quasar | hxxp://google[.]com

Analysis

max time kernel
834s
max time network
835s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

10^/10

quasar fixtool72 defense_evasion discovery evasion execution persistence phishing privilege_escalation spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

fixtool72

138.199.29.44:4782

Mutex

f13b4b61-ee9a-4324-aaa6-b2cda2ebc0d4

Attributes

encryption_key
34C77F56C844F60EFCA646B4DEE463035B43EEC4
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
RtkAudUService64.exe
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0007000000023dcd-1593.dat	family_quasar
behavioral1/memory/5364-1596-0x0000000000A70000-0x0000000000D94000-memory.dmp	family_quasar

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow	pid	Process
1005	2608	powershell.exe
1007	2608	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
2608	powershell.exe
2608	powershell.exe

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

Processes:

MicrosoftEdgeUpdate.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

A potential corporate email address has been identified in the URL: httpswww.youtube.com@Omnidevcbrd1
phishing
A potential corporate email address has been identified in the URL: httpswww.youtube.com@WeAreDevsExploitscbrd1
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

clinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.exeMicrosoftEdgeUpdate.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.exesetup.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	clinbuildhosted.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 64 IoCs

Processes:

clinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.exe

pid	Process
5364	clinbuildhosted.exe
5868	clinbuildhosted.exe
6068	clinbuildhosted.exe
840	clinbuildhosted.exe
5356	clinbuildhosted.exe
5624	clinbuildhosted.exe
920	clinbuildhosted.exe
6004	clinbuildhosted.exe
5132	clinbuildhosted.exe
4696	clinbuildhosted.exe
5620	clinbuildhosted.exe
5324	clinbuildhosted.exe
5484	clinbuildhosted.exe
4932	clinbuildhosted.exe
840	clinbuildhosted.exe
1644	clinbuildhosted.exe
1980	clinbuildhosted.exe
5992	clinbuildhosted.exe
3212	clinbuildhosted.exe
4276	clinbuildhosted.exe
5608	clinbuildhosted.exe
1908	clinbuildhosted.exe
4672	clinbuildhosted.exe
5320	clinbuildhosted.exe
2396	clinbuildhosted.exe
5836	clinbuildhosted.exe
5904	clinbuildhosted.exe
1592	clinbuildhosted.exe
5584	clinbuildhosted.exe
5232	clinbuildhosted.exe
3592	clinbuildhosted.exe
6056	clinbuildhosted.exe
5548	clinbuildhosted.exe
5320	clinbuildhosted.exe
5668	clinbuildhosted.exe
4308	clinbuildhosted.exe
2900	clinbuildhosted.exe
5624	clinbuildhosted.exe
5724	clinbuildhosted.exe
5660	clinbuildhosted.exe
5144	clinbuildhosted.exe
3440	clinbuildhosted.exe
4544	clinbuildhosted.exe
5148	clinbuildhosted.exe
6008	clinbuildhosted.exe
4224	clinbuildhosted.exe
5288	clinbuildhosted.exe
4776	clinbuildhosted.exe
2672	clinbuildhosted.exe
6016	clinbuildhosted.exe
6064	clinbuildhosted.exe
3768	clinbuildhosted.exe
2396	clinbuildhosted.exe
5828	clinbuildhosted.exe
5624	clinbuildhosted.exe
1324	clinbuildhosted.exe
1436	clinbuildhosted.exe
5792	clinbuildhosted.exe
6100	clinbuildhosted.exe
2336	clinbuildhosted.exe
2236	clinbuildhosted.exe
5548	clinbuildhosted.exe
5464	clinbuildhosted.exe
1440	clinbuildhosted.exe

Loads dropped DLL 45 IoCs

Processes:

MsiExec.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeJJSploit.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exe

pid	Process
1528	MsiExec.exe
2260	MicrosoftEdgeUpdate.exe
5084	MicrosoftEdgeUpdate.exe
4728	MicrosoftEdgeUpdate.exe
5096	MicrosoftEdgeUpdateComRegisterShell64.exe
4728	MicrosoftEdgeUpdate.exe
1136	MicrosoftEdgeUpdateComRegisterShell64.exe
4728	MicrosoftEdgeUpdate.exe
4260	MicrosoftEdgeUpdateComRegisterShell64.exe
4728	MicrosoftEdgeUpdate.exe
3464	MicrosoftEdgeUpdate.exe
3664	MicrosoftEdgeUpdate.exe
1436	MicrosoftEdgeUpdate.exe
1436	MicrosoftEdgeUpdate.exe
3664	MicrosoftEdgeUpdate.exe
5496	MicrosoftEdgeUpdate.exe
5628	MicrosoftEdgeUpdate.exe
1528	MsiExec.exe
5716	JJSploit.exe
4524	msedgewebview2.exe
5856	msedgewebview2.exe
4524	msedgewebview2.exe
4524	msedgewebview2.exe
4524	msedgewebview2.exe
884	msedgewebview2.exe
884	msedgewebview2.exe
3620	msedgewebview2.exe
5628	msedgewebview2.exe
5628	msedgewebview2.exe
3620	msedgewebview2.exe
884	msedgewebview2.exe
884	msedgewebview2.exe
884	msedgewebview2.exe
884	msedgewebview2.exe
2572	msedgewebview2.exe
2572	msedgewebview2.exe
2572	msedgewebview2.exe
4524	msedgewebview2.exe
5732	msedgewebview2.exe
5732	msedgewebview2.exe
2280	msedgewebview2.exe
2280	msedgewebview2.exe
7128	msedgewebview2.exe
7128	msedgewebview2.exe
7128	msedgewebview2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

JJSploit.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JJSploit.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

Processes:

flow	ioc
964	raw.githubusercontent.com
965	raw.githubusercontent.com
1215	raw.githubusercontent.com
1216	raw.githubusercontent.com
1220	raw.githubusercontent.com
963	raw.githubusercontent.com
1222	raw.githubusercontent.com
1224	raw.githubusercontent.com
1226	raw.githubusercontent.com
962	raw.githubusercontent.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Checks system information in the registry 2 TTPs 12 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exemsedgewebview2.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exeMicrosoftEdgeWebview2Setup.exesetup.exemsedgewebview2.exesetup.exe

description	ioc	Process
File created	C:\Program Files\JJSploit\resources\luascripts\jailbreak\removewalls.lua	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE40B.tmp\msedgeupdateres_pt-BR.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source3944_273924523\MSEDGE.7z	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\BHO\ie_to_edge_bho.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\eventlog_provider.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.80\Locales\tt.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.80\Locales\uk.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE40B.tmp\MicrosoftEdgeComRegisterShellARM64.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE40B.tmp\msedgeupdateres_en.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\identity_proxy\win10\identity_helper.Sparse.Canary.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\Locales\sk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\Locales\ta.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.80\Locales\ml.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\Locales\lt.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\msedge.dll.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\prefs_enclave_x64.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\Trust Protection Lists\Sigma\Analytics	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.80\VisualElements\SmallLogoDev.png	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\130.0.2849.80.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\Locales\hr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\identity_proxy\win10\identity_helper.Sparse.Canary.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.80\Locales\fr.pak	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4524_870457017\hyph-eu.hyb	msedgewebview2.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\identity_proxy\dev.identity_helper.exe.manifest	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\Trust Protection Lists\Sigma\Entities	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\Trust Protection Lists\Mu\Social	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\Locales\hi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\Locales\ja.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.80\identity_proxy\win10\identity_helper.Sparse.Dev.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE40B.tmp\EdgeUpdate.dat	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE40B.tmp\msedgeupdateres_gd.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\Locales\mt.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\msedge.exe.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\Locales\pt-BR.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.80\Locales\az.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.80\Locales\da.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE40B.tmp\psuser.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\MEIPreload\preloaded_data.pb	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\Locales\fil.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.80\Trust Protection Lists\Sigma\Staging	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.80\Locales\af.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.80\Locales\vi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.80\identity_proxy\win10\identity_helper.Sparse.Canary.msix	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4524_870457017\hyph-te.hyb	msedgewebview2.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\Trust Protection Lists\Mu\Advertising	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\Locales\vi.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE40B.tmp\NOTICE.TXT	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\Locales\ar.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\msedge.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\Trust Protection Lists\manifest.json	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4524_870457017\hyph-en-us.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4524_870457017\hyph-ru.hyb	msedgewebview2.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE40B.tmp\msedgeupdateres_gu.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files\MsEdgeCrashpad\throttle_store.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\msedge_100_percent.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\Trust Protection Lists\Sigma\Staging	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\v8_context_snapshot.bin	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\microsoft_shell_integration.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\VisualElements\SmallLogoDev.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\Trust Protection Lists\Sigma\Content	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\Locales\lo.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\Locales\sr-Latn-RS.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.80\Trust Protection Lists\Mu\Advertising	setup.exe

Drops file in Windows directory 10 IoCs

Processes:

msiexec.exe

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{FFBDBA95-DF8A-4611-9643-F1D13013482B}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC24A.tmp	msiexec.exe
File created	C:\Windows\Installer\{FFBDBA95-DF8A-4611-9643-F1D13013482B}\ProductIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\{FFBDBA95-DF8A-4611-9643-F1D13013482B}\ProductIcon	msiexec.exe
File created	C:\Windows\Installer\e60c131.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e60c131.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e60c133.msi	msiexec.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

Processes:

firefox.exe

description	ioc	Process
File created	C:\Users\Admin\Downloads\clinbuildhosted.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMsiExec.exeMicrosoftEdgeWebview2Setup.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeWebview2Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exePING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
4600	PING.EXE
5368	PING.EXE
1028	PING.EXE
5264	PING.EXE
5356	PING.EXE
1932	PING.EXE
1544	PING.EXE
6052	PING.EXE
6260	PING.EXE
5212	PING.EXE
6116	PING.EXE
3572	PING.EXE
4804	PING.EXE
3888	PING.EXE
3440	PING.EXE
5656	PING.EXE
7008	PING.EXE
3108	PING.EXE
2892	PING.EXE
5132	PING.EXE
5292	PING.EXE
840	PING.EXE
1852	PING.EXE
5856	PING.EXE
3912	PING.EXE
3528	PING.EXE
2320	PING.EXE
7088	PING.EXE
5676	PING.EXE
5472	PING.EXE
5804	PING.EXE
1216	PING.EXE
4612	PING.EXE
808	PING.EXE
2036	PING.EXE
6052	PING.EXE
5752	PING.EXE
4028	PING.EXE
5408	PING.EXE
6124	PING.EXE
4084	PING.EXE
1500	PING.EXE
6352	PING.EXE
5524	PING.EXE
6132	PING.EXE
5672	PING.EXE
2520	PING.EXE
5952	PING.EXE
4672	PING.EXE
2772	PING.EXE
3888	PING.EXE
2004	PING.EXE
5496	PING.EXE
5372	PING.EXE
5792	PING.EXE
3464	MicrosoftEdgeUpdate.exe
5496	MicrosoftEdgeUpdate.exe
1676	PING.EXE
2672	PING.EXE
5316	PING.EXE
4160	PING.EXE
5984	PING.EXE
3300	PING.EXE
4308	PING.EXE

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e6cf55ff94a5976e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e6cf55ff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e6cf55ff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de6cf55ff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e6cf55ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exefirefox.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedgewebview2.exemsedge.exemsedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

MicrosoftEdgeUpdate.exemsiexec.exemsedgewebview2.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133758121584921979"	msedgewebview2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedgewebview2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exemsiexec.exeMicrosoftEdgeUpdate.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ = "ICoCreateAsyncStatus"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ = "IPolicyStatus"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{35725228-BF11-429E-B5B8-ED0F2BCABF82}\InProcServer32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ = "IPackage"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ProxyStubClsid32\ = "{35725228-BF11-429E-B5B8-ED0F2BCABF82}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\NumMethods	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32\ = "{35725228-BF11-429E-B5B8-ED0F2BCABF82}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ProxyStubClsid32\ = "{35725228-BF11-429E-B5B8-ED0F2BCABF82}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreMachineClass\CurVer\ = "MicrosoftEdgeUpdate.CoreMachineClass.1"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\ = "IPolicyStatus5"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ProxyStubClsid32\ = "{35725228-BF11-429E-B5B8-ED0F2BCABF82}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ProxyStubClsid32\ = "{35725228-BF11-429E-B5B8-ED0F2BCABF82}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.31\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ = "IAppCommand2"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32\ = "{35725228-BF11-429E-B5B8-ED0F2BCABF82}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ = "ICurrentState"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachineFallback.1.0\ = "Microsoft Edge Update Update3Web"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ = "ICurrentState"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60355531-5BFD-45AB-942C-7912628752C7}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C76C02A1-BCDF-4632-88E6-55698920001E}\InprocHandler32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.ProcessLauncher\ = "Microsoft Edge Update Process Launcher Class"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\INPROCSERVER32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\59ABDBFFA8FD116469341F1D033184B2	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59ABDBFFA8FD116469341F1D033184B2\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\NumMethods\ = "26"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{35725228-BF11-429E-B5B8-ED0F2BCABF82}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods\ = "12"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachine\CLSID\ = "{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods\ = "6"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods\ = "11"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\NumMethods\ = "13"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.31\\MicrosoftEdgeUpdateOnDemand.exe\""	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{35725228-BF11-429E-B5B8-ED0F2BCABF82}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.31\\MicrosoftEdgeUpdateBroker.exe\""	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\NumMethods\ = "41"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ProxyStubClsid32\ = "{35725228-BF11-429E-B5B8-ED0F2BCABF82}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ProxyStubClsid32\ = "{35725228-BF11-429E-B5B8-ED0F2BCABF82}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ = "IApp"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ = "IRegistrationUpdateHook"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\ = "IPolicyStatus5"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\Elevation	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ = "IPolicyStatus3"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ProxyStubClsid32\ = "{35725228-BF11-429E-B5B8-ED0F2BCABF82}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\ = "Microsoft Edge Update Legacy On Demand"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe

NTFS ADS 3 IoCs

Processes:

firefox.exe

description	ioc	Process
File created	C:\Users\Admin\Downloads\clinbuildhosted.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\clinbuildhosted.7z:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\JJSploit_8.10.10_x64_en-US.msi:Zone.Identifier	firefox.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
1088	PING.EXE
4612	PING.EXE
3888	PING.EXE
3912	PING.EXE
5828	PING.EXE
5916	PING.EXE
5936	PING.EXE
5952	PING.EXE
5292	PING.EXE
1932	PING.EXE
5036	PING.EXE
5680	PING.EXE
7036	PING.EXE
4076	PING.EXE
1500	PING.EXE
1784	PING.EXE
4028	PING.EXE
5524	PING.EXE
5972	PING.EXE
5500	PING.EXE
7032	PING.EXE
7552	PING.EXE
5676	PING.EXE
2996	PING.EXE
5264	PING.EXE
1044	PING.EXE
6104	PING.EXE
5316	PING.EXE
5212	PING.EXE
4352	PING.EXE
4696	PING.EXE
3988	PING.EXE
6064	PING.EXE
3572	PING.EXE
7200	PING.EXE
5916	PING.EXE
1544	PING.EXE
4600	PING.EXE
5752	PING.EXE
5472	PING.EXE
5844	PING.EXE
5356	PING.EXE
4160	PING.EXE
3168	PING.EXE
7472	PING.EXE
7008	PING.EXE
7116	PING.EXE
6260	PING.EXE
404	PING.EXE
6072	PING.EXE
2892	PING.EXE
1216	PING.EXE
2792	PING.EXE
7584	PING.EXE
1028	PING.EXE
3148	PING.EXE
5736	PING.EXE
2520	PING.EXE
3636	PING.EXE
4804	PING.EXE
3608	PING.EXE
5524	PING.EXE
6636	PING.EXE
5532	PING.EXE

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

msiexec.exepowershell.exeMicrosoftEdgeUpdate.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeidentity_helper.exemsedgewebview2.exe

pid	Process
1012	msiexec.exe
1012	msiexec.exe
2608	powershell.exe
2608	powershell.exe
2608	powershell.exe
2260	MicrosoftEdgeUpdate.exe
2260	MicrosoftEdgeUpdate.exe
2260	MicrosoftEdgeUpdate.exe
2260	MicrosoftEdgeUpdate.exe
2260	MicrosoftEdgeUpdate.exe
2260	MicrosoftEdgeUpdate.exe
6340	msedge.exe
6340	msedge.exe
6332	msedge.exe
6332	msedge.exe
6060	msedge.exe
6060	msedge.exe
6368	identity_helper.exe
6368	identity_helper.exe
1272	msedge.exe
1272	msedge.exe
6492	msedge.exe
6492	msedge.exe
3192	identity_helper.exe
3192	identity_helper.exe
7128	msedgewebview2.exe
7128	msedgewebview2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

Processes:

msedgewebview2.exemsedge.exemsedge.exe

pid	Process
4524	msedgewebview2.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6492	msedge.exe
6492	msedge.exe
6492	msedge.exe
6492	msedge.exe
6492	msedge.exe
6492	msedge.exe
6492	msedge.exe
6492	msedge.exe
6492	msedge.exe
6492	msedge.exe
6492	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exe7zG.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.exe

description	pid	Process
Token: SeDebugPrivilege	3156	firefox.exe
Token: SeDebugPrivilege	3156	firefox.exe
Token: SeDebugPrivilege	3156	firefox.exe
Token: SeDebugPrivilege	3156	firefox.exe
Token: SeDebugPrivilege	3156	firefox.exe
Token: SeDebugPrivilege	3156	firefox.exe
Token: SeDebugPrivilege	3156	firefox.exe
Token: SeDebugPrivilege	3156	firefox.exe
Token: SeRestorePrivilege	5252	7zG.exe
Token: 35	5252	7zG.exe
Token: SeSecurityPrivilege	5252	7zG.exe
Token: SeSecurityPrivilege	5252	7zG.exe
Token: SeDebugPrivilege	5364	clinbuildhosted.exe
Token: SeDebugPrivilege	5868	clinbuildhosted.exe
Token: SeDebugPrivilege	6068	clinbuildhosted.exe
Token: SeDebugPrivilege	840	clinbuildhosted.exe
Token: SeDebugPrivilege	5356	clinbuildhosted.exe
Token: SeDebugPrivilege	5624	clinbuildhosted.exe
Token: SeDebugPrivilege	920	clinbuildhosted.exe
Token: SeDebugPrivilege	6004	clinbuildhosted.exe
Token: SeDebugPrivilege	5132	clinbuildhosted.exe
Token: SeDebugPrivilege	4696	clinbuildhosted.exe
Token: SeDebugPrivilege	5620	clinbuildhosted.exe
Token: SeDebugPrivilege	5324	clinbuildhosted.exe
Token: SeDebugPrivilege	5484	clinbuildhosted.exe
Token: SeDebugPrivilege	4932	clinbuildhosted.exe
Token: SeDebugPrivilege	840	clinbuildhosted.exe
Token: SeDebugPrivilege	1644	clinbuildhosted.exe
Token: SeDebugPrivilege	1980	clinbuildhosted.exe
Token: SeDebugPrivilege	5992	clinbuildhosted.exe
Token: SeDebugPrivilege	3212	clinbuildhosted.exe
Token: SeDebugPrivilege	4276	clinbuildhosted.exe
Token: SeDebugPrivilege	5608	clinbuildhosted.exe
Token: SeDebugPrivilege	1908	clinbuildhosted.exe
Token: SeDebugPrivilege	4672	clinbuildhosted.exe
Token: SeDebugPrivilege	5320	clinbuildhosted.exe
Token: SeDebugPrivilege	2396	clinbuildhosted.exe
Token: SeDebugPrivilege	5836	clinbuildhosted.exe
Token: SeDebugPrivilege	5904	clinbuildhosted.exe
Token: SeDebugPrivilege	1592	clinbuildhosted.exe
Token: SeDebugPrivilege	5584	clinbuildhosted.exe
Token: SeDebugPrivilege	5232	clinbuildhosted.exe
Token: SeDebugPrivilege	3592	clinbuildhosted.exe
Token: SeDebugPrivilege	3156	firefox.exe
Token: SeDebugPrivilege	6056	clinbuildhosted.exe
Token: SeDebugPrivilege	5548	clinbuildhosted.exe
Token: SeDebugPrivilege	5320	clinbuildhosted.exe
Token: SeDebugPrivilege	5668	clinbuildhosted.exe
Token: SeDebugPrivilege	4308	clinbuildhosted.exe
Token: SeDebugPrivilege	2900	clinbuildhosted.exe
Token: SeDebugPrivilege	5624	clinbuildhosted.exe
Token: SeDebugPrivilege	5724	clinbuildhosted.exe
Token: SeDebugPrivilege	5660	clinbuildhosted.exe
Token: SeDebugPrivilege	5144	clinbuildhosted.exe
Token: SeDebugPrivilege	3440	clinbuildhosted.exe
Token: SeDebugPrivilege	4544	clinbuildhosted.exe
Token: SeDebugPrivilege	5148	clinbuildhosted.exe
Token: SeDebugPrivilege	6008	clinbuildhosted.exe
Token: SeDebugPrivilege	4224	clinbuildhosted.exe
Token: SeDebugPrivilege	5288	clinbuildhosted.exe
Token: SeDebugPrivilege	4776	clinbuildhosted.exe
Token: SeDebugPrivilege	2672	clinbuildhosted.exe
Token: SeDebugPrivilege	6016	clinbuildhosted.exe
Token: SeDebugPrivilege	6064	clinbuildhosted.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

firefox.exe7zG.exemsiexec.exeJJSploit.exemsedge.exe

pid	Process
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
5252	7zG.exe
4848	msiexec.exe
4848	msiexec.exe
5716	JJSploit.exe
4848	msiexec.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

firefox.exemsedge.exemsedge.exe

pid	Process
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6060	msedge.exe
6492	msedge.exe
6492	msedge.exe
6492	msedge.exe
6492	msedge.exe
6492	msedge.exe
6492	msedge.exe
6492	msedge.exe
6492	msedge.exe

Suspicious use of SetWindowsHookEx 25 IoCs

Processes:

firefox.execlinbuildhosted.execlinbuildhosted.execlinbuildhosted.exe

pid	Process
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
1772	clinbuildhosted.exe
4208	clinbuildhosted.exe
7072	clinbuildhosted.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	Process	procid_target
PID 4152 wrote to memory of 3156	4152	firefox.exe	84
PID 4152 wrote to memory of 3156	4152	firefox.exe	84
PID 4152 wrote to memory of 3156	4152	firefox.exe	84
PID 4152 wrote to memory of 3156	4152	firefox.exe	84
PID 4152 wrote to memory of 3156	4152	firefox.exe	84
PID 4152 wrote to memory of 3156	4152	firefox.exe	84
PID 4152 wrote to memory of 3156	4152	firefox.exe	84
PID 4152 wrote to memory of 3156	4152	firefox.exe	84
PID 4152 wrote to memory of 3156	4152	firefox.exe	84
PID 4152 wrote to memory of 3156	4152	firefox.exe	84
PID 4152 wrote to memory of 3156	4152	firefox.exe	84
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1416	3156	firefox.exe	85
PID 3156 wrote to memory of 1860	3156	firefox.exe	86
PID 3156 wrote to memory of 1860	3156	firefox.exe	86
PID 3156 wrote to memory of 1860	3156	firefox.exe	86
PID 3156 wrote to memory of 1860	3156	firefox.exe	86
PID 3156 wrote to memory of 1860	3156	firefox.exe	86
PID 3156 wrote to memory of 1860	3156	firefox.exe	86
PID 3156 wrote to memory of 1860	3156	firefox.exe	86
PID 3156 wrote to memory of 1860	3156	firefox.exe	86

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

msedgewebview2.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	msedgewebview2.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://google.com"
1⤵
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://google.com
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2024 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {74adf85a-5758-4f48-a192-bcd53920dd47} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" gpu
    3⤵
    PID:1416
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2532 -parentBuildID 20240401114208 -prefsHandle 2508 -prefMapHandle 2504 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80ea10d2-cbe2-4130-aa1c-6b1bb7bfa39e} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" socket
    3⤵
    - Checks processor information in registry
    PID:1860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3112 -childID 1 -isForBrowser -prefsHandle 3208 -prefMapHandle 3052 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec1dfee1-ee9a-4e79-a477-b3909fcd3a98} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2772 -childID 2 -isForBrowser -prefsHandle 3652 -prefMapHandle 3648 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff003655-319b-4879-8f3d-7e9983835662} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:5020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4740 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4732 -prefMapHandle 4728 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ee46469-2b20-47f4-b8db-1ffc21b84823} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" utility
    3⤵
    - Checks processor information in registry
    PID:1068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5280 -childID 3 -isForBrowser -prefsHandle 5152 -prefMapHandle 5220 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fc9b0de-4ba0-430e-a965-ccd7e42926ab} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:1620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5408 -childID 4 -isForBrowser -prefsHandle 5416 -prefMapHandle 5420 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {826e8211-e9a5-466e-90c5-c1c5e8bcbf74} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:1104
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5604 -childID 5 -isForBrowser -prefsHandle 5684 -prefMapHandle 5680 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54c23fdb-ce69-4f93-b739-6218dcfbb8b6} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:2228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2836 -childID 6 -isForBrowser -prefsHandle 1464 -prefMapHandle 2916 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ab51e97-dbb3-404c-99b6-fc14e775f633} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6200 -childID 7 -isForBrowser -prefsHandle 6212 -prefMapHandle 6196 -prefsLen 29278 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0109545b-8eac-4709-9ec5-91ec9bd632f6} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:1832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4028 -childID 8 -isForBrowser -prefsHandle 3916 -prefMapHandle 3912 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1fa7d65b-6c7d-4746-82d9-7ec8fcc30476} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:2572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6708 -parentBuildID 20240401114208 -prefsHandle 6716 -prefMapHandle 6724 -prefsLen 30532 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef254e0a-9a15-4eb5-83ea-106fcf57d578} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" rdd
    3⤵
    PID:3972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6832 -childID 9 -isForBrowser -prefsHandle 6824 -prefMapHandle 6720 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4dc0d02-3727-4ef7-9eff-6f9febf24eae} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3936 -childID 10 -isForBrowser -prefsHandle 3560 -prefMapHandle 2848 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0beefcc4-090b-47f9-a449-16d378895cac} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:1984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6024 -childID 11 -isForBrowser -prefsHandle 3616 -prefMapHandle 3896 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec3cb990-bb9f-4ff8-acad-0bbd38d152c6} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:2684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6288 -childID 12 -isForBrowser -prefsHandle 6424 -prefMapHandle 6412 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {434d6b7f-3470-49b3-aefe-7ce40206485d} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:4876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2344 -childID 13 -isForBrowser -prefsHandle 5744 -prefMapHandle 5680 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {825a6b23-39eb-4d73-bfec-b755ba0f440a} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:2792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7372 -childID 14 -isForBrowser -prefsHandle 7384 -prefMapHandle 5744 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a778df22-8502-4f42-b3c9-929d1671cee0} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:3276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5568 -childID 15 -isForBrowser -prefsHandle 5676 -prefMapHandle 7416 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2425b1ca-34bc-48dc-9c26-015033cbfe79} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:3148
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7556 -childID 16 -isForBrowser -prefsHandle 5308 -prefMapHandle 3964 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2edc57c5-e43c-40c0-9087-d7a7076bd612} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:5024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5780 -childID 17 -isForBrowser -prefsHandle 5696 -prefMapHandle 7364 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8777c76a-b8af-4dac-83f1-5f1c118bee4c} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:5012
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8168 -childID 18 -isForBrowser -prefsHandle 8220 -prefMapHandle 8216 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1ac2e8c-aeb8-4ba0-a0fa-2abdfa266134} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:1532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7972 -childID 19 -isForBrowser -prefsHandle 8320 -prefMapHandle 8324 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9d231f6-f404-470b-aa81-9099df9ac94c} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:1528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7680 -childID 20 -isForBrowser -prefsHandle 8616 -prefMapHandle 7672 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {437e5a1b-9f26-48aa-8dae-91f8ba7ddd90} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:1668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8852 -childID 21 -isForBrowser -prefsHandle 8820 -prefMapHandle 8596 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04369010-fddb-4810-a7b9-fb770c6672c7} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:2832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8484 -childID 22 -isForBrowser -prefsHandle 8384 -prefMapHandle 9044 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3377184f-4072-4797-984f-542bda49bec4} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:3468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8820 -childID 23 -isForBrowser -prefsHandle 9020 -prefMapHandle 9024 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2ff3c3a-4b19-4cd4-85fd-7a7b8c0c4fd4} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:3948
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8852 -childID 24 -isForBrowser -prefsHandle 8648 -prefMapHandle 8736 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {642f84a2-312a-4a5b-812a-388742327074} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:3216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7488 -childID 25 -isForBrowser -prefsHandle 8896 -prefMapHandle 8908 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59e5c4a8-4c64-45a9-a3cb-da84f6709691} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:1816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9400 -childID 26 -isForBrowser -prefsHandle 9320 -prefMapHandle 9324 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bbdc5080-39e2-41c7-b7eb-840a59e17489} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:2832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9604 -childID 27 -isForBrowser -prefsHandle 9524 -prefMapHandle 9532 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db439551-e6b6-4ee8-9d8e-31b9c5956928} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:3652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3640 -childID 28 -isForBrowser -prefsHandle 8660 -prefMapHandle 8748 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ade0cddb-2e12-4276-8c1a-0fb0ad68c34f} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:5640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7736 -childID 29 -isForBrowser -prefsHandle 7748 -prefMapHandle 8628 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19a08e30-40b2-473f-90fd-2caccba67e18} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8312 -childID 30 -isForBrowser -prefsHandle 7776 -prefMapHandle 7788 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d39b4495-a89a-4858-8d7c-c0fd7a0e5dba} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:2852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3888 -childID 31 -isForBrowser -prefsHandle 8256 -prefMapHandle 8260 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea0557ce-0615-4479-aa84-ed8ab0a4a693} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9404 -childID 32 -isForBrowser -prefsHandle 9444 -prefMapHandle 8640 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21a0696d-846e-4945-a0a3-4a5370abc285} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:2364
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8856 -childID 33 -isForBrowser -prefsHandle 8356 -prefMapHandle 5628 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8ae6ac1-c3c5-4c44-81b1-399685f31a0e} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:1936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6588 -childID 34 -isForBrowser -prefsHandle 8312 -prefMapHandle 8020 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b898d0a3-8c97-4043-b50e-d0eb30fe5cea} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:3588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9712 -childID 35 -isForBrowser -prefsHandle 7336 -prefMapHandle 2784 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d9ed83b-ba1c-41cb-92da-a05eee6ef461} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:5028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8236 -childID 36 -isForBrowser -prefsHandle 9416 -prefMapHandle 6576 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b47f431-a424-4541-8313-a9dc221557b5} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:840
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8480 -childID 37 -isForBrowser -prefsHandle 3880 -prefMapHandle 3440 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc766125-f2ce-43d9-8b0a-052919bfd00a} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:5740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6440 -childID 38 -isForBrowser -prefsHandle 9432 -prefMapHandle 6340 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0147c6e7-ecd2-4f90-8b05-729737f6378d} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:2348
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7760 -childID 39 -isForBrowser -prefsHandle 3908 -prefMapHandle 8020 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fc0c77c-1d7f-40de-b7ba-d4a3596c3a72} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:4816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7744 -childID 40 -isForBrowser -prefsHandle 8160 -prefMapHandle 9320 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f43b5d1e-1c47-4d48-bc60-2a105d3a6d07} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:6104
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8684 -childID 41 -isForBrowser -prefsHandle 2316 -prefMapHandle 6372 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdddad4a-e29a-43f4-8813-36891f00f71c} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:2584
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7976 -childID 42 -isForBrowser -prefsHandle 3308 -prefMapHandle 7320 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7fa5435-2d93-47ac-84d2-fb1c2b64c0e9} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:2824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7332 -childID 43 -isForBrowser -prefsHandle 7528 -prefMapHandle 7304 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a694466-6725-41dd-bd92-600930a01f32} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
    3⤵
    PID:5148

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5144

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\clinbuildhosted\" -ad -an -ai#7zMap24574:90:7zEvent7618
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5252

C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
"C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fzskw5ENxFXe.bat" "
  2⤵
  PID:5644
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:5708
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:5736
- - C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
    "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IZOodTBxX6w8.bat" "
      4⤵
      PID:5956
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:6028
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        
        PID:6040
    - - C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:6068
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xmaNq6l65NHF.bat" "
        6⤵
        
        PID:2008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5204
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        
        PID:1800
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4jF61t3xebKZ.bat" "
        8⤵
        
        PID:2924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:5304
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5316
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\guXB91VgAxch.bat" "
        10⤵
        
        PID:3768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:5932
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        
        PID:6036
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uLVjeosWyMHt.bat" "
        12⤵
        
        PID:5264
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:5504
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        
        PID:5468
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lvBkUkb7Xw4q.bat" "
        14⤵
        
        PID:3592
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:5884
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        Runs ping.exe
        
        PID:5916
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSQcEERrldIP.bat" "
        16⤵
        
        PID:5980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:5396
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        
        PID:4308
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ODlWfEu4eE19.bat" "
        18⤵
        
        PID:5124
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:6064
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:5936
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cKtiQHn1ZDfV.bat" "
        20⤵
        
        PID:1152
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2008
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        Runs ping.exe
        
        PID:3988
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwRUzFFB8uwp.bat" "
        22⤵
        
        PID:5996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1476
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        
        PID:5924
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hZLfiA16U7Gp.bat" "
        24⤵
        
        PID:2236
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:3948
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2892
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JRSjMqd5ty8d.bat" "
        26⤵
        
        PID:5820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:5752
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6124
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TUt9D6TasnNF.bat" "
        28⤵
        
        PID:5244
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:4384
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        
        PID:5280
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lvvEtqeepttZ.bat" "
        30⤵
        
        PID:1176
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:5168
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        Runs ping.exe
        
        PID:5844
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:6064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lFL9oGMsUQEp.bat" "
        32⤵
        
        PID:5532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:5508
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        
        PID:4092
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SboEsjo3VXK0.bat" "
        34⤵
        
        PID:5280
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:2956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        35⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4160
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        35⤵
        Executes dropped EXE
        
        PID:6100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xlhiMaLTXVyl.bat" "
        36⤵
        
        PID:4884
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:2100
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        37⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4084
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ExRfIwYJFhYO.bat" "
        38⤵
        
        PID:2168
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:6140
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        39⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5372
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        39⤵
        
        PID:404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgWgBBVy3nZC.bat" "
        40⤵
        
        PID:5272
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:4400
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        41⤵
        Runs ping.exe
        
        PID:3636
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        41⤵
        Checks computer location settings
        
        PID:3416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0pZtYYAKDP5B.bat" "
        42⤵
        
        PID:1980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        43⤵
        
        PID:3944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        43⤵
        
        PID:5616
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        43⤵
        Checks computer location settings
        
        PID:4344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lFh2vGWM693M.bat" "
        44⤵
        
        PID:1136
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        45⤵
        
        PID:4672
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        45⤵
        
        PID:2276
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        45⤵
        Checks computer location settings
        
        PID:5400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\I3stRBde0AiN.bat" "
        46⤵
        
        PID:4372
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        47⤵
        
        PID:5496
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        47⤵
        
        PID:5412
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        47⤵
        Checks computer location settings
        
        PID:4524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FeklSRmqxY8j.bat" "
        48⤵
        
        PID:4772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        49⤵
        
        PID:5500
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        49⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4308
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        49⤵
        Checks computer location settings
        
        PID:388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bSU1TSmZ9m7T.bat" "
        50⤵
        
        PID:5096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:1136
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        51⤵
        
        PID:4028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        51⤵
        
        PID:5092
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        51⤵
        Checks computer location settings
        
        PID:2276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B4soPqDH6Zbl.bat" "
        52⤵
        
        PID:2892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        53⤵
        
        PID:6096
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        53⤵
        
        PID:5600
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        53⤵
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:4208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8DY2HYdawwD1.bat" "
        54⤵
        
        PID:5308
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        55⤵
        
        PID:400
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        55⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5656
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        55⤵
        
        PID:4308

C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
"C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s3a94F5Vrnbv.bat" "
  2⤵
  PID:5588
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:5596
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    PID:5712
- - C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
    "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:6004
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EkvCHGbJpiYa.bat" "
      4⤵
      PID:5972
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:6104
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6132
    - - C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5324
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mhnlPojMuvqr.bat" "
        6⤵
        
        PID:5756
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5892
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5676
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wNAcwWGNt4xq.bat" "
        8⤵
        
        PID:4544
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2236
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5672
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NewBuZ2cYiya.bat" "
        10⤵
        
        PID:2456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:5620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        Runs ping.exe
        
        PID:2996
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUiTo2Yy2o3G.bat" "
        12⤵
        
        PID:6100
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:5340
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4028
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYpwzSb42cs7.bat" "
        14⤵
        
        PID:5900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:3796
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5408
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ny44StEqdtsq.bat" "
        16⤵
        
        PID:6108
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:3960
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3440
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O6qJYmYnGjJY.bat" "
        18⤵
        
        PID:3820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:3680
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:5524
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OY8UEsPl25v7.bat" "
        20⤵
        
        PID:5580
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:5248
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5952
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:6008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEN0gS7Z4RCt.bat" "
        22⤵
        
        PID:5596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:5972
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        
        PID:4612
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\enZLv0S69YtM.bat" "
        24⤵
        
        PID:5212
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:5964
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1852
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Dc4kEHVMC8jz.bat" "
        26⤵
        
        PID:5852
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:5612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5292
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        27⤵
        Executes dropped EXE
        
        PID:1436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\93fccZHqftEf.bat" "
        28⤵
        
        PID:5364
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:5628
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5984
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        29⤵
        Executes dropped EXE
        
        PID:2236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sBnReSH8XodG.bat" "
        30⤵
        
        PID:5732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:3872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        Runs ping.exe
        
        PID:404
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        31⤵
        
        PID:1564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wcc3fWTy4utK.bat" "
        32⤵
        
        PID:3852
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:1760
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4672
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        33⤵
        Checks computer location settings
        
        PID:5480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mp6BVO87UVgk.bat" "
        34⤵
        
        PID:3184
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:1648
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        35⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1932
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        35⤵
        Checks computer location settings
        
        PID:6120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\seifJwBxW5l6.bat" "
        36⤵
        
        PID:5412
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:2436
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        37⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2036
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        37⤵
        Checks computer location settings
        
        PID:4772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VX4vL1X1LV9D.bat" "
        38⤵
        
        PID:5632
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:5212
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        39⤵
        
        PID:5984
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        39⤵
        Checks computer location settings
        
        PID:4592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HWjh72HRvGPY.bat" "
        40⤵
        
        PID:1152
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:3636
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        41⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1544
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        41⤵
        Checks computer location settings
        
        PID:3948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AJKYvwuhbQQx.bat" "
        42⤵
        
        PID:5332
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        43⤵
        
        PID:5372
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        43⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:840
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        43⤵
        
        PID:4208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VInvzCHERV1L.bat" "
        44⤵
        
        PID:5452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        45⤵
        
        PID:5196
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        45⤵
        
        PID:3944
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        45⤵
        Checks computer location settings
        
        PID:5500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LrN7vEowatrn.bat" "
        46⤵
        
        PID:6096
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        47⤵
        
        PID:4136
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        47⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2772
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        47⤵
        
        PID:3472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ji2PHvLEwGxJ.bat" "
        48⤵
        
        PID:464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        49⤵
        
        PID:2932
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        49⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5856
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        49⤵
        Checks computer location settings
        
        PID:5916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LY6ijPABb8Wj.bat" "
        50⤵
        
        PID:5040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        51⤵
        
        PID:5540
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        51⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5752
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        51⤵
        Checks computer location settings
        
        PID:4208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N5src4IKXppH.bat" "
        52⤵
        
        PID:5188
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        53⤵
        
        PID:1772
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        53⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5524
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        53⤵
        Checks computer location settings
        
        PID:2468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MToVvNec4Z3O.bat" "
        54⤵
        
        PID:1980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        55⤵
        
        PID:2400
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        55⤵
        
        PID:5916
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        55⤵
        
        PID:3996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\12Q0928C0tHW.bat" "
        56⤵
        
        PID:1620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        57⤵
        
        PID:4440
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        57⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1676
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        57⤵
        
        PID:4224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VNM17zeJcEt3.bat" "
        58⤵
        
        PID:1972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        59⤵
        
        PID:2600
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        59⤵
        
        PID:4600
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        59⤵
        Checks computer location settings
        
        PID:1088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GLosAtXBXWme.bat" "
        60⤵
        
        PID:1344
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        61⤵
        
        PID:1348
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        61⤵
        
        PID:4800
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        61⤵
        
        PID:2600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e8X8L9KIvy6W.bat" "
        62⤵
        
        PID:3592
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        63⤵
        
        PID:4932
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        63⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2672
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        63⤵
        Checks computer location settings
        
        PID:8088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3el8UmeYH8LH.bat" "
        64⤵
        
        PID:7072
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        65⤵
        
        PID:7292
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        65⤵
        Runs ping.exe
        
        PID:7036
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        65⤵
        
        PID:6444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O4l752ooChcI.bat" "
        66⤵
        
        PID:2468
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        67⤵
        
        PID:7380
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        67⤵
        Runs ping.exe
        
        PID:7472
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        67⤵
        
        PID:6648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bLoM8Y5rHJ43.bat" "
        68⤵
        
        PID:8180
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        69⤵
        
        PID:4612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        69⤵
        Runs ping.exe
        
        PID:5532
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        69⤵
        
        PID:4868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eBRTplYup9Qp.bat" "
        70⤵
        
        PID:1288
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        71⤵
        
        PID:7840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        71⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3888
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        71⤵
        
        PID:6376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IZrTjYLMtxvm.bat" "
        72⤵
        
        PID:6880
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        73⤵
        
        PID:6524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        73⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6260
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        73⤵
        
        PID:1124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eeG2OtsRxHot.bat" "
        74⤵
        
        PID:7892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        75⤵
        
        PID:1020
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        75⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2004
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        75⤵
        
        PID:4976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\odKWvUwVwWuM.bat" "
        76⤵
        
        PID:5236
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        77⤵
        
        PID:1660
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        77⤵
        
        PID:5896
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        77⤵
        
        PID:7908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3koi2ezuvrhZ.bat" "
        78⤵
        
        PID:6500
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        79⤵
        
        PID:6864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        79⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:808
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        79⤵
        
        PID:3116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FiOLxyOCp55g.bat" "
        80⤵
        
        PID:712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        81⤵
        
        PID:3840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        81⤵
        
        PID:5400
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        81⤵
        Checks computer location settings
        
        PID:1200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iJrjpFbp7TCM.bat" "
        82⤵
        
        PID:5512
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        83⤵
        
        PID:1216
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        83⤵
        
        PID:2348
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        83⤵
        
        PID:4028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEXFdnbDrcXZ.bat" "
        84⤵
        
        PID:2956
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        85⤵
        
        PID:7232
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        85⤵
        
        PID:6376

C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
"C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Nw39VCWI7dlM.bat" "
  2⤵
  PID:3168
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4848
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:5828
- - C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
    "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5132
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XDWO8Gh53SmG.bat" "
      4⤵
      PID:2228
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3592
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        
        PID:1636
    - - C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5484
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l0z1UgINqwvz.bat" "
        6⤵
        
        PID:5988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3300
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        
        PID:4524
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DBkcSshvHMjf.bat" "
        8⤵
        
        PID:6032
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:60
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5212
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eHzacrcKyFp4.bat" "
        10⤵
        
        PID:5844
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:6124
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        Runs ping.exe
        
        PID:5680
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BZzCixG0Bnrl.bat" "
        12⤵
        
        PID:2628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1644
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:6072
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5232

C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
"C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6HdOM0XY3wVK.bat" "
  2⤵
  PID:4484
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2396
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    PID:5820
- - C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
    "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xCk6QASbGRo3.bat" "
      4⤵
      PID:1476
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2264
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3108
    - - C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3212
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SKegVBDbk8Pj.bat" "
        6⤵
        
        PID:2316
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5472
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3Kd5BpnjLsiJ.bat" "
        8⤵
        
        PID:5788
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:5952
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t9y161VvwXqj.bat" "
        10⤵
        
        PID:4368
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:5760
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5264
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:6056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6vIgiCE63z3I.bat" "
        12⤵
        
        PID:2044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:3680
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:4352
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\K3NxSCUrZ09i.bat" "
        14⤵
        
        PID:5392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2512
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2520
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5slMVndF5mon.bat" "
        16⤵
        
        PID:5672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1204
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        
        PID:6084
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5148
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7uTWnoyvrI9g.bat" "
        18⤵
        
        PID:5344
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:5320
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        
        PID:5300
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AK0xYITjmLiU.bat" "
        20⤵
        
        PID:3772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:4992
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5356
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        21⤵
        Executes dropped EXE
        
        PID:3768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6oszdZa0SOrK.bat" "
        22⤵
        
        PID:5900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1772
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5132
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kmHjgPEbm93K.bat" "
        24⤵
        
        PID:5964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:5456
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        Runs ping.exe
        
        PID:3168
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        25⤵
        Executes dropped EXE
        
        PID:2336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WFXi6EXWagVj.bat" "
        26⤵
        
        PID:2000
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:3112
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3300
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PWoAPkwxFeys.bat" "
        28⤵
        
        PID:5948
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:5612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        Runs ping.exe
        
        PID:4696
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        29⤵
        
        PID:5660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zb1utK2psUGN.bat" "
        30⤵
        
        PID:4924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:5232
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        
        PID:2772
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        31⤵
        
        PID:840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P8vDuuCdUs95.bat" "
        32⤵
        
        PID:2476
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:5760
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6116
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        33⤵
        
        PID:5456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P3LqmTCLWgBh.bat" "
        34⤵
        
        PID:5804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:2316
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        35⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3572
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        35⤵
        Checks computer location settings
        
        PID:2644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mlhZ9lTlIR5n.bat" "
        36⤵
        
        PID:5312
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:4024
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        37⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6052
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        37⤵
        Checks computer location settings
        
        PID:5804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RmlT57U9wMwS.bat" "
        38⤵
        
        PID:5656
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:3608
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        39⤵
        
        PID:3628
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        39⤵
        
        PID:5864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\852YIEkP7HFS.bat" "
        40⤵
        
        PID:5620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:4308
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:2168
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        41⤵
        Runs ping.exe
        
        PID:1088
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        41⤵
        
        PID:2772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2q3pYotlx3w6.bat" "
        42⤵
        
        PID:3472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        43⤵
        
        PID:5500
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        43⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6052
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        43⤵
        
        PID:4144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4YbfweqzU5FJ.bat" "
        44⤵
        
        PID:1868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        45⤵
        
        PID:2236
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        45⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4600
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        45⤵
        Checks computer location settings
        
        PID:6040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cJBnw9u2m6Kj.bat" "
        46⤵
        
        PID:5248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:4372
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        47⤵
        
        PID:5072
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        47⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3888
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        47⤵
        
        PID:5620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e00i4HAllzR9.bat" "
        48⤵
        
        PID:6004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        49⤵
        
        PID:2408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        49⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5368
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        49⤵
        
        PID:2320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGSlWa1HG7iL.bat" "
        50⤵
        
        PID:860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        51⤵
        
        PID:884
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        51⤵
        
        PID:5184
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        51⤵
        Checks computer location settings
        
        PID:5924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PILpvVgpIro6.bat" "
        52⤵
        
        PID:1440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        53⤵
        
        PID:4372
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        53⤵
        
        PID:4384
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        53⤵
        Checks computer location settings
        
        PID:2316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3zpPkUzQUhm5.bat" "
        54⤵
        
        PID:704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        55⤵
        
        PID:5312
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        55⤵
        Runs ping.exe
        
        PID:5916
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        55⤵
        Checks computer location settings
        
        PID:5232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Pk8HgzD1juod.bat" "
        56⤵
        
        PID:4224
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        57⤵
        
        PID:5396
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        57⤵
        Runs ping.exe
        
        PID:3608
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        57⤵
        
        PID:6308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0jc6bNVRzYZm.bat" "
        58⤵
        
        PID:6744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        59⤵
        
        PID:6864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        59⤵
        Runs ping.exe
        
        PID:7032
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        59⤵
        
        PID:7416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KakSC7ieXCsG.bat" "
        60⤵
        
        PID:7704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        61⤵
        
        PID:7756
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        61⤵
        
        PID:7772
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        61⤵
        Checks computer location settings
        
        PID:7452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\20FgGmQSjDI1.bat" "
        62⤵
        
        PID:7428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        63⤵
        
        PID:7008
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        63⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1028
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        63⤵
        Checks computer location settings
        
        PID:6240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NGJ4dPMelWjB.bat" "
        64⤵
        
        PID:6716
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        65⤵
        
        PID:7004
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        65⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:7088
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        65⤵
        
        PID:7696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ATeh0hXpiUQB.bat" "
        66⤵
        
        PID:1332
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        67⤵
        
        PID:8100
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        67⤵
        Runs ping.exe
        
        PID:7116
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        67⤵
        
        PID:4280
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8kdGvtKRJNoX.bat" "
        68⤵
        
        PID:7492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        69⤵
        
        PID:3404
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        69⤵
        Runs ping.exe
        
        PID:3148
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        69⤵
        
        PID:5776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O5XlNunTPrsq.bat" "
        70⤵
        
        PID:2040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        71⤵
        
        PID:4424
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        71⤵
        Runs ping.exe
        
        PID:1784
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        71⤵
        
        PID:6924

C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
"C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\g1Pvi08amPlI.bat" "
  2⤵
  PID:5648
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:5828
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    PID:5032
- - C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
    "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5320
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tKoRQftBWgjM.bat" "
      4⤵
      PID:5608
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:5876
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        
        PID:5732
    - - C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5624
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LzUdOyXPbrxW.bat" "
        6⤵
        
        PID:4596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5280
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5804
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hAeWkRoqoCzR.bat" "
        8⤵
        
        PID:5472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2256
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        
        PID:1760
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NV9EFvAeyN9N.bat" "
        10⤵
        
        PID:5144
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1500
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        
        PID:3168
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:6016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dLlLY5vbPoiA.bat" "
        12⤵
        
        PID:3572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:6008
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:5972
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5828
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wOTTVcBNFsBk.bat" "
        14⤵
        
        PID:4364
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2276
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5496
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EhFiXEEasfDd.bat" "
        16⤵
        
        PID:4368
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:5800
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1216
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        17⤵
        Executes dropped EXE
        
        PID:5548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UYwSxp1JcQxY.bat" "
        18⤵
        
        PID:60
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:6052
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:6064
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        19⤵
        
        PID:1320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Nu16VB1E21sB.bat" "
        20⤵
        
        PID:5212
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:5248
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        Runs ping.exe
        
        PID:5500
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        21⤵
        Checks computer location settings
        
        PID:3628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NqRpRQJD03tA.bat" "
        22⤵
        
        PID:4512
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2364
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1500
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        23⤵
        
        PID:5320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAYmvKEXcIIz.bat" "
        24⤵
        
        PID:1456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:3148
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5792
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        25⤵
        Checks computer location settings
        
        PID:6012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0fX0cCHAjiVM.bat" "
        26⤵
        
        PID:2268
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4612
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        27⤵
        
        PID:5656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\riok9iYgQDbP.bat" "
        28⤵
        
        PID:880
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:5932
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        
        PID:1592
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        29⤵
        
        PID:5084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QOy7qW9oHThP.bat" "
        30⤵
        
        PID:4676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:5324
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3528
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        31⤵
        
        PID:1648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\njEfTcEmeQUr.bat" "
        32⤵
        
        PID:5392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:5932
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        
        PID:3528
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        33⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BWUxjRXYYiP5.bat" "
        34⤵
        
        PID:4024
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:5892
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        35⤵
        
        PID:5292
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        35⤵
        
        PID:6004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\x4hpp5duK8iD.bat" "
        36⤵
        
        PID:3628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:4372
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        37⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4804
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        37⤵
        Checks computer location settings
        
        PID:4724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CdvgZrZ1LMyk.bat" "
        38⤵
        
        PID:3464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:400
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        39⤵
        
        PID:5312
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        39⤵
        Checks computer location settings
        
        PID:5248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\g4CsInAvc7kY.bat" "
        40⤵
        
        PID:5168
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:1932
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        41⤵
        
        PID:4092
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        41⤵
        
        PID:5672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\apKyfZLgR9Gc.bat" "
        42⤵
        
        PID:6084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        43⤵
        
        PID:5500
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        43⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2320
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        43⤵
        Checks computer location settings
        
        PID:1204
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmJ4rojQXnMW.bat" "
        44⤵
        
        PID:2772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        45⤵
        
        PID:5948
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        45⤵
        Runs ping.exe
        
        PID:1044
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        45⤵
        Checks computer location settings
        
        PID:5312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bvY4S32eX8UZ.bat" "
        46⤵
        
        PID:5044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        47⤵
        
        PID:3524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        47⤵
        Runs ping.exe
        
        PID:6104
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        47⤵
        
        PID:6136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GD5TJACixVwK.bat" "
        48⤵
        
        PID:7100
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        49⤵
        
        PID:7072
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        49⤵
        Runs ping.exe
        
        PID:2792
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        49⤵
        
        PID:7804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gcDHSFQMvlsf.bat" "
        50⤵
        
        PID:7380
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        51⤵
        
        PID:7516
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        51⤵
        Runs ping.exe
        
        PID:7584
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        51⤵
        
        PID:7896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\L10aSmZmVxQU.bat" "
        52⤵
        
        PID:7372
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        53⤵
        
        PID:7560
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        53⤵
        Runs ping.exe
        
        PID:7552
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        53⤵
        Checks computer location settings
        
        PID:8052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1ugXDFjaZiBi.bat" "
        54⤵
        
        PID:7244
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        55⤵
        
        PID:6352
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        55⤵
        Runs ping.exe
        
        PID:6636
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        55⤵
        Checks computer location settings
        
        PID:6700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OjFOogyUEhMs.bat" "
        56⤵
        
        PID:7420
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        57⤵
        
        PID:6936
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        57⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7008
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        57⤵
        
        PID:2028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UBBrje2Nt63o.bat" "
        58⤵
        
        PID:7588
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        59⤵
        
        PID:4208
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        59⤵
        
        PID:5892
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        59⤵
        
        PID:4744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aPL9Yy2kMocO.bat" "
        60⤵
        
        PID:6116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        61⤵
        
        PID:452
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        61⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3912
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        61⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAeHEpT52Hn4.bat" "
        62⤵
        
        PID:6872
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        63⤵
        
        PID:7084
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        63⤵
        Runs ping.exe
        
        PID:7200
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        63⤵
        Checks computer location settings
        
        PID:4844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\o7aQHh1L97uz.bat" "
        64⤵
        
        PID:6860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        65⤵
        
        PID:3456
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        65⤵
        
        PID:7352
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        65⤵
        Checks computer location settings
        
        PID:7372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KxLERHRyi1LV.bat" "
        66⤵
        
        PID:6128
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        67⤵
        
        PID:5204
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        67⤵
        Runs ping.exe
        
        PID:4076
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        67⤵
        
        PID:3324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mtBZ3DWvVOtk.bat" "
        68⤵
        
        PID:1152
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        69⤵
        
        PID:7472
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        69⤵
        Runs ping.exe
        
        PID:5036
        
        C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe
        
        "C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe"
        69⤵
        
        PID:6388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JXU3VjXZf0Gg.bat" "
        70⤵
        
        PID:6160
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        71⤵
        
        PID:440
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        71⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6352

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\JJSploit_8.10.10_x64_en-US.msi"
1⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:4848

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1012
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 86F5CD8BB3FDAB4339351CBCCD7CAEE8 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1528
- - C:\Program Files\JJSploit\JJSploit.exe
    "C:\Program Files\JJSploit\JJSploit.exe"
    3⤵
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of FindShellTrayWindow
    PID:5716
  - - C:\Windows\system32\cmd.exe
      "cmd" /C start https://www.youtube.com/@Omnidev_
      4⤵
      PID:5532
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/@Omnidev_
        5⤵
        
        PID:1456
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcbb4646f8,0x7ffcbb464708,0x7ffcbb464718
        6⤵
        
        PID:4152
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,12277140729787191412,6200616363125988820,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
        6⤵
        
        PID:6320
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,12277140729787191412,6200616363125988820,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6332
  - - C:\Windows\system32\cmd.exe
      "cmd" /C start https://www.youtube.com/@WeAreDevsExploits
      4⤵
      PID:804
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/@WeAreDevsExploits
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:6060
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x12c,0x130,0x134,0xf8,0x138,0x7ffcbb4646f8,0x7ffcbb464708,0x7ffcbb464718
        6⤵
        
        PID:1172
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,12220867214181738840,5736667658807549439,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
        6⤵
        
        PID:6316
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,12220867214181738840,5736667658807549439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6340
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,12220867214181738840,5736667658807549439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
        6⤵
        
        PID:6516
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12220867214181738840,5736667658807549439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
        6⤵
        
        PID:6712
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12220867214181738840,5736667658807549439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
        6⤵
        
        PID:6720
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12220867214181738840,5736667658807549439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
        6⤵
        
        PID:7156
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12220867214181738840,5736667658807549439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4324 /prefetch:1
        6⤵
        
        PID:7136
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12220867214181738840,5736667658807549439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
        6⤵
        
        PID:6868
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,12220867214181738840,5736667658807549439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
        6⤵
        
        PID:6252
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,12220867214181738840,5736667658807549439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6368
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12220867214181738840,5736667658807549439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
        6⤵
        
        PID:6268
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12220867214181738840,5736667658807549439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
        6⤵
        
        PID:6944
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2068,12220867214181738840,5736667658807549439,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4152 /prefetch:8
        6⤵
        
        PID:7212
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12220867214181738840,5736667658807549439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
        6⤵
        
        PID:5908
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12220867214181738840,5736667658807549439,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
        6⤵
        
        PID:7112
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,12220867214181738840,5736667658807549439,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5948 /prefetch:8
        6⤵
        
        PID:8040
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12220867214181738840,5736667658807549439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
        6⤵
        
        PID:8108
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12220867214181738840,5736667658807549439,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
        6⤵
        
        PID:8116
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.80\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.80\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.10 --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --lang=en-US --mojo-named-platform-channel-pipe=5716.5616.8473526521514980158
      4⤵
      Loads dropped DLL
      Checks system information in the registry
      Drops file in Program Files directory
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      System policy modification
      PID:4524
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.80\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.80\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=130.0.6723.117 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.80\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=130.0.2849.80 --initial-client-data=0x15c,0x160,0x164,0x138,0x16c,0x7ffcb9524dc0,0x7ffcb9524dcc,0x7ffcb9524dd8
        5⤵
        Loads dropped DLL
        
        PID:5856
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.80\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.80\msedgewebview2.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.10 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1764,i,11761521809545426291,11146339318363755625,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=1760 /prefetch:2
        5⤵
        Loads dropped DLL
        
        PID:884
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.80\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.80\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.10 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=1956,i,11761521809545426291,11146339318363755625,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=1988 /prefetch:3
        5⤵
        Loads dropped DLL
        
        PID:3620
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.80\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.80\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.10 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=2276,i,11761521809545426291,11146339318363755625,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2292 /prefetch:8
        5⤵
        Loads dropped DLL
        
        PID:5628
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.80\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.80\msedgewebview2.exe" --type=renderer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.10 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --field-trial-handle=3356,i,11761521809545426291,11146339318363755625,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=3368 /prefetch:1
        5⤵
        Loads dropped DLL
        
        PID:2572
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.80\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.80\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.10 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=4892,i,11761521809545426291,11146339318363755625,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=4352 /prefetch:8
        5⤵
        Loads dropped DLL
        
        PID:5732
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.80\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.80\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.10 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=4812,i,11761521809545426291,11146339318363755625,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=4916 /prefetch:8
        5⤵
        Loads dropped DLL
        
        PID:2280
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.80\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.80\msedgewebview2.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.10 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=4936,i,11761521809545426291,11146339318363755625,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2152 /prefetch:8
        5⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:7128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mboost.me/k/1k2?altId=QVV1UxQvgxdaeOGu
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of SendNotifyMessage
      PID:6492
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffcbb4646f8,0x7ffcbb464708,0x7ffcbb464718
        5⤵
        
        PID:7648
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,3346032758732825492,13571075044304852932,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
        5⤵
        
        PID:2152
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,3346032758732825492,13571075044304852932,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1272
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,3346032758732825492,13571075044304852932,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
        5⤵
        
        PID:4852
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,3346032758732825492,13571075044304852932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
        5⤵
        
        PID:4388
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,3346032758732825492,13571075044304852932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
        5⤵
        
        PID:3568
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,3346032758732825492,13571075044304852932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
        5⤵
        
        PID:4460
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,3346032758732825492,13571075044304852932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
        5⤵
        
        PID:1472
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,3346032758732825492,13571075044304852932,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
        5⤵
        
        PID:4568
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,3346032758732825492,13571075044304852932,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3192
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,3346032758732825492,13571075044304852932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
        5⤵
        
        PID:3332
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,3346032758732825492,13571075044304852932,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
        5⤵
        
        PID:1616
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,3346032758732825492,13571075044304852932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
        5⤵
        
        PID:7136
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,3346032758732825492,13571075044304852932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
        5⤵
        
        PID:6328
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,3346032758732825492,13571075044304852932,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
        5⤵
        
        PID:6164
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,3346032758732825492,13571075044304852932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
        5⤵
        
        PID:7148
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,3346032758732825492,13571075044304852932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:1
        5⤵
        
        PID:6504
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:5892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2608
- - C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe" /silent /install
    3⤵
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:4972
  - - C:\Program Files (x86)\Microsoft\Temp\EUE40B.tmp\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\Temp\EUE40B.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
      4⤵
      Event Triggered Execution: Image File Execution Options Injection
      Checks computer location settings
      Loads dropped DLL
      Checks system information in the registry
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2260
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5084
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4728
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.31\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.31\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:5096
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.31\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.31\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:1136
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.31\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.31\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:4260
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMzEiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7ODMyRkYxQzItMDM0MS00OUVDLThBQjEtNTNDNEZFMDhGRDhFfSIgdXNlcmlkPSJ7RDdGODNENzMtOTcwQS00REJBLUI0Q0YtQTIxQ0Y0QjBEOTlFfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins3RDk0RDhBNC0yREM0LTQ2NzQtQTA1QS1EMzBEQ0U0MjBFNUF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iIi8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNDcuMzciIG5leHR2ZXJzaW9uPSIxLjMuMTk1LjMxIiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMDg3MTY1MjI1NSIgaW5zdGFsbF90aW1lX21zPSIzNTQiLz48L2FwcD48L3JlcXVlc3Q-
        5⤵
        Loads dropped DLL
        Checks system information in the registry
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3464
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{832FF1C2-0341-49EC-8AB1-53C4FE08FD8E}" /silent
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3664

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3080

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1436
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMzEiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7ODMyRkYxQzItMDM0MS00OUVDLThBQjEtNTNDNEZFMDhGRDhFfSIgdXNlcmlkPSJ7RDdGODNENzMtOTcwQS00REJBLUI0Q0YtQTIxQ0Y0QjBEOTlFfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MDA1MzJCQUMtQzNDNy00MTVBLUI4NkMtOUEyMTY1NEU0RjVDfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O2xoVmkxMlFjazZTbDB1VTFPQjZZMTUyOWJSNmJzZXk0K2N1N2RIeHM2Y2s9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzNSIgaW5zdGFsbGRhdGV0aW1lPSIxNzI4MjkyODYzIiBvb2JlX2luc3RhbGxfdGltZT0iMTMzNzI3NjU0NTU1NzAwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTA4NzYxNjc2NTgiLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Loads dropped DLL
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5496
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{187C4F11-6127-4FA9-A6EC-DC4DCE77FD9C}\MicrosoftEdge_X64_130.0.2849.80.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{187C4F11-6127-4FA9-A6EC-DC4DCE77FD9C}\MicrosoftEdge_X64_130.0.2849.80.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  PID:5976
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{187C4F11-6127-4FA9-A6EC-DC4DCE77FD9C}\EDGEMITMP_53758.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{187C4F11-6127-4FA9-A6EC-DC4DCE77FD9C}\EDGEMITMP_53758.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{187C4F11-6127-4FA9-A6EC-DC4DCE77FD9C}\MicrosoftEdge_X64_130.0.2849.80.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Checks computer location settings
    - Drops file in Program Files directory
    PID:3944
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{187C4F11-6127-4FA9-A6EC-DC4DCE77FD9C}\EDGEMITMP_53758.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{187C4F11-6127-4FA9-A6EC-DC4DCE77FD9C}\EDGEMITMP_53758.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=130.0.6723.117 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{187C4F11-6127-4FA9-A6EC-DC4DCE77FD9C}\EDGEMITMP_53758.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=130.0.2849.80 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff628ead730,0x7ff628ead73c,0x7ff628ead748
      4⤵
      Drops file in Program Files directory
      PID:3184
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMzEiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7ODMyRkYxQzItMDM0MS00OUVDLThBQjEtNTNDNEZFMDhGRDhFfSIgdXNlcmlkPSJ7RDdGODNENzMtOTcwQS00REJBLUI0Q0YtQTIxQ0Y0QjBEOTlFfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins2QTVBRjAxOS1CNzEyLTRDRkItQTMzNC03QzM0M0E2NTBCQTB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTMwLjAuMjg0OS44MCIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9Ii0xIiBpbnN0YWxsZGF0ZT0iLTEiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iOSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTA4ODczMTUzMzgiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMDg4NzMxNTMzOCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjExMDUyNDQxNzg2IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuZi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8yN2NiNzI5ZC1mZjk0LTRkMzQtYWFlNC0zMzg1ZmEwOWM0NGM_UDE9MTczMTk0MzI1NCZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1kRFdCZ1dDQiUyYkw1VGt6Z2ZhZSUyYiUyZnhXTjVWeHEwSU82SUN0U1NXQUQ4aTNPT2RlSjNnMDRrNmxmWUNNT2ZjcFhySWhVNzlnM25NQVpzTDFBSjJtajJFUSUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjE3NTA3NjkyMCIgdG90YWw9IjE3NTA3NjkyMCIgZG93bmxvYWRfdGltZV9tcz0iOTU4OSIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjExMDUyNzUwODc4IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTEwNjc5NjQ2MDMiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY3NTciIHN5c3RlbV91cHRpbWVfdGlja3M9IjExNjY2NTI0MzgzIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iODY2IiBkb3dubG9hZF90aW1lX21zPSIxNjUzMyIgZG93bmxvYWRlZD0iMTc1MDc2OTIwIiB0b3RhbD0iMTc1MDc2OTIwIiBwYWNrYWdlX2NhY2hlX3Jlc3VsdD0iMCIgaW5zdGFsbF90aW1lX21zPSI1OTg1NiIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Loads dropped DLL
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  PID:5628

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5656

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5620

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5196

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3528

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2168

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6860

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5236

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x504 0x4ec
1⤵
PID:7260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e60c132.rbs

Filesize
21KB

MD5
57ef221ad67ff9a2d3e24a7c5337d001

SHA1
65c4df90495dd576df992c5ac753b08487de2ff5

SHA256
365aaffb2d92d467437f7070dd6a055ad25d13354bd46f0cea2017c864e21d5d

SHA512
3d376658ffc1ccc5ef4415d2a2ddfbc198e411c99933519e173d9286799d546293c22c9ebc892691d25404e23dc17962b7416db2c95015ff5c4ed1cd48c9aa21

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.80\Installer\setup.exe

Filesize
6.5MB

MD5
b621cf9d3506d2cd18dc516d9570cd9c

SHA1
f90ed12727015e78f07692cbcd9e3c0999a03c3a

SHA256
64050839b4a6f27d896e1194e902a2f7a3c1cab0ef864b558ab77f1be25145d6

SHA512
167c73cf457689f8ba031015c1e411545550f602919c35aff6fd4d602bd591d34e8c12887a946902b798bf4cf98aadfce3c2de810bf16c7c24a216bfd8abec19

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
35a79bd6de650d2c0988674344bf698b

SHA1
a0635c38472f8cc0641ceb39c148383619d221dd

SHA256
a79a81da2b8dcbe39609a9e1b4e8c81ae0bc54195c0c854b77bebe7bfa7f10c1

SHA512
afe33d38785afe489845654ba1c3ed6648b36b1ebe5f98b3d5d4bf24eba3af9bb6676af5a79d2ec570bf2b4b6ae40d14fc3d4b872c5d4577aea40f6d1a26c0cf

Download Submit
C:\Program Files\JJSploit\JJSploit.exe

Filesize
9.7MB

MD5
8c6a8bfd1adf6ccdfe9b65b514479ec7

SHA1
08f64d25974040ade826f0c79fd638c6a67627c1

SHA256
097eb40a9a1572788272298f48748e80053c9e83f2734387728ea689afc9bfa4

SHA512
8ca0ff01add66e8a5fc7db5cbee09fdf2aeda2026c7787370d6d8831c86b504bd50c587bea8ef32fb57f44ea4d9366d456fa071c30ae85708326529cb2800791

Download Submit
C:\Program Files\MsEdgeCrashpad\settings.dat

Filesize
280B

MD5
2e912fc288210fd62a31730241d7a6bc

SHA1
0c86112ac48c51483c0455f85dfa8bf43a6916d4

SHA256
13153c5285f3a45f1e33e3c9ed50cc2f8cdd16f51eef2f5a33fec4e12fed5e37

SHA512
2401a92b9efcc834e039da247c42d1c76c5f919e97e6473bab4399e5246a5035c7530f99a417dc2e60efba7964a92f5d8efe20dbfbd5a86697f4342014fe37ef

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping4524_1798721304\manifest.fingerprint

Filesize
66B

MD5
5bbd09242392aacbb5fac763f9e3bd4e

SHA1
14bb7b23b459ce30193742ed1901a17b4dcf9645

SHA256
22b55f5d9b1bafb80e00c1304cf5e0d6057a304a2e8757b4f021b416f4397297

SHA512
541e4c7998e91a5113f627c2c44e32b54878fe225b3b9476572f025f51f2b4ec4a44b102498adcc22b8fe388970645bacfafb6e7fc8a216df4d7bbfc8b0ff670

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping4524_1798721304\manifest.json

Filesize
76B

MD5
ba25fcf816a017558d3434583e9746b8

SHA1
be05c87f7adf6b21273a4e94b3592618b6a4a624

SHA256
0d664bc422a696452111b9a48e7da9043c03786c8d5401282cff9d77bcc34b11

SHA512
3763bd77675221e323faa5502023dc677c08911a673db038e4108a2d4d71b1a6c0727a65128898bb5dfab275e399f4b7ed19ca2194a8a286e8f9171b3536546f

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping4524_870457017\hyph-as.hyb

Filesize
703B

MD5
8961fdd3db036dd43002659a4e4a7365

SHA1
7b2fa321d50d5417e6c8d48145e86d15b7ff8321

SHA256
c2784e33158a807135850f7125a7eaabe472b3cfc7afb82c74f02da69ea250fe

SHA512
531ecec11d296a1ab3faeb2c7ac619da9d80c1054a2ccee8a5a0cd996346fea2a2fee159ac5a8d79b46a764a2aa8e542d6a79d86b3d7dda461e41b19c9bebe92

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping4524_870457017\hyph-hi.hyb

Filesize
687B

MD5
0807cf29fc4c5d7d87c1689eb2e0baaa

SHA1
d0914fb069469d47a36d339ca70164253fccf022

SHA256
f4df224d459fd111698dd5a13613c5bbf0ed11f04278d60230d028010eac0c42

SHA512
5324fd47c94f5804bfa1aa6df952949915896a3fc77dccaed0eeffeafe995ce087faef035aecea6b4c864a16ad32de00055f55260af974f2c41afff14dce00f3

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping4524_870457017\hyph-nb.hyb

Filesize
141KB

MD5
677edd1a17d50f0bd11783f58725d0e7

SHA1
98fedc5862c78f3b03daed1ff9efbe5e31c205ee

SHA256
c2771fbb1bfff7db5e267dc7a4505a9675c6b98cfe7a8f7ae5686d7a5a2b3dd0

SHA512
c368f6687fa8a2ef110fcb2b65df13f6a67feac7106014bd9ea9315f16e4d7f5cbc8b4a67ba2169c6909d49642d88ae2a0a9cd3f1eb889af326f29b379cfd3ff

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping4524_870457017\manifest.json

Filesize
82B

MD5
2617c38bed67a4190fc499142b6f2867

SHA1
a37f0251cd6be0a6983d9a04193b773f86d31da1

SHA256
d571ef33b0e707571f10bb37b99a607d6f43afe33f53d15b4395b16ef3fda665

SHA512
b08053050692765f172142bad7afbcd038235275c923f3cd089d556251482b1081e53c4ad7367a1fb11ca927f2ad183dc63d31ccfbf85b0160cf76a31343a6d0

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
80KB

MD5
e169bf6a80dda5699f654f94b0842a79

SHA1
fe204a0584052bd928e52e3d15e11a234518b6c3

SHA256
46164bff7d6e7a0cc932a8785debbde22ac1b759d56a64ce13d79d7bbf167951

SHA512
011b44c25cb5b455b7fe697cc201a94182f9c8a4852338b951473bb10b32b932c1d4b62ca4ae822d1fabbe30d4a007f1d56c3240a514c1b15fec7fd5232f0a7d

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\JJSploit\JJSploit.lnk

Filesize
1KB

MD5
7ef67062f6b0cf1a2b5046fb761549fc

SHA1
8dd811aa60e67874caf48f92eee99cef4f5205ff

SHA256
1974b956a589e9bed0974f8bb6f779ed3523156dfd913f83b63c796d95d081be

SHA512
64a1d3dca6999d819a144a9d3ae296f754c80961718201730db74d2cf19a7f95541ef461866f8d2666440a29cbd6e17eb56b6bdf2a5cc37eae00c745f26147e6

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\JJSploit\JJSploit.lnk~RFe60c364.TMP

Filesize
1KB

MD5
bb9210c009600bd097710864bbaa884b

SHA1
5a16dd272e120ab27b28fb4c6b8f07ccd156bc3d

SHA256
f381b64d3740fccb671e7816b1eb9727bbd372caaa6e26a2dbb7324a1486b376

SHA512
13381161fe458c292479d7c7677b0114ca43e192122aaf4bf7eb5665b862a216421d4a349f33642476933fc2044ac0834a3bf984cb929c6a2bbe67c92736bd62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\clinbuildhosted.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5d936b1d43351f7842948c340cc534ca

SHA1
7d22b26039f6ed476c04aebbf771b770ef28091f

SHA256
a5748fb829b32d3ffab390823066f319ee677a0776d760a7376df4cbb2775ed7

SHA512
2bd75042ccffc65407c3f85af3fdccdd160137068dcdec81d4c33d9b0d78b110294900393e1a5265e1f1364b4c58875277ea1cb0d2477f98bc9568351ae8f77c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ffc39812e2fcd5adcd109fff6e72c856

SHA1
927e636b225729179e43d8d731e3e4552a4f6405

SHA256
0f33fce94f0ebc3522f3d32883771a853a9041a4a59632a70033f12ec352d754

SHA512
da84d9e272245762fd8eb693b83b1beca59d513477e99f798c34f3ce7aeba263ad97834f8c315eb9fcade7d21c1925c13083d411f7fac7bf18594b860c57d6fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
18KB

MD5
8eff0b8045fd1959e117f85654ae7770

SHA1
227fee13ceb7c410b5c0bb8000258b6643cb6255

SHA256
89978e658e840b927dddb5cb3a835c7d8526ece79933bd9f3096b301fe1a8571

SHA512
2e4fb65caab06f02e341e9ba4fb217d682338881daba3518a0df8df724e0496e1af613db8e2f65b42b9e82703ba58916b5f5abb68c807c78a88577030a6c2058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
18KB

MD5
c83e4437a53d7f849f9d32df3d6b68f3

SHA1
fabea5ad92ed3e2431659b02e7624df30d0c6bbc

SHA256
d9bada3a44bb2ffa66dec5cc781cafc9ef17ed876cd9b0c5f7ef18228b63cebb

SHA512
c2ca1630f7229dd2dec37e0722f769dd94fd115eefa8eeba40f9bb09e4fdab7cc7d15f3deea23f50911feae22bae96341a5baca20b59c7982caf7a91a51e152f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
47KB

MD5
015c126a3520c9a8f6a27979d0266e96

SHA1
2acf956561d44434a6d84204670cf849d3215d5f

SHA256
3c4d6a1421c7ddb7e404521fe8c4cd5be5af446d7689cd880be26612eaad3cfa

SHA512
02a20f2788bb1c3b2c7d3142c664cdec306b6ba5366e57e33c008edb3eb78638b98dc03cdf932a9dc440ded7827956f99117e7a3a4d55acadd29b006032d9c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
20KB

MD5
4d8b471a2271ac4e3b5d25b5683964d0

SHA1
67b52c3bfabc09bc4f99d259de43213dfebbb5c8

SHA256
d0947470db9c332a7e6abf959a45cbdaa82e6e032e325c512cc9a3cd32dbae65

SHA512
d734faac61756e2fc07821704a9ebc5c5a0e7a7dec601b3c8ac4ad6b1cec59cd6446f38e4df41f9c51cf5a45bc7c6241801fa945023bec1a735c0bf450a0c0f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
b8e8faefda3c8c21aa2f1a357f1103e5

SHA1
c258fe9bd147151aeb2ba81cdbbd299bc4b7830a

SHA256
a9c3d4af082de08c5be0db5d940326308e35dd7bf5c68e94bb23a16d461b9955

SHA512
b8f4a38950969bcd92bf714a1045fc28a78c30f15210fad82cd80b9ee106398729cc313d5c467e4d0c7d5af551213ff8ad2efa5a4ffbbc310377f6eb31fb3173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b717b5b825039c2a764112b35086b724

SHA1
6c28c8a980abdaed836d435853f02704ae7018b2

SHA256
a42f4375fb9b6bc404df195c2e51afe330a579d6a0858bf68fa545c524d748c9

SHA512
73385f6f601084be3d285e63b834b72f1f934342a016bf669d722eb6bfac03bfdf4471017b390305e38e705c70dff80ec8617fd8a448a9186aed33cb6a76770e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
60fafc2409e20445635c3c6d2a459eb6

SHA1
8571b26588b99dacc1c68a060539731359f44619

SHA256
9a0bdc94bc3d1d0f8d0d6d6a4c63e9b30cbcbbe67297308ebd1ad6dd17806f9d

SHA512
6d4504c3c57e9e643c3d4ee601ba8e8e92806343d0f5159fe90128479173b9c130cefc599a05682301a928acd8b6c5bf6dd53d1051b16bdea5f16fd56e67f79f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
9249f75b3b84bc66b4be8be79ac752be

SHA1
bdc177a02a1871baa8e59a47cd3cc9f8183c44bd

SHA256
e9c5f0d4392d56349981889fe9c16d0a4eebc40d99ed1b9f7ed290e83fb24b27

SHA512
69e46f3955a7783b2eae4d5303fd0d014c083acaadfd5c609806e443fa0bb7efae668ca012f27b3c8da08a06f379aab6f9042fa6c9c2ad43fb53b46b0254a04c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
35af675ec976d9719bcf0c065cdfc7cc

SHA1
2f1a22119f960cb93a0c04a6a64afce7e9cc6b54

SHA256
3145d696934ff52e3f0fd6ca552029ab2f50e47bab7f73066b6db52deb46db37

SHA512
e70c3de9a58368099fc6da620f9ce660885937f78f3dc237e23b3a7090d5392bd0392c864fa354c9c0db65623d399e7e52a57cf199378affd689258bc8af0bbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d66d4505d4b6147424d0a71c8c3c267d

SHA1
fd619a6c37cc9c21412db149ca6ed2947eb80b03

SHA256
c148ddf5f8a73c1bc385a1a615acab79229fc119ab052f3bb4168075bb6405c3

SHA512
447f9d8a71c75b97d83a020d7fe18ec742bdc12b2a7b3022cc1ae46625c76cf65eb2707caf3e7de96e1364c2cbc8ab3d7a4453ed421ddc20f0e3da0674b893a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
c9dc1f743748529932f2fd491c03c6b6

SHA1
e6e8fa2c58ea44d88bc85b5a3f048008ccd0571a

SHA256
40af2767fc9ea5822e215c95b0b936f627e185fe496ada3924c5a7f16aa1d212

SHA512
acf86ae1060de922fdc2623802496c2de88957cfcd7dae81f6f515db22b49e75386e5b45089de69ab9bf6a4554881ca6b0ca604a9afd628017b88890731782e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0c727425ed53743887c861c02478e239

SHA1
9be7f5da541e8f3f2929fa74539dbd12594b4d8d

SHA256
6ca9daf20f7c6b3b0dee35d7e06b337627c4dcce94c54c17bd5c38864f7a8c34

SHA512
b391a25629727d3c43cdeca91dbcbcce9ac1b12d39b232aa10e0406080c186c3f31f502bc191983c346e47cc10c059935726b7fb20efa2546c1d3a3963dd6fcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
47e58497bcfb210a1a586749ae739aad

SHA1
61ae21fae13ad3a44c5bf0505701e30076d5aea0

SHA256
a31cf78da83919556172b9576638dcb2be9fd5c2073d742a01fd3fdef3e09b84

SHA512
cbe405c26858d5765919062473857072d0349110d68b78d0b1301332360c4e996b217225f4b159da6ed4be238a739da57da0b45f6e0062c4faa43d91e17172bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a6d3f1a1cbfd92e9548d62e298af470f

SHA1
57b43e1e33e31c5b6cf41ccd3a8bedce104a2546

SHA256
189f85ebce3149e290e0d6cb58c473632b629ed694da7bf2e5e99faf4eae4a9e

SHA512
a080be433cd349f556beb43d956e8cdc0b9f19410deadde29dba4ef58bd7d4a62a033d827cf83ff448e5e02c3e5ff921b616ee79b0dcd5837fa7efab0373f19a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\044090d9-49f2-4762-8e1a-2363b59dc627\index-dir\the-real-index

Filesize
2KB

MD5
6a750dcb33feae0a4663916b8270dbb4

SHA1
aae8bc7688945c7c39ca2407bf23b64e987e6e15

SHA256
a3eee56de3436693851a3653e2dfd7575c7ce32c6e465e312f73eab4401e99ba

SHA512
8b922ee56303e9f44130f687049ae95b4f197e0ff0f63c5f88125e7316e1897a368aa144f2753f9cbe6877919b38dd5bd8386741a6b631cf1c6b88b16559bbf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\044090d9-49f2-4762-8e1a-2363b59dc627\index-dir\the-real-index~RFe62a9b8.TMP

Filesize
48B

MD5
fc8c0119daba0e8761b022eaa199f5fc

SHA1
378a5ebc132eb5b4aaaddbc9c1e0f8b61a9f59ce

SHA256
6d1d3e5a8a3c43691f951a97b7486993804508e09194ae3bed65bc0b0e2d1437

SHA512
18894ab6138e3b3a2f6293a7075f4d83de06a34f803eb8d15a6682b2ea57c5a7b6d398011682c89c2e4a922dae8075dec5665aea732fa6eaa3f4e2e7c9d8dcc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\ba17f49c-e834-43e8-8fda-4d14f833ca09\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
c7d780ba2db031afb8c31a5d106c9e94

SHA1
8b12dd4adf604e3ce9bd3e32282636368ceaa3f2

SHA256
cd3e336d7c5e90700e578eaec9e0f139e01ef12457844d20bb46d0a491b9d6b5

SHA512
4daf7b29603f6a79b360aa5c623ddd260ce1faf6bf2b06a14b0da4762610475558bfd7b6d4f1a9bae027a8f9716593a9e25ea815be76092a7cea714e933e773a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
ca3448827f180a45e47f2bb09d3ecf60

SHA1
f451031767f57d2b1f83700d0111e48270bbadf7

SHA256
67d44e4d48b678a010e2bc027274c2157ccaa83ecd252f0f9ec0b035fff79e28

SHA512
6475ef31092ac6df5594ef7f7538a603eee64cc535648a05dacef48a0720e9bc8669af04b39450876cc47b31ba74a208051a08d8e5ceb7cbd7ca1fcd36a7b325

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
360ceb83e25fee8de98153d2dd96b08a

SHA1
327841089d0009ab8a2d78121fe3d4efc78ed11f

SHA256
46e1f1f37e250c91eba8433e4f915984fbcaac1c540d7952e64f9b9352e94456

SHA512
13aee715ae1e2f785f70812e4017120c0a631b00681b3eb3d08462413b98f51fb99dc6f823376e8641b7e45eef9bf19e42a29cc953418c455625fcfb34745d40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
8fad32cbbecf7bf24103f8fe5a729d98

SHA1
d508051955312bbf06a401468981a23df175b754

SHA256
0f0d13cc1e00d80fe3f8a8a2c95348869e1fc81da0dec6255701752374a0d4e1

SHA512
98272767ef89ae546da3c8233faa25eae529b545b338bdda53ecb2d0f12faa4b0d72667f4ced86c7d24cf88b2047c6843d2eaa8068f78f32d2464ade846b922b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
6da67228f6da27cc7ece213188378c8d

SHA1
214bbab3a5028dfcaecf8e0fa3f218d7ba88d116

SHA256
5527fb50a787d37200e8917d106229bceb3739e06121f4a4118c3cf50a705795

SHA512
439b37558439b9ac4b2a54bd187f0fdff16f30a2388d0a3a5de81b7cf7638839d5ea9dbce75de181d4efdcea622fd8921b64a9544afbebbb6186778839438523

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe62a9b8.TMP

Filesize
48B

MD5
764294734ce39db8f4e29f33d2d1ed62

SHA1
62005baa47fa7c6d4bee2b1c35b0c5769f18b789

SHA256
5f275e889e302bb6bf43e5856ba2e459d28e33dd7ba95d3b0c23a83630341c4a

SHA512
4fad79e50d4c487f8c7fbacd36b33d2dbbff7b7b48ae0db78dc4df4e214203f468c98c8c942ab9d3a1f5aa9f1aceb0c8449b43f6a6a70c117a0883287d218f7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
acbc15c456d2de6cbcc4685fbba1fc86

SHA1
dead9ffa518f6d7cb784d793a757db85fa91f345

SHA256
9fc24a7e7a16cb91084f4387b625bc00b69a624f43a29ad8da870d7a48e16443

SHA512
753eaf695797aafa2052005c1eedd0d78475dda37b80f2273e745d72f98751149e16cf3a2e1b628d7729a5e448c53943e91484124ac99350c1a1e169896dd4b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
2131e530e6e73597f78d06b23fe8e541

SHA1
09f00c7e236c9dfdcbff557b418101ca8361fc3c

SHA256
346448eb1b3d84f021c4e18d6ba83ded6f4b3b67df14b0525c51d2dd92404549

SHA512
c58c21cc29096baa9b562da996d825156dfdc10b040449561672afe7a756cb5b46eec42ff03402eca0ac9b4738adbec6f24edb06ced50dffd8233f8bb9d503b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2f02c8d45c1c00d51f2791396eb6810d

SHA1
7aa0b981ebefe040260e9ace833bc8185b2f0866

SHA256
c59860aebb37c468c6bb66902dfc147e3e47b24c3612adb84ed2178e742d314e

SHA512
60eb1ed7669009f47226ebaf47df8acd4ea71020b76c3822d84fa41410fd11c723c1aeb4857725654d3267cc046e2686517604ae0f0cec31b4acb8a48e8620d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0d8916728c294fbac532cf941dba6e91

SHA1
6acf519f191ef7676ae003ca0d46786fb21eb038

SHA256
497e4b76cb46180898a4532b2d93037e18862465ec4988c37297d6e695d0453b

SHA512
593e9278915009de97668cc7c941e3cecf6a9902bc3f3dee4544539b68b3d090f35907ec20ddfe761ad40d0a23b5a57644cb9b36e157a004660176e71018ba60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7a84c25a3f639163e3cfa7eb0168a2a4

SHA1
3100ab06da79bf89eb7b11a642db24cb225a325a

SHA256
efb28f77ef144803767b9609ebf59cb99b0aa56e5efc902989207e48c92a2ea6

SHA512
89cd7cd44ccbc59a498a914d26d4c0d2fd378958497e8bdf391e8fcc7f09537a9cfefcf67ba72a5e7595634fd0cf4e6d389a3e943239eec6d7d4d7947c8d8022

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
a294ca871773ef32683f68297ffecc0f

SHA1
18490c652852fdede35609b4b2ccfb5c76d02f4c

SHA256
9fcd15e3453c93acdadafe6f2e6d795274ec6af528f7a1e582d38256c17be51f

SHA512
b4d7c6d65eea9d5ce15cb5fd1be61741e8a844c801fad95d1a8214ca198a5526636a06fd6525de5202ae86c01abb3b1d6e9c13d929182622b3133a7d3ff799cd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\cache2\entries\0D80C3E13262BC3FE8F94412907C8163A35907B3

Filesize
13KB

MD5
1265b2d76b6e540c9a98a19c79726707

SHA1
9cb3cfb8a5bca72da55c2a731e5548992ed7d9db

SHA256
6af0f1f0e2a33f90902931e495ad15b014c32d50558de0cbb1a2ec031ce56a5f

SHA512
fd581513553b43608d8826200383c3c4707716e4b41339f160d0997a5adbc57edb97c86434036875fff7a68d08ac1312b40d1e3e39cf6192d1e84509b4261ce3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\cache2\entries\14B37D874ECCE8FC601824508C2D929011585284

Filesize
31KB

MD5
582d07c34c854ea96e6d2f4859d49be6

SHA1
cf39cf7fed79070c7fb42cd37b50fe9f4a0a0358

SHA256
a76637911845703755ad738ffbd2c09163935a9b728117e92ab0b584b1c609a4

SHA512
437755d7d798d51a757b2595bd6d54af6543ea69c85fd8fefe8aaaa2deb60a96533d353df85e1141986c033ae349a5d66bc7edbf1dd44766b89448157cb21d3b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\cache2\entries\16331D5A247D6C9F50A58F1E797D03E2C6A6C213

Filesize
14KB

MD5
56a6a373f0b34f61189d892023f0f604

SHA1
9e5294857a404111e31621e1e87da853be2c9cc2

SHA256
60ed0f8502c155f632a4640c27ed548e25acabed6ae7f95f3774a83dc5de06f0

SHA512
81996782c0ee8ccfe462f79a4f8ef50d3459da5392a219b6b8fd150e00449816431e0c43ea23ec4e13de7a053f1f5b4b44be4176a5e50d0767cac69809227847

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\cache2\entries\233F26266AE911BE4D6AAACF6F98BF2DE4CE8D09

Filesize
140KB

MD5
a4b0cc4567b146c8e15243383fe8f320

SHA1
fe04aa704f97210d6f643eea75221a5c02be4799

SHA256
2bd7da3d1faade7087b9a1c47e05854a9a5b532e45df416f5edee2b18ab3b509

SHA512
c9ce149d608acbf0f2ea2efd49424244b1ffd8942600dcc1d10c83bd3ab71180b776140d66a1c4b853c9f52bcf3b718488ef4575e4d8994bb293cad28114a166

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\cache2\entries\2C2CB353008FAA8559773FC209C76F11DDEA3573

Filesize
13KB

MD5
509b1bcd77270c17c297c4ac933b1bf5

SHA1
14d207a6293085becc584eb6566a9bef375f1573

SHA256
c4758ac2a3d4593ab5ef98d32a25dc50434eefddcea58f241a087b46943b927b

SHA512
374b0bedb51830d016a2b483d5ebd52a4dd10916b1c20041d0a7c5828c77df0911a8b973324bc660cac979534681829725f88e2b91caa4f868b4d82131e3c7cd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\cache2\entries\539C376D03D0CC7AF91712BE94AFE33C0FD1D545

Filesize
44KB

MD5
5796f470ddc3e7a8a937663a15e3c12c

SHA1
f793e90d2229b3deba5050ab7f6b7be77628e2ec

SHA256
d2f1f63de818bbbb92891dc5a2b9726c7a7e29b80ba0f10bb11a08999baa87d7

SHA512
f4061a1dbeede99851198f9f3c87379ee4e2fdc41151ed624c73e3745423a483802e383968d91864411231ed25938ddf545b9fdd57d962b2d89bad4f0b6811f6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\cache2\entries\5E3087C002694EB585C34BA104BBB31124A5F189

Filesize
17KB

MD5
74905d472e19bcf6009f36d5df739cff

SHA1
b730e8dc77dc31b77c847c1c0d377c91d94e68b7

SHA256
67221135ecb8cb38eef1f513a0baa1f4b99da136770bfff1658b7f7b71e760a0

SHA512
e25a275c92ca335825dca4aa7bff4abb1c5dcde8df48d5fcd094e4a8061bccda11d6072df30d31a7550ef7c9573e10ae72799d064e6533ee02bb63449341093f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\cache2\entries\751348728EB168457C9B1AF6B175D7474AEF4FAA

Filesize
17KB

MD5
440d2f4ac04587139e2078a3f92cf2cc

SHA1
6d99bf8aa0b904d85ae97fcfc275ec2a16bb48e2

SHA256
4edb7fb112d699b4732874292688c040153e4d02efe11dd1fd73453145ac0043

SHA512
df5832a0943dcbe598890e1cd2caef5a82e25a9b1d1e52922ccdecb9b34f8c09da06bcb325a5f7561176d9f888249ca0ec7fc147a5a0d7ebec76adffb6ae7187

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\cache2\entries\924A43390CA48F3D03BF33C8C5853AA5237E6D29

Filesize
25KB

MD5
c27e5e2193a3e927cbce6e4c48260501

SHA1
d2d67b323c102f2093e13cc00b365124a34c05fb

SHA256
1f30fe36686d960e7347807f277ffcaf67b058690a91ef9e20ff781543eba1b9

SHA512
6f2352010bf0864f12547513c97ffda749b994d3a3e60d90fde12c4f35582b793fb816c642b43d0c5e047e998266b8cd5bf2d584195869eb4dd2b50a60089064

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\cache2\entries\B403CD48B9B4A9E6E9DE38291F2B8425CC3BBA9A

Filesize
77KB

MD5
8fd9861ee679a27ccbf0080043dcb53b

SHA1
865b8fc3e6a853bd48b139d4999ad047d5f0210e

SHA256
a015e3e69e6c908a132877ca8e0bb8ee8dd3ee219734efce2c5d45fc24347ef9

SHA512
c62ab00ac89103948bfc1efb035cb984fb49f91e8afeab886300596701f4fef5ae25fccf2f35e2cd4ee2fa602e9646e93ee68fafa1094032ba49e4c99eaca7ec

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\cache2\entries\EA6D9BDE7E0D49FE4A6CD50D4500CE4E0B32B2D5

Filesize
795KB

MD5
2017e9f71f1e30fc06405eaa36cd32fc

SHA1
b035b6e3842b6d9e644f6eb3c692098453eda2f5

SHA256
bc6bcf989b41003ad7d03a5ffd19098fc737e04fd7848686ff720eed61edbf6c

SHA512
7a34b5444e4065013ec65c5115b86e8780f7912924cf8d993ebdabe28f126ec4526e67f3eef4fd51971d8294e1c41165079548cd8482519f5e2bd17164fa0118

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Kd5BpnjLsiJ.bat

Filesize
219B

MD5
63be8e0637627f60c7257c83824c33ad

SHA1
cfce79afc028551ba3e3c418cf5572c3e9ff3d01

SHA256
456b82db98216b195db53deea81834750e959dc5c628398c2eb94cb4bc58ff97

SHA512
0a6e26011c72a2ce6d39e6f9be702931e500ce7076e54b602f0f0880686551b7b406d42fef65d50acd5af9457eac73e1b7f131838249b657db29f04ab808c631

Download Submit
C:\Users\Admin\AppData\Local\Temp\4jF61t3xebKZ.bat

Filesize
219B

MD5
c92f81b3d500c7535d37d739176781b5

SHA1
3a6aa973b5366c1f601ef2c26ad272e3b755a9e7

SHA256
26c1f9ee2b89b966ee641d3d344613ed144ea84a5b3c527a5739b1fa26398b0a

SHA512
07375205418f9000b250d8ac27e49d40d11d7d71e4e19cc2253d4c244e9b4dc4e7f64388d12f83faa95191a2050a857c5341708e46c341b6d62a664f9a1e850a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6HdOM0XY3wVK.bat

Filesize
219B

MD5
a8736b602a3e25cc2d79a29a205e59e3

SHA1
a77f3f72957f1a9f59b6960e99e447518fd50014

SHA256
425dfe908ca30fa1e808fc9c5d05a021a8af8cffbb0046d68cb728309767585c

SHA512
03e18b146acae6d9ed98179e87dc173c4f709f552ace0871674208d6a4347c116bcc88cc6692d35878bada43999e480cb1b34b6f15c12965b2191b9cbec4a76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BZzCixG0Bnrl.bat

Filesize
219B

MD5
1f9f52e15653b34843ea7bf6edf61ae1

SHA1
beb30250edb0541239483e47d01bebff2394b701

SHA256
24b9c9c49b912f885d3334f598e7e36417949adc590edcf533a0c353bf90f6b0

SHA512
ed31c6ba22ba4d86957258eb5ad74b79113a00dfa8a156420b4f03079d5db6f9a1213e37eaf8f38218ad1e10700558f4777e5d8bfffade663e8a625f16b7e898

Download Submit
C:\Users\Admin\AppData\Local\Temp\DBkcSshvHMjf.bat

Filesize
219B

MD5
9fd916b9b3e8f163a8b9bf59bd4feab9

SHA1
eca653cd7d6e6aec1178e273b73112383857eaa0

SHA256
41ee8d75630a8802b1d81b92d7ac52d37ca16e8d8c7f0645a25698f36ea0b7d2

SHA512
5befda76776b90598bd3bb292264520b62ba6e009d1b48f62c686820c35535fe99d75165fd2f3553827c911038c96df0b4755d779596c07dede727385f7dfa16

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkvCHGbJpiYa.bat

Filesize
219B

MD5
70b7d2c14f97ae48299ff85cd847aed6

SHA1
9d565891a7a1cdc16e64827315645ace99bedd7a

SHA256
1aaa5759a8517afa98d403427980be76c66c04da4dc88ae5c88cfdbf0438f8e5

SHA512
d498a70b212093d6ec7d46fafd7193e133d5d39b901af82005dc46924506d943c6fec872232957838aa4e4c77a0f32b77b03f1cc1b5b6ec1bb3144af93336003

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fzskw5ENxFXe.bat

Filesize
219B

MD5
c3f29f339dacf07a3dca885819d020fa

SHA1
fc3d3bb417f24eb986027469d64fd831154d54a5

SHA256
77cce18dc7d9c3475d39adc351b45f31ab44490b6e385b775c13c042ce4a29cf

SHA512
be9d682d1eca50a6319094ad01aad36145906925e58cd2891d806925e91acd08101aa48c08e09b9dbe05bc8bf61dd0eebd6b1ca4d52af1f7a317a81c9da8ecb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IZOodTBxX6w8.bat

Filesize
219B

MD5
1a9995bc48612f895c3bd491425d59d9

SHA1
3a0e2bd38935c21e33682d61444a2f8c22d4e34c

SHA256
ccede8a8733a3cbc8b8c58b31629041b7e965de8fbaef700de12f328d3aa6d7c

SHA512
c7cc58a17b4dedc7af1b4996e7b9434ea4028dc3d6bfce72e310f2a48074bc7628e6aa4a19254d2f7684187200484178409832f93c464184e0f0207bbe4b3c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe

Filesize
1.6MB

MD5
431a51d6443439e7c3063c36e18e87d6

SHA1
5d704eb554c78f13b7a07c90e14d65f74b590e3a

SHA256
726732c59f91424e8fb9280c1e773e1db72c8607ad110113bc62c67c452154a6

SHA512
495d60ad05d1fadb2abd827d778fe94132e5bfc2ae5355e03f2551cd7a879acf50cc0526990e4ccde93bf4eff65f07953035b93cc435f743001f21b017cbfdfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\NewBuZ2cYiya.bat

Filesize
219B

MD5
7ef2c07e218618ac2095342c3062035d

SHA1
2422a1a786fb99fa264c9c22da2737cf2bfde0ce

SHA256
386b7ecc6fe3d9a745b8b44dfff70fd0374d0f751d2543096ae9bca6e83e7a0c

SHA512
94353a517e70b4e186c2c851aecf4ed9dd8d9c4cd0c773c1185ab4a72a2b8ed75ac60c8cb113d2fc5c527cf1642dc4a1731940cfb6e55283c64ccae15067fe90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nw39VCWI7dlM.bat

Filesize
219B

MD5
2379eec6b1f3df3bb4bd168b2c43dd2d

SHA1
1e46c11dd2f9eb1e7c2be5176ec7052d87b1c8e5

SHA256
487891c5b9c2e54204f35f30ae53f60d3e912d5a51dc2d6ede7246b4c89cd816

SHA512
b897bfc4fb28736873615054a5c01a48c828fb128d41e66c7daa8ba86933485172d1d31d33993a64aa0ff5aa0c6d8937aa81a0c298882d9487be3aae484c59ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\ODlWfEu4eE19.bat

Filesize
219B

MD5
01e4248db1402150ae8011f30ba59582

SHA1
b0618eb5bb28b0bf34a179669be4d062fcf488e0

SHA256
713a73a565febb79a3e4cdd867d79110912a428263805c9f481ced2458f7c9f5

SHA512
ee345e41a28d8b1344daa1c02bff25bfac0e4bc72a272f700ca33c4c0569ba50d7b2b15e12020e8048eeb70a2cbfb548ec6dc9d952ff9549257ffef67f907022

Download Submit
C:\Users\Admin\AppData\Local\Temp\SKegVBDbk8Pj.bat

Filesize
219B

MD5
397dc00c8c282e20aa2c095c52c77e66

SHA1
e05631f7e64c88ac5ea91b57e417c4264afdc3ac

SHA256
4db4ce3e422db6bc67dd1eca2f9967bbe56308a2de4e4d95ca9952ded30bafe6

SHA512
6711ed76288af66204b5c7d04fc6f9f12dc1237fe75701a7ffff79df79dbd6bb243332e70fe0ea4fbefa64d272e59200f4f9e5c4c07716509ca7b817904dcf42

Download Submit
C:\Users\Admin\AppData\Local\Temp\VSQcEERrldIP.bat

Filesize
219B

MD5
0e8e70c63df68522c388d0741999d2f9

SHA1
c9f8a1f6d9afec30ac35658df025793fe984d0c6

SHA256
7ff662e981bb5a1fb2919984301c140c48f6a916c552de69006375f8cd887d7a

SHA512
44c196c063cc6f752eb229f49a6815b4f2625767ef52f47ecff70a25d6d52cd4a1b3e02e2fd8dc54835bc203897644636d1199bf630142cd2f1f7bf3fc4f0c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\XDWO8Gh53SmG.bat

Filesize
219B

MD5
53cc1993c35b7f3b230b5923bdb58d54

SHA1
28131122c00deb2ecbed40792f502735361af307

SHA256
df2b04b00379ce9e5506d1144f6093e04af7b7ec0035cf551d93de1a19ee129f

SHA512
e3718b88f003da6960f5f35fb4ad95d1570a0badfc69ecde6722830835d13b7b4b90b468b75590747c7a343de76c90225b3226fff4fc917147cfd65e5e9a99bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xyftcig1.vrd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cKtiQHn1ZDfV.bat

Filesize
219B

MD5
7f5d11f48eefde5f9a59af039fff328b

SHA1
fe045f54d1640c4ca233e86bbf004537e8a5abf9

SHA256
d6e807bf56fabf95013fd26e09cf1272028034aa3a2f3b4f2fec944459bf11c8

SHA512
6ac5207da5848b426b7f0abce765226b56e8bfa46230daff95e2e783a57c0a66e5ce03530437f6555c0471f0a585cbcdfeeee6791670faa2afc113166a842e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\eHzacrcKyFp4.bat

Filesize
219B

MD5
f840c705ceb895747eb7e0a37f09f3da

SHA1
e1fd33f4d68d7f0e1f6901fe8d20e4c24d1157c7

SHA256
8f18b4565254715a4a0253141958ecedff4ab953389d7956c94dee9e13abc850

SHA512
058e16f7ef46570bba568c4a783e280500fc87f4b4da9db32b08b298a7b2a3a7754875b4115286c8fa19999c00e7cefe3874a57a00e2bb8dc738c99f5d6b6873

Download Submit
C:\Users\Admin\AppData\Local\Temp\g1Pvi08amPlI.bat

Filesize
219B

MD5
6c43976ae33b17c16c73b9a3d50e53d6

SHA1
8e1e85accd63c4e34fcf9d397b2f079670387903

SHA256
611084f4569dfad8f5dd3e290e7899b28626d96b611f710a1e7428517b7e2b0a

SHA512
0b7bca845c94861609d3ccb9f0c6cae15fc23c9a8d097cd63253e9098e94f0f574dfec7ef7a1466b471ccd04e1dd5b049a7874c3b9795a9356672422a29591db

Download Submit
C:\Users\Admin\AppData\Local\Temp\guXB91VgAxch.bat

Filesize
219B

MD5
4014dee14cc91028bfba9211b88587c7

SHA1
1e9bf0210f0fb6f8e895be026679b30f44f26e8b

SHA256
d30e5cacce99e965090dec0b71126901f8095a9256f75d1adf86bbf5cd798eac

SHA512
fe10bc881a5e207ecc8ece905a0b5ee1b8c293b4376b06ff661ab0a28c09b24a13bd5a4c5c349fb79533b3f35ef1c8a729a012b0bc0d703f423c90f0180bf166

Download Submit
C:\Users\Admin\AppData\Local\Temp\l0z1UgINqwvz.bat

Filesize
219B

MD5
981621994e455812b32d4f299e4d2830

SHA1
e190877f108e6fad58b275c36c719b69c68e3893

SHA256
fcd761f97015680fac0b22dbf3a26270aef39c2cf08cfdcaf465f83f2ce42565

SHA512
fe2044d1d3a9fa39492248471d15695d598e9933d32a2047831845989a6d59b41609b356873aad075e09fd215fdbc7280c6ba1c7079f20f8d0ab9159cd43caee

Download Submit
C:\Users\Admin\AppData\Local\Temp\lvBkUkb7Xw4q.bat

Filesize
219B

MD5
c6567e59b0cfd327777540a1b469cdde

SHA1
a49aab0243e031472b9d9c056c9417b69d115181

SHA256
37ea2b1b10f854f5779585e803ae0e885d629ea2104963cb1cfb1dea764cebd9

SHA512
5a667a8f2c6248729f3ed3d987840e8e4a73a84fb74f9cba577b4c8fa7f7f3f2cecf4ad911c8c9004c4bb301c9ff7c3473554cb8d7e738d800f76906cfc50a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhnlPojMuvqr.bat

Filesize
219B

MD5
383c7ab293facb6a0663c3e551cb5974

SHA1
3233432602b50427a6ad68ba81a41656914fe217

SHA256
a78bc166f5765fb586ae720540cc7daae7dd3f7bbc40fc00efeed016c7d16115

SHA512
970b6d483674787bba2cc062c8079573aa99ed43da1aed6ecdc875697c2b915971a670ab26ea00d767faefd1541bd2fde3a215feae2ab595d14b1615053f3f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nUiTo2Yy2o3G.bat

Filesize
219B

MD5
639fd2d7fff72583abf1e6b9242621ee

SHA1
60559cd29937182ed404e3a3c570b0319d47dcb4

SHA256
e3e6a10765efc20b6397d6e731e1cb9596366cf0df327880ecb07e0565bbee17

SHA512
4bfa9d51c3ee7450ba911765572662f62957d21bef4f669b7fe4e3bbc5beea6720699efd48cc743b7c67d4bb48437043cbdc1297fedb44ec9735f76729d07b11

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYpwzSb42cs7.bat

Filesize
219B

MD5
25d18a9cb0530b265e493f18401bed54

SHA1
ed1d2852de063bdabda7c57151115763fbde5bd2

SHA256
1019ff47e09fd83e8e623110b2bf514c5535793e8187e6c2233c62a02b415f17

SHA512
6a5a126f109835a141b002f0d69fe2ec71348d0102e914caf23680bcc88b0f1f44aea7624059c46da09e3e9e2dfb1a12d9e6b5d8393c0ceadac88b6748dc0a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\s3a94F5Vrnbv.bat

Filesize
219B

MD5
687576d88c34acab8083e8a8fb384dfd

SHA1
c44c35ad393a1a8429dc8800729025ed52c55bfa

SHA256
1df3bef3d3fd65588310e34a3516b8ea21835f3830a91a4db69405325042205f

SHA512
ec3659844a7e61272787e4ca8e7be228e09ea31013a289eb07d19d171484ba0e7a46f1cfa519df4595659912297c8debdc48d9c022173c87b5e58f4c83d2f7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\t9y161VvwXqj.bat

Filesize
219B

MD5
aa47fd73f9094151d5cc3e27335ee94c

SHA1
349bb201c89a226732949a64ae3d39d22a6668f4

SHA256
d742e7bf12158e29e8377c985f0e88d0e682e47b9f9d31871645b71f11cce787

SHA512
67f6325acc75fd9b402417b190a83b0279fa0b377de545119b92e2db21e072bd2c93a6dfb558514828bdb4699ed29447e5e8b2c81ec35227cf857503691e6656

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uLVjeosWyMHt.bat

Filesize
219B

MD5
eba184adea414e1d620b50e4d4f9f2a4

SHA1
740a4457a3b1badd084bef1c6525f73220c579f2

SHA256
e2c724f02999d434bff8a62e3dc237d79de3b36aa0d49daba4a97c6d1e660c6c

SHA512
2a4e874eb94415ae67bfb51e7f599ebff374ed0662c7c3545aa2d0172f54b2082701458b7a4b87d1609f15352129a362d6c2f9b5daa087c4278534be329238e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwRUzFFB8uwp.bat

Filesize
219B

MD5
88e3ae7a1d6c8acb2f46612672ea3346

SHA1
ce7e79975f597d29fe6360120c1f9dac9a8ffd36

SHA256
a5cd2bc512f4405eae844b8a6dad54d860f5cc0454634972db6eb272713d2851

SHA512
b46e6348f76e432a0b65a38d7f32e9b1753b1a61762b39458264d5d5f117bd0682c9fe26e6cdd4b4fdf0201ba5af8c989f1a9510d55621e14002f443771cd892

Download Submit
C:\Users\Admin\AppData\Local\Temp\wNAcwWGNt4xq.bat

Filesize
219B

MD5
767162c97ae6163f8d76f51845a04df8

SHA1
120feb70a661f8c55b54ee9f8e2129f300249f67

SHA256
8e22a4f1a09ed8ded5a6c86107956f3b9e1e238f6379aac1908cde3e3a040c6e

SHA512
328c759876c8de0c6f77ad5aaf61eaffae4a86ca4b6583beefef7a1ce81e752e90e690fa51f033a4bc841e70ae3e61c9e2804af40efa0291593f07e89210d1f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xCk6QASbGRo3.bat

Filesize
219B

MD5
d061f6529138515313f6652358aab88c

SHA1
856a51084310fe411df1a8938cbd6459dff9e4cf

SHA256
89eba034b4eb149a4e2594fc17dc623349d667ab074617bdb630f79b9ec79da7

SHA512
e3c7430785b937423af0c6dc5c7b8331d0bb2e1c7ca1a6b21f122737090fa5b29e5f5e8bb6b952080509ad47fa7015f0ddfdbc12413fabd778166dad27aff777

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmaNq6l65NHF.bat

Filesize
219B

MD5
2313052ec9c897fc00d39bb865ce5be9

SHA1
d805ae5fa592f5e307d0ddca8a431cfb34e1c117

SHA256
3d26536b7fb579bd3e42f9672b44b364eb01166715c3c60161a3347c0b3f1a3a

SHA512
d5cd81df7a5321d161ee55935978b1922da3fd2f0055ded7f0ea03635569f2933b2fb154f145a67bc0f398f0df8232ee62c5ff4830b29c54cb4f998bd4e13752

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
aad379a8983158937357b102263db444

SHA1
38d65587595cdf1c60ca07e71dbfc516bf2708f4

SHA256
f144b3585002a107d08af6c7d315e14ebe37a7d6b56792b1695a216265ccc61f

SHA512
c8c9673322c05c676dc86a2ac08d105474d6743dda230750304f863338b96244ca0cdf92251342045d97d03cdb268f147b8c1af1129f81b9b9eae03834c5bf5c

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
6036e40b49a0300aaa0fd7c47d97c364

SHA1
a4f6d35655cad32009050ab4e97e532d97cf5066

SHA256
6efbde9e54cf24fd6cb5755e706a972ce134f6b26b2664634d5426900bf06876

SHA512
d8a960daf80b2facf150c0ef525b8c578c08c55470189a9941e137154d4619303892fde9a176e5867f2508d6cf97a83979592c1434428877a4291de4a47ed5f4

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Code Cache\js\index-dir\the-real-index~RFe62d0d7.TMP

Filesize
48B

MD5
262bb403e688f29de8d7e8ab8435eead

SHA1
88307350b59ccfc3362f618872b5111aa68d019e

SHA256
14a4ee22ff368ddbbf3dac239add092ece9ed05109b63c6beded29630a5c11e9

SHA512
41a3bead8b64c72ea8527fc6d8d105f1065a82e3af122db011cb7e546587be453fe7644384cba25d9bba4f5258c863d495183b7deca4b1bcd5166aa20b93f55c

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Network\30f8b2dd-33ed-4bf3-a7c2-d7dac010616a.tmp

Filesize
2KB

MD5
23002cf33d41f8889f7ce919516e23ba

SHA1
a3ba85dcde79554f03f88435bdb7d68b62e3447f

SHA256
158679a5a7a89b5f80480cf7769dca521ee02bf7f893440f41ab236f5bbbade9

SHA512
35c8ad8dfa032bb4bbdb161251740df1ecce3c3f1b178e7211eab2c385f1057eb8cec1f3b1a0121bec39c501f9431dc579b721d1583fc0598cafd16130497a3b

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Network\Network Persistent State

Filesize
2KB

MD5
9cb978c854227e3683df6df677b572e0

SHA1
bb489474cce52387472fcef4e856e28557b549d1

SHA256
7e469b8d97cdd736f8bdbff6f2ff4d03146c203e31f9c1399de640ae1ca07493

SHA512
3248a46d891bc5b775a178e5fed65380aba9167e4b155624a2f244041130fd98f178fceb09e71cbb4531cecff2bfb5ea093ff8335481d9cad22ae9175e2f2704

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Network\Network Persistent State~RFe636799.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Network\TransportSecurity

Filesize
984B

MD5
8569ec34ac8475f3f63a9bbb08514227

SHA1
c51c27296162f493962f7d30699147010561ba3a

SHA256
a01c73151b4659f5330cf0cbbb7d812d0c5411b09198361a6cfd07380dc7df16

SHA512
0cab5d84a7577fac01f0cc4d130e88079df43bef4f6a3dda56686a9932c70479002032335faf63db3fb97e720d71a6b6af2341def509a00abd2e9444bc1afd7b

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Network\TransportSecurity

Filesize
986B

MD5
0fd8a0f6534d7ae355c9171c14081cbb

SHA1
08ae3942b221d5b811acfcdc10e2a45e82522472

SHA256
d5a08f48cc094e675c2fafcda17942672e80dba5941f8eed45b218d3a0b609b2

SHA512
9f53b05785f91363bcdea3259a42b0409c14296bcfdec15d6c531ff957e0304411b9a8bc6084d8fd015ba1baaf5e2c2b640a2fa78d51440fc57dfcd651320665

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Network\TransportSecurity

Filesize
1000B

MD5
4eea37811dc72b2d04b94b4cc9620037

SHA1
83ee386458667ec1e448173ced7e63977db88710

SHA256
55cde53c8e94fd7d9d89b15e20715d6ac3036d6c36211bfb4227c9bdb0d0de95

SHA512
a4007416133e11212a0807df8ec945ff584a739e375e1905f61476d2011b19d76fa0a6d8d42f04a5693980cb973c10481768d7d4d2fa0cfe51d173ee4397f862

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Network\TransportSecurity~RFe62e4dc.TMP

Filesize
827B

MD5
f98a405c0e2a97f9c2b4f076decbaf2a

SHA1
e842926b2bb36add70b1df8861d5816a59258235

SHA256
b2745f6eb5b208a896b270327a160aaad990038270b54edc70b2d184747cdb2c

SHA512
e82f5ab72189d74e30440ec9f98a83c189cace27c2af9c8088085305e8d35937a2bb69f3b10c576dd9fa3990c8ac0dec24f69ed20cd368e21bb61abc0ff55fed

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Preferences

Filesize
6KB

MD5
a9df5e9c4a3ba9e93200cac56336b2ef

SHA1
f33afa82350de3d73d9454caea6c319c3f9d9e91

SHA256
29607d0293ada5d7cbaa80f0320a865256e22ae729d38a5924b75a17006bebde

SHA512
b363333880f0fd12311a845bdb0af6fa81868af789da8b432ad178cfd7076d7fb8986b70fda5a5097839e32f2346105423e6319a52dc4924faca6b44e3b3f10a

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Preferences

Filesize
7KB

MD5
9bd6539183ab7d14969e65e07539eb8d

SHA1
3b52cdcfa60954d9f21f47e688aa3805db3ea5e1

SHA256
fe3541ed69b61adf4d4d10b54a72a474fff8803fbed8c59856df8c8e96282e27

SHA512
acfb1e7180d39ada2b012fc45c0d58e14fd34b54a062fced1c30e019399e1d2e9b257150f46269c29e3611652befb5017bca7fddfc946d2650053eb5ebc75f6d

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Preferences~RFe629d54.TMP

Filesize
6KB

MD5
550bf829cf84f2899742076128bd6255

SHA1
f60f1dd706f935b5f733f1fd8ab1e629e14fc25d

SHA256
99e3818fdeb5aa257cb4ea29475bc90ec089ff3ef650bbd6aa4cb1d4c531be8a

SHA512
bb024f024e6804129926a2a732c014b4d64d84620256709cdb170f1c6daed620a2b67491619a210dd40c7e7a286ed35ae8bdc562be59223ce46ad232f3114b94

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\GrShaderCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\GrShaderCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\GrShaderCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\GrShaderCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Local State

Filesize
1KB

MD5
be5bc70467efaf8218c71671f6a4482a

SHA1
484c5bd09b50fe5e68c78327748f819dd7fc6f40

SHA256
0432965772a3900aac3137da5abea69818b500c085166eed104569a19c70c9c2

SHA512
9b537afa419fd356c15044b451870211c70b36943e9b190b398587bd3504e40bbc71cae74e17184ef3346ba24ea50665af8cd39f1e08012e8e9764548e072fa4

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Local State

Filesize
2KB

MD5
eb915f84f58d3ee87f8a6e3fdc4b4c9f

SHA1
91953a0f53c7762944222ef9487c26d3a95708bb

SHA256
22672eb8c493b0bf70a4f43ebce903f7adb9997f2c503ad7ce4608f440113022

SHA512
e85beafc6af263212b4c25f1a83e7d8c370ff722517c57df147f3a6c544ae0aeb74a4ed71f0ee6c6fc1a65c6de23fff7a8948f9c95eb927929bbaac084c1fae3

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Local State

Filesize
3KB

MD5
9a1939562e857e524d3aa2a06f0b1e66

SHA1
fa48eaf071ca0028965f204aa1a230b3e8e519bc

SHA256
d0b70841116d8029699c7ad9bea5abc5ab4d7347736acdccbb55176ce2b239fc

SHA512
c39dfe7c3dd6d1a1761f4824645b0e714deba64e929016c703030c957bdcf7eee9a15519f1162f045387f755097a2461b2dabfe5e6c7acac580872d1126ad96e

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Local State

Filesize
3KB

MD5
8cff170d4f221443eb186aeb0a8c0466

SHA1
6551e2b3438cba3d09962303335a8d2dc8d7a0b4

SHA256
e6b5510e9a7f9afcb928eeaf6c8a30261845bd0862e6b88d9b1478625b623332

SHA512
f2d42f8ad22a77ae2df4d79417f29a31c2949cbe6173639c0d8a7d859eef764a3dfe1c75b62d20a42749b42b3a8b4e6834f5b53286cf76f27ba548a980ce75fe

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Local State

Filesize
17KB

MD5
8054be2db0ae4df2b97faae0fe063879

SHA1
d81dc7abbe82da3e6e7724c4093a62da959aae3a

SHA256
37078524c5afa0d0c9c05b229747604ee2e94232a2506e8d14ed65f0e26e6edd

SHA512
25128b6da055d44cf04a1656ca31f9e5940071e73c877a99f4f6ac5fd7c4866f883aeebfb73c915df28ebe9fe50ca5860641d8e30f49175ba70e4e8fa949c9d4

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Local State

Filesize
17KB

MD5
bad1b10dab28a5906262ff4783c156d8

SHA1
1426324a73e468b636e35ef43827823f635acce4

SHA256
30505cfbfca0aa17ee7ef7f0eff8aab7ddb2be9758a60d04a544859f37892092

SHA512
6253085249f9e09a0ae24c8a83f0fc46033259b026045093f4bf2e723e4e7fa98fe584da3372bc758ba22b8867f4bc11bdc8ee3168a2f26ccc089789bbfdbc56

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Local State

Filesize
16KB

MD5
e2ea6a99665d9c7a4aa792ccf57112cc

SHA1
0636fe599c929e534a83a4c30fcc473bee3759c9

SHA256
ae99eb83133e00f529c1356c6ca66df7da7820246b47e3b8f0f409bac028c1c2

SHA512
d97fb6b910aab2fd29164fc0db96dc6ebb2bcf0e098bc99b52f350bc965324aec85179df5cc20502c6376c7f9bc2bcb166eb6a31d3cf2e148844b674cce2cd79

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Local State

Filesize
17KB

MD5
d9c01d102dc314b5239b92d5ebfd6413

SHA1
f8171c3837a01100a1a531c3845e28d3ddf65a8e

SHA256
63b85e438fe0de8cdcd2aab3790622886c3d38f8a622f774fe0de39f92bff8e6

SHA512
fd4b2ad6fa35067017a927e2cb58efce40c6c04e8a2a0351b55ced4b2289586ebba261357bd0f97fb8746a064392dba2bd5b442014158710789d18e9d1ab44d3

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Local State

Filesize
17KB

MD5
6cc64de0bc55c3a417830af169cebf1c

SHA1
f4312691c97ae2f55a2326339fc249b97189ddaa

SHA256
f75a47e2b59c4bac9e52a7d52472b9d6eea837f8f199d2cc10f58f976259985b

SHA512
da90ba93656c9bc7399e210cb170225475c423ccd9ad1cc4130f3eb5bf9e0bffedd62baacd6a8240ee391bc2cdacc9eda0785211882e5e59da717560c71c5205

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Local State~RFe624e1a.TMP

Filesize
1KB

MD5
c14122dba85ddf1141c6d165ae747397

SHA1
36869ef26fea56f2e1db26320404dc7dd2f87eb4

SHA256
2bce463bc664631988e886ab07167276ae4322368a7b6682231cc9f70cff6234

SHA512
acfe8a8b83d2ead2ee16614d437fcbeca761a6951c2fcc17ac5a8f1ac233395a8e642444190ebed2a78eaf336621d218193df9937afc195b77530250a83c167d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
13KB

MD5
0f7fe430adeb28cc7bb9ebdb1c8c9be2

SHA1
d1ffc640e6ca5d03babef157e7f85cc358880500

SHA256
aa6bcd596ce8b8e62a70143a3b8e3356f260083cf42a4349ff9239b2080fee0e

SHA512
c508bace799179aad523690179bee83d616c76666157aa2acce6f402faa843be94dc1010a33ef735ffdff68509d400dcabf3e2c8bb320a83c5165ff5dc7844e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
17KB

MD5
0a3a8f1ee0c0f1ac35ce4c06af69cb80

SHA1
3653f3c138f521486b53afca64e12db7267d6304

SHA256
d434e568d65cb73989eb0dc11345921cb18e1bb39e94a52f6ea9a1643e87292e

SHA512
b628fed41f8679a373297d7d8b38c020b835578e27e1bec861dc2319af45bb18841a1cfd5a30684b7136bc45d54bd4858dd694d945b5794246ee93a43d09f89b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
556e7cd0fc188960cf190e3a653088f9

SHA1
37025e7d7eb56bae8593fe26c426761030e271b5

SHA256
3702d17095fa72dfc1a962a30799682d5a3ced85985d664836cf57a056a639f5

SHA512
ca8c24f612eb409948aa5889df516757d666a8213cb831f3c2e4548534ff370fe369741d9fee5776c0114c1d42f15cc8ad147e1142e8ac36feadd8fa3850fbde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
17bde07c65d99049e35ae224f68e2cb7

SHA1
60bef89dd87b3fcb516f39699fb260914d408415

SHA256
0b275ffa387626637fa75d05ea1fa2985bb1c0a7c6f8b18639d3fde0e907eba0

SHA512
78f6cb3cc1e3114867fc295eaf79b361840f30c37ab6b5b4d722c56dc7bb1c3e0df1c974fe6645ff653129277a3fda6ba1e219bb73d50ba023d0b2ce4dbd315a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
24KB

MD5
1d68ea6ed2d0783d9809cd2e55aae737

SHA1
f4c4c0ee0a6a4f4bfd25f176f6bc6f75499f24dd

SHA256
a2fc81a488296068eccbaedd923b04303ddc58d3f51c19cad765d343255b905a

SHA512
80de728a7ca1c24047e27ef8bcafef012cafed4427121f9811dc4642eb2316b46de1ff56703887fe2b4418cf427b50482f399e9ac459db9c380416e788f22c73

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin

Filesize
6KB

MD5
ff72b529e3722dd1f33be05426c0e0ed

SHA1
62da20981d6a1518f03cfb3f4c31dac3bdb05fa2

SHA256
ded3bc2f57423c3211d2cd8dbe91cff25a58a69e14baab059fe712af147161f0

SHA512
e5c4a62fe7db573cf8d20c1abb0c84ef3567f6f77773b63156d48a25c65cd8f9682978afc79327006e096a584b729838fddf8b1f10c03b0f22f88905bb1b00c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin

Filesize
7KB

MD5
85622e96318dea02a1b43b7c46bfc1e5

SHA1
2b82b1ae808d7d37da3ce389e7b187eca6725897

SHA256
720f67586bc2d867fb0f60e0623ae095e396074f2b943f3115f40d9482e75b69

SHA512
f7b8fa94f721349fd2339d7b3cf58f0c2e63d5bd8ad2a1b2f4b0d7b4af7d9ea59adb0bdfd9a3dec0f2f2279d1ff7d729d9723fd063571ff5855bf4455b0a22aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin

Filesize
18KB

MD5
de5181dbf9886f4c942db658ba9b57ca

SHA1
c35772457ee35eeeb2b8b70933acfb2a54cfc14a

SHA256
ca3702fbfe76706824e1f3d0ca4adf1c4ad504686d1232391a5d0571429d5467

SHA512
7394768e24b203a1a3484ca4dc612dd36a90fa72fefbabe7b541c5841197bfa6cbb683fc85d5ef67c2689157637f142eccf1a07066fe59998359a8f2ab9d3604

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
36317b6ad3c542ac5b35ec0182972bc2

SHA1
6edf0e8f046ba9dc0a2d30c42fd461cf3084baca

SHA256
5db8aafd344122c14fe50a1b2df27c05dd62d99e4b24b722faec17ce3922e144

SHA512
92e42da0f50bbb2b04ea4986da80e34e39a428b09d4dc8484292c73ce2fedf35e0cdace59d52082acb76f3fa576cdb4b6d054cdc127df0a9c0fc43a91844a2fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
75KB

MD5
53b58878bb38e07f2efe7cd1a943453e

SHA1
86c81ea364c6b875583fb704e916e6b2fdcc304c

SHA256
52a8b89c36186052f111395322d713cad6e86958742126bc2457b085f2f1c32f

SHA512
8d2f100b10ce26e1e49e83a38e26d65ee5e77ed89e69fad1efc9f77f51faab9f2337c29f9f0a031d179d13d348d74373dc9c6bc35fa36929a30e8eefb6805c07

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
75KB

MD5
efe2e2e28675a2046b764e576c5f064e

SHA1
534fca3b4a1639420ae932a1dc0e18b8dc325411

SHA256
e7c24c354d8ea320d2f4b81b2d5b2f94a6abd403b3df69a9e5fd34eb948280f6

SHA512
691f500e0c0dc72e02c4c131e3bf7e598ab5d14bd7b1a123d63d0019d340fcecbdca94e39415415c261cbd58bc484ab7d2fb0dbc2886c6f84834e87d9154c62c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
56KB

MD5
a435126d98d343cea59d0538e4c50180

SHA1
dc3c7fe11fdcdaaadaf7931de8910bda30191e08

SHA256
7605af7aa8ab0928721fd6e8ec4523e4bcf0497cf5b718bc84586b75e3b53957

SHA512
2188cb66b5143ce532c299a90112395f020c5874c7698eb562ca4c594e43e8abc4370caf9e229d3204af6709f288c0df0b4a3eb873b52bebdf155d04410d5c10

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
43KB

MD5
40b9bb73118c2b9db4a37b2be2ba0c5c

SHA1
15666d61d75910177aafd4a6ce77c7dd389e18ce

SHA256
aaf528bb13f7412cc4a1ebd4e39d6059ec1491faa8bd9212a448fc4b77d06c8b

SHA512
9e89a83eebe3400bd2b58c39d041ec9d5c047be668bacdcf611f0a5af18d45eca5d34f42d7ffa39e1fcc983980cb40f3383c4acafbebc827fe419fa0f8fdd153

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\0af9eb85-a210-4fee-96be-85cda4558fbe

Filesize
671B

MD5
c24b10b9ac216bc070d7b8631fb1cde5

SHA1
f0782760b2de1919e834cb8ba83a61037a0c6415

SHA256
65f4d2f8ad428d6d1d84ebadb5c7bea404d95b047c66c3147035d83c21e6d1ae

SHA512
cb7139bf58e9308a1a0c5b06fff054ed3371c72fa843f025eb5ac3ccf5778557fc16318c6e70c80834c5d27338e1db35f48c851f5193dbb2c12a6fcfb402914a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\4fcd83b5-867a-42ec-aa36-0ace4ac2fc0a

Filesize
25KB

MD5
e9d9a21b2fad06579792a42e06e720ef

SHA1
fb4cbf840b068ba5b83882ae8348f5ce8d7bdc35

SHA256
55525fadbc65212cc8d3db7117748dc33b31143cf346b17e77da4bcf4038f72f

SHA512
76373668546829e1d51d64b89e05f827bf01131882a712f545fbde1b43608d2b5c67295d9178ace938c6c8730e1187a2286fb694ba48eed909445fa6f1f126b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\6e0698b6-6045-4686-9568-55bb079adedb

Filesize
34KB

MD5
4ed0cc366d11effb830d6a7254965771

SHA1
0c8211b6cfd74981686cd719449c146077b27ac7

SHA256
1ef5f9daa2639fb73fd3fde57526a6ef47b3ba8f456cfdf2eadce626822bfe21

SHA512
3772feb3b40e86d0b1e231e548c82e730bdcdb122b7df0e4d10ca2def91479ae3410ef27cdbdbdd74f50056b58baa79dd6dc4e4220ab9798862d8effd425074c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\e5f73532-38cf-4900-9405-1f29319dbc2b

Filesize
982B

MD5
334a80d21ed97af436c644617505162c

SHA1
8c28f0da8bd8598108e467462d44a00caf4b7b70

SHA256
19904c83d839aca40274f850bf000d98b43a37610d72816aeb5b8f3be01364e7

SHA512
cb573e1a8dcab8b19eb652862c930b8dcf7ba3599aae1d16da60b482e0df4a11dae9af8547e8bcf4a385d56bfd5f99b832d49d6a8eac34336bb245362744d36d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs-1.js

Filesize
11KB

MD5
fefc20fa4ab07087222ad726393d38cf

SHA1
d666c7fd75ceb8ddc3ba9c9ed470e33528c5bf24

SHA256
afb0af0e2e09988be5e47917a4d6cb9f0ada07478c775e39b0b23028832cea74

SHA512
d6c4060ccae153e3612184596fafac0c29629e44dc983013e97e7d67cc34529a3166ac54186573e3abf0e24c90b884e0c7de041e5f78442e68141e6d066e61e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs-1.js

Filesize
12KB

MD5
f86c57a9918213c591afb337fca080f4

SHA1
5b87f01551a837cdb44395950d0e0fec92a06eb8

SHA256
e83778f787b2af02998edecb0fc5cbefa889c9ba4540a8f68c2386e7ae88f8aa

SHA512
19fe5f30b39d3acb7f1f8db9058aca875d065252b1df23a3a45bca89062ed565178992e707b0321228b9c0c80736b898e41be06d1ee95912ad96e38b9c3efa38

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs.js

Filesize
10KB

MD5
f8ec86a7b4c6b01cd6ffd91d4727aad8

SHA1
529f32b4b7260f2bc4c7d3a15a4b0ba3adaacf67

SHA256
c342b3beac7c76e81bc39666437f503ff52d86120342559d54068a0deb77c0e6

SHA512
e7d17caf5caec6de009005ecb7e656982cc5f4eb1d8adc2777b48cf9acf64e97810c972176f81c94546598208426df004f1a26b3edb58c6b1be832ef0d624efb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs.js

Filesize
11KB

MD5
346d20c9e5e83954db3848e2dd1c83a8

SHA1
4ddf8c0517499be58b18fa6df84a60e3581470a6

SHA256
f38ba992e969ad0e415d8cc6e5481d7381c386738f19cda01fcc154021df8af0

SHA512
8d559a21f2232678a616e672c74d4f1b64d8b126ce934057a5f7dabad758e5fe131089cd44cbed91c5eaf42ddb5d42fc7d52364f6c4395af47216c208b7d0165

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs.js

Filesize
10KB

MD5
abcc7f712b13a308a9b68706cf7ee46e

SHA1
0fa529fa71bf775aed5a3c42c6eac774a14151c7

SHA256
7efd4c071ea12e86f7813e59b46fdb5d97346dca7b27cef37bdce60e56baf7d6

SHA512
69f31e81ead495811903ced79253f744b9c398946555195d8a2cbb5b4aabde50b835efc909d4939384e0100af6326321e4166dea053704895d892e632628915f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\serviceworker-1.txt

Filesize
497B

MD5
94a3500d8e5bdf97c2c1276bb3621f7b

SHA1
62daddbb03a6c4211ed1a8728c1f31ab083a98e1

SHA256
14dbb5f75d8119214ce46d8a32149ee2ee63d60184d5b9b90b4e939065061a01

SHA512
c8e1fd849b8eb394bc6627d8041dad6cb295c2da181624f3b85dbc7c6def67dd0d22cff0677c05ead58c1731164aaab6a8a15a3b2ff75aa482c6ce957e5f00ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\serviceworker.txt

Filesize
196B

MD5
c065ff985ef676d0d8d202a3ec77c39f

SHA1
7f3c0b78faeed0b5764bd7e6ddc98fada7323020

SHA256
aae7134fc6cbaddba87f2a391533df678b4d20d9ac7c3d871773d6dda5a1ee2a

SHA512
d23fcbf5705b1f7031d8e95966414d4857d29ad671456d00bcec31e78cde5bc480e75c913ed49068eea1a8cf6789efef32e99fede9d742e76c516427f17a1443

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
d2f695aadf575c94b5fe5ace55b881cc

SHA1
4169de8aa4e3c3820754062471e3437fd0c2010b

SHA256
4112dfcf11439b0615202a6b25d4a61a0ca735a8ece97fa01ebfa4cda79bfcde

SHA512
b013aa09152b46b4d3cf358e1894eef4a7a2a662c90f529d02cec497968db4c6982e45f2e0468a54c40f6fe8d7e7ca24d3ed7ca810a05f5ca87f1f825d091a8c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
c38bd28c56338cc3f9bfef01708f5e42

SHA1
f4670e0ef40d561cee010e7d8943b607d778f6a6

SHA256
0ae7fda3910ab0f43962ca2ed156009a9555c5b5bebf46ad4a535a74933730da

SHA512
b216231000fbfcdc081374a342c65c28278aff60d90f32b816f0cbec611f8a8eb82d0e41a5d2022d75aaa763656e63a150d544d3c13fa916188f8841bd4a9f42

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
0ccf8c3d9da62b17b3c81690d89a3e63

SHA1
eeca2d0eed646f33fbd8c1783747edeb2c638f0d

SHA256
ebb3276e577711aec76531105b5c1649955ac4bba545e11ce76ba27b55a9a742

SHA512
14cdb760a8e506271a104827121a5c81bd04ee5019bd254c9d6a24c98f3052c4340ab20d29f8ee780eb7c1ef28f2520f172261e39dc672baa7a04fee8675d33f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
19edaa0ace73c16dc1240e554411308b

SHA1
02c8e28bf5913eefef72bdd92427d25b308f576d

SHA256
380115400489c7c6af087d7041b4484939ad026262837b65638b9ed3c0599293

SHA512
3e6f4274081993e0b26c57a1e86d9dce3f786c053da0befa765f5965f07a025001e8e65e2c7ffe13b3ce1e197612bfa53bc29344dc66fc6b369ba866a35bb13e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
c88424c0f30eed898e6e88303578f30b

SHA1
d02fea0fd1149e0692e063a4fa916907621c1afe

SHA256
09eb8861f6e66bc0854f1711622ebfe4ce5ed95cf734c748ec82637952772657

SHA512
7cac7076b0e231b8bbb37f1161d0d2d67aa8f7c2ba94bed21759f0c4f886e4c9a79510265a1373d45e6b4090040670195a2a6d28b2a7c23710d41fa8e300910a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
11KB

MD5
6c81bf8b3d709248e0b06e78f3a13889

SHA1
14a3b76571ae2497aaa70c21dbe29b110a6c0029

SHA256
0408dc23fa44f7f5afb3298455e66b4ad6d7e2ccb9d9d65f7f09c65c9f586946

SHA512
25ba25705a3f3659c37fb06a5c099e34014e1fdc7145adf7f6fcbb76444be64da7f31e0edd8ea3beb71437056f19846f39e7f1063fff48b9d2739bde036fbf83

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
cb6636a0c47916f64ee43f4f92fcb419

SHA1
f2e71a5cc9919d0deae259a4ca2af84d0a299ed6

SHA256
1527a3bb7da4241915b4b6c9f8a9cab6ad18098fe5a9a557343d7f17f3e80c56

SHA512
53b40f3d40e8ec0347c36a19a6c30a454c8d4861ac7b8c5e82dfa91efae5566a5da0227f7527aad49e9c1dc79eeb251e91e3f44968ff87f8352592479b4e6b70

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
19130c2935faba8913af6ed9fb1fbd6b

SHA1
dd71afb544b6782a6793da1a6f26de7cacb81103

SHA256
7fe3c0ce174e1a563a8c605cbc666af2b2843cd9fbd8e00ccd00cc646bc96c48

SHA512
f808d9c17227ff22b33d8336c767b6341766b4e0fa68df3469f2ccbf4bfb1faba215bada8a99cb94f9621980ed73e3c2672ca2064e9671e31d7355add1761f22

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
201ae871369ff778cde368d2b8ebbf0e

SHA1
f879f830278446e8c5c727c2b75563c0a4cebeb2

SHA256
145ec98abc87a3e23b58d7c9114f9b4021d62e9678773e823b323094834c50c0

SHA512
4785fcf3966ff95f09e0e38e3e329300124fcb6e0c0b6b6fd2ee7fc8eee10ab2b45c3a0f750ebfc06e5e14a91387681893179495655426de0903b4fcbb8faa89

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
13KB

MD5
5760e7b3256a9cbff45ca6b92e47bcc1

SHA1
a0c08f3cde9f1e58f926946d6da241ea2fac12cb

SHA256
afa24d155ba09f855a0424514dd0976d99fefe14c050cc303d54ba7961e80c91

SHA512
de394bf3fd1970674cbe864a05b2dc5b8269b754ddcb9be6763554ae20abc3b4a318d00cb3fca5896bab34d71ddbf31f2cf028bfe1c88585f3c5513f5178d1ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
5fbcaf7224f5c71ae64b34860bcb7469

SHA1
eccf1925869ea20192b9be83017024e03f527ae4

SHA256
dc9e3e3559133a45d8862569c0048ca48fb2dd63647f5c2f089b9ab63cce72ba

SHA512
e61acdbe81c4ebd5fac2c819b6d9a48b50165a75efebe42f82acd5f7781bcb4504683e738c53c6a04fda1c91c4484e2ad04ddf57c43157b67158e467f1fbc106

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
3db5718cf3b05f830fb01ea3680a8ddb

SHA1
c8fcd03f2cccc4b459e20095e3b58c69db570882

SHA256
76d2745ffd4ab5b8f5405473d776ec041779373d2e2035e7c8977f10161adb33

SHA512
55dcd0e0521a048e3821c4898b80bf2807c5f82cc714236984546c10b1ea9461ebf1d302d537c3ac7564334b80bd33a182a99c1c437ffce54109cf6742f1d33d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
17KB

MD5
563eff17829b34e8e091b9c92bc3ac3e

SHA1
4e920c96b631da0b1e7d3eab4857b03bfcd635ad

SHA256
e57f2f7bc986e236f72062a5d8234fcbd620dc7fb3e243e4eb535f6a34a11a85

SHA512
7f013a2d5e4a6cba4e2505bba50d3921921ccdc0812ec782cd39292565947ce9d3e81536beb7faddac881bc13dd1271610fc304a8a3449ae47a7588dfcf65f85

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
12KB

MD5
3613ae6366af1fc7bbd882489a576e9e

SHA1
1be31df2d8dc832c211c05f25c4bae25fbd805b1

SHA256
6a2f2ee406d88eef1ebf649ae4920173d799e695970c8fd658aa25c5f02f545a

SHA512
0a8c76f22b7cd17d0ed3f120d3c80036549c89ddd32ba4d38147bbfa4b5d63dd8e867406f441ad3979226742cc2add47d3551d0ff8b28b815b1320195b35e378

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
37KB

MD5
52c3bd29893bf5182b5873bdbde04143

SHA1
97c2f2ed14c5b70f77669f26738d6b22c459570d

SHA256
6b3a739253a1c41304375cc8b9375254c54bd20b1932448cbbea3e7339d1ad57

SHA512
d5367e09b9c8986694703fc0e453d778032ae13e007980fb67bac19be1e3adfb2cbb007a5650732eae3de13a08f647a8191d72990f4d59843d33da9b083b5af2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
17KB

MD5
bbca056ba0c63cf929509c82e8f233b2

SHA1
3c82e4b0b3e037f97532d667602664a9a85720a3

SHA256
877b8463f4a44653dc3d382c385a90d1234dadfecb11524de1fd763d303564f2

SHA512
33de5d6bdebc3a9275fd33e4ceda0423783ae5a6057f9d32b20f6b399bb591d20f085edf1c62978d3a43b9a72970b0c6332c6fb433426bd0d62771d82f0d7aef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
41KB

MD5
b770993a51af1e80539317a609116bd4

SHA1
76b2675fdc6fc61b6267cbdfe537fc86f59d8312

SHA256
3ee0a98e297746f6e5380812a9f62694d9753ad2fff3d4216b1ab3a2f3885044

SHA512
b8d13c08ba8c998353f989f83b16ea978d19f8c2fe2642939cc8e0b598247f30bc2e7493865473c31ce9986fa55f6223c4ce66a4438704218b54e8887e9493da

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
17KB

MD5
d129bc733cee20c9d8cf04294448aefd

SHA1
971fa9c16304eaca77000aa5c7339d8c90eac4df

SHA256
9de07b8ec5662913011427820c0395416e992c4e672295c76b2ff2fd9853449e

SHA512
7b1c92a93f282aa4ad7330a5287a5169ec8afa5d519e8ea4538175d48d30ce0930121324145e57b398210788e6d13ddb46ef21970f4405a665539b143453bf52

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
40KB

MD5
768e9252c3f009455b6ad366d76f48bd

SHA1
76f11ba48ad5f691171d125956768117b2a0d622

SHA256
773e67dfaf63140f76fd1f69685b3d5329b1ad4631a8c725ac2a93cdd5eaac88

SHA512
130840ba1b80b86b55d3e12830b3cbeb43f35f9fcd911b92db71fb753524ea00b5711e0465a60949af80cf79c4c2b4753bbcc0e2dd4155ff875c84a109d8db35

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
41KB

MD5
f908935d3a8bd6590b3aea3102f91547

SHA1
33d7c2f6107ae713e2250aad709c37a48229a2c5

SHA256
78d8d23918c2e65ce0b97b5b5189551420e9ca81e9baf1fd9ec655b32699811a

SHA512
8f6bd6a5214a7460607a323639416e74244728373b3a94763f017aa5618076eb9453f6a9954f98cb5a919fe9701e64c8ec053c3fa2055f975ed7ddcfca269ea1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
3697d6fccbc84f41c59393f889f460f2

SHA1
ed99279fca794bbf950c1d8ac2b1d4610b599bb6

SHA256
e4e6d770c915d8cde3b1834b3ac2c97a676e5f17bfe7eb8ed99fa0daa56ef188

SHA512
402236fd2b6ebd2b2a16aa2e1c3af49c3e108dcbd96434c038936033569b6a1c55515c5242d619bbe64f83400978497785e3b4735ae25d06ff0d55a8eae08cfe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\storage\default\https+++wearedevs.net\cache\morgue\23\{0b8a4ca7-ab13-4cfd-a44b-dbd92c94d017}.final

Filesize
614B

MD5
a1f0f7322e08d29bae25058730fd9e78

SHA1
9e99eeeeeb484a581cfc64b4f97241d2dde2c176

SHA256
6519c3021515fc48b5901c4b3d0c022b1620f1a9d71992e21bb9295eee3b9517

SHA512
8b1dc96c90ba25165cca48ac8cc2566cea5e2680f2481ba08ea5c0c068053bd5169aa5343325d05cb458557774cd414719ea38f132eae6b18e9dd7bbe2b57cba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\storage\default\https+++web.toffeeshare.com\cache\morgue\61\{70bf1969-2b6c-4cf2-993e-4b02716a363d}.final

Filesize
2KB

MD5
0c017b10341e48f6adbc320db8a8e06e

SHA1
bc7dec516f3833f8487890cd1c5816185b7e76f2

SHA256
dff8378c604c5b36875761e2112eafb2b199f17c4d87c010cafd9810120d888b

SHA512
6954dbe63c60a1b38dfa4e90334b757d8659b1ed7b4d1b2d5f4845c5ba43f45da11c196f95c6e8c5a27cbaf0b3cfd848024bd371966ea0f207bae5ef2971b461

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\storage\default\https+++www.googletagmanager.com^partitionKey=%28https%2Copera.com%29\cache\morgue\95\{9f4950da-7678-420f-a643-8d4f7396045f}.final

Filesize
4KB

MD5
7fd116230491d5754c0b8b21d8aac3a4

SHA1
505c970507e1ee607f55221d72dd3c8d5c34a006

SHA256
c7e87cc66882a9f33a088046f6bccf88d71b3c746c737cd922845e4f964ddc3a

SHA512
2d782cac56b3691bb4189b85a4f2882ab30a5d23eb71e5db4aa04f27d19956cedc246213fcf66c333ce86cdd57a808a1cbebba54f885bc2e85b601d02a9c943c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
584KB

MD5
6513828b275513f60edcb9649820a0b9

SHA1
bfa668e62a1c30c4ea050cc42c6e9bacd4e956ea

SHA256
9474840eeb4e7e642983d4fe6a79d8ab092ce81ffd6700909879c6e8b0592398

SHA512
d85ed2c0d2eb09844bf7dd66f76136aaf1682855629ea870faf23fc3b5566f7e24d129ca500d33ceac153e041c7e1df04eb757cc4b5886d4f9d3316bc5a20bfe

Download Submit
C:\Users\Admin\Documents\jjsploit\db.json

Filesize
54B

MD5
41dea3a16884a8a050f599c1b3d3dbf5

SHA1
0d1893892dd3a5211b8dc4b66efae5d3f2c82689

SHA256
e14fda8dd813d96cdeb51cff4e4a5c8dc636b72b7fb075902d88ab587bf19466

SHA512
2c2a88c7d0fa9f32893449d5d8ae0d148793974c0e9f979be1221dce3b7c86a0bc02f3575bd5d2010e0fad20fb9730f707cdddd99fa922b8de67d9f1e7529cb2

Download Submit
C:\Users\Admin\Downloads\JJSploit_8.BdiLWIQQ.10.10_x64_en-US.msi.part

Filesize
5.0MB

MD5
8cb1e85b5723e3d186cc1742b6c71122

SHA1
f4638a9849b2bea46c8120930c7727cfae70b4d2

SHA256
f1db224af0f14b971ba8be3e33482322b2f821695a4bbe2782b956217da383ad

SHA512
b447f7b4e6590120ed50eaad798b271e7ebbe52ad61dbe5e621e0c99a6314fbcfd10ce8e6f837a7ca76e1084651c65dcb0eafcdac6cce6eebe2d1729249add5b

Download Submit
C:\Users\Admin\Downloads\clinbuildhosted.LZKpWXUw.7z.part

Filesize
922KB

MD5
fe67b96da864d9fa7ffa12dec23c5644

SHA1
28f32f05c914b0abffd92bc643835fc7ebfa950f

SHA256
10be415d2dc842de1a362a755471252d69ae95b604229664890e066dab1919b1

SHA512
2d079aca12f1865b3d8d83892ce752fe5ac57209288d2825a3894dfb07f14d0447c5e0ce1e3482c67c0e4dbe5e1b16c2c8dbbcd6a6ad17384495036bc2445160

Download Submit
C:\Users\Admin\Downloads\clinbuildhosted.UClG0kWD.exe.part

Filesize
128KB

MD5
d766ac592250564ce04537f90a07fb44

SHA1
39e4738f6bfb4d0d4c114bbb9d2d9f6fa12fad8d

SHA256
ae5f085d001b5d600346312a1d3380f5fe0ec5367c59df762b4bab7dd1bb83b5

SHA512
0ac83fe3bba92fe6fc66e50ebd0df5d413420ff2f0a32455b1bf56a8392a366c669c4b92283117089b4c5b7eba6249f79372a711487513932a346cc78072ead5

Download Submit
C:\Users\Admin\Downloads\clinbuildhosted\clinbuildhosted.exe

Filesize
3.1MB

MD5
c694aa829c15e117f2c4249a6a074cfd

SHA1
ac7fa69d126c86282671e43cb4a77c3c57ab8ef2

SHA256
4e9dc4221d59d8144ec9bf86d8953d3791227ff2bfe60164348532c3a50b0a4d

SHA512
d3b9ca1c3f4b1eb2382000277643ff330242da1af391d0ee097b70f7f6ea383da1b99f405193fe9c500d339fcb039e6412a5e8a119ed1b7a6f96a5aae49eb371

Download Submit
memory/884-3275-0x00007FFCDAA00000-0x00007FFCDAA01000-memory.dmp

Filesize
4KB

Download
memory/2260-3207-0x0000000000620000-0x0000000000655000-memory.dmp

Filesize
212KB

Download
memory/2260-3153-0x0000000074330000-0x0000000074556000-memory.dmp

Filesize
2.1MB

Download
memory/2260-3035-0x0000000000620000-0x0000000000655000-memory.dmp

Filesize
212KB

Download
memory/2260-3036-0x0000000074330000-0x0000000074556000-memory.dmp

Filesize
2.1MB

Download
memory/2572-3304-0x00007FFCDAA00000-0x00007FFCDAA01000-memory.dmp

Filesize
4KB

Download
memory/2608-2867-0x000002D3AD000000-0x000002D3AD022000-memory.dmp

Filesize
136KB

Download
memory/5364-1595-0x00007FFCB8093000-0x00007FFCB8095000-memory.dmp

Filesize
8KB

Download
memory/5364-1605-0x00007FFCB8090000-0x00007FFCB8B51000-memory.dmp

Filesize
10.8MB

Download
memory/5364-1596-0x0000000000A70000-0x0000000000D94000-memory.dmp

Filesize
3.1MB

Download
memory/5364-1597-0x00007FFCB8090000-0x00007FFCB8B51000-memory.dmp

Filesize
10.8MB

Download
memory/5364-1599-0x000000001BF90000-0x000000001C042000-memory.dmp

Filesize
712KB

Download
memory/5364-1598-0x000000001BAF0000-0x000000001BB40000-memory.dmp

Filesize
320KB

Download
memory/5628-3277-0x00007FFCDB370000-0x00007FFCDB371000-memory.dmp

Filesize
4KB

Download
memory/5628-3276-0x00007FFCD9F80000-0x00007FFCD9F81000-memory.dmp

Filesize
4KB

Download
memory/7128-4901-0x000001418ACF0000-0x000001418ACF1000-memory.dmp

Filesize
4KB

Download
memory/7128-4910-0x000001418ACF0000-0x000001418ACF1000-memory.dmp

Filesize
4KB

Download
memory/7128-4909-0x000001418ACF0000-0x000001418ACF1000-memory.dmp

Filesize
4KB

Download
memory/7128-4908-0x000001418ACF0000-0x000001418ACF1000-memory.dmp

Filesize
4KB

Download
memory/7128-4907-0x000001418ACF0000-0x000001418ACF1000-memory.dmp

Filesize
4KB

Download
memory/7128-4906-0x000001418ACF0000-0x000001418ACF1000-memory.dmp

Filesize
4KB

Download
memory/7128-4905-0x000001418ACF0000-0x000001418ACF1000-memory.dmp

Filesize
4KB

Download
memory/7128-4911-0x000001418ACF0000-0x000001418ACF1000-memory.dmp

Filesize
4KB

Download
memory/7128-4899-0x000001418ACF0000-0x000001418ACF1000-memory.dmp

Filesize
4KB

Download
memory/7128-4900-0x000001418ACF0000-0x000001418ACF1000-memory.dmp

Filesize
4KB

Download