3fda2b48680063d0bd7fbd6203be

SHA256
545db3182e129e42cae3c7c99b0700faaef01f806113d533d8ede8fc85dea916

SHA512
f9ab4d23521afc2318e95aebe541d4877693ee88cc371790550f2d1e0fffe3cb6e358458a8f5b95434556210a56b0e630339d056e5915a4dabc3fcef5b2a7aac

Download Submit
C:\Users\Admin\Desktop\S.tup-1ucnh3r\[email protected]@ucnher.rar

Filesize
20.4MB

MD5
45652e2f5279d6b1d3c83ca884950f76

SHA1
89a1ecab177ee832b7da976a306582b55442a76e

SHA256
a729e3e166ac5767ee3cf3c5d0ddce513de51d9999867367e3f2a68fd2a849cb

SHA512
15508449ccaadf892e15e46f91a62025baf7ef61e02de85a6fa08b31def220c11707e057c561e38aa8baa586c11b684e434dbd132f3de1ceded1338fb176855f

Download Submit
C:\Users\Admin\Desktop\ShowUnblock.xps

Filesize
947KB

MD5
459665e9cbba6e9eddd5815d6834a550

SHA1
ab3d33f4764fe46056fe3e2c22eacfbe0275e904

SHA256
6cf3473d90b664333fae7bc318c7841d0816bfff8bfaf2fd8221ef45166e98bd

SHA512
415aebcb12c3bbbeacb1c8aef4b300f145ac0a46dc4cb533eea60d33b5c029dd2aaf4f2770e6e594ee89262efb55eaf92e1931e82f9a2a752be2e9bc6f20a9f3

Download Submit
C:\Users\Admin\Desktop\StartInitialize.dwg

Filesize
538KB

MD5
99e6e80b6f4e9a5070b3a0d8e4dc0a8b

SHA1
32fe2d923dc5cda651e598863598dee9c5b5ad7c

SHA256
9e055c772f72dfc0addc04b03bc9bec094f1c575742bd8a180b630ea9a86397e

SHA512
146736fd73b07f06ce1f72c91dac04dbfb1f5f69318b261ddf003a2547954f47be9132216617c1135c7aeb0c33b6ddbd210abc95d1ed2429860ea0f65ff0e2a3

Download Submit
C:\Users\Admin\Desktop\SubmitConfirm.jpg

Filesize
984KB

MD5
068c7fa445f92b58cd18db31f4c71f50

SHA1
38e8529771790e48f3f31c928bf224ddd6dde2ad

SHA256
2464a810e1b77d675378329b11444fff803d7a4b8f4e39d53307d3428e4f268c

SHA512
d128a943a8dc84db3a78bbffca1f8d55eeaa8a3ba4a3d2a0c86a178f7b328b79d38d72e990e1c60d5f5b197d7737885cf662e3d37d0ebef5984e89d7ee378c0e

Download Submit
C:\Users\Admin\Desktop\SyncGrant.exe

Filesize
390KB

MD5
e7b4ae2fb165d73e8261201ee6d0acab

SHA1
44ac305f88c555a41736ff5d609b7829f24c97b8

SHA256
df0148677990d2e993bf6d966c0a9f4c7741ac87bea65f03ef9a0cd3e6a79bac

SHA512
bc83d80fb7fe3ab0be96bdba8a629cf07cbf29f4aeb2ec94f2614c360382ba267f39cc9a98178878280199f08186bc823b4b6dabd71b9848952baf5bb8d45273

Download Submit
C:\Users\Admin\Desktop\TestSuspend.m3u

Filesize
1.1MB

MD5
e977ad9fa1833bd4426a1b24e24ed027

SHA1
3558ce5bf6fa8c9f98b03d374c06224f9e44a4fa

SHA256
8a6da9ae06463a05e71d0e50023729701472f59638c7ad205c5947b3cea70f23

SHA512
8aed0fb515fa6d1fe9c27af3c72fe2657313fa7b6355c1be71cbf078f5af86eac6b330bdfa3f63ad1169c71b3235dc811cf8bd013e0a84f069bd237c917cedd6

Download Submit
C:\Users\Admin\Desktop\UninstallPublish.docx

Filesize
19KB

MD5
e3886f6ad69892e2f3867bbb061f7f28

SHA1
5a3bacbafe1843b4a1bb5a9424d519c1a68fccb5

SHA256
be033162ea9c4616e7b88fb2136d90e7afc50e9014330617ec45c587d9f546fb

SHA512
440aa5dbb0913fd4bb518bfa7685a73cf9316ca74508ffaec9fbc0dcfd66baf0771dc1945cfc40f1907abadbd1cc8bede1232267dbcc386ac250467fe72f4c56

Download Submit
C:\Users\Admin\Desktop\UnprotectProtect.cr2

Filesize
464KB

MD5
da602e9f7bb4ba2d1df4af27c86ab8ed

SHA1
48f85836d04a3ee9afcaa8a9c34b61159b7f383a

SHA256
7c81ee1aeeaf0518a9ca9d72c89a53e1851401bf16dc434533a059a9c4afa67d

SHA512
606c99c502e62452cf1e47648f8a7a46ec9417de57ac9b37c14668141e8b2f64109eeb21bce577aa7e0b488f7a4576f92a9be6fcbe06f4cf518ee6302d940224

Download Submit
C:\Users\Admin\Downloads\INSTALL.txt

Filesize
15KB

MD5
dd63184811cb2ff705c3e466364d3773

SHA1
18197ac257fd5293ad6180a711c976b8af878cdd

SHA256
edebc46c7d07258a20170050d9595ce4e630f5d584a4eb00220bb90c8997a31b

SHA512
098a5df0ee2d96e50bb1822b0c120471cd7fc8fb88eff6a179bff37369ed6b18b1b82efa5f565388d72c673142a64b6dabe76962b616fa81309004a7e85cec0a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 129752.crdownload

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 839862.crdownload

Filesize
321KB

MD5
600e0dbaefc03f7bf50abb0def3fb465

SHA1
1b5f0ac48e06edc4ed8243be61d71077f770f2b4

SHA256
61e6a93f43049712b5f2d949fd233fa8015fe4bef01b9e1285d3d87b12f894f2

SHA512
151eebac8f8f6e72d130114f030f048dff5bce0f99ff8d3a22e8fed7616155b3e87d29acf79f488d6b53ed2c5c9b05b57f76f1f91a568c21fe9bca228efb23d9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 997525.crdownload

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Users\Admin\Downloads\snort_upgrade.html

Filesize
81KB

MD5
6e0ea29e2d14aa25528d75f753e1a20b

SHA1
c1a62799c93fa943ca61a900ad30c9f42401ebc8

SHA256
2ce2dc566cee21d769d0ef6400c259cead97abdb4eb5a059600e3659c3a3035c

SHA512
903b2b1331d045c6a7add055e3ed44e16ab01b0d1a6538903d93fedf39c3fc4ea4094438375afe0bbdc3fdfd6aae5a732af0e83272a351513b2e9af254e54069

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
090481b070a51870de9a6232e4552341

SHA1
3b26a831df310e5717d24aabbeefa9335105924b

SHA256
af42ddfa45cc63c4ae89eb833728452bcbe97c5a6fa76f1d75a160b7ecfa6e04

SHA512
9ab50126417e12fd195019b6ba75d3783141847a34712d9444cfcfbbc7e1ae1eff31871421e988342b73fe21f1404bd37ca4e53815ebb9213f931aaa78adb90d

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1000B

MD5
133d4ad33bcbd6f1db500a37e7ce2b6e

SHA1
c70d302a1372268f2e8c5d581dc4d2a2f4a6239f

SHA256
f8ae9f7cdca0d02a9038f32575fff82be43598cb311b77b5c69f60a07a33759e

SHA512
d8366c2780742b78f53d06564382aff3b480430129584da8e140b32afc90d05ff4374800a145d4e030339efe6fbc3089c672692504d6492c961eae0c5e1e62e7

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
806059e65eb17da6fc1ba3fbad795fd9

SHA1
aea69b4004e65c16d366574ea618cc7102946e10

SHA256
707844dc7b14174174ea0b9a6a99db817052b5120b8462eb665bb462333ec9f2

SHA512
f95d30631f9c88b4f19a61aa77872150bb77d8160ec38e2e3afd0b62a39cfd69a5384b807364d269a28f9205634bc9e7501685d34e8339d05834977c39638600

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
7ee66f82fe477434726f35a9b55b3d62

SHA1
55ec3a5373a25922aa789dac0ab938865071d2e4

SHA256
e9e47641c0be9a5fe87e37522a32d9a710228074a44d992cd4fd890f90d862f4

SHA512
8baf2c90da058f3d5591cdeca94fdac65de386ce6fe0a62d48319f341b25bf21132fe7d9938c8aa87e2285861991f9ee05af79259e1bd80a8afaaf74b22af483

Download Submit
memory/668-532-0x0000000075CC0000-0x0000000075D35000-memory.dmp

Filesize
468KB

Download
memory/668-531-0x0000000076C30000-0x0000000076CAA000-memory.dmp

Filesize
488KB

Download
memory/692-1273-0x000002909F170000-0x000002909FA84000-memory.dmp

Filesize
9.1MB

Download
memory/1292-586-0x000002435E700000-0x000002435E701000-memory.dmp

Filesize
4KB

Download
memory/1292-585-0x000002435E700000-0x000002435E701000-memory.dmp

Filesize
4KB

Download
memory/1292-591-0x000002435E700000-0x000002435E701000-memory.dmp

Filesize
4KB

Download
memory/1292-584-0x000002435E700000-0x000002435E701000-memory.dmp

Filesize
4KB

Download
memory/1292-596-0x000002435E700000-0x000002435E701000-memory.dmp

Filesize
4KB

Download
memory/1292-595-0x000002435E700000-0x000002435E701000-memory.dmp

Filesize
4KB

Download
memory/1292-594-0x000002435E700000-0x000002435E701000-memory.dmp

Filesize
4KB

Download
memory/1292-593-0x000002435E700000-0x000002435E701000-memory.dmp

Filesize
4KB

Download
memory/1292-592-0x000002435E700000-0x000002435E701000-memory.dmp

Filesize
4KB

Download
memory/1292-590-0x000002435E700000-0x000002435E701000-memory.dmp

Filesize
4KB

Download
memory/1340-1237-0x000000001AFF0000-0x000000001B096000-memory.dmp

Filesize
664KB

Download
memory/1340-1238-0x000000001BB80000-0x000000001BBE2000-memory.dmp

Filesize
392KB

Download
memory/1340-1236-0x000000001B5B0000-0x000000001BA7E000-memory.dmp

Filesize
4.8MB

Download
memory/1536-1240-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1592-1231-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1592-1232-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1620-535-0x0000000075CC0000-0x0000000075D35000-memory.dmp

Filesize
468KB

Download
memory/1620-534-0x0000000076C30000-0x0000000076CAA000-memory.dmp

Filesize
488KB

Download
memory/1624-1191-0x00000000005E0000-0x0000000000636000-memory.dmp

Filesize
344KB

Download
memory/1624-1198-0x0000000005630000-0x0000000005658000-memory.dmp

Filesize
160KB

Download
memory/1624-1197-0x00000000056D0000-0x000000000576C000-memory.dmp

Filesize
624KB

Download
memory/1624-1196-0x0000000004E20000-0x0000000004E28000-memory.dmp

Filesize
32KB

Download
memory/1624-1193-0x00000000052C0000-0x0000000005352000-memory.dmp

Filesize
584KB

Download
memory/1624-1192-0x0000000005790000-0x0000000005D34000-memory.dmp

Filesize
5.6MB

Download
memory/1668-626-0x00000000006F0000-0x0000000000754000-memory.dmp

Filesize
400KB

Download
memory/1668-625-0x00000000006F0000-0x0000000000754000-memory.dmp

Filesize
400KB

Download
memory/2916-37-0x0000000076C30000-0x0000000076CAA000-memory.dmp

Filesize
488KB

Download
memory/2916-38-0x0000000075CC0000-0x0000000075D35000-memory.dmp

Filesize
468KB

Download
memory/3040-560-0x0000000076C30000-0x0000000076CAA000-memory.dmp

Filesize
488KB

Download
memory/3040-561-0x0000000075CC0000-0x0000000075D35000-memory.dmp

Filesize
468KB

Download
memory/3068-34-0x0000000076C30000-0x0000000076CAA000-memory.dmp

Filesize
488KB

Download
memory/3068-35-0x0000000075CC0000-0x0000000075D35000-memory.dmp

Filesize
468KB

Download
memory/3084-513-0x0000000075CC0000-0x0000000075D35000-memory.dmp

Filesize
468KB

Download
memory/3084-512-0x0000000076C30000-0x0000000076CAA000-memory.dmp

Filesize
488KB

Download
memory/3368-340-0x0000019025EC0000-0x0000019025F70000-memory.dmp

Filesize
704KB

Download
memory/3368-375-0x0000019829750000-0x0000019829EF6000-memory.dmp

Filesize
7.6MB

Download
memory/3368-325-0x00000190260A0000-0x00000190265C8000-memory.dmp

Filesize
5.2MB

Download
memory/3368-327-0x0000019025A10000-0x0000019025A56000-memory.dmp

Filesize
280KB

Download
memory/3368-331-0x000001900BA40000-0x000001900BA58000-memory.dmp

Filesize
96KB

Download
memory/3368-322-0x0000019025AC0000-0x0000019025B64000-memory.dmp

Filesize
656KB

Download
memory/3368-361-0x0000019025E40000-0x0000019025E62000-memory.dmp

Filesize
136KB

Download
memory/3368-324-0x000001900B9A0000-0x000001900B9B4000-memory.dmp

Filesize
80KB

Download
memory/3368-318-0x000001900B580000-0x000001900B5CC000-memory.dmp

Filesize
304KB

Download
memory/3480-557-0x00007FF7503F0000-0x00007FF753541000-memory.dmp

Filesize
49.3MB

Download
memory/3480-536-0x00007FF7503F0000-0x00007FF753541000-memory.dmp

Filesize
49.3MB

Download
memory/3480-563-0x00007FF7503F0000-0x00007FF753541000-memory.dmp

Filesize
49.3MB

Download
memory/3480-583-0x00007FF7503F0000-0x00007FF753541000-memory.dmp

Filesize
49.3MB

Download
memory/3480-526-0x00007FF7503F0000-0x00007FF753541000-memory.dmp

Filesize
49.3MB

Download
memory/3640-1568-0x0000000075CC0000-0x0000000075D35000-memory.dmp

Filesize
468KB

Download
memory/3640-1567-0x0000000076C30000-0x0000000076CAA000-memory.dmp

Filesize
488KB

Download
memory/3680-1241-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3708-30-0x0000000000890000-0x00000000008D4000-memory.dmp

Filesize
272KB

Download
memory/3920-630-0x0000000075CC0000-0x0000000075D35000-memory.dmp

Filesize
468KB

Download
memory/3920-629-0x0000000076C30000-0x0000000076CAA000-memory.dmp

Filesize
488KB

Download
memory/4124-579-0x0000000076C30000-0x0000000076CAA000-memory.dmp

Filesize
488KB

Download
memory/4124-580-0x0000000075CC0000-0x0000000075D35000-memory.dmp

Filesize
468KB

Download
memory/4244-582-0x0000000000CC0000-0x0000000000D24000-memory.dmp

Filesize
400KB

Download
memory/4244-581-0x0000000000CC0000-0x0000000000D24000-memory.dmp

Filesize
400KB

Download
memory/4552-1243-0x00000226CE230000-0x00000226CE24E000-memory.dmp

Filesize
120KB

Download
memory/4840-525-0x0000000075CC0000-0x0000000075D35000-memory.dmp

Filesize
468KB

Download
memory/4840-524-0x0000000076C30000-0x0000000076CAA000-memory.dmp

Filesize
488KB

Download
memory/4880-1801-0x00007FF7503F0000-0x00007FF753541000-memory.dmp

Filesize
49.3MB

Download
memory/4880-1588-0x00007FF7503F0000-0x00007FF753541000-memory.dmp

Filesize
49.3MB

Download
memory/4948-1276-0x000001E8BE230000-0x000001E8BE231000-memory.dmp

Filesize
4KB

Download
memory/4948-1282-0x000001E8BE230000-0x000001E8BE231000-memory.dmp

Filesize
4KB

Download
memory/4948-1275-0x000001E8BE230000-0x000001E8BE231000-memory.dmp

Filesize
4KB

Download
memory/4948-1277-0x000001E8BE230000-0x000001E8BE231000-memory.dmp

Filesize
4KB

Download
memory/4948-1279-0x000001E8BE230000-0x000001E8BE231000-memory.dmp

Filesize
4KB

Download
memory/4948-1280-0x000001E8BE230000-0x000001E8BE231000-memory.dmp

Filesize
4KB

Download
memory/4948-1281-0x000001E8BE230000-0x000001E8BE231000-memory.dmp

Filesize
4KB

Download
memory/4948-1284-0x000001E8BE230000-0x000001E8BE231000-memory.dmp

Filesize
4KB

Download
memory/4948-1283-0x000001E8BE230000-0x000001E8BE231000-memory.dmp

Filesize
4KB

Download
memory/4984-575-0x00007FF7503F0000-0x00007FF753541000-memory.dmp

Filesize
49.3MB

Download
memory/4984-555-0x00007FF7503F0000-0x00007FF753541000-memory.dmp

Filesize
49.3MB

Download
memory/4984-622-0x00007FF7503F0000-0x00007FF753541000-memory.dmp

Filesize
49.3MB

Download
memory/4984-558-0x00007FF7503F0000-0x00007FF753541000-memory.dmp

Filesize
49.3MB

Download
memory/4984-627-0x00007FF7503F0000-0x00007FF753541000-memory.dmp

Filesize
49.3MB

Download